Publish #36
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Publish | |
on: | |
release: | |
types: [published] | |
jobs: | |
build_wheels: | |
name: Build wheels on ${{ matrix.os }} | |
runs-on: ${{ matrix.os }} | |
strategy: | |
matrix: | |
os: [ubuntu-22.04, ubuntu-20.04, macos-10.15, macos-11, macos-12] | |
steps: | |
- uses: actions/checkout@v2 | |
with: | |
ref: ${{ github.event.inputs.release }} | |
- name: Configure Python | |
uses: actions/setup-python@v3 | |
# TODO: This may result in macOS compiling against a newer version of libarchive | |
# than Linux. | |
- name: Install dependencies (macOS) | |
if: startsWith(matrix.os, 'macos-') | |
run: brew install libarchive | |
- name: Install cibuildwheel | |
run: python -m pip install cibuildwheel==2.12.3 | |
- name: Build wheels (macOS) | |
run: python -m cibuildwheel --output-dir wheelhouse | |
if: startsWith(matrix.os, 'macos-') | |
- name: Build wheels (Ubuntu) | |
run: python -m cibuildwheel --output-dir wheelhouse | |
if: startsWith(matrix.os, 'ubuntu-') | |
env: | |
CIBW_BEFORE_ALL_LINUX: > | |
curl -sOL https://github.com/libarchive/libarchive/releases/download/v3.6.1/libarchive-3.6.1.tar.gz && | |
tar -zxvf libarchive-3.6.1.tar.gz && | |
cd libarchive-3.6.1/ && | |
./configure --without-lzo2 --without-nettle --without-xml2 --without-openssl --with-expat && | |
make && | |
make install | |
- uses: actions/upload-artifact@v3 | |
with: | |
path: ./wheelhouse/*.whl | |
build_sdist: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v2 | |
- name: Configure Python | |
uses: actions/setup-python@v2 | |
with: | |
python-version: 3.11 | |
- name: Build Python sdist | |
run: | | |
python -m pip install --upgrade pip wheel setuptools | |
pip install build | |
python -m build --sdist --outdir dist/ . | |
- uses: actions/upload-artifact@v3 | |
with: | |
path: dist/*.tar.gz | |
publish: | |
needs: [build_wheels, build_sdist] | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v2 | |
with: | |
ref: ${{ github.event.inputs.release }} | |
- uses: actions/download-artifact@v3 | |
with: | |
name: artifact | |
path: dist | |
- name: Extract version | |
run: | | |
git clone https://www.github.com/stacscan/stacs-rules.git /tmp/stacs-rules | |
pushd /tmp/stacs-rules | |
RULES_VERSION="$(git rev-parse --short HEAD)" | |
popd | |
STACS_VERSION="$(python -c 'exec(open("stacs/scan/__about__.py").read()) ; print(__version__, end="")')" | |
echo "IMAGE_VERSION=${STACS_VERSION}-r${RULES_VERSION}" >> "${GITHUB_ENV}" | |
echo "STACS_VERSION=${STACS_VERSION}" >> "${GITHUB_ENV}" | |
- name: Publish Python package | |
uses: pypa/gh-action-pypi-publish@27b31702a0e7fc50959f5ad993c78deac1bdfc29 | |
with: | |
user: __token__ | |
password: ${{ secrets.PYPI_TOKEN }} | |
- name: Wait a minute for PyPi to catch up | |
run: sleep 60s | |
shell: bash | |
- name: Login to DockerHub | |
uses: docker/login-action@v1 | |
with: | |
username: ${{ secrets.DOCKERHUB_USERNAME }} | |
password: ${{ secrets.DOCKERHUB_TOKEN }} | |
- name: Build and push Docker image | |
id: docker_build | |
uses: docker/build-push-action@v2 | |
with: | |
context: . | |
push: true | |
tags: stacscan/stacs:latest,stacscan/stacs:${{ env.IMAGE_VERSION }} | |
build-args: | | |
VERSION=${{ env.IMAGE_VERSION }} | |
STACS_BUILD=${{ env.STACS_VERSION }} |