-
Notifications
You must be signed in to change notification settings - Fork 2
108 lines (96 loc) · 3.33 KB
/
draft-release.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
name: draft-release
on:
push:
tags:
- 'v*'
jobs:
check:
name: Check Tag Signature
runs-on: ubuntu-latest
steps:
- name: Verify Tag Signature
uses: actions/[email protected]
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
const { repository: repo, ref: tagRef } = context.payload
const tagRefInfo = await github.git.getRef({
owner: repo.owner.login,
repo: repo.name,
ref: tagRef.replace("refs/", "")
})
core.debug("tagRef: " + JSON.stringify(tagRefInfo))
const tagInfo = await github.git.getTag({
owner: repo.owner.login,
repo: repo.name,
tag_sha: tagRefInfo.data.object.sha
})
core.debug("tagInfo: " + JSON.stringify(tagInfo))
if (tagInfo.data.verification.verified != true || tagInfo.data.verification.reason != "valid") {
throw new Error(`Tag ${tagRef} is not signed or signature is not valid. Reason: ${tagInfo.data.verification.reason}`)
}
core.info(`Tag ${tagRef} signature is valid.`)
let signature = tagInfo.data.verification.signature
signature = signature.split("\n").slice(2, -3).join("")
core.exportVariable("TAG_SIGNATURE", signature)
- name: Verify Signature Key ID
run: |
SIGNATURE_KEY_ID=$(echo -n $TAG_SIGNATURE | base64 -d | od -t x1 -An -v | tr -d ' ' | tr -d '\n' | cut -b 49-64 | tr a-z A-Z)
SIG_IDS_LIST=$(echo $ALLOWED_SIGNATURE_IDS | tr "," "\n")
if [[ " ${SIG_IDS_LIST[@]} " =~ " ${SIGNATURE_KEY_ID} " ]]; then
echo "Signature Key ID matched"
exit 0
else
echo "::error ::Signature Key ID '$SIGNATURE_KEY_ID' is not allowed to make releases."
exit 1
fi
env:
ALLOWED_SIGNATURE_IDS: ${{ secrets.RELEASE_GPG_KEY_ID }}
build:
name: Build
runs-on: ubuntu-latest
needs: check
strategy:
matrix:
node-version: [12.x, 14.x]
steps:
- uses: actions/checkout@v2
- name: Use Node.js ${{ matrix.node-version }}
uses: actions/setup-node@v1
with:
node-version: ${{ matrix.node-version }}
- name: install and build
run: |
yarn install --frozen-lockfile
yarn run coverage
yarn run build
env:
CI: true
release:
name: Create release
runs-on: ubuntu-latest
needs: [check,build]
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
steps:
- uses: actions/checkout@v2
with:
fetch-depth: 0
- name: Get Previous Tag
run: |
PREV_TAG=$(git describe --abbrev=0 --tags "${{ github.ref }}^")
echo "baseRef=$PREV_TAG" >> $GITHUB_ENV
- name: Generate Changelog
id: generate_changelog
uses: nblagoev/pull-release-notes-action@v1
with:
base-ref: ${{ env.baseRef }}
head-ref: ${{ github.ref }}
- name: Create Release
uses: actions/create-release@v1
with:
tag_name: ${{ github.ref }}
release_name: ${{ github.ref }}
body: ${{steps.generate_changelog.outputs.result}}
draft: true
prerelease: false