Skip to content

chore(deps): bump python-semantic-release in the python-packages grou… #55

chore(deps): bump python-semantic-release in the python-packages grou…

chore(deps): bump python-semantic-release in the python-packages grou… #55

Workflow file for this run

name: Release
on:
push:
branches: master
tags:
- 'v*'
paths:
- '.github/workflows/release.yml'
- 'api/*.py'
- 'pyproject.toml'
- 'Dockerfile'
jobs:
release:
name: Release
if: |
github.actor != 'dependabot[bot]' &&
github.actor != 'github-actions[bot]' &&
github.actor != 'protected-auto-commits[bot]'
runs-on: ubuntu-latest
concurrency: release
permissions:
id-token: write
contents: write
issues: write
pull-requests: write
outputs:
new_release_version: ${{ steps.semantic.outputs.version }}
steps:
- name: GitHub App Token
uses: actions/create-github-app-token@v1
id: app-token
with:
app-id: ${{ secrets.GH_APP_ID }}
private-key: ${{ secrets.GH_PRIVATE_KEY }}
- name: Checkout Repo
uses: actions/checkout@v4
with:
fetch-depth: 0
token: ${{ steps.app-token.outputs.token }}
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: '3.12'
cache: "pip"
- name: Cache Dependencies
uses: actions/cache@v4
with:
path: ~/.cache/pip
key: ${{ runner.os }}-pip-${{ hashFiles('requirements.txt') }}
restore-keys: |
${{ runner.os }}-pip-
- name: Install Dependencies
run: |
python -m pip install --upgrade pip
pip install python-semantic-release
- name: Setup Git
run: |
git fetch origin
git reset --hard origin/${{ github.ref_name }}
- name: Semantic Release
uses: python-semantic-release/[email protected]
id: semantic
with:
github_token: ${{ steps.app-token.outputs.token }}
docker:
name: Docker
runs-on: ubuntu-latest
if: needs.semantic-release.outputs.new_release_version != ''
permissions:
contents: read
attestations: write
id-token: write
packages: write
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: ${{ github.ref != 'refs/heads/master' }}
needs: release
steps:
- name: GitHub App Token
uses: actions/create-github-app-token@v1
id: app-token
with:
app-id: ${{ secrets.GH_APP_ID }}
private-key: ${{ secrets.GH_PRIVATE_KEY }}
- name: Checkout Repo
uses: actions/checkout@v4
with:
fetch-depth: 0
fetch-tags: true
token: ${{ steps.app-token.outputs.token }}
- name: Install CoSign
if: github.event_name != 'pull_request'
uses: sigstore/[email protected]
with:
cosign-release: 'v2.4.0'
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Log in to Docker Hub
uses: docker/login-action@v3
with:
username: ${{ vars.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_TOKEN }}
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Get latest Release
id: get_latest_release
run: |
latest_release=$(gh release list --limit 1 --json tagName --jq '.[0].tagName')
echo "LATEST_RELEASE=${latest_release}" >> $GITHUB_ENV
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Extract Docker Metadata
id: meta
uses: docker/metadata-action@v5
with:
images: |
${{ vars.DOCKER_USERNAME }}/wakatime-leaderboards
ghcr.io/${{ github.repository_owner }}/Wakatime-Leaderboards
tags: |
type=raw,value=master
type=raw,value=${{ env.LATEST_RELEASE }}
- name: Build & Push Docker Image
id: push
uses: docker/build-push-action@v6
with:
context: .
file: ./Dockerfile
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
platforms: linux/amd64
cache-from: type=gha
cache-to: type=gha,mode=max
secrets: |
GITHUB_TOKEN=${{ steps.app-token.outputs.token }}
- name: Sign the published Docker Image
if: ${{ github.event_name != 'pull_request' }}
env:
TAGS: ${{ steps.meta.outputs.tags }}
DIGEST: ${{ steps.push.outputs.digest }}
run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
- name: Generate Artifact Attestation
uses: actions/attest-build-provenance@v1
with:
subject-name: ghcr.io/${{ github.repository_owner }}/Wakatime-Leaderboards
subject-digest: ${{ steps.push.outputs.digest }}
push-to-registry: true
- name: Docker Scout Scan
uses: docker/[email protected]
with:
command: quickview, cves
image: ${{ vars.DOCKER_USERNAME }}/wakatime-leaderboards:master
write-comment: true
github-token: ${{ secrets.GITHUB_TOKEN }}
sarif-file: docker-scout-results.sarif
- name: Upload Scout Scan Results
if: always()
uses: actions/upload-artifact@v4
with:
name: docker-scout-results
path: docker-scout-results.sarif
cleanup:
runs-on: ubuntu-latest
needs: docker
name: Cleanup
permissions:
contents: read
packages: write
steps:
- name: Checkout Repo
uses: actions/checkout@v4
- name: Login to Docker Hub
uses: docker/login-action@v3
with:
username: ${{ vars.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_TOKEN }}
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Delete Old Docker Hub Tags
run: |
echo "Fetching Docker Hub tags..."
tags=$(curl -s -H "Authorization: Bearer ${{ secrets.DOCKER_TOKEN }}" "https://hub.docker.com/v2/repositories/${{ vars.DOCKER_USERNAME }}/wakatime-leaderboards/tags" | jq -r '.results[].name')
echo "Tags found in Docker Hub:"
echo "$tags"
latest_tag=$(echo "$tags" | grep -E '^v[0-9]+\.[0-9]+\.[0-9]+$' | sort -rV | head -n 1)
echo "Latest semantic version tag is $latest_tag"
for tag in $tags; do
if [[ "$tag" != "master" && "$tag" != "$latest_tag" ]]; then
echo "Deleting tag $tag from Docker Hub"
curl -X DELETE -H "Authorization: Bearer ${{ secrets.DOCKER_TOKEN }}" "https://hub.docker.com/v2/repositories/${{ vars.DOCKER_USERNAME }}/wakatime-leaderboards/tags/$tag/"
else
echo "Keeping tag $tag"
fi
done
- name: Delete Old GHCR Tags
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
REPO_OWNER: ${{ github.repository_owner }}
PACKAGE_NAME: "wakatime-leaderboards"
run: |
echo "Fetching GHCR tags..."
page=1
all_tags=""
while true; do
tags=$(curl -s -H "Authorization: Bearer $GITHUB_TOKEN" \
"https://api.github.com/user/packages/container/$PACKAGE_NAME/versions?per_page=100&page=$page" | jq -r '.[].metadata.container.tags[]')
if [ -z "$tags" ]; then
break
fi
all_tags="$all_tags $tags"
((page++))
done
echo "Tags found in GHCR:"
echo "$all_tags"
latest_tag=$(echo "$all_tags" | grep -E '^v[0-9]+\.[0-9]+\.[0-9]+$' | sort -rV | head -n 1)
echo "Latest semantic version tag is $latest_tag"
for tag in $all_tags; do
if [[ "$tag" != "master" && "$tag" != "$latest_tag" ]]; then
echo "Deleting tag $tag from GHCR"
version_id=$(curl -s -H "Authorization: Bearer $GITHUB_TOKEN" \
"https://api.github.com/user/packages/container/$PACKAGE_NAME/versions" | \
jq -r ".[] | select(.metadata.container.tags[] == \"$tag\") | .id")
if [ -n "$version_id" ]; then
curl -X DELETE -H "Authorization: Bearer $GITHUB_TOKEN" \
"https://api.github.com/user/packages/container/$PACKAGE_NAME/versions/$version_id"
else
echo "Warning: Could not find version ID for tag $tag"
fi
else
echo "Keeping tag $tag"
fi
done