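# This workflow performs additional tasks on a PR when
# someone (or start-release.yml) push to a vXXX branch.
# Those tasks are to push a new develop docker image, create
# release artifacts with the Linux and MacOS semgrep packages,
# update PyPI and homebrew, etc.
#
# Every step that changes external state (PyPI, Docker, GitHub releases,
# Homebrew) is gated on the `dry-run` job output and on the ref not being
# a `*-test-release` branch. Values that come from expressions
# (`${{ ... }}`) are handed to shell steps through `env:` rather than
# being spliced into the script text, so a ref or output containing shell
# metacharacters cannot alter the command that runs.
name: release
on:  # yamllint disable-line rule:truthy
  workflow_dispatch:
    inputs:
      dry-run:
        description: "Run the release in dry-run mode, e.g., without changing external state (like pushing to PyPI/Docker)"
        required: true
        type: boolean
        default: true
  workflow_call:
    inputs:
      dry-run:
        description: "Run the release in dry-run mode, e.g., without changing external state (like pushing to PyPI/Docker)"
        required: true
        type: boolean
        default: true
  push:
    branches:
      # Sequence of patterns matched against refs/heads
      - "**-test-release"
    tags:
      - "v*" # Push events to matching v*, i.e. v1.0, v20.15.10
jobs:
  dry-run:
    name: Evaluate Dry Run
    runs-on: ubuntu-22.04
    outputs:
      dry-run: ${{ steps.dry-run.outputs.dry-run }}
    steps:
      - name: Evaluate Dry Run
        id: dry-run
        # `inputs.dry-run` is only populated for workflow_dispatch and
        # workflow_call; on a plain tag/branch push it is empty, so the
        # comparison below falls through to a real (non-dry-run) release.
        env:
          DRY_RUN_INPUT: ${{ inputs.dry-run }}
        run: |
          if [ "${DRY_RUN_INPUT}" = "true" ]; then
            echo "dry-run=true" >> "$GITHUB_OUTPUT"
            echo "Setting dry-run to TRUE"
          else
            echo "dry-run=false" >> "$GITHUB_OUTPUT"
            echo "Setting dry-run to FALSE"
          fi
  park-pypi-packages:
    name: Park PyPI package names
    runs-on: ubuntu-latest
    needs: [dry-run]
    if: ${{ !contains(github.ref, '-test-release') && needs.dry-run.outputs.dry-run != 'true' }}
    defaults:
      run:
        working-directory: cli/
    env:
      SEMGREP_SKIP_BIN: "1"
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-python@v4
        with:
          python-version: "3.10"
          cache: pipenv
      - run: sudo python3 -m pip install pipenv==2022.6.7
      - name: Install dependencies
        run: pipenv install --dev
      - name: Build parked packages
        run: pipenv run python setup.py park
      - name: Publish to Pypi
        # This step receives the PyPI upload token, so the action is pinned
        # to the maintained release line rather than the mutable `master`.
        uses: pypa/gh-action-pypi-publish@release/v1
        if: ${{ !contains(github.ref, '-test-release') }}
        with:
          user: __token__
          password: ${{ secrets.pypi_upload_token }}
          skip_existing: true
          packages_dir: cli/dist/
      - name: Publish to test Pypi
        # NOTE: the job-level `if:` above already excludes `-test-release`
        # refs, so this step cannot currently run; kept for parity with
        # upload-wheels in case the job gate is relaxed.
        uses: pypa/gh-action-pypi-publish@release/v1
        if: ${{ contains(github.ref, '-test-release') }}
        with:
          repository_url: https://test.pypi.org/legacy/
          user: __token__
          password: ${{ secrets.test_pypi_upload_token }}
          skip_existing: true
          packages_dir: cli/dist/
  build-test-docker:
    uses: ./.github/workflows/build-test-docker.yaml
    secrets: inherit
    with:
      docker-tags: |
        type=semver,pattern={{version}}
        type=semver,pattern={{major}}.{{minor}}
      repository-name: ${{ github.repository }}
      artifact-name: image-release
      file: Dockerfile
      enable-tests: true
  build-test-osx-x86:
    uses: ./.github/workflows/build-test-osx-x86.yaml
    secrets: inherit
  build-test-osx-m1:
    uses: ./.github/workflows/build-test-osx-m1.yaml
    secrets: inherit
  build-test-core-x86:
    uses: ./.github/workflows/build-test-core-x86.yaml
    secrets: inherit
  build-test-ubuntu-16-04:
    needs: [build-test-core-x86]
    uses: ./.github/workflows/build-test-ubuntu-x86.yaml
    secrets: inherit
  build-test-manylinux-x86:
    needs: [build-test-core-x86]
    uses: ./.github/workflows/build-test-manylinux-x86.yaml
    secrets: inherit
  wait-for-build-test:
    name: Wait for Build/Test All Platforms
    runs-on: ubuntu-22.04
    # Fan-in job: everything that publishes depends on this single job
    # instead of on each platform build separately.
    needs:
      - build-test-docker
      - build-test-manylinux-x86
      - build-test-osx-x86
      - build-test-osx-m1
      - build-test-ubuntu-16-04
    steps:
      - name: Continue
        run: echo "All Platforms have been built and tested - proceeding!"
  push-docker:
    needs: [wait-for-build-test, dry-run]
    uses: ./.github/workflows/push-docker.yaml
    secrets: inherit
    with:
      artifact-name: image-release
      repository-name: ${{ github.repository }}
      dry-run: ${{ needs.dry-run.outputs.dry-run == 'true' }}
  upload-wheels:
    name: Upload Wheels to PyPI
    runs-on: ubuntu-latest
    needs: [wait-for-build-test, dry-run]
    steps:
      - name: Download Artifact
        uses: actions/download-artifact@v3
        with:
          name: manylinux-wheel
          path: manylinux-wheel
      - name: Download Osx Artifact
        uses: actions/download-artifact@v3
        with:
          name: osx-wheel
          path: osx-wheel
      - name: Download M1 Artifact
        uses: actions/download-artifact@v3
        with:
          name: m1-wheel
          path: m1-wheel
      - name: Unzip
        run: unzip ./manylinux-wheel/dist.zip
      - name: Unzip OSX Wheel
        # Don't unzip tar.gz because it already exists from ./manylinux-wheel/dist.zip.
        run: unzip ./osx-wheel/dist.zip "*.whl"
      - name: Unzip M1 Wheel
        # Don't unzip tar.gz because it already exists from ./manylinux-wheel/dist.zip.
        run: unzip ./m1-wheel/dist.zip "*.whl"
      - name: Publish to Pypi
        # Pinned to the maintained release line (was `@master`); this step
        # receives the PyPI upload token.
        uses: pypa/gh-action-pypi-publish@release/v1
        if: ${{ !contains(github.ref, '-test-release') && needs.dry-run.outputs.dry-run != 'true' }}
        with:
          user: __token__
          password: ${{ secrets.pypi_upload_token }}
          skip_existing: true
  create-release:
    name: Create the Github Release
    runs-on: ubuntu-latest
    needs: [wait-for-build-test, dry-run]
    if: ${{ !contains(github.ref, '-test-release') && needs.dry-run.outputs.dry-run != 'true' }}
    steps:
      - name: Get the version
        id: get-version
        # Strips the `refs/tags/` prefix, so VERSION is the bare tag (e.g. v1.2.3).
        run: echo "VERSION=${GITHUB_REF/refs\/tags\//}" >> "$GITHUB_OUTPUT"
      # wait for the draft release since these may not be ready after the refactor of the start-release.
      - name: Wait for Draft Release if not Ready
        id: wait-draft-release
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          VERSION: ${{ steps.get-version.outputs.VERSION }}
        # Bounded wait (120 x 5s = 10 min): the previous unbounded loop would
        # spin until the runner's job timeout if the draft never appeared.
        run: |
          attempts=0
          until gh release --repo returntocorp/semgrep list -L 5 | grep -qF -- "${VERSION}"; do
            attempts=$((attempts + 1))
            if [ "${attempts}" -ge 120 ]; then
              echo "draft release for ${VERSION} not found after 10 minutes; giving up"
              exit 1
            fi
            echo "release not yet ready, sleeping for 5 seconds"
            sleep 5
          done
      - name: Publish Release
        id: publish_release
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          VERSION: ${{ steps.get-version.outputs.VERSION }}
        run: |
          gh release --repo returntocorp/semgrep edit "${VERSION}" --draft=false
  create-release-interfaces:
    name: Create the Github Release on Semgrep Interfaces
    runs-on: ubuntu-latest
    if: ${{ !contains(github.ref, '-test-release') && needs.dry-run.outputs.dry-run != 'true' }}
    needs: [wait-for-build-test, dry-run]
    steps:
      - name: Get the version
        id: get-version
        run: echo "VERSION=${GITHUB_REF/refs\/tags\//}" >> "$GITHUB_OUTPUT"
      - name: Get JWT for semgrep-ci GitHub App
        id: jwt
        # This container receives the GitHub App private key. `latest` is a
        # mutable tag; prefer pinning the image by digest
        # (`...cicd@sha256:<digest-placeholder>`) so the code that sees the
        # key cannot change underneath the workflow.
        uses: docker://public.ecr.aws/y9k7q4m1/devops/cicd:latest
        env:
          EXPIRATION: 600 # seconds
          ISSUER: ${{ secrets.SEMGREP_CI_APP_ID }} # semgrep-ci GitHub App id
          PRIVATE_KEY: ${{ secrets.SEMGREP_CI_APP_KEY }}
      - name: Get token for semgrep-ci GitHub App
        id: token
        env:
          JWT: ${{ steps.jwt.outputs.jwt }}
          INSTALLATION_ID: ${{ secrets.SEMGREP_CI_APP_INSTALLATION_ID }}
        # `curl --fail` turns an HTTP error into a step failure; without it
        # `jq -r .token` would emit the literal string "null" and the later
        # steps would run with a bogus token.
        run: |
          TOKEN="$(curl --fail --silent --show-error -X POST \
            -H "Authorization: Bearer ${JWT}" \
            -H "Accept: application/vnd.github.v3+json" \
            "https://api.github.com/app/installations/${INSTALLATION_ID}/access_tokens" | \
            jq -r .token)"
          echo "::add-mask::$TOKEN"
          echo "token=$TOKEN" >> "$GITHUB_OUTPUT"
      - name: Checkout
        uses: actions/checkout@v3
        with:
          submodules: true
          token: ${{ steps.token.outputs.token }}
      - name: Upload Schema Files
        id: upload-semgrep-schema-files
        env:
          GITHUB_TOKEN: "${{ steps.token.outputs.token }}"
          VERSION: ${{ steps.get-version.outputs.VERSION }}
        run: |
          gh release --repo returntocorp/semgrep-interfaces upload "${VERSION}" cli/src/semgrep/semgrep_interfaces/rule_schema_v1.yaml
      - name: Publish Release Semgrep Interfaces
        id: publish_release_semgrep_interfaces
        env:
          GITHUB_TOKEN: "${{ steps.token.outputs.token }}"
          VERSION: ${{ steps.get-version.outputs.VERSION }}
        run: |
          gh release --repo returntocorp/semgrep-interfaces edit "${VERSION}" --draft=false
  sleep-before-homebrew:
    name: Sleep 10 min before releasing to homebrew
    # Need to wait for pypi to propagate since pipgrip relies on it being published on pypi
    needs: [dry-run, upload-wheels]
    runs-on: ubuntu-latest
    steps:
      - name: Sleep 10 min
        if: ${{ !contains(github.ref, '-test-release') && needs.dry-run.outputs.dry-run != 'true' }}
        run: sleep 10m
  homebrew-core-pr:
    name: Update on Homebrew-Core
    needs: [dry-run, sleep-before-homebrew] # Needs to run after pypi released so brew can update pypi dependency hashes
    runs-on: macos-12
    steps:
      - name: Get the version
        id: get-version
        # In dry-run mode a placeholder tag is used so `brew bump-formula-pr`
        # can still be exercised without a real release.
        env:
          DRY_RUN: ${{ needs.dry-run.outputs.dry-run }}
        run: |
          TAG=${GITHUB_REF/refs\/tags\//}
          if [ "${DRY_RUN}" = "true" ]; then
            TAG=v99.99.99
          fi
          echo "Using TAG=${TAG}"
          echo "TAG=${TAG}" >> "$GITHUB_OUTPUT"
          echo "Using VERSION=${TAG#v}"
          echo "VERSION=${TAG#v}" >> "$GITHUB_OUTPUT"
      - uses: actions/setup-python@v4
        id: python-setup
        with:
          # Pin to python 3.9 for pipgrip issues: see https://github.com/returntocorp/semgrep/issues/4213
          python-version: "3.9.x"
      - name: Brew update
        run: brew update
      # pipgrip tries to install [email protected], and that has linking issues unless --overwrite is passed.
      # we may be able to remove the python setup above.
      - name: Brew install [email protected]
        run: brew install --overwrite [email protected]
      - name: Install pipgrip
        run: brew install --overwrite pipgrip
      - name: Dry Run Brew PR
        # This step does some brew oddities (setting a fake version, and setting a revision) to allow the brew PR prep to succeed
        # The `brew bump-formula-pr` does checks to ensure your PR is legit, but we want to do a phony PR (or at least prep it) for Dry Run only
        env:
          HOMEBREW_GITHUB_API_TOKEN: ${{ secrets.SEMGREP_HOMEBREW_RELEASE_PAT }}
        if: ${{ contains(github.ref, '-test-release') || needs.dry-run.outputs.dry-run == 'true' }}
        run: |
          brew bump-formula-pr --force --no-audit --no-browse --write-only \
            --message="semgrep 99.99.99" \
            --tag="v99.99.99" --revision="${GITHUB_SHA}" semgrep --python-exclude-packages semgrep
      - name: Open Brew PR
        # `--write-only` only edits the local formula; the PR itself is opened
        # by the "Push to Fork" step below.
        if: ${{ !contains(github.ref, '-test-release') && needs.dry-run.outputs.dry-run != 'true' }}
        env:
          HOMEBREW_GITHUB_API_TOKEN: ${{ secrets.SEMGREP_HOMEBREW_RELEASE_PAT }}
          VERSION: ${{ steps.get-version.outputs.VERSION }}
          TAG: ${{ steps.get-version.outputs.TAG }}
        run: |
          brew bump-formula-pr --force --no-audit --no-browse --write-only \
            --message="semgrep ${VERSION}" \
            --tag="${TAG}" semgrep
      - name: Prepare Branch
        env:
          GITHUB_TOKEN: ${{ secrets.SEMGREP_HOMEBREW_RELEASE_PAT }}
          R2C_HOMEBREW_CORE_FORK_HTTPS_URL: https://github.com/semgrep-release/homebrew-core.git
          ACTOR: ${{ github.actor }}
          VERSION: ${{ steps.get-version.outputs.VERSION }}
        run: |
          cd "$(brew --repository)/Library/Taps/homebrew/homebrew-core"
          git status
          git diff
          git config user.name "${ACTOR}"
          git config user.email "${ACTOR}@users.noreply.github.com"
          gh auth setup-git
          git remote add r2c "${R2C_HOMEBREW_CORE_FORK_HTTPS_URL}"
          git checkout -b "bump-semgrep-${VERSION}"
          git add Formula/semgrep.rb
          git commit -m "semgrep ${VERSION}"
      - name: Push Branch to Fork
        env:
          GITHUB_TOKEN: ${{ secrets.SEMGREP_HOMEBREW_RELEASE_PAT }}
          VERSION: ${{ steps.get-version.outputs.VERSION }}
        if: ${{ !contains(github.ref, '-test-release') && needs.dry-run.outputs.dry-run != 'true' }}
        run: |
          cd "$(brew --repository)/Library/Taps/homebrew/homebrew-core"
          git push --set-upstream r2c --force "bump-semgrep-${VERSION}"
      - name: Push to Fork
        # Despite the name, this step opens the homebrew-core pull request
        # from the fork branch pushed above.
        env:
          GITHUB_TOKEN: ${{ secrets.SEMGREP_HOMEBREW_RELEASE_PAT }}
          R2C_HOMEBREW_CORE_OWNER: semgrep-release
          VERSION: ${{ steps.get-version.outputs.VERSION }}
        if: ${{ !contains(github.ref, '-test-release') && needs.dry-run.outputs.dry-run != 'true' }}
        run: |
          gh pr create --repo homebrew/homebrew-core \
            --base master --head "${R2C_HOMEBREW_CORE_OWNER}:bump-semgrep-${VERSION}" \
            --title="semgrep ${VERSION}" \
            --body "Bump semgrep to version ${VERSION}"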