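# Weekly release workflow: decides whether HEAD deserves a new tag/release,
# tags it, then builds and signs the artifacts with goreleaser + cosign.
name: Release
on:
  schedule:
    - cron: '0 0 * * 1' # every Monday at 00:00 UTC
  workflow_dispatch:
# No token scopes by default; the release job opts into exactly what it needs.
permissions: {}
jobs:
  release:
    name: Release
    runs-on: ubuntu-latest
    # https://docs.github.com/en/actions/reference/authentication-in-a-workflow
    permissions:
      id-token: write # OIDC token for keyless cosign signing (fulcio/rekor endpoints below)
      contents: write # push the version tag and upload release assets
    steps:
      # Egress allow-list: the runner blocks any outbound connection not listed here.
      - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
        with:
          egress-policy: block
          allowed-endpoints: >
            *.blob.core.windows.net:443
            *.githubapp.com:443
            api.github.com:443
            dl.google.com:443
            fulcio.sigstore.dev:443
            github.com:443
            go.dev:443
            goreleaser.com:443
            objects.githubusercontent.com:443
            proxy.golang.org:443
            raw.githubusercontent.com:443
            rekor.sigstore.dev:443
            release-assets.githubusercontent.com:443
            storage.googleapis.com:443
            sum.golang.org:443
            tuf-repo-cdn.sigstore.dev:443
            uploads.github.com:443
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # Full history: the check step runs `git describe --tags` and
          # `git diff <tag>..HEAD`, which need earlier commits to be present.
          # With checkout's default shallow (depth 1) clone, fetched tags are
          # not reachable from HEAD, so no previous tag is ever found and the
          # "only release on Go changes" filter is bypassed.
          fetch-depth: 0
      # Sets need_release=yes|no and, when a tag already points at HEAD but
      # has no release, existing_tag=<tag> so the tag step is skipped.
      - name: Check if any changes since last release
        id: check
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          git fetch --tags
          TAG=$(git tag --points-at HEAD)
          if [ -z "$TAG" ]; then
            echo "No tag points at HEAD, checking if changes warrant a release."
            # Get the last release tag
            LAST_TAG=$(git describe --tags --abbrev=0 2>/dev/null || echo "")
            if [ -n "$LAST_TAG" ]; then
              echo "Last release tag: $LAST_TAG"
              # Get all changed files since last tag
              CHANGED_FILES=$(git diff --name-only "$LAST_TAG"..HEAD)
              # Only release if changes include .go files, go.mod, go.sum, or LICENSE
              RELEASE_WORTHY_CHANGES=$(echo "$CHANGED_FILES" | grep -E '(\.go$|^go\.mod$|^go\.sum$|^LICENSE$)' || true)
              if [ -z "$RELEASE_WORTHY_CHANGES" ]; then
                echo "No Go source files, go.mod, go.sum, or LICENSE changed since last release. Skipping release."
                echo "need_release=no" >> "$GITHUB_OUTPUT"
              else
                echo "Found release-worthy changes since last release:"
                echo "$RELEASE_WORTHY_CHANGES"
                echo "need_release=yes" >> "$GITHUB_OUTPUT"
              fi
            else
              echo "No previous tags found. Creating first release."
              echo "need_release=yes" >> "$GITHUB_OUTPUT"
            fi
          else
            # A tag at HEAD only needs a release if none is published for it yet.
            RELEASE=$(gh release view "$TAG" --json tagName --jq '.tagName' || echo "none")
            if [ "$RELEASE" == "$TAG" ]; then
              echo "A release exists for tag $TAG, which has the latest changes, so no need for a new tag or release."
              echo "need_release=no" >> "$GITHUB_OUTPUT"
            else
              echo "Tag $TAG exists, but no release is associated. Need a new release."
              echo "need_release=yes" >> "$GITHUB_OUTPUT"
              echo "existing_tag=$TAG" >> "$GITHUB_OUTPUT"
            fi
          fi
      # Only create a tag when a release is needed and HEAD is not already tagged.
      - name: Bump version and push tag
        id: create_tag
        uses: mathieudutour/github-tag-action@a22cf08638b34d5badda920f9daf6e72c477b07b # v6.2
        if: steps.check.outputs.need_release == 'yes' && steps.check.outputs.existing_tag == ''
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
      # Re-checkout at the exact tag being released (pre-existing or just created).
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        if: steps.check.outputs.need_release == 'yes'
        with:
          ref: ${{ steps.check.outputs.existing_tag || steps.create_tag.outputs.new_tag }}
      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        if: steps.check.outputs.need_release == 'yes'
        with:
          go-version-file: './go.mod'
          check-latest: true
      # Cosign is used by goreleaser to sign release artifacts.
      - uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1
        if: steps.check.outputs.need_release == 'yes'
        with:
          # https://github.com/goreleaser/goreleaser/issues/6195
          cosign-release: "v2.6.1"
      - uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7.0.0
        if: steps.check.outputs.need_release == 'yes'
        with:
          # NOTE(review): the action is SHA-pinned, but `latest` lets the
          # goreleaser binary it installs float to the newest upstream release;
          # pin a version here if reproducible release builds are required.
          version: latest
          install-only: true
      - name: Release
        if: steps.check.outputs.need_release == 'yes'
        run: make release
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          TAG: ${{ steps.check.outputs.existing_tag || steps.create_tag.outputs.new_tag }}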