use the correct paths and binary name #20
| name: CI/CD Pipeline | |
| on: | |
| push: | |
| branches: [ main, develop ] | |
| pull_request: | |
| branches: [ main ] | |
| env: | |
| CARGO_TERM_COLOR: always | |
| REGISTRY: ghcr.io | |
| IMAGE_NAME: joostvdg/git-next-tag-rust | |
| jobs: | |
| test: | |
| name: Test | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| security-events: write | |
| actions: read | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Install Rust | |
| uses: dtolnay/rust-toolchain@stable | |
| with: | |
| components: clippy, rustfmt | |
| - name: Cache dependencies | |
| uses: actions/cache@v3 | |
| with: | |
| path: | | |
| ~/.cargo/cache | |
| ~/.cargo/registry | |
| target/ | |
| key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }} | |
| - name: Check formatting | |
| run: cargo fmt --all -- --check | |
| - name: Run clippy | |
| run: cargo clippy --all-targets --all-features -- -D warnings | |
| - name: Build | |
| run: cargo build --verbose | |
| - name: Run tests | |
| run: cargo test --verbose | |
| - name: Generate coverage report | |
| run: | | |
| cargo install cargo-tarpaulin | |
| cargo tarpaulin --out xml --output-dir coverage/ | |
| - name: Upload coverage reports to Codecov | |
| uses: codecov/codecov-action@v5 | |
| with: | |
| token: ${{ secrets.CODECOV_TOKEN }} | |
| scans: | |
| name: Scans | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| security-events: write | |
| actions: read | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Install Rust | |
| uses: dtolnay/rust-toolchain@stable | |
| - name: Cache dependencies | |
| uses: actions/cache@v3 | |
| with: | |
| path: | | |
| ~/.cargo/cache | |
| ~/.cargo/registry | |
| target/ | |
| key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }} | |
| - name: Install cargo-audit | |
| run: cargo install cargo-audit | |
| - name: Run security audit | |
| run: cargo audit | |
| - name: Install cargo-outdated | |
| run: cargo install cargo-outdated | |
| - name: Check for outdated dependencies | |
| run: cargo outdated --exit-code 1 | |
| security-scan: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| security-events: write | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Run Trivy vulnerability scanner | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| scan-type: 'fs' | |
| scan-ref: '.' | |
| format: 'sarif' | |
| output: 'trivy-results.sarif' | |
| - name: Upload Trivy scan results | |
| uses: github/codeql-action/upload-sarif@v3 | |
| with: | |
| sarif_file: 'trivy-results.sarif' | |
| generate-version: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| version: ${{ steps.version.outputs.version }} | |
| major: ${{ steps.version.outputs.major }} | |
| minor: ${{ steps.version.outputs.minor }} | |
| patch: ${{ steps.version.outputs.patch }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Generate version | |
| id: version | |
| run: | | |
| # Get the latest tag or default to v0.0.0 | |
| LATEST_TAG=$(git describe --tags --abbrev=0 2>/dev/null || echo "v0.0.0") | |
| echo "Latest tag: $LATEST_TAG" | |
| # Extract major.minor.patch | |
| VERSION=${LATEST_TAG#v} | |
| IFS='.' read -r MAJOR MINOR PATCH <<< "$VERSION" | |
| # Increment patch version | |
| PATCH=$((PATCH + 1)) | |
| NEW_VERSION="$MAJOR.$MINOR.$PATCH" | |
| echo "version=$NEW_VERSION" >> $GITHUB_OUTPUT | |
| echo "major=$MAJOR" >> $GITHUB_OUTPUT | |
| echo "minor=$MINOR" >> $GITHUB_OUTPUT | |
| echo "patch=$PATCH" >> $GITHUB_OUTPUT | |
| echo "Generated version: $NEW_VERSION" | |
| build-macos-arm64: | |
| runs-on: macos-15 | |
| needs: [generate-version] | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Add Mac ARM64 target | |
| run: rustup target add aarch64-apple-darwin | |
| - name: Build Mac ARM64 | |
| run: cargo build --release --target aarch64-apple-darwin --bin git-next-tag | |
| - name: Prepare Mac ARM64 artifact | |
| run: | | |
| mkdir -p dist | |
| cp target/aarch64-apple-darwin/release/git-next-tag dist/git-next-tag-macos-arm64 | |
| - name: Upload Mac ARM64 artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: cli-binary-macos-arm64 | |
| path: dist/ | |
| build-artifacts: | |
| runs-on: ubuntu-latest | |
| needs: [generate-version] | |
| outputs: | |
| version: ${{ needs.generate-version.outputs.version }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Install cross | |
| run: cargo install cross | |
| - name: Build Linux AMD64 | |
| run: cross build --release --target x86_64-unknown-linux-gnu | |
| - name: Build Windows AMD64 | |
| run: cross build --release --target x86_64-pc-windows-gnu | |
| - name: Prepare artifacts | |
| run: | | |
| mkdir -p dist | |
| cp target/x86_64-unknown-linux-gnu/release/git-next-tag dist/git-next-tag-linux-amd64 | |
| cp target/x86_64-pc-windows-gnu/release/git-next-tag.exe dist/git-next-tag-windows-amd64.exe | |
| - name: Upload build artifacts | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: cli-binaries | |
| path: dist/ | |
| build-and-push: | |
| needs: [scans, test, security-scan, generate-version] | |
| runs-on: ubuntu-latest | |
| if: github.event_name == 'push' && github.ref == 'refs/heads/main' | |
| permissions: | |
| contents: read | |
| packages: write | |
| id-token: write | |
| attestations: write | |
| outputs: | |
| image-digest: ${{ steps.build.outputs.digest }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Log in to Container Registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Install Cosign | |
| uses: sigstore/cosign-installer@v3 | |
| - name: Extract metadata | |
| id: meta | |
| uses: docker/metadata-action@v5 | |
| with: | |
| images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} | |
| tags: | | |
| type=raw,value=latest | |
| type=raw,value=${{ needs.generate-version.outputs.version }} | |
| type=sha,prefix={{branch}}- | |
| - name: Build and push Docker image | |
| id: build | |
| uses: docker/build-push-action@v5 | |
| with: | |
| context: . | |
| file: docker/alpine/Dockerfile | |
| platforms: linux/amd64,linux/arm64 | |
| push: true | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| - name: Sign container image | |
| run: | | |
| cosign sign --yes ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build.outputs.digest }} | |
| - name: Generate SLSA attestation | |
| uses: actions/attest-build-provenance@v1 | |
| with: | |
| subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} | |
| subject-digest: ${{ steps.build.outputs.digest }} | |
| image-security-scan: | |
| needs: [build-and-push] | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| security-events: write | |
| if: github.event_name == 'push' && github.ref == 'refs/heads/main' | |
| steps: | |
| - name: Run Trivy vulnerability scanner on image | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ needs.build-and-push.outputs.image-digest }} | |
| format: 'sarif' | |
| output: 'trivy-image-results.sarif' | |
| - name: Upload Trivy scan results | |
| uses: github/codeql-action/upload-sarif@v3 | |
| with: | |
| sarif_file: 'trivy-image-results.sarif' | |
| - name: Run Snyk container scan | |
| uses: snyk/actions/docker@master | |
| env: | |
| SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
| with: | |
| image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ needs.build-and-push.outputs.image-digest }} | |
| args: --severity-threshold=high | |
| create-release: | |
| needs: [generate-version, build-and-push, image-security-scan, build-artifacts, build-macos-arm64] | |
| runs-on: ubuntu-latest | |
| if: github.event_name == 'push' && github.ref == 'refs/heads/main' | |
| permissions: | |
| contents: write | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Create Git tag | |
| run: | | |
| git config user.name "github-actions[bot]" | |
| git config user.email "github-actions[bot]@users.noreply.github.com" | |
| git tag -a "v${{ needs.generate-version.outputs.version }}" -m "Release v${{ needs.generate-version.outputs.version }}" | |
| git push origin "v${{ needs.generate-version.outputs.version }}" | |
| - name: Create GitHub release | |
| uses: actions/create-release@v1 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| with: | |
| tag_name: v${{ needs.generate-version.outputs.version }} | |
| release_name: Release v${{ needs.generate-version.outputs.version }} | |
| body: | | |
| ## Changes | |
| - Automated release v${{ needs.generate-version.outputs.version }} | |
| ## Container Image | |
| - `${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ needs.generate-version.outputs.version }}` | |
| - `${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ needs.build-and-push.outputs.image-digest }}` | |
| draft: false | |
| prerelease: false | |
| - name: Download Linux/Windows build artifacts | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: cli-binaries | |
| path: dist/ | |
| - name: Download Mac ARM64 build artifact | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: cli-binary-macos-arm64 | |
| path: dist/ | |
| - name: Generate checksums | |
| run: | | |
| cd dist | |
| sha256sum git-next-tag-linux-amd64 git-next-tag-windows-amd64.exe git-next-tag-macos-arm64 > checksums.txt | |
| - name: Upload release assets | |
| uses: softprops/action-gh-release@v1 | |
| with: | |
| tag_name: v${{ needs.generate-version.outputs.version }} | |
| files: | | |
| dist/git-next-tag-linux-amd64 | |
| dist/git-next-tag-windows-amd64.exe | |
| dist/git-next-tag-macos-arm64 | |
| dist/checksums.txt |
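Review bot: The third-party scanner actions are fetched from a moving branch — `uses: aquasecurity/trivy-action@master` in both security-scan and image-security-scan, and `uses: snyk/actions/docker@master`, which also receives `SNYK_TOKEN` through its `env` — so whatever that branch resolves to at run time executes with `security-events: write` and that token in its environment. Pin each to a release tag or, better, a full commit SHA with the version noted in a comment, e.g. `uses: aquasecurity/trivy-action@<FULL-COMMIT-SHA>  # <release-tag>` (placeholders, taken from the action's releases), and Dependabot's `github-actions` ecosystem can then keep the pins current. Separately, `actions/create-release@v1` in create-release is archived upstream, and the same job already uploads through `softprops/action-gh-release@v1`, which creates the release itself when the tag has none, so the first step appears redundant. Finally, `~/.cargo/cache` in the two cache `path` lists does not look like a directory cargo writes (`~/.cargo/git` is the usual companion to `~/.cargo/registry`), which presumably makes that entry a no-op worth confirming.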