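---
# Release workflow: one build job produces the sdist, wheel and CycloneDX SBOM;
# downstream jobs publish those same artefacts to PyPI, container registries
# and a GitHub Release. Reconstructed with 2-space indentation and an explicit
# document start so generic YAML tooling (yamllint, Prettier) accepts it.
name: Release

on:
  # Tag pushes are the real release path.
  push:
    tags:
      - "v*.*.*"
  # Manual runs default to a dry run: build and validate, but the upload
  # jobs are gated on `!inputs.dry_run`.
  workflow_dispatch:
    inputs:
      dry_run:
        description: "Build and smoke-test but do not upload"
        type: boolean
        default: true

# Least privilege at the workflow level; each job raises only the scopes it
# needs (id-token for OIDC, contents/packages for publishing).
permissions:
  contents: read

defaults:
  run:
    # bash so that the multi-line `run:` scripts below get `set -e` semantics.
    shell: bash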
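jobs:
  build:
    name: Build sdist + wheel + SBOM
    runs-on: ubuntu-latest
    outputs:
      # Consumed by sign-and-release for the release title.
      version: ${{ steps.meta.outputs.version }}
    steps:
      - name: Checkout (full history for setuptools-scm)
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
        with:
          fetch-depth: 0
      - name: Set up Python
        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065
        with:
          python-version: "3.12"
      - name: Install build + twine + cyclonedx-bom
        run: |
          python -m pip install --upgrade pip
          pip install build twine 'cyclonedx-bom>=4,<7'
      - name: Build wheel + sdist
        run: python -m build
      - name: Validate distributions
        run: twine check dist/*
      - name: Install runtime deps for env-based SBOM fallback
        run: pip install -r requirements.txt
      - name: Generate CycloneDX SBOM (JSON + XML)
        run: |
          set -e
          python -m cyclonedx_py requirements \
            --of JSON --output-reproducible -o sbom.json requirements.txt
          python -m cyclonedx_py requirements \
            --of XML --output-reproducible -o sbom.xml requirements.txt
      - name: Extract release version
        id: meta
        # On a tag push the version is the tag minus its leading "v"; on a
        # manual run it falls back to the installed package metadata, or
        # "dev" if that lookup fails.
        run: |
          VERSION="${GITHUB_REF_NAME#v}"
          if [ "${GITHUB_REF_TYPE}" != "tag" ]; then
            VERSION=$(python -c "from importlib.metadata import version; print(version('stegx-cli'))" 2>/dev/null || echo "dev")
          fi
          echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
          echo "Releasing version: ${VERSION}"
      - name: Upload build artefacts
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
        with:
          name: dist-and-sbom
          path: |
            dist/*
            sbom.json
            sbom.xml
          retention-days: 90

  pypi:
    name: Publish to PyPI (Trusted Publishing)
    runs-on: ubuntu-latest
    needs: build
    # Runs on every tag push, and on manual dispatch only when dry_run is off.
    if: ${{ github.event_name == 'push' || !inputs.dry_run }}
    environment:
      name: pypi
      url: https://pypi.org/p/stegx-cli
    permissions:
      # Only scope needed: the OIDC token for Trusted Publishing. No API
      # token secret is stored in the repository.
      id-token: write
    steps:
      - name: Download build artefacts
        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093
        with:
          name: dist-and-sbom
          path: .
      - name: Publish to PyPI via OIDC
        uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc
        with:
          packages-dir: dist
          skip-existing: true
          attestations: true
          verbose: true

  sign-and-release:
    name: Sigstore-sign + GitHub Release
    runs-on: ubuntu-latest
    needs: build
    # Tag pushes only; manual runs never create a release.
    if: ${{ github.event_name == 'push' && startsWith(github.ref, 'refs/tags/') }}
    permissions:
      contents: write  # create the GitHub Release
      id-token: write  # keyless signing via sigstore
    steps:
      - name: Checkout (for CHANGELOG.md release body)
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
      - name: Download build artefacts
        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093
        with:
          name: dist-and-sbom
          path: .
      - name: Sign distributions with sigstore
        uses: sigstore/gh-action-sigstore-python@f514d46b907ebcd5bedc05145c03b69c1edd8b46
        with:
          inputs: ./dist/*.whl ./dist/*.tar.gz
      - name: Create GitHub Release
        uses: softprops/action-gh-release@72f2c25fcb47643c292f7107632f7a47c1df5cd8
        with:
          name: StegX ${{ needs.build.outputs.version }}
          tag_name: ${{ github.ref_name }}
          body_path: ${{ github.workspace }}/CHANGELOG.md
          # NOTE(review): presumably the sigstore bundles land next to the
          # inputs in dist/ and are picked up by `dist/*` — verify in a run.
          files: |
            dist/*
            sbom.json
            sbom.xml
          generate_release_notes: true
          fail_on_unmatched_files: true

  docker:
    name: Publish Docker image (GHCR + Docker Hub)
    runs-on: ubuntu-latest
    needs: build
    if: ${{ github.event_name == 'push' || !inputs.dry_run }}
    permissions:
      contents: read
      packages: write  # push to ghcr.io
      # NOTE(review): nothing in this job visibly consumes an OIDC token;
      # confirm provenance/SBOM attestation needs id-token, otherwise drop it.
      id-token: write
    env:
      # Docker Hub publishing is optional: everything Docker Hub-specific is
      # gated on this variable being non-empty.
      DOCKERHUB_USERNAME: ${{ vars.DOCKERHUB_USERNAME }}
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
      - name: Set up QEMU (multi-arch)
        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f
      - name: Log in to GitHub Container Registry
        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Log in to Docker Hub
        if: env.DOCKERHUB_USERNAME != ''
        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9
        with:
          username: ${{ vars.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - name: Compose image targets
        id: targets
        # Emits a newline-separated list via a heredoc-style multi-line output.
        run: |
          set -e
          IMAGES="ghcr.io/${{ github.repository_owner }}/stegx"
          if [ -n "${DOCKERHUB_USERNAME}" ]; then
            IMAGES="${IMAGES}"$'\n'"docker.io/${DOCKERHUB_USERNAME}/stegx"
          fi
          {
            echo 'images<<EOF'
            echo "${IMAGES}"
            echo 'EOF'
          } >> "$GITHUB_OUTPUT"
      - name: Extract image metadata
        id: meta
        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051
        with:
          images: ${{ steps.targets.outputs.images }}
          tags: |
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=semver,pattern={{major}}
            type=ref,event=branch
            type=sha,format=short
            type=raw,value=latest,enable=${{ github.event_name == 'push' && startsWith(github.ref, 'refs/tags/') }}
      - name: Build and push image (multi-arch)
        id: build
        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8
        with:
          context: .
          file: Dockerfile
          # Same condition as the job-level `if:`, so this is always true when
          # the step runs; kept for safety if the job gate is ever relaxed.
          push: ${{ github.event_name == 'push' || !inputs.dry_run }}
          platforms: linux/amd64,linux/arm64
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
          provenance: true
          sbom: true
      - name: Update Docker Hub Description
        # TODO(security): every other action in this workflow is pinned to a
        # commit SHA; this mutable tag should be pinned the same way
        # (peter-evans/dockerhub-description@<commit-sha-of-v4>).
        uses: peter-evans/dockerhub-description@v4
        if: ${{ env.DOCKERHUB_USERNAME != '' && (github.event_name == 'push' || !inputs.dry_run) }}
        with:
          username: ${{ vars.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
          repository: ${{ vars.DOCKERHUB_USERNAME }}/stegx
          readme-filepath: ./README.md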