Skip to content

fix(deps): update module golang.org/x/crypto to v0.17.0 [security] (#… #681

fix(deps): update module golang.org/x/crypto to v0.17.0 [security] (#…

fix(deps): update module golang.org/x/crypto to v0.17.0 [security] (#… #681

on:
push:
branches:
- main
env:
# Stringified list of items that should be published
PUBLISHABLE_ITEMS: '["flagd","flagd-proxy"]'
REGISTRY: ghcr.io
REPO_OWNER: ${{ github.repository_owner }}
DEFAULT_GO_VERSION: '1.20'
PUBLIC_KEY_FILE: publicKey.pub
GOPRIVATE: buf.build/gen/go
name: Release Please
jobs:
release-please:
name: Release Please
runs-on: ubuntu-latest
# Release-please creates a PR that tracks all changes
steps:
- name: Get current date
id: date
run: echo "::set-output name=date::$(date +'%Y-%m-%d')"
- uses: google-github-actions/release-please-action@cc61a07e2da466bebbc19b3a7dd01d6aecb20d1e # v4
id: release
with:
token: ${{secrets.GITHUB_TOKEN}}
default-branch: main
- name: Dump Release Please Output
env:
RELEASE_PLEASE_OUTPUT: ${{ toJson(steps.release.outputs) }}
run: |
echo "$RELEASE_PLEASE_OUTPUT"
- name: Determine what should be published
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7
id: items-to-publish
env:
CHANGED_ITEMS: "${{ steps.release.outputs.paths_released }}"
with:
# Release please outputs a string representation of an array under the key paths_released
# This script parses the output, and filters each of the changed items (provided as paths to the root of the package, e.g. flagd or core)
# to remove any values not present in the PUBLISHABLE_ITEMS array. This filtered array is then stringified and exported as items-to-publish.outputs.result
# this can be picked up by subsequent jobs and used in a matrix to loop over the PUBLISHABLE_ITEMS within the release
script: |
const changedItems = JSON.parse(process.env.CHANGED_ITEMS || '[]');
console.log("changed items", changedItems);
const eligibleItems = JSON.parse(process.env.PUBLISHABLE_ITEMS || '[]');
console.log("eligible items", eligibleItems);
const itemsToPublish = changedItems.filter(i => eligibleItems.includes(i));
console.log("items to publish", itemsToPublish);
return itemsToPublish;
outputs:
date: ${{ steps.date.outputs.date }}
items_to_publish: ${{ steps.items-to-publish.outputs.result }}
flagd_version: ${{ steps.release.outputs.flagd--version }}
flagd_tag_name: ${{ steps.release.outputs.flagd--tag_name }}
flagd-proxy_version: ${{ steps.release.outputs.flagd-proxy--version }}
flagd-proxy_tag_name: ${{ steps.release.outputs.flagd-proxy--tag_name }}
container-release:
name: Build and push containers to GHCR
needs: release-please
runs-on: ubuntu-latest
if: ${{ needs.release-please.outputs.items_to_publish != '' && toJson(fromJson(needs.release-please.outputs.items_to_publish)) != '[]' }}
strategy:
matrix:
path: ${{ fromJSON(needs.release-please.outputs.items_to_publish) }}
env:
TAG: ${{ needs.release-please.outputs[format('{0}_tag_name', matrix.path)] }}
VERSION: v${{ needs.release-please.outputs[format('{0}_version', matrix.path)] }}
steps:
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
with:
ref: ${{ env.TAG }}
- name: Log in to the Container registry
uses: docker/login-action@3d58c274f17dffee475a5520cbe67f0a882c4dbb
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Extract metadata (tags, labels) for Docker
id: meta
uses: docker/metadata-action@9dc751fe249ad99385a2583ee0d084c400eee04e
with:
images: ${{ env.REGISTRY }}/${{ matrix.path }}
- name: Set up QEMU
uses: docker/setup-qemu-action@master
with:
platforms: all
- name: Set up Docker Buildx
id: buildx
uses: docker/setup-buildx-action@master
- name: Build
id: build
uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5
with:
builder: ${{ steps.buildx.outputs.name }}
context: .
file: ./${{ matrix.path }}/build.Dockerfile
platforms: linux/amd64,linux/arm64
push: true
tags: |
${{ env.REGISTRY }}/${{ env.REPO_OWNER }}/${{ matrix.path }}:latest
${{ env.REGISTRY }}/${{ env.REPO_OWNER }}/${{ matrix.path }}:${{ env.VERSION }}
labels: ${{ steps.meta.outputs.labels }}
build-args: |
VERSION=${{ env.VERSION }}
COMMIT=${{ github.sha }}
DATE=${{ needs.release-please.outputs.date }}
- name: Install Cosign
uses: sigstore/cosign-installer@b18d21aaa20ef40c4e681202a598b7591d5be577
- name: Sign the image
run: |
cosign sign --yes --key env://COSIGN_PRIVATE_KEY ${{ env.REGISTRY }}/${{ env.REPO_OWNER }}/${{ matrix.path }}@${{ steps.build.outputs.digest }}
cosign public-key --key env://COSIGN_PRIVATE_KEY --outfile ${{ env.PUBLIC_KEY_FILE }}
env:
COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}}
COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
- name: Generate image SBOM file name
id: image-sbom-file-gen
run: echo "IMG_SBOM_FILE=${{ format('{0}-{1}-sbom.spdx', matrix.path, env.VERSION) }}" >> $GITHUB_OUTPUT
- name: SBOM for latest image
uses: anchore/sbom-action@5ecf649a417b8ae17dc8383dc32d46c03f2312df # v0
with:
image: ${{ env.REGISTRY }}/${{ env.REPO_OWNER }}/${{ matrix.path }}:${{ env.VERSION }}
artifact-name: ${{ steps.image-sbom-file-gen.outputs.IMG_SBOM_FILE }}
output-file: ${{ steps.image-sbom-file-gen.outputs.IMG_SBOM_FILE }}
- name: Bundle release assets
uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1
with:
tag_name: ${{ env.TAG }}
files: |
${{ env.PUBLIC_KEY_FILE }}
${{ steps.image-sbom-file-gen.outputs.IMG_SBOM_FILE }}
release-go-binaries:
name: Create and publish binaries to GitHub
needs: release-please
runs-on: ubuntu-latest
if: ${{ needs.release-please.outputs.items_to_publish != '' && toJson(fromJson(needs.release-please.outputs.items_to_publish)) != '[]' }}
strategy:
matrix:
path: ${{ fromJSON(needs.release-please.outputs.items_to_publish) }}
env:
TAG: ${{ needs.release-please.outputs[format('{0}_tag_name', matrix.path)] }}
VERSION: v${{ needs.release-please.outputs[format('{0}_version', matrix.path)] }}
VERSION_NO_PREFIX: ${{ needs.release-please.outputs[format('{0}_version', matrix.path)] }}
COMMIT: ${{ github.sha }}
DATE: ${{ needs.release-please.outputs.date }}
BUILD_ARGS: '-a -ldflags "-X main.version=${VERSION} -X main.commit=${COMMIT} -X main.date=${DATE}"'
steps:
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
with:
ref: ${{ env.TAG }}
- name: Set up Go
uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5
with:
go-version: ${{ env.DEFAULT_GO_VERSION }}
- name: Download cyclonedx-gomod
uses: CycloneDX/gh-gomod-generate-sbom@efc74245d6802c8cefd925620515442756c70d8f # v2
with:
version: v1
- name: setup for builds
# TODO: The README should also be moved ready for bundling once both flagd-proxy and flagd have package specific READMEs
run: |
make workspace-init
mv ./${{ matrix.path }}/CHANGELOG.md CHANGELOG.md
cd ${{ matrix.path }} && cyclonedx-gomod app > ../sbom.xml
- name: build darwin arm64
run: |
env CGO_ENABLED=0 GOOS=darwin GOARCH=arm64 go build ${{ env.BUILD_ARGS }} -o ./${{ matrix.path }}_darwin_arm64 ./${{ matrix.path }}/main.go
tar -cvzf ${{ matrix.path }}_${{ env.VERSION_NO_PREFIX }}_Darwin_arm64.tar.gz ./${{ matrix.path }}_darwin_arm64 ./LICENSE ./CHANGELOG.md ./README.md ./sbom.xml
- name: build darwin x86_64
run: |
env CGO_ENABLED=0 GOOS=darwin GOARCH=amd64 go build ${{ env.BUILD_ARGS }} -o ./${{ matrix.path }}_darwin_x86_64 ./${{ matrix.path }}/main.go
tar -cvzf ${{ matrix.path }}_${{ env.VERSION_NO_PREFIX }}_Darwin_x86_64.tar.gz ./${{ matrix.path }}_darwin_x86_64 ./LICENSE ./CHANGELOG.md ./README.md ./sbom.xml
- name: build linux arm64
run: |
env CGO_ENABLED=0 GOOS=linux GOARCH=arm64 go build ${{ env.BUILD_ARGS }} -o ./${{ matrix.path }}_linux_arm64 ./${{ matrix.path }}/main.go
tar -cvzf ${{ matrix.path }}_${{ env.VERSION_NO_PREFIX }}_Linux_arm64.tar.gz ./${{ matrix.path }}_linux_arm64 ./LICENSE ./CHANGELOG.md ./README.md ./sbom.xml
- name: build linux x86_64
run: |
env CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build ${{ env.BUILD_ARGS }} -o ./${{ matrix.path }}_linux_x86_64 ./${{ matrix.path }}/main.go
tar -cvzf ${{ matrix.path }}_${{ env.VERSION_NO_PREFIX }}_Linux_x86_64.tar.gz ./${{ matrix.path }}_linux_x86_64 ./LICENSE ./CHANGELOG.md ./README.md ./sbom.xml
- name: build linux i386
run: |
env CGO_ENABLED=0 GOOS=linux GOARCH=386 go build ${{ env.BUILD_ARGS }} -o ./${{ matrix.path }}_linux_i386 ./${{ matrix.path }}/main.go
tar -cvzf ${{ matrix.path }}_${{ env.VERSION_NO_PREFIX }}_Linux_i386.tar.gz ./${{ matrix.path }}_linux_i386 ./LICENSE ./CHANGELOG.md ./README.md ./sbom.xml
# Windows artifacts use .zip archive
- name: build windows x86_64
run: |
env CGO_ENABLED=0 GOOS=windows GOARCH=amd64 go build ${{ env.BUILD_ARGS }} -o ./${{ matrix.path }}_windows_x86_64 ./${{ matrix.path }}/main.go
zip -r ${{ matrix.path }}_${{ env.VERSION_NO_PREFIX }}_Windows_x86_64.zip ./${{ matrix.path }}_windows_x86_64 ./LICENSE ./CHANGELOG.md ./README.md ./sbom.xml
- name: build windows i386
run: |
env CGO_ENABLED=0 GOOS=windows GOARCH=386 go build ${{ env.BUILD_ARGS }} -o ./${{ matrix.path }}_windows_i386 ./${{ matrix.path }}/main.go
zip -r ${{ matrix.path }}_${{ env.VERSION_NO_PREFIX }}_Windows_i386.zip ./${{ matrix.path }}_windows_i386 ./LICENSE ./CHANGELOG.md ./README.md ./sbom.xml
# Bundle licenses
- name: Install go-licenses
run: go install github.com/google/go-licenses@latest
- name: Build license extraction locations
id: license-files
run: |
echo "LICENSE_FOLDER=${{ format('{0}-third-party-license', matrix.path) }}" >> $GITHUB_OUTPUT
echo "LICENSE_ERROR_FILE=${{ format('{0}-license-errors.txt', matrix.path) }}" >> $GITHUB_OUTPUT
- name: Run go-licenses for module ${{ matrix.path }}
run: go-licenses save ./${{ matrix.path }} --save_path=./${{ steps.license-files.outputs.LICENSE_FOLDER }} --force --logtostderr=false 2> ./${{ steps.license-files.outputs.LICENSE_ERROR_FILE }}
continue-on-error: true # tool set stderr which can be ignored and referred through error artefact
- name: Bundle license extracts
run: tar czf ./${{ steps.license-files.outputs.LICENSE_FOLDER }}.tar.gz ./${{ steps.license-files.outputs.LICENSE_FOLDER }}
# Bundle release artifacts
- name: Bundle release assets
uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1
with:
tag_name: ${{ env.TAG }}
files: |
./sbom.xml
./*.tar.gz
./*.zip
./${{ steps.license-files.outputs.LICENSE_ERROR_FILE }}
homebrew:
name: Bump homebrew-core formula
needs: release-please
runs-on: ubuntu-latest
# Only run on non-forked flagd releases
if: ${{ github.repository_owner == 'open-feature' && needs.release-please.outputs.flagd_tag_name }}
steps:
- uses: mislav/bump-homebrew-formula-action@v2
with:
formula-name: flagd
# https://github.com/mislav/bump-homebrew-formula-action/issues/58
formula-path: Formula/f/flagd.rb
tag-name: ${{ needs.release-please.outputs.flagd_tag_name }}
download-url: https://github.com/${{ github.repository }}.git
commit-message: |
{{formulaName}} ${{ needs.release-please.outputs.flagd_version }}
Created by https://github.com/mislav/bump-homebrew-formula-action
env:
COMMITTER_TOKEN: ${{ secrets.COMMITTER_TOKEN }}