Create automated Signed releases. (#2749)

LycheeOrg · Nov 27, 2024 · f8fedaa · f8fedaa
1 parent 23a900a
commit f8fedaa
Show file tree

Hide file tree

Showing 5 changed files with 62 additions and 25 deletions.
diff --git a/.github/release.yml b/.github/release.yml
@@ -0,0 +1,17 @@
+changelog:
+  exclude:
+    labels:
+      - ignore-for-release
+    authors:
+      - octocat
+      - dependabot
+  categories:
+    - title: 🏕 Features
+      labels:
+        - '*'
+      exclude:
+        labels:
+          - dependencies
+    - title: 👒 Dependencies
+      labels:
+        - dependencies
diff --git a/.github/workflows/CICD.yml b/.github/workflows/CICD.yml
@@ -151,7 +151,7 @@ jobs:
 
   createArtifact:
     name: 4️⃣ Build Artifact
-    if: github.ref == 'refs/heads/master'
+    if: github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/tags/')
     needs:
       - phpstan
       - dist
@@ -191,7 +191,7 @@ jobs:
         run: |
           make clean dist
 
-      - name: Upload a Build Artifact
+      - name: Upload build artifact
         uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         with:
           name: Lychee.zip
@@ -227,4 +227,45 @@ jobs:
 
           # The GitHub token used to make authenticated API requests. Default is
           # ${{ github.token }}
-          github-token: ${{ github.token }}
+          github-token: ${{ github.token }}
+
+
+  release:
+    name: 5️⃣ Release
+    if: startsWith(github.ref, 'refs/tags/')
+    needs:
+      - createArtifact
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      id-token: write
+    env:
+      extensions: bcmath, curl, dom, gd, imagick, json, libxml, mbstring, pcntl, pdo, pdo_sqlite, pdo_mysql, pdo_pgsql, pgsql, sqlite3, zip
+
+    steps:
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
+
+      - name: Download generated artifact 
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.18
+        with:
+          name: Lychee.zip
+
+      # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
+      - name: Sign release with a key
+        run: |
+          cosign sign-blob --yes --key env://COSIGN_PRIVATE_KEY --output-signature Lychee.zip.asc Lychee.zip
+        env:
+          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+
+      - name: Create release
+        uses: softprops/action-gh-release@01570a1f39cb168c169c802c3bceb9e93fb10974 # v2.1.0
+        with:
+          files: |
+            Lychee.zip.asc
+            Lychee.zip
+          token: ${{ secrets.GITHUB_TOKEN }}
+          generate_release_notes: true
+          make_latest: true
+
diff --git a/.github/workflows/CICD_no_legacy.yml b/.github/workflows/CICD_no_legacy.yml
@@ -181,29 +181,18 @@ jobs:
           extensions: ${{ env.extensions }}
           coverage: none
 
-      - name: Install Composer dependencies
-        uses: ramsey/composer-install@57532f8be5bda426838819c5ee9afb8af389d51a # 3.0.0
-        with:
-          composer-options: --no-dev
-
       - name: Use Node.js 20
         uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
         with:
             node-version: 20
 
-      - name: Install
-        run: npm ci
-
-      - name: Compile Front-end
-        run: npm run build
-
       - name: Build Dist
         run: |
           make clean dist
 
       - name: Upload a Build Artifact
         uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         with:
-          name: Lychee-Dist.zip
+          name: Lychee-No-Legacy.zip
           path: Lychee.zip
           if-no-files-found: error # 'warn' or 'ignore' are also available, defaults to `warn`
diff --git a/.github/workflows/php_dist.yml b/.github/workflows/php_dist.yml
@@ -67,11 +67,6 @@ jobs:
           extensions: ${{ env.extensions }}
           tools: pecl, composer
 
-      - name: Install Composer dependencies
-        uses: ramsey/composer-install@57532f8be5bda426838819c5ee9afb8af389d51a # 3.0.0
-        with:
-          composer-options: --no-dev
-
       - name: Build Dist
         run: |
           make dist-clean

diff --git a/.github/workflows/php_no_legacy_dist.yml b/.github/workflows/php_no_legacy_dist.yml
@@ -71,11 +71,6 @@ jobs:
           extensions: ${{ env.extensions }}
           tools: pecl, composer
 
-      - name: Install Composer dependencies
-        uses: ramsey/composer-install@57532f8be5bda426838819c5ee9afb8af389d51a # 3.0.0
-        with:
-          composer-options: --no-dev
-
       - name: Build Dist
         run: |
           make dist-clean