mirror of
https://github.com/we-promise/sure.git
synced 2026-06-01 08:49:01 +00:00
956c27df6b
* chore(ci): pin GitHub Actions to commit SHAs (#1811) Follow-up to #1810. The Node-24 upgrade left every workflow on mutable tag refs (`actions/checkout@v5`, `actions/download-artifact@v7`, etc.) which superagent-security[bot] flagged on the ci.yml + publish.yml reviews. Pin all 18 external actions to the commit SHA they currently resolve to and add a trailing `# vMAJOR.MINOR.PATCH` comment so reviewers can see the version. Local reusable-workflow refs (`uses: ./.github/...`) are left alone — pinning those would defeat the point. Closes #1811 * chore(ci): address review — persist-credentials + setup-node consistency (#1811) Two pieces of follow-up feedback on the SHA-pinning PR: - @coderabbitai (P1 nitpicks) + @JSONbored: add 'persist-credentials: false' to checkout steps in jobs that don't perform authenticated git operations. Adds the line to 17 read-only checkouts across 9 workflows (chart-ci, ci, flutter-build, helm-publish, ios-testflight, llm-evals, preview-cleanup, preview-deploy, publish:build). Checkouts inside jobs that 'git push' (chart-release, mobile-build, mobile-release, helm-publish:second-checkout, publish:bump-pre_release) are intentionally left alone so they keep their token. - @jjmata: preview-deploy.yml was the only workflow on actions/setup-node v6.4.0; everywhere else pinned v5.0.0. Standardise on v5.0.0 to match. Dependabot config already has a github-actions ecosystem entry with a weekly schedule, so no addition needed for that point. * chore(ci): document intentional setup-node v6→5 normalization (#1811) @superagent-security flagged the v6.4.0 -> v5.0.0 change in preview-deploy.yml as a possible unintended downgrade. The downgrade was deliberate, per @jjmata's review request to normalize setup-node across all workflows. Add an inline YAML comment next to the line so future scans don't re-flag it. --------- Signed-off-by: Juan José Mata <juanjo.mata@gmail.com> Co-authored-by: jeffrey701 <jeffrey701@users.noreply.github.com> Co-authored-by: Juan José Mata <juanjo.mata@gmail.com>
94 lines
3.1 KiB
YAML
94 lines
3.1 KiB
YAML
name: Chart Release
|
|
|
|
on:
|
|
push:
|
|
tags:
|
|
- 'chart-v*'
|
|
workflow_dispatch:
|
|
|
|
permissions:
|
|
contents: write
|
|
|
|
jobs:
|
|
prepare_release:
|
|
runs-on: ubuntu-latest
|
|
outputs:
|
|
tag_name: ${{ steps.tag.outputs.tag_name }}
|
|
chart_version: ${{ steps.tag.outputs.chart_version }}
|
|
app_version: ${{ steps.tag.outputs.app_version }}
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
|
|
with:
|
|
fetch-depth: 0
|
|
|
|
- name: Resolve chart release tag
|
|
id: tag
|
|
shell: bash
|
|
run: |
|
|
set -euo pipefail
|
|
|
|
# Read the canonical version from .sure-version (single source of truth)
|
|
APP_SEMVER=$(cat .sure-version | tr -d '[:space:]')
|
|
if [ -z "$APP_SEMVER" ]; then
|
|
echo "::error::Could not read version from .sure-version"
|
|
exit 1
|
|
fi
|
|
echo "App version from .sure-version: $APP_SEMVER"
|
|
|
|
if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
|
|
# Use the app version as the chart version (monorepo: versions stay in sync)
|
|
TAG_NAME="chart-v${APP_SEMVER}"
|
|
|
|
if git rev-parse "refs/tags/${TAG_NAME}" >/dev/null 2>&1; then
|
|
echo "::error::Tag ${TAG_NAME} already exists. Bump the version in .sure-version and charts/sure/Chart.yaml first."
|
|
exit 1
|
|
fi
|
|
|
|
git config user.name "${GITHUB_ACTOR}"
|
|
git config user.email "${GITHUB_ACTOR}@users.noreply.github.com"
|
|
if ! git tag "$TAG_NAME"; then
|
|
echo "::error::Failed to create tag ${TAG_NAME}"
|
|
exit 1
|
|
fi
|
|
if ! git push origin "$TAG_NAME"; then
|
|
echo "::error::Failed to push tag ${TAG_NAME} to origin"
|
|
exit 1
|
|
fi
|
|
else
|
|
TAG_NAME="${GITHUB_REF_NAME}"
|
|
fi
|
|
|
|
CHART_VERSION="${TAG_NAME#chart-v}"
|
|
|
|
echo "tag_name=$TAG_NAME" >> "$GITHUB_OUTPUT"
|
|
echo "chart_version=$CHART_VERSION" >> "$GITHUB_OUTPUT"
|
|
echo "app_version=$APP_SEMVER" >> "$GITHUB_OUTPUT"
|
|
|
|
publish_chart:
|
|
needs: prepare_release
|
|
uses: ./.github/workflows/helm-publish.yml
|
|
with:
|
|
chart_version: ${{ needs.prepare_release.outputs.chart_version }}
|
|
app_version: ${{ needs.prepare_release.outputs.app_version }}
|
|
update_gh_pages: true
|
|
secrets: inherit
|
|
|
|
release:
|
|
needs: [prepare_release, publish_chart]
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Download Helm chart artifact
|
|
uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
|
|
with:
|
|
name: helm-chart-package
|
|
path: ${{ runner.temp }}/helm-artifacts
|
|
|
|
- name: Create chart GitHub Release
|
|
uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3.0.0
|
|
with:
|
|
tag_name: ${{ needs.prepare_release.outputs.tag_name }}
|
|
name: ${{ needs.prepare_release.outputs.tag_name }}
|
|
generate_release_notes: true
|
|
files: ${{ runner.temp }}/helm-artifacts/*.tgz
|