update version file on release

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
anchore · May 9, 2024 · 7fd7a20 · 7fd7a20
1 parent aba4d04
commit 7fd7a20
Show file tree

Hide file tree

Showing 5 changed files with 57 additions and 12 deletions.
diff --git a/.github/scripts/update-version-file.sh b/.github/scripts/update-version-file.sh
@@ -2,8 +2,8 @@
 set -ue
 
 BIN="grype"
-DISTDIR=$1
-VERSION=$2
+VERSION_FILE="VERSION"
+VERSION=$1
 
 # the source of truth as to whether we want to notify users of an update is if the release just created is NOT
 # flagged as a pre-release on github
@@ -12,10 +12,9 @@ if [[ "$(curl -SsL https://api.github.com/repos/anchore/${BIN}/releases/tags/${V
    exit 0
 fi
 
-echo "creating and publishing version file"
+echo "creating and publishing version file (${VERSION})"
 
 # create a version file for version-update checks
-VERSION_FILE="${DISTDIR}/VERSION"
 echo "${VERSION}" | tee "${VERSION_FILE}"
 
 # upload the version file that supports the application version update check

diff --git a/.github/workflows/release-version-file.yaml b/.github/workflows/release-version-file.yaml
@@ -0,0 +1,32 @@
+name: "Release"
+
+on:
+
+  workflow_dispatch:
+    inputs:
+      version:
+        description: release version to update the version file with (prefixed with v)
+        required: true
+
+  workflow_call:
+    inputs:
+      version:
+        type: string
+        description: release version to update the version file with (prefixed with v)
+        required: true
+
+jobs:
+
+  release:
+    runs-on: ubuntu-20.04
+    steps:
+      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b #v4.1.4
+
+      - name: Update version file
+        run: make ci-release-version-file
+        env:
+          RELEASE_VERSION: ${{ github.event.inputs.version }}
+          # for updating the VERSION file in S3...
+          AWS_ACCESS_KEY_ID: ${{ secrets.TOOLBOX_AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.TOOLBOX_AWS_SECRET_ACCESS_KEY }}
+
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -90,6 +90,10 @@ jobs:
           echo "CLI Test (Linux) Status: ${{ steps.cli-linux.outputs.conclusion }}"
           false
 
+  # only release core assets within the "release" job. Any other assets not already under the purview of the
+  # goreleaser configuration should be added as separate jobs to allow for debugging separately from the release workflow
+  # as well as not accidentally be re-run as a step multiple times (as could be done within the release workflow) as
+  # not all actions are guaranteed to be idempotent.
   release:
     needs: [quality-gate]
     runs-on: ubuntu-20.04
@@ -121,9 +125,6 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Cosign install
-        uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 #v3.5.0
-
       - name: Tag release
         run: |
           git config user.name "anchoreci"
@@ -146,10 +147,6 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           # for updating brew formula in anchore/homebrew-syft
           GITHUB_BREW_TOKEN: ${{ secrets.ANCHOREOPS_GITHUB_OSS_WRITE_TOKEN }}
-          # for updating the VERSION file in S3...
-          AWS_ACCESS_KEY_ID: ${{ secrets.TOOLBOX_AWS_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.TOOLBOX_AWS_SECRET_ACCESS_KEY }}
-
 
       - uses: anchore/sbom-action@7ccf588e3cf3cc2611714c2eeae48550fbc17552 # v0.15.11
         continue-on-error: true
@@ -165,3 +162,10 @@ jobs:
         env:
           SLACK_WEBHOOK_URL: ${{ secrets.SLACK_TOOLBOX_WEBHOOK_URL }}
         if: ${{ success() }}
+
+  release-version-file:
+    needs: [release]
+    uses: ./.github/workflows/release-version-file.yaml
+    with:
+      version: ${{ github.event.inputs.version }}
+    secrets: inherit
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
@@ -249,7 +249,7 @@ docker_manifests:
 
 
 signs:
-  - cmd: cosign
+  - cmd: .tool/cosign
     signature: "${artifact}.sig"
     certificate: "${artifact}.pem"
     args: 

diff --git a/Taskfile.yaml b/Taskfile.yaml
@@ -387,6 +387,16 @@ tasks:
         silent: true
       - "{{ .RELEASE_CMD }}"
 
+  ci-release-version-file:
+    # desc: "[CI only] Update the version file"
+    deps: [tools]
+    cmds:
+      - task: ci-check
+      - ".github/scripts/update-version-file.sh {{ .RELEASE_VERSION }}"
+    requires:
+      vars:
+        - RELEASE_VERSION
+
   ci-validate-test-config:
     # desc: "[CI only] Ensure the update URL is not overridden (not pointing to staging)"
     silent: true