Build and Draft Release #2
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Purpose: Build, sign, and check a draft release | |
| name: Build and Draft Release | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| # checkov:skip=CKV_GHA_7:Manual inputs are desired. | |
| releaseName: | |
| description: "Release Name" | |
| required: true | |
| type: string | |
| version: | |
| description: "Release Version (e.g., 1.2.4)" | |
| required: true | |
| type: string | |
| runQuickCheck: | |
| description: "Run a quick check of release" | |
| required: false | |
| type: boolean | |
| default: true | |
| permissions: read-all | |
| jobs: | |
| build-and-draft: | |
| name: Build and Draft Release | |
| runs-on: windows-latest | |
| environment: Development | |
| env: | |
| RELEASE_VERSION: ${{ inputs.version }} | |
| permissions: | |
| id-token: write | |
| contents: write | |
| # This condition prevents duplicate runs. | |
| if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| path: repo | |
| - name: OIDC Login to Azure Public Cloud with AzPowershell (enableAzPSSession true) | |
| uses: azure/login@v1 | |
| with: | |
| client-id: ${{ secrets.AZURE_CLIENT_ID }} | |
| tenant-id: ${{ secrets.AZURE_TENANT_ID }} | |
| subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} | |
| enable-AzPSSession: true | |
| - name: Sign Module | |
| uses: azure/powershell@v1 | |
| env: | |
| KEY_VAULT_INFO: ${{ secrets.SCUBA_KEY_VAULT_PROD}} | |
| with: | |
| inlineScript: | | |
| dotnet --version | |
| dotnet tool install --global AzureSignTool --version 4.0.1 | |
| $KeyVaultInfo = ${env:KEY_VAULT_INFO} | ConvertFrom-Json | |
| . repo/utils/DeployUtils.ps1 | |
| # Remove non-release files | |
| Remove-Item -Recurse -Force repo -Include .git* | |
| SignScubaGearModule ` | |
| -AzureKeyVaultUrl $($KeyVaultInfo.KeyVault.URL) ` | |
| -CertificateName $($KeyVaultInfo.KeyVault.CertificateName) ` | |
| -ModulePath 'repo' | |
| Move-Item -Path repo -Destination "ScubaGear-${env:RELEASE_VERSION}" -Force | |
| Compress-Archive -Path "ScubaGear-${env:RELEASE_VERSION}" -DestinationPath "ScubaGear-${env:RELEASE_VERSION}.zip" | |
| azPSVersion: "latest" | |
| - name: release | |
| uses: softprops/action-gh-release@v1 | |
| id: create_release | |
| with: | |
| draft: true | |
| prerelease: false | |
| name: ${{ inputs.releaseName }} | |
| tag_name: v${{ inputs.version }} | |
| files: ScubaGear-${{ inputs.version }}.zip | |
| generate_release_notes: true | |
| fail_on_unmatched_files: true | |
| - name: Download release | |
| uses: dsaltares/[email protected] | |
| if: ${{ inputs.runQuickCheck }} | |
| with: | |
| version: ${{ steps.create_release.outputs.id}} | |
| file: "ScubaGear-${{ inputs.version }}.zip" | |
| - name: Quick check release | |
| if: ${{ inputs.runQuickCheck }} | |
| shell: powershell | |
| run: | | |
| Expand-Archive -Path "ScubaGear-${{ inputs.version }}.zip" | |
| Get-ChildItem | |
| Set-Location -Path "ScubaGear-${{ inputs.version }}" | |
| Import-Module -Name .\PowerShell\ScubaGear\ScubaGear.psd1 | |
| Invoke-SCuBA -Version |