diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 093852bd..4da3b9ce 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -21,6 +21,11 @@ jobs: os: [ubuntu-latest, macos-latest, windows-latest] runs-on: ${{ matrix.os }} steps: + - name: Harden Runner + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 + with: + egress-policy: audit + - name: Checkout Console uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: 
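Review bot: `egress-policy: audit` in the new Harden Runner step only records outbound connections and does not stop them, so it adds visibility but no enforcement to a release workflow. Once a few runs have produced a baseline, switch to `egress-policy: block` with an explicit `allowed-endpoints` list. The job runs on a matrix of `ubuntu-latest`, `macos-latest` and `windows-latest`; as far as I know this harden-runner release monitors Linux runners only, so the other two legs would stay unmonitored, which is worth confirming. The hunk adds the step to this job only; the later job that logs in to the registry and publishes lies outside the hunk and should get it too if it does not have it already.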
@@ -42,48 +47,49 @@ jobs: - name: move files run: mv ./temp/ui/* ./internal/controller/http/ui - - uses: actions/setup-go@v5 + - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 with: go-version: ">=1.23.0" - name: 🔬 Check semantic versioning id: semantic-release + env: + GITHUB_REF: ${{ github.head_ref }} run: | - GITHUB_REF=${{ github.head_ref }} - npx semantic-release --no-ci --dry-run --plugins @semantic-release/commit-analyzer --branches ${{ github.head_ref }} - VERSION=$(cat .VERSION) - + npx semantic-release --no-ci --dry-run --plugins @semantic-release/commit-analyzer --branches $GITHUB_REF + VERSION=$(cat .VERSION) + - shell: bash run: | echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_ENV - #build linux + #build linux - shell: bash if: matrix.os == 'ubuntu-latest' run: | CGO_ENABLED=1 GOOS=linux GOARCH=amd64 go build -ldflags "-s -w -X 'github.com/open-amt-cloud-toolkit/console/internal/app.Version=$VERSION'" -trimpath -o dist/linux/console_linux_x64 ./cmd/app/main.go - - - shell: bash + + - shell: bash if: matrix.os == 'windows-latest' run: | CGO_ENABLED=1 GOOS=windows GOARCH=amd64 go build -ldflags "-s -w -X 'github.com/open-amt-cloud-toolkit/console/internal/app.Version=$VERSION'" -trimpath -o dist/windows/console_windows_x64 ./cmd/app/main.go - + - shell: bash if: matrix.os == 'macos-latest' run: | CGO_ENABLED=1 GOOS=darwin GOARCH=arm64 go build -ldflags "-s -w -X 'github.com/open-amt-cloud-toolkit/console/internal/app.Version=$VERSION'" -trimpath -o dist/farwin/console_mac_arm64 ./cmd/app/main.go - - - uses: actions/cache@v4 + + - uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2 if: matrix.os == 'ubuntu-latest' with: path: dist/linux key: linux-${{ env.sha_short }} - - uses: actions/cache@v4 + - uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2 if: matrix.os == 'macos-latest' with: path: dist/darwin key: darwin-${{ env.sha_short }} - - uses: actions/cache@v4 + - uses: 
actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2 if: matrix.os == 'windows-latest' with: path: dist/windows @@ -105,15 +111,15 @@ jobs: - shell: bash run: | echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_ENV - - uses: actions/cache@v3.2.3 + - uses: actions/cache@58c146cc91c5b9e778e71775dfe9bf1442ad9a12 # v3.2.3 with: path: dist/linux key: linux-${{ env.sha_short }} - - uses: actions/cache@v3.2.3 + - uses: actions/cache@58c146cc91c5b9e778e71775dfe9bf1442ad9a12 # v3.2.3 with: path: dist/darwin key: darwin-${{ env.sha_short }} - - uses: actions/cache@v3.2.3 + - uses: actions/cache@58c146cc91c5b9e778e71775dfe9bf1442ad9a12 # v3.2.3 with: path: dist/windows key: windows-${{ env.sha_short }} @@ -147,7 +153,7 @@ jobs: username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_PASSWORD }} logout: true - + - name: Semantic Release uses: cycjimmy/semantic-release-action@b1b432f13acb7768e0c8efdec416d363a57546f2 # v4.1.1 if: steps.cache.outputs.cache-hit != 'true' # do not run if cache hit
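Review bot: In the `Check semantic versioning` step, `--branches $GITHUB_REF` is unquoted and relies on a step-level `env:` entry whose name collides with a default runner variable. GitHub's documentation says default `GITHUB_*` variables cannot be overwritten, so the command may receive the runner's own ref instead of `github.head_ref`. The step also has no `shell: bash`, so on the `windows-latest` leg (PowerShell by default, unless a workflow-level default is set outside this hunk) `$GITHUB_REF` would not read the environment at all. Consider `HEAD_REF: ${{ github.head_ref }}` under `env:`, adding `shell: bash`, and passing `--branches "$HEAD_REF"`. Separately, on the context lines the macOS build writes to `dist/farwin` while its cache step stores `dist/darwin`, which looks like a typo.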
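Review bot: The three restore steps in the `@@ -105,15 +111,15 @@` hunk are now pinned to `actions/cache` v3.2.3, while the build job in the previous hunk saves the same `dist/*` paths with v4.1.2, so the pin freezes a major-version mismatch between the job that writes the cache and the job that reads it. Consider using the same pin here, `actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2`, and enabling automated updates for pinned SHAs so they do not go stale. None of the cache steps visible in this hunk sets an `id`, so if the later `steps.cache.outputs.cache-hit != 'true'` condition is meant to refer to one of them, it would always evaluate as a miss. The rest of the job lies outside the hunk, so this needs confirming.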