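# Release workflow for sonar-scanner-npm.
#
# Triggered by a published GitHub release, or manually (workflow_dispatch) to
# dry-run / re-release a given tag. Three jobs, in order:
#   publish       - build, publish to Artifactory (repox) and npm
#   update-center - open a PR against sonar-update-center-properties
#   notify        - post a Slack message with the remaining manual steps
# On a dry run only the validation and npm-tag computation run; nothing is
# published, no PR is opened and no Slack message is sent.
on:
  release:
    types:
      - published
  workflow_dispatch:
    inputs:
      dry_run:
        description: 'Dry run (skip publish, only show npm tag)'
        type: boolean
        default: true
      release_tag:
        description: 'Release tag to test (e.g., 1.2.3)'
        required: true
      release_description:
        description: 'Release description for Update Center (e.g., "Support new feature")'
        required: true
      prerelease:
        description: 'Mark as prerelease (publishes to npm "next" tag instead of "latest")'
        type: boolean
        default: false
      skip_latest:
        description: 'Skip updating "latest" tag (use for older version patches)'
        type: boolean
        default: false
      slack_channel:
        description: 'Slack channel for release notification'
        type: string
        default: 'ask-squad-web'

# NOTE(review): every action below is pinned to a mutable tag (@v6, @v3,
# @v3.0.2). Pinning to a full commit SHA (tag kept in a trailing comment)
# removes the tag-move supply-chain risk; SHAs are deliberately not written
# here because they must be taken from the upstream repositories.
jobs:
  publish:
    # Deployment environment; presumably carries the approval / branch rules
    # that gate access to the release secrets - confirm in repo settings.
    environment: release
    permissions:
      contents: read
      id-token: write # required for OIDC (npm Trusted Publisher) and SonarSource/vault-action-wrapper
    runs-on: github-ubuntu-latest-s
    env:
      # On a release event the tag comes from the event; on manual dispatch
      # from the release_tag input.
      RELEASE_TAG: ${{ github.event.release.tag_name || inputs.release_tag }}
      RELEASE_NAME: ${{ github.event.release.name || inputs.release_tag }}
      BUILD_NAME: 'sonar-scanner-npm'
      ARTIFACTORY_REPOSITORY_NAME: 'sonarsource-npm-public-releases'
      # Kept for scripts/tools that read it; the step conditions below gate on
      # inputs.dry_run directly.
      DRY_RUN: ${{ inputs.dry_run || false }}
    steps:
      # RELEASE_TAG is interpolated into the npm dist-tag, the Artifactory
      # build number, a git branch name and the Slack JSON payload in the jobs
      # below. Reject anything outside a conservative charset up front; this
      # runs on dry runs too so the downstream jobs inherit the guarantee.
      - name: Validate release tag
        shell: bash
        run: |
          if [ -z "$RELEASE_TAG" ]; then
            echo "::error::Release tag is empty."
            exit 1
          fi
          if ! [[ "$RELEASE_TAG" =~ ^[A-Za-z0-9][A-Za-z0-9._+-]*$ ]]; then
            echo "::error::Release tag '$RELEASE_TAG' contains characters outside [A-Za-z0-9._+-]."
            exit 1
          fi
      - name: Validate release description
        id: description
        shell: bash
        env:
          # Release body and dispatch input are author-controlled text; they are
          # passed through the environment, never ${{ }}-interpolated into the
          # script, so they cannot alter the shell that reads them.
          RELEASE_BODY: ${{ github.event.release.body }}
          INPUT_DESCRIPTION: ${{ inputs.release_description }}
        run: |
          # Use input description for manual trigger, otherwise extract from release body
          if [ -n "$INPUT_DESCRIPTION" ]; then
            DESCRIPTION="$INPUT_DESCRIPTION"
          else
            # Extract description from release body (line starting with "Description:").
            # `|| true`: under bash's -e/-o pipefail a non-matching grep would
            # otherwise abort the step here, before the guidance below is printed.
            DESCRIPTION=$(echo "$RELEASE_BODY" | grep -i "^Description:" | sed 's/^[Dd]escription:[[:space:]]*//' || true)
          fi
          if [ -z "$DESCRIPTION" ]; then
            echo "::error::Release body must contain a 'Description:' line for the Update Center entry."
            echo "::error::Example format:"
            echo "::error::  Description: Support new authentication method"
            echo "::error::"
            echo "::error::  ## What's Changed"
            echo "::error::  * PR details..."
            exit 1
          fi
          # GITHUB_OUTPUT is line-oriented: a second line would be parsed as
          # another key=value pair, so refuse anything that is not one line
          # (more than one "Description:" line, or a multi-line dispatch input).
          if [[ "$DESCRIPTION" == *$'\n'* ]]; then
            echo "::error::Release description must be a single line."
            exit 1
          fi
          echo "description=$DESCRIPTION" >> "$GITHUB_OUTPUT"
          echo "Extracted description: $DESCRIPTION"
      - name: Fetch the secrets
        if: ${{ !inputs.dry_run }}
        id: secrets
        uses: SonarSource/vault-action-wrapper@v3
        with:
          secrets: development/artifactory/token/SonarSource-sonar-scanner-npm-promoter access_token | promoter_access_token;
      - uses: actions/checkout@v6
      - uses: actions/setup-node@v6
        with:
          node-version: '24'
      # NOTE(review): this writes the promoter token to the user-level .npmrc
      # before `npm ci` runs dependency lifecycle scripts. If the build does not
      # need repox to resolve packages, move this step after the build (or run
      # `npm ci --ignore-scripts`) - confirm against package-lock / .npmrc.
      - name: Setup the registries
        if: ${{ !inputs.dry_run }}
        env:
          # Passed via the environment rather than ${{ }}-interpolated so the
          # token never appears in the rendered script text.
          PROMOTER_ACCESS_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).promoter_access_token }}
        run: |
          npm config set "//repox.jfrog.io/artifactory/api/npm/:_authToken=${PROMOTER_ACCESS_TOKEN}"
      - name: Build the package
        if: ${{ !inputs.dry_run }}
        run: |
          npm ci
          npm run license
          npx tsc
          npx pmg --entries=build/**/*.js --output=build/package.json --version="${RELEASE_TAG}"
          cp LICENSE build
          cp README.md build
      - name: Install JFrog CLI
        if: ${{ !inputs.dry_run }}
        uses: SonarSource/jfrog-setup-wrapper@v3
      - name: Publish the package to Artifactory
        if: ${{ !inputs.dry_run }}
        env:
          PROMOTER_ACCESS_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).promoter_access_token }}
        run: |
          jfrog config add repox --url https://repox.jfrog.io --access-token "$PROMOTER_ACCESS_TOKEN"
          jfrog config use repox
          jfrog npm-config --repo-resolve npm --repo-deploy "$ARTIFACTORY_REPOSITORY_NAME"
          cd build
          jfrog npm publish --build-name "$BUILD_NAME" --build-number "$RELEASE_TAG"
          jfrog rt build-add-git "$BUILD_NAME" "$RELEASE_TAG"
          jfrog rt build-publish "$BUILD_NAME" "$RELEASE_TAG"
          jfrog rt build-promote --status released "$BUILD_NAME" "$RELEASE_TAG" "$ARTIFACTORY_REPOSITORY_NAME"
      # Maps the release to an npm dist-tag:
      #   prerelease      -> next
      #   [skip-latest]   -> release-<major>.x (patch of an older line)
      #   otherwise       -> latest
      - name: Determine npm tag
        id: npm-tag
        env:
          IS_PRERELEASE: ${{ github.event.release.prerelease || inputs.prerelease }}
          HAS_SKIP_LATEST: ${{ contains(github.event.release.body, '[skip-latest]') || inputs.skip_latest }}
        run: |
          if [ "$IS_PRERELEASE" == "true" ]; then
            echo "tag=next" >> "$GITHUB_OUTPUT"
          elif [ "$HAS_SKIP_LATEST" == "true" ]; then
            # Extract major version for the tag (e.g., "1.2.3" -> "release-1.x")
            MAJOR=$(echo "$RELEASE_TAG" | sed 's/^v//' | cut -d. -f1)
            echo "tag=release-${MAJOR}.x" >> "$GITHUB_OUTPUT"
          else
            echo "tag=latest" >> "$GITHUB_OUTPUT"
          fi
      - name: Show npm tag (dry run)
        if: ${{ inputs.dry_run }}
        env:
          NPM_TAG: ${{ steps.npm-tag.outputs.tag }}
        run: |
          echo "========================================"
          echo "DRY RUN - Would publish with:"
          echo "  Release tag: $RELEASE_TAG"
          echo "  npm tag: $NPM_TAG"
          echo "========================================"
      - name: Publish the package to npm
        if: ${{ !inputs.dry_run }}
        env:
          NPM_TAG: ${{ steps.npm-tag.outputs.tag }}
        run: |
          cd build
          # Publish as @sonar/scan (primary package name)
          npm publish --provenance --tag="$NPM_TAG" --access=public
          # Publish as sonarqube-scanner (legacy alias for backwards compatibility).
          # Rewrite through a temp file: `jq ... package.json > package.json`
          # would truncate the input first, and the earlier `echo $(jq ...)`
          # form word-split and glob-expanded the JSON before writing it back.
          jq '.name = "sonarqube-scanner"' package.json > package.json.tmp
          mv package.json.tmp package.json
          npm publish --provenance --tag="$NPM_TAG" --access=public
    outputs:
      description: ${{ steps.description.outputs.description }}

  update-center:
    needs: publish
    # A dry run must not open a PR against sonar-update-center-properties.
    if: ${{ !inputs.dry_run }}
    permissions:
      contents: read
      id-token: write
    runs-on: ubuntu-latest
    env:
      RELEASE_TAG: ${{ github.event.release.tag_name || inputs.release_tag }}
    steps:
      - name: Fetch GitHub token
        id: secrets
        uses: SonarSource/vault-action-wrapper@v3
        with:
          secrets: development/github/token/SonarSource-sonar-scanner-npm-release-automation token | github_token;
      # Credentials are persisted here on purpose: the push / PR below need them.
      - name: Checkout sonar-update-center-properties
        uses: actions/checkout@v6
        with:
          repository: SonarSource/sonar-update-center-properties
          token: ${{ fromJSON(steps.secrets.outputs.vault).github_token }}
          path: update-center
      # Read-only use (scripts only), so do not leave GITHUB_TOKEN in .git/config.
      - name: Checkout sonar-scanner-npm (for scripts)
        uses: actions/checkout@v6
        with:
          path: sonar-scanner-npm
          persist-credentials: false
      - name: Update scannernpm.properties
        working-directory: update-center
        env:
          # Release-body-derived text: pass through the environment, not ${{ }}
          # inside the script, so it cannot break out of the quoted argument.
          RELEASE_DESCRIPTION: ${{ needs.publish.outputs.description }}
        run: |
          bash ../sonar-scanner-npm/scripts/update-update-center.sh \
            scannernpm.properties \
            "${RELEASE_TAG}" \
            "${RELEASE_DESCRIPTION}"
      - name: Create Pull Request
        id: create-pr
        working-directory: update-center
        env:
          GH_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).github_token }}
        run: |
          BRANCH="scannernpm-${RELEASE_TAG}"
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git checkout -b "$BRANCH"
          git add scannernpm.properties
          git commit -m "Update SonarScanner for NPM to ${RELEASE_TAG}"
          git push origin "$BRANCH"
          PR_URL=$(gh pr create \
            --title "Update SonarScanner for NPM to ${RELEASE_TAG}" \
            --body "Automated PR to update SonarScanner for NPM to version ${RELEASE_TAG}.
          Created by [sonar-scanner-npm release workflow](https://github.com/SonarSource/sonar-scanner-npm/actions/runs/${{ github.run_id }})." \
            --base master)
          echo "pr_url=$PR_URL" >> "$GITHUB_OUTPUT"
    outputs:
      pr_url: ${{ steps.create-pr.outputs.pr_url }}

  notify:
    needs: [publish, update-center]
    # A dry run must not announce a release.
    if: ${{ !inputs.dry_run }}
    permissions:
      id-token: write
    runs-on: ubuntu-latest
    env:
      RELEASE_TAG: ${{ github.event.release.tag_name || inputs.release_tag }}
    steps:
      - name: Fetch Slack token
        id: secrets
        uses: SonarSource/vault-action-wrapper@v3
        with:
          secrets: development/kv/data/slack token | slack_token;
      # The payload is a JSON template filled by ${{ }} expansion. The channel
      # is an operator input, so it is emitted with toJSON() (quoted + escaped).
      # RELEASE_TAG was charset-checked in the publish job; pr_url comes from
      # `gh pr create`. Anything else spliced into "text" must stay JSON-safe.
      - name: Send Slack notification
        uses: slackapi/slack-github-action@v3.0.2
        with:
          method: chat.postMessage
          token: ${{ fromJSON(steps.secrets.outputs.vault).slack_token }}
          errors: true
          payload: |
            {
              "channel": ${{ toJSON(inputs.slack_channel || 'ask-squad-web') }},
              "attachments": [
                {
                  "color": "#36a64f",
                  "text": ":package: *SonarScanner for NPM ${{ env.RELEASE_TAG }}* has been released!\n\n<https://github.com/SonarSource/sonar-scanner-npm/releases/tag/${{ env.RELEASE_TAG }}|View Release> | <https://www.npmjs.com/package/@sonar/scan/v/${{ env.RELEASE_TAG }}|npm package>\n\n:clipboard: *Next steps to complete the release:*\n1. Merge the Update Center PR: <${{ needs.update-center.outputs.pr_url }}|sonar-update-center-properties PR>\n2. Run the <https://github.com/SonarSource/sonar-update-center-properties/actions/workflows/deploy.yml|Deploy workflow> to publish the Update Center JSON\n3. Run the <https://github.com/SonarSource/sonarqube-documentation/actions/workflows/generate-release-notes.yml|Generate Release Notes workflow> and merge the resulting PR"
                }
              ]
            }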