generated from jacobtomlinson/python-container-action
-
Notifications
You must be signed in to change notification settings - Fork 3
106 lines (104 loc) · 4.38 KB
/
main.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
# yamllint disable rule:line-length
---
name: Release
on:
workflow_call:
inputs:
dryRun:
type: boolean
description: Flag to enable the dry-run execution
default: false
required: false
publishToBinaries:
type: boolean
description: Flag to enable the publication to binaries
default: false
required: false
binariesS3Bucket:
type: string
description: Target bucket
default: downloads-cdn-eu-central-1-prod
required: false
slackChannel:
type: string
description: Channel to post notifications
default: build
required: false
vaultAddr:
type: string
description: Custom vault installation
default: https://vault.sonar.build:8200
required: false
artifactoryRoleSuffix:
type: string
description: Artifactory promoter suffix specified in Vault repo config
default: promoter
required: false
mavenCentralSync:
type: boolean
description: Enable synchronization to Maven Central
default: false
required: false
jobs:
release:
name: Release
runs-on: ubuntu-latest
permissions:
id-token: write # to authenticate via OIDC
contents: write # to revert a github release
timeout-minutes: 30
if: ${{ github.event_name == 'release' && github.event.action == 'published' }}
outputs:
releasability: ${{ steps.release.outputs.releasability }}
promote: ${{ steps.release.outputs.promote }}
publish_to_binaries: ${{ steps.release.outputs.publish_to_binaries }}
release: ${{ steps.release.outputs.release }}
steps:
- name: Vault Secrets
id: secrets
uses: SonarSource/vault-action-wrapper@d1c1ab4ca5ad07fd9cdfe1eff038a39673dfca64 # tag=2.4.2-1
with:
url: ${{ inputs.vaultAddr }}
secrets: |
development/artifactory/token/{REPO_OWNER_NAME_DASH}-${{ inputs.artifactoryRoleSuffix }} access_token | artifactory_access_token;
development/kv/data/slack token | slack_api_token;
development/kv/data/repox url | artifactory_url;
development/kv/data/burgr github_username | burgrx_username;
development/kv/data/burgr github_password | burgrx_password;
development/aws/sts/downloads access_key | binaries_aws_access_key_id;
development/aws/sts/downloads secret_key | binaries_aws_secret_access_key;
development/aws/sts/downloads security_token | binaries_aws_security_token;
- name: Release
id: release
uses: SonarSource/gh-action_release/main@v5
with:
publish_to_binaries: ${{ inputs.publishToBinaries }} # Used only if the binaries are delivered to customers
slack_channel: ${{ inputs.slackChannel }}
dry_run: ${{ inputs.dryRun }}
env:
PYTHONUNBUFFERED: 1
ARTIFACTORY_ACCESS_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).artifactory_access_token }}
BINARIES_AWS_DEPLOY: ${{ inputs.binariesS3Bucket }} # Required for pushing the binaries
BURGRX_USER: ${{ fromJSON(steps.secrets.outputs.vault).burgrx_username }}
BURGRX_PASSWORD: ${{ fromJSON(steps.secrets.outputs.vault).burgrx_password }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
SLACK_API_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).slack_api_token }}
AWS_ACCESS_KEY_ID: ${{ fromJSON(steps.secrets.outputs.vault).binaries_aws_access_key_id }}
AWS_SECRET_ACCESS_KEY: ${{ fromJSON(steps.secrets.outputs.vault).binaries_aws_secret_access_key }}
AWS_SESSION_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).binaries_aws_security_token }}
AWS_DEFAULT_REGION: eu-central-1
- name: Release action results
if: always()
run: |
echo "${{ steps.release.outputs.releasability }}"
echo "${{ steps.release.outputs.promote }}"
echo "${{ steps.release.outputs.publish_to_binaries }}"
echo "${{ steps.release.outputs.release }}"
mavenCentral:
name: Maven Central
needs: release
if: ${{ inputs.mavenCentralSync && inputs.dryRun != true }}
uses: SonarSource/gh-action_release/.github/workflows/maven-central.yaml@v5
with:
vaultAddr: ${{ inputs.vaultAddr }}
artifactoryRoleSuffix: ${{ inputs.artifactoryRoleSuffix }}