diff options
author | Eric Lorenzana <eric.lorenzana@sonarsource.com> | 2022-11-17 15:03:44 +0100 |
---|---|---|
committer | Eric Lorenzana <eric.lorenzana@sonarsource.com> | 2022-11-25 12:37:35 +0100 |
commit | 902ba352c9e70be2b4375948985074ce941e1b5d (patch) | |
tree | 716a7c918e58503b5dfd03b9adea2a46fac9a9a7 | |
parent | f624cc7dad9f1f5eeddf9e2354df7073149ade02 (diff) | |
download | sonar-scanner-cli-902ba352c9e70be2b4375948985074ce941e1b5d.tar.gz sonar-scanner-cli-902ba352c9e70be2b4375948985074ce941e1b5d.zip |
feat(BUILD-2144): Make release workflow use Vault
Replace release and maven sync with `SonarSource/gh-action_release`
Also fix secrets for Github release token and Slack, now using Vault.
Replace slack action with `slackapi/slack-github-action`
-rw-r--r-- | .github/workflows/release.yml | 112 |
1 files changed, 24 insertions, 88 deletions
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 38556ba..6b44210 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -5,58 +5,34 @@ on: types: - published -env: - PYTHONUNBUFFERED: 1 - jobs: - run_release: + release: + permissions: + id-token: write + contents: write + uses: SonarSource/gh-action_release/.github/workflows/main.yaml@5.0.1 + with: + publishToBinaries: true + mavenCentralSync: true + slackChannel: sonarqube-build + release_docker: runs-on: ubuntu-latest - name: Start release process + name: Start Docker release process + needs: release timeout-minutes: 60 steps: - - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@v1 - with: - aws-access-key-id: ${{ secrets.BINARIES_AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.BINARIES_AWS_SECRET_ACCESS_KEY }} - aws-region: ${{ secrets.BINARIES_AWS_REGION }} - - name: Run release action - id: run_release - uses: SonarSource/gh-action_release/main@v4 - with: - distribute: true - publish_to_binaries: true - attach_artifacts_to_github_release: true - run_rules_cov: false - slack_channel: sonarqube-build - env: - ARTIFACTORY_API_KEY: ${{ secrets.ARTIFACTORY_API_KEY }} - BINARIES_AWS_DEPLOY: ${{ secrets.BINARIES_AWS_DEPLOY }} - BURGRX_USER: ${{ secrets.BURGRX_USER }} - BURGRX_PASSWORD: ${{ secrets.BURGRX_PASSWORD }} - CIRRUS_TOKEN: ${{ secrets.CIRRUS_TOKEN }} - PATH_PREFIX: ${{ secrets.BINARIES_PATH_PREFIX }} - GITHUB_TOKEN: ${{ secrets.RELEASE_GITHUB_TOKEN }} - RELEASE_SSH_USER: ${{ secrets.RELEASE_SSH_USER }} - RELEASE_SSH_KEY: ${{ secrets.RELEASE_SSH_KEY }} - SLACK_API_TOKEN: ${{secrets.SLACK_API_TOKEN }} - - name: Log outputs - if: always() - run: | - echo "${{ steps.run_release.outputs.releasability }}" - echo "${{ steps.run_release.outputs.release }}" - echo "${{ steps.run_release.outputs.distribute_release }}" - - name: Notify success on Slack - uses: Ilshidur/action-slack@2.0.0 - env: - SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} + - name: get secrets + id: secrets + uses: SonarSource/vault-action-wrapper@8e22afd670393ed80f489f5dbd517d09ea21d75b with: - args: "Release successful for {{ GITHUB_REPOSITORY }} by {{ GITHUB_ACTOR }}" + secrets: | + development/github/token/SonarSource-sonar-scanner-cli-release token | GITHUB_TOKEN_RELEASE; + development/kv/data/slack token | SLACK_BOT_TOKEN; - name: Create Release for Docker Image id: create_release uses: softprops/action-gh-release@v1 env: - GITHUB_TOKEN: ${{ secrets.RELEASE_GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).GITHUB_TOKEN_RELEASE }} GITHUB_REPOSITORY: SonarSource/sonar-scanner-cli-docker with: tag_name: ${{ github.event.release.tag_name }} @@ -64,50 +40,10 @@ jobs: draft: false prerelease: false - name: Notify failures on Slack - uses: Ilshidur/action-slack@2.0.0 + uses: slackapi/slack-github-action@v1.23.0 if: failure() - env: - SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} with: - args: "Release failed, see the logs at https://github.com/{{ GITHUB_REPOSITORY }}/actions by {{ GITHUB_ACTOR }}" - maven-central-sync: - runs-on: ubuntu-latest - needs: - - run_release - steps: - - name: Setup JFrog CLI - uses: jfrog/setup-jfrog-cli@v1 - - name: JFrog config - run: jfrog rt config repox --url https://repox.jfrog.io/artifactory/ --apikey $ARTIFACTORY_API_KEY --basic-auth-only - env: - ARTIFACTORY_API_KEY: ${{ secrets.ARTIFACTORY_API_KEY }} - - name: Get the version - id: get_version - run: | - IFS=. read major minor patch build <<< "${{ github.event.release.tag_name }}" - echo ::set-output name=build::"${build}" - - name: Create local repository directory - id: local_repo - run: echo ::set-output name=dir::"$(mktemp -d repo.XXXXXXXX)" - - name: Download Artifacts - uses: SonarSource/gh-action_release/download-build@v4 - with: - build-number: ${{ steps.get_version.outputs.build }} - local-repo-dir: ${{ steps.local_repo.outputs.dir }} - - name: Maven Central Sync - id: maven-central-sync - continue-on-error: true - uses: SonarSource/gh-action_release/maven-central-sync@v4 - with: - local-repo-dir: ${{ steps.local_repo.outputs.dir }} - env: - OSSRH_USERNAME: ${{ secrets.OSSRH_USERNAME }} - OSSRH_PASSWORD: ${{ secrets.OSSRH_PASSWORD }} - - name: Notify on failure - if: ${{ failure() || steps.maven-central-sync.outcome == 'failure' }} - uses: 8398a7/action-slack@v3 - with: - status: failure - fields: repo,author,eventName - env: - SLACK_WEBHOOK_URL: ${{ secrets.SLACK_BUILD_WEBHOOK }} + channel-id: sonarqube-build + slack-message: "Release failed, see the logs at https://github.com/{{ GITHUB_REPOSITORY }}/actions by {{ GITHUB_ACTOR }}" + env: + SLACK_BOT_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).SLACK_BOT_TOKEN }} |