Skip to content

feat: Periodically check for hook updates on scan (#336) #38

feat: Periodically check for hook updates on scan (#336)

feat: Periodically check for hook updates on scan (#336) #38

Workflow file for this run

# This workflow will call the build_and_test.yml workflow to install Python dependencies, run tests and lint
# with a single version of Python
# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-python
# These jobs are specifically designed to test the codebase
# and ensure that basic contributing from both mac and windows will work
# Once both windows and mac builds are successful, the next steps will
# - using semantic-version will version the code, pushing the version back to the repo
# - push a package to pypi
# - push a formula to the homebrew repo
name: Publish
on:
push:
branches: [ main ]
jobs:
build-test:
name: Build & Test
uses: ./.github/workflows/build_and_test.yml
secureli-release:
name: GH Release
needs: [ build-test ]
runs-on: ubuntu-latest
environment: publish
concurrency: release
permissions:
id-token: write
contents: write
outputs:
uploaded: ${{ steps.upload.outputs.uploaded }}
steps:
- name: Get App Token
uses: tibdex/github-app-token@v2
id: app_token
with:
app_id: ${{ secrets.APP_ID }}
private_key: ${{ secrets.APP_PRIVATE_KEY }}
- uses: actions/checkout@v4
with:
fetch-depth: 0
token: ${{ steps.app_token.outputs.token }}
- name: Python Semantic Release
id: release
uses: python-semantic-release/python-semantic-release@v8.1.1
with:
github_token: ${{ steps.app_token.outputs.token }}
- name: Upload assets to GitHub Releases
id: upload
env:
GH_TOKEN: ${{ steps.app_token.outputs.token }}
run: |
if [[ -d dist ]]; then
if [[ -n "$(find ./dist -name 'secureli*' -print -quit)" ]]; then
gh release upload ${{ steps.release.outputs.tag }} ./dist/secureli*
echo "uploaded=true" >> "$GITHUB_OUTPUT"
else
echo "uploaded=false" >> "$GITHUB_OUTPUT"
fi
else
echo "uploaded=false" >> "$GITHUB_OUTPUT"
fi
- name: Display Output
run: echo uploaded=${{ steps.upload.outputs.uploaded }}
secureli-publish:
name: PyPI Publish
if: needs.secureli-release.outputs.uploaded == 'true'
runs-on: ubuntu-latest
needs: secureli-release
permissions:
id-token: write # IMPORTANT: this permission is mandatory for trusted publishing
steps:
- name: Display Inputs
run: echo uploaded=${{ needs.secureli-release.outputs.uploaded }}
- name: Checkout seCureLI Repo
uses: actions/checkout@v4
with:
ref: main
fetch-depth: 0
- name: Set up Python 3.9
id: setup-python
uses: actions/setup-python@v4
with:
python-version: "3.9"
- run: |
pip install poetry
poetry install
poetry build
- name: Publish package distributions to PyPI
uses: pypa/gh-action-pypi-publish@release/v1
with:
skip-existing: true
deploy:
name: Upload Homebrew Formula
if: needs.secureli-release.outputs.uploaded == 'true'
runs-on: ubuntu-latest
environment: publish
needs: secureli-release
steps:
- name: Display Inputs
run: echo uploaded=${{ needs.secureli-release.outputs.uploaded }}
- name: Get App Token
uses: tibdex/github-app-token@v2
id: app_token
with:
app_id: ${{ secrets.APP_ID }}
private_key: ${{ secrets.APP_PRIVATE_KEY }}
- uses: actions/checkout@v4
with:
ref: main
fetch-depth: 0
- name: Checkout seCureLI Homebrew Repo
uses: actions/checkout@v4
with:
repository: slalombuild/homebrew-secureli
token: ${{ steps.app_token.outputs.token }}
path: homebrew-secureli
ref: main
fetch-depth: 0
- name: Homebrew Formula Generation
env:
GH_TOKEN: ${{ steps.app_token.outputs.token }}
run: ./scripts/secureli-deployment.sh
integration-testing:
name: Integration Testing
needs: [ build-test, secureli-release, secureli-publish, deploy ]
if: |
always() &&
(needs.secureli-publish.result == 'success' || needs.secureli-publish.result == 'skipped') &&
(needs.deploy.result == 'success' || needs.deploy.result == 'skipped')
uses: ./.github/workflows/integration_testing.yml