create-release.yml
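# This workflow allows for the creation of a new release through the GitHub UI.
# This is done by creating a pull request to the protected stable release branch.
# From there, the publish-release.yml workflow will take over and publish the release.
#
# Notes on how secrets are handled in this file:
# - Secrets are handed to shell steps through `env:` instead of being
#   interpolated into the script text, so they never end up in a process
#   argument list (readable via `ps`) or in the templated script body.
# - Signing and attestation steps are gated on the upstream repository name,
#   so forks can run the build without holding the signing secrets.
# - Third-party actions that touch secrets are pinned to full commit SHAs.
---
name: Create a new release PR

on:
  workflow_dispatch:
    inputs:
      type:
        type: choice
        description: The SemVer level of the release
        options:
          - patch
          - minor
          - major

# `id-token: write` and `attestations: write` are consumed only by the
# "Attest build provenance" step, which is currently disabled (see below).
# NOTE(review): consider removing them until that step is re-enabled, since
# every action in this job can otherwise request an OIDC token with them.
permissions:
  contents: write
  pull-requests: write
  id-token: write
  attestations: write

jobs:
  prepare-release:
    runs-on: ubuntu-latest
    name: Prepare a new release
    steps:
      # `stable` is the branch checked out here; the release PR created at the
      # end of the job is opened against it.
      - uses: actions/checkout@v4
        with:
          ssh-key: ${{ secrets.SSH_PRIVATE_KEY }}
          ref: stable

      # The release is cut from master, so replace the stable checkout with it.
      - name: Pull latest changes from master
        run: |
          git fetch origin master:master
          git reset --hard master

      - name: Remove development dependencies
        run: |
          composer remove mockery/mockery --dev --no-install
          composer remove pestphp/pest --dev --no-install

      - name: Install dependencies
        run: composer install --no-interaction --no-progress --no-suggest --prefer-dist

      # Writes the bumped version to the `version` output for later steps.
      - name: Bump application version
        id: build-version
        env:
          # The choice input is limited to the options declared above; it is
          # still passed through the environment rather than pasted into the script.
          RELEASE_TYPE: ${{ github.event.inputs.type }}
        run: |
          php ./bin/bump-application-version.php "$RELEASE_TYPE"
          version="$(php ./bin/get-release-version.php)"
          echo "version=${version}" >> "$GITHUB_OUTPUT"
          echo "Version: v${version}"

      # NOTE(review): `steps.build-version.outputs.sha_short` is never written
      # by the build-version step (it only emits `version`), so the suffix
      # below currently expands to an empty string. Either emit
      # `sha_short=$(git rev-parse --short HEAD)` from that step or drop the flag.
      - name: Build executable
        run: php hyde standalone:build --build-version-suffix="${{ steps.build-version.outputs.sha_short }}"

      - name: Verify executable
        run: php builds/hyde

      - name: Verify executable version
        run: php builds/hyde --version

      - name: Upload executable artifact
        uses: actions/upload-artifact@v4
        with:
          name: hyde
          path: builds/hyde

      # Signing runs only in the upstream repository, where the signing secrets exist.
      - name: Import GPG key
        if: github.event.repository.full_name == 'hydephp/cli'
        uses: crazy-max/ghaction-import-gpg@01dd5d3ca463c7f10f7f4f7b4f177225ac661ee4
        with:
          gpg_private_key: ${{ secrets.GPG_SIGNING_PRIVATE_KEY }}
          passphrase: ${{ secrets.GPG_SIGNING_KEY_PASSPHRASE }}
          trust_level: 5

      # The passphrase is fed on stdin (--passphrase-fd 0) instead of via
      # --passphrase=..., which would expose it in the gpg process arguments.
      - name: Sign the executable
        if: github.event.repository.full_name == 'hydephp/cli'
        env:
          GPG_PASSPHRASE: ${{ secrets.GPG_SIGNING_KEY_PASSPHRASE }}
        run: |
          printf '%s' "$GPG_PASSPHRASE" | gpg \
            --local-user 657B4D97184E9E6E596E6EA13B829782D5B7BA59 \
            --batch \
            --yes \
            --pinentry-mode loopback \
            --passphrase-fd 0 \
            --detach-sign \
            --output builds/hyde.sig \
            builds/hyde

      # Mark the signing key as ultimately trusted so --verify reports a good,
      # trusted signature rather than just a good one.
      - name: Verify the signature
        if: github.event.repository.full_name == 'hydephp/cli'
        run: |
          gpg --import-ownertrust <<< "657B4D97184E9E6E596E6EA13B829782D5B7BA59:6:"
          gpg --verify builds/hyde.sig builds/hyde

      # Only the still-encrypted key is written to disk, into a 0700 directory
      # that is removed on exit even if openssl fails. The passphrase is read
      # from the environment (-passin env:...), so neither it nor a decrypted
      # copy of the key is ever written to a file.
      - name: Create OpenSSL fallback signature
        if: github.event.repository.full_name == 'hydephp/cli'
        env:
          RSA_SIGNING_PRIVATE_KEY: ${{ secrets.RSA_SIGNING_PRIVATE_KEY }}
          RSA_SIGNING_KEY_PASSPHRASE: ${{ secrets.RSA_SIGNING_KEY_PASSPHRASE }}
        run: |
          umask 077
          mkdir -p "$HOME/.cert/"
          chmod 0700 "$HOME/.cert/"
          trap 'rm -rf "$HOME/.cert/"' EXIT
          printf '%s\n' "$RSA_SIGNING_PRIVATE_KEY" > "$HOME/.cert/private_encrypted.key"
          openssl dgst -sha512 \
            -sign "$HOME/.cert/private_encrypted.key" \
            -passin env:RSA_SIGNING_KEY_PASSPHRASE \
            -out builds/signature.bin \
            builds/hyde

      - name: Upload signature artifacts
        if: github.event.repository.full_name == 'hydephp/cli'
        uses: actions/upload-artifact@v4
        with:
          name: signature
          path: |
            builds/hyde.sig
            builds/signature.bin

      - name: Attest build provenance
        if: false # Disabled pending issue https://github.com/actions/attest-build-provenance/issues/110
        uses: actions/attest-build-provenance@v1
        with:
          subject-path: builds/hyde

      # The dev-dependency removal above must not end up in the release commit.
      - name: Reset Composer file changes
        run: git restore composer.json composer.lock

      - name: Create pull request
        uses: peter-evans/create-pull-request@6d6857d36972b65feb161a90e484f2984215f83e
        with:
          commit-message: "HydeCLI v${{ steps.build-version.outputs.version }}"
          title: "HydeCLI v${{ steps.build-version.outputs.version }}"
          branch: "release/v${{ steps.build-version.outputs.version }}"
          delete-branch: true
          # NOTE(review): hyde.sig and signature.bin exist only when the
          # signing steps ran (upstream repository); confirm the action
          # tolerates the missing paths on forks.
          add-paths: |
            app/Application.php
            builds/hyde
            builds/hyde.sig
            builds/signature.bin
          body: |
            This pull request was automatically created by the [HydeCLI release workflow](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}).
            Please review and merge it to publish a new release, which will be created automatically upon merge.
          reviewers: caendesilva
          labels: release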