Build and Draft Release #36
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Purpose: Build, sign, and check a draft release | |
| name: Build and Draft Release | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| # checkov:skip=CKV_GHA_7:Manual inputs are desired. | |
| releaseName: | |
| description: "Release Name" | |
| required: true | |
| type: string | |
| # Note: This is NOT the ACTUAL release version for ScubaGear. | |
| # That value is found in ScubaGear.psd1. | |
| # This is only used for things like the release file name. | |
| # Yes, this is a disconnect that violates DRY. | |
| version: | |
| description: "Release Version (e.g., 1.2.4)" | |
| required: true | |
| type: string | |
| runQuickCheck: | |
| description: "Run a quick check of release" | |
| required: false | |
| type: boolean | |
| default: true | |
| permissions: read-all | |
| jobs: | |
| build-and-draft: | |
| name: Build and Draft Release | |
| runs-on: windows-latest | |
| environment: Development | |
| # TODO get rid of this env variable | |
| # env: | |
| # RELEASE_VERSION: ${{ inputs.version }} | |
| permissions: | |
| id-token: write | |
| contents: write | |
| defaults: | |
| run: | |
| shell: powershell | |
| # This condition prevents duplicate runs. | |
| if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| path: repo | |
| - name: Install Azure Signing Tool | |
| run: | | |
| # Source the function | |
| . repo/utils/workflow/Build-SignRelease.ps1 | |
| Install-AzureSigningTool | |
| # OpenID Connect (OIDC) login to Azure Public Cloud with AzPowershell | |
| - name: Login to Azure | |
| uses: azure/login@v2 | |
| with: | |
| client-id: ${{ secrets.AZURE_CLIENT_ID }} | |
| tenant-id: ${{ secrets.AZURE_TENANT_ID }} | |
| subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} | |
| enable-AzPSSession: true | |
| - name: Get Key Vault info | |
| id: key-vault-info | |
| run: | | |
| $KeyVaultInfo = ${{ secrets.SCUBA_KEY_VAULT_PROD}} | ConvertFrom-Json | |
| echo "KeyVaultUrl=$($KeyVaultInfo.KeyVault.URL)" >> $env:GITHUB_OUTPUT | |
| echo "KeyVaultCertificateName=$($KeyVaultInfo.KeyVault.CertificateName)" >> $env:GITHUB_OUTPUT | |
| - name: Sign Module | |
| run: | | |
| # Source the function | |
| . repo/utils/workflow/Build-SignRelease.ps1 | |
| New-ModuleSignature ` | |
| -AzureKeyVaultUrl ${{ steps.key-vault-info.outputs.KeyVaultUrl }} ` | |
| -CertificateName ${{ steps.key-vault-info.outputs.KeyVaultCertificateName }} ` | |
| -ReleaseVersion ${{ inputs.version }} | |
| - name: Create Release | |
| uses: softprops/action-gh-release@v1 | |
| id: create-release | |
| with: | |
| draft: true | |
| prerelease: false | |
| name: ${{ inputs.releaseName }} | |
| tag_name: v${{ inputs.version }} | |
| files: ScubaGear-${{ inputs.version }}.zip | |
| generate_release_notes: true | |
| fail_on_unmatched_files: true | |
| - name: Download Release | |
| uses: dsaltares/fetch-gh-release-asset@1.1.1 | |
| if: ${{ inputs.runQuickCheck }} | |
| with: | |
| version: ${{ steps.create-release.outputs.id}} | |
| file: "ScubaGear-${{ inputs.version }}.zip" | |
| - name: Quick Check Release | |
| if: ${{ inputs.runQuickCheck }} | |
| run: | | |
| # Note: Cannot move this code to a function in the utils/workflow folder | |
| # because the Sign Module code above relocates that folder | |
| Expand-Archive -Path "ScubaGear-${{ inputs.version }}.zip" | |
| Get-ChildItem | |
| Set-Location -Path "ScubaGear-${{ inputs.version }}" | |
| Import-Module -Name .\PowerShell\ScubaGear\ScubaGear.psd1 | |
| Invoke-SCuBA -Version |