PHPC-2384, PHPC-2399, PHPC-2400: Publish SSDLC assets on release #1584
Conversation
alcaeus
force-pushed
the
publish-ssdlc-assets-on-release
branch
from
d36da66 to
03dbe44
Compare
| @@ -41,7 +41,7 @@ runs: | |||
| - name: Enable Developer Command Prompt | |||
| uses: ilammy/msvc-dev-cmd@v1 | |||
| with: | |||
| arch: ${{ matrix.arch }} | |||
| arch: ${{ inputs.arch }} | |||
There was a problem hiding this comment.
This happened to "just work" before, but broke down once the action was used in a job that didn't use the matrix strategy. Took me longer to figure out than I care to admit...
| @@ -140,7 +140,8 @@ function get_next_minor_version(array $versions): array | |||
| ]; | |||
| } | |||
|
|
|||
| if ($argc !== 2) { | |||
| // Allow 2 arguments as the bump-version action always passes a version number, even when not needed | |||
| if (! in_array($argc, [2, 3])) { | |||
There was a problem hiding this comment.
The version bump script always passes the version number as an argument, so I decided to allow an additional argument without using it.
alcaeus
changed the title
alcaeus
changed the title
| arch: ${{ matrix.arch }} | ||
| ts: ${{ matrix.ts }} | ||
| upload_release_asset: true | ||
| secrets: inherit |
There was a problem hiding this comment.
| - name: "Upload release artifacts" | ||
| run: gh release upload ${{ github.ref_name }} ${{ env.PACKAGE_FILE }} ${{ env.PACKAGE_FILE }}.sig | ||
| continue-on-error: true |
There was a problem hiding this comment.
Was the removal of continue-on-error: true intentional?
There was a problem hiding this comment.
It was. I put it there initially because any tag build would trigger the package workflow, regardless of whether there was a GitHub release to go with it. With the change, the package workflow is only triggered from the release workflow, so if the upload fails we want to be alerted instead of the workflow run passing as if nothing went wrong.
| # Use get-version as a dummy as a version_bump_script is required | ||
| # We run the bump script manually earlier so we can sanity-check the version number and print nice output | ||
| version_bump_script: "./bin/update-release-version.php get-version" | ||
| commit_template: 'Package ${VERSION}' |
There was a problem hiding this comment.
I noted that bump-version/action.yml uses envsubst. Does that guarantee that we won't get any unexpected substitutions on the following line when COMMIT_MESSAGE=$COMMIT_MESSAGE is run?
I realize this is unlikely given the values we'd use for commit_template.
There was a problem hiding this comment.
I'll bring this up with @blink1073, but I don't think so.
There was a problem hiding this comment.
As I understand it, it is only substituting what you have in the commit template, so VERSION in this case.
There was a problem hiding this comment.
Ah, I was misunderstanding and thought that the COMMIT_MESSAGE= line might inadvertently perform another substitution if a $VAR string remained after envsubst (e.g. malformed $VERSION value).
But it's clear that $COMMIT_MESSAGE is the only substitution happening there. And that line is the standard snippet to append to the GitHub environment. Sorry for the noise.
|
|
||
| - name: "Set summary" | ||
| run: | | ||
| echo '🚀 Created tag and drafted release for version [${{ inputs.version }}](${{ env.RELEASE_URL }})' >> $GITHUB_STEP_SUMMARY | ||
| echo '✍️ You may now update the release notes and publish the release when ready' >> $GITHUB_STEP_SUMMARY | ||
|
|
||
| static-analysis: | ||
| needs: prepare-release |
There was a problem hiding this comment.
Noted that jobs.<job_id>.needs accepts either a string or array. I was confused at first because you used an array for a single value in build-windows-package.yml.
.github/workflows/release.yml
Outdated
| - name: "Upload SBOM as release artifact" | ||
| run: gh release upload ${{ inputs.version }} ${{ env.S3_ASSETS }}/cyclonedx.sbom.json | ||
| # Silk currently errors out when downloading the SBOM. Don't let this fail the entire build | ||
| continue-on-error: true |
There was a problem hiding this comment.
Noted this is also in place for "Download SBOM file from Silk".
Is this expected to be permanent to make the release process resilient to Silk outages?
There was a problem hiding this comment.
Yes, although I've only added it here since the inventory asset group for PHPC didn't have an SBOM Lite file associated with it. It works now but forgot to remove this.
Edit: this is removed now.
This PR fixes the following issues:
In order to have all resources available when we publish SSDLC assets, it is necessary to run the static analysis and release packaging workflows as part of the release workflow. Through this we can ensure that up-to-date code scanning results are available for export, and that we can fetch all generated files to add them to the authorised publication document.
Along with the necessary changes to publish all assets, I've also made a couple of improvements related to the release process:
secure-checkoutaction from drivers-github-toolsFor a sample workflow run, see this example in my fork. Note that I've only built Windows packages for a single version to reduce resource usage.