chore(deps): update actions/attest-build-provenance action to v2.2.0 #538
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
name: Release | |
on: | |
push: | |
branches: | |
- main | |
permissions: | |
contents: read | |
pull-requests: read | |
env: | |
PROVIDER: proxmoxve | |
GO111MODULE: "on" | |
NUGET_FEED_URL: https://api.nuget.org/v3/index.json | |
jobs: | |
release: | |
runs-on: ubuntu-latest | |
name: Release | |
outputs: | |
release_created: ${{ steps.release.outputs.release_created }} | |
permissions: | |
contents: write | |
pull-requests: write | |
steps: | |
- uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4 | |
with: | |
egress-policy: audit | |
- uses: googleapis/release-please-action@7987652d64b4581673a76e33ad5e98e3dd56832f # v4.1.3 | |
id: release | |
publish_provider: | |
if: needs.release.outputs.release_created | |
runs-on: ubuntu-latest | |
name: Publish Provider | |
permissions: | |
id-token: write | |
contents: write | |
attestations: write | |
needs: | |
- release | |
strategy: | |
max-parallel: 4 | |
matrix: | |
go-version: [1.23.x] | |
steps: | |
- uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4 | |
with: | |
egress-policy: audit | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
with: | |
fetch-depth: 0 | |
- uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0 | |
with: | |
go-version: "${{ matrix.go-version }}" | |
cache-dependency-path: "**/*.sum" | |
- uses: jaxxstorm/action-install-gh-release@cd6b2b78ad38bdd294341cda064ec0692b06215b # v1.14.0 | |
with: | |
repo: pulumi/pulumictl | |
- uses: pulumi/actions@13b8b7177d6fb736766875dac9b78aab07bd785f # v6.0.1 | |
- uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0 | |
- uses: anchore/sbom-action/download-syft@df80a981bc6edbc4e220a492d3cbe9f5547a6e75 # v0.17.9 | |
- uses: goreleaser/goreleaser-action@9ed2f89a662bf1735a48bc8557fd212fa902bebf # v6.1.0 | |
with: | |
args: -p 3 release --clean --timeout 60m0s | |
version: latest | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
- uses: actions/attest-build-provenance@520d128f165991a6c774bcb264f323e3d70747f4 # v2.2.0 | |
with: | |
subject-path: | | |
dist/*.tar.gz | |
dist/*.sbom.json | |
dist/*_checksums.txt | |
dist/*.sig | |
dist/*.pem | |
publish_sdk: | |
if: needs.release.outputs.release_created | |
runs-on: ubuntu-latest | |
name: Publish SDK | |
permissions: | |
id-token: write | |
contents: read | |
needs: | |
- release | |
- publish_provider | |
strategy: | |
max-parallel: 10 | |
matrix: | |
go-version: [1.23.x] | |
node-version: [20.x] | |
dotnet-version: [6.0.x] | |
python-version: [3.11] | |
java-version: [11] | |
language: | |
- go | |
- nodejs | |
- python | |
- dotnet | |
- java | |
steps: | |
- uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4 | |
with: | |
egress-policy: audit | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
with: | |
fetch-depth: 0 | |
- uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0 | |
with: | |
go-version: "${{ matrix.go-version }}" | |
cache-dependency-path: "**/*.sum" | |
- uses: jaxxstorm/action-install-gh-release@cd6b2b78ad38bdd294341cda064ec0692b06215b # v1.14.0 | |
with: | |
repo: pulumi/pulumictl | |
- uses: pulumi/actions@13b8b7177d6fb736766875dac9b78aab07bd785f # v6.0.1 | |
- uses: actions/setup-dotnet@87b7050bc53ea08284295505d98d2aa94301e852 # v4.2.0 | |
with: | |
dotnet-version: "${{ matrix.dotnet-version }}" | |
if: matrix.language == 'dotnet' | |
- uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0 | |
with: | |
python-version: "${{ matrix.python-version }}" | |
if: matrix.language == 'python' | |
- uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 | |
with: | |
node-version: "${{ matrix.node-version }}" | |
if: matrix.language == 'nodejs' | |
- uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b # v4.6.0 | |
with: | |
distribution: corretto | |
java-version: ${{ matrix.java-version }} | |
if: matrix.language == 'java' | |
- uses: gradle/actions/setup-gradle@0bdd871935719febd78681f197cd39af5b6e16a6 # v4.2.2 | |
if: matrix.language == 'java' | |
- run: make install_plugins | |
- run: echo "${{ github.workspace }}/bin" >> $GITHUB_PATH | |
- run: make build_${{ matrix.language }} | |
- uses: hashicorp/vault-action@a1b77a09293a4366e48a5067a86692ac6e94fdc0 # v3.1.0 | |
id: import-secrets | |
with: | |
method: jwt | |
url: ${{ secrets.VAULT_ADDR }} | |
path: ${{ secrets.VAULT_PATH }} | |
role: ${{ secrets.VAULT_ROLE }} | |
secrets: | | |
github-pulumi-proxmoxve/data/nuget publish_key | NUGET_PUBLISH_KEY ; | |
github-pulumi-proxmoxve/data/npm token | NPM_TOKEN ; | |
github-pulumi-proxmoxve/data/java signing_key | SIGNING_KEY ; | |
github-pulumi-proxmoxve/data/java signing_key_id | SIGNING_KEY_ID ; | |
github-pulumi-proxmoxve/data/java signing_password | SIGNING_PASSWORD ; | |
github-pulumi-proxmoxve/data/sonatype publish_password | PUBLISH_REPO_PASSWORD ; | |
github-pulumi-proxmoxve/data/sonatype publish_username | PUBLISH_REPO_USERNAME | |
- name: Publish .NET SDK | |
run: | | |
dotnet nuget push -s "${{ env.NUGET_FEED_URL }}" -k "${{ env.NUGET_PUBLISH_KEY }}" ${{github.workspace}}/sdk/dotnet/bin/Debug/*.nupkg | |
if: matrix.language == 'dotnet' | |
- name: Publish Python SDK | |
uses: pypa/gh-action-pypi-publish@8cafb5c2bf2f478231c9abbba1feb4edb6ccf405 # release/v1 | |
with: | |
skip-existing: true | |
packages-dir: "${{ github.workspace }}/sdk/python/bin/dist/" | |
if: matrix.language == 'python' | |
- name: Publish NodeJS SDK | |
uses: JS-DevTools/npm-publish@19c28f1ef146469e409470805ea4279d47c3d35c # v3.1.1 | |
with: | |
package: ./sdk/nodejs/bin/package.json | |
access: public | |
token: ${{ env.NPM_TOKEN }} | |
provenance: true | |
if: matrix.language == 'nodejs' | |
- name: Java PACKAGE_VERSION | |
run: | | |
REF_NAME=`git describe --abbrev=0 --tags` | |
echo "PACKAGE_VERSION=${REF_NAME:1}" >> $GITHUB_ENV | |
if: matrix.language == 'java' | |
- name: Publish Java SDK | |
working-directory: sdk/java | |
run: gradle publishToSonatype closeAndReleaseSonatypeStagingRepository | |
if: matrix.language == 'java' | |
continue-on-error: true # Java SDK publishing is in alpha stage | |
tag_sdk: | |
if: needs.release.outputs.release_created | |
runs-on: ubuntu-latest | |
name: Tag SDK Release | |
permissions: | |
id-token: write | |
contents: write | |
needs: | |
- release | |
- publish_sdk | |
steps: | |
- uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4 | |
with: | |
egress-policy: audit | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
with: | |
fetch-depth: 0 | |
- run: | | |
git config --local user.email "${{ env.GITHUB_ACTION }}+github-actions[bot]@users.noreply.github.com" | |
git config --local user.name "github-actions[bot]" | |
- run: | | |
REF_NAME=`git describe --abbrev=0 --tags` | |
echo "found tag: $REF_NAME" | |
git tag -a sdk/$REF_NAME -m sdk/$REF_NAME | |
git push origin sdk/$REF_NAME |