docs: add json extension for generated sbom #208
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
name: CI on Main | |
on: | |
push: | |
branches: | |
- main | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.ref }} | |
cancel-in-progress: false | |
jobs: | |
compute-next-semantic-version: | |
permissions: | |
id-token: "write" | |
contents: "write" # FIXME this should not require write permission. | |
uses: semantic-release-action/next-release-version/.github/workflows/next-release-version.yml@v4 | |
test: | |
name: Test Suite | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: dtolnay/rust-toolchain@stable | |
with: | |
toolchain: stable | |
components: rustfmt | |
- name: run cargo test | |
run: cargo test --all-features | |
create-new-release: | |
name: Create the new release as a draft | |
# If the version is empty, it means there is no new version to publish. | |
if: ${{ needs.compute-next-semantic-version.outputs.new-release-version != '' }} | |
permissions: | |
id-token: "write" | |
contents: "write" # This is required to create the GH release | |
runs-on: ubuntu-latest | |
needs: | |
- compute-next-semantic-version | |
env: | |
NEW_TAG: "v${{ needs.compute-next-semantic-version.outputs.new-release-version }}" | |
outputs: | |
release-id: ${{ steps.create-new-release.outputs.release-id }} | |
release-url: ${{ steps.create-new-release.outputs.release-url }} | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Check if a release already exists for that version | |
run: | | |
current_release=$( | |
curl -L \ | |
-H "Accept: application/vnd.github+json" \ | |
-H "Authorization: Bearer ${{ github.token }}" \ | |
-H "X-GitHub-Api-Version: 2022-11-28" \ | |
https://api.github.com/repos/${{ github.repository }}/releases/tags/${{ env.NEW_TAG }} | |
) | |
error_message=$(echo "$new_release" | jq ".message // empty") | |
if [[ -n "$error_message" ]]; then | |
echo "Could not verify if a release exist for ${{ env.NEW_TAG }}: $error_message" | |
exit 1 | |
fi | |
current_release_name=$(echo "$current_release" | jq ".name // empty") | |
if [[ -n "$current_release_name" ]]; then | |
echo "A release already exists for version ${{ env.NEW_TAG }}." | |
exit 1 | |
fi | |
- name: Create the new release | |
id: create-new-release | |
run: | | |
echo "Creating new release ${{ env.NEW_TAG }}" | |
release_payload=$(jq -n '{ | |
"tag_name": "${{ env.NEW_TAG }}", | |
"target_commitish": "${{ github.sha }}", | |
"name": "${{ env.NEW_TAG }}", | |
"prerelease": false, | |
"draft": true, | |
"generate_release_notes": true | |
}') | |
new_release=$(curl -L \ | |
-X POST \ | |
-H "Accept: application/vnd.github+json" \ | |
-H "Authorization: Bearer ${{ github.token }}" \ | |
-H "X-GitHub-Api-Version: 2022-11-28" \ | |
https://api.github.com/repos/${{ github.repository }}/releases \ | |
-d "$release_payload" | |
) | |
new_release_id=$(echo "$new_release" | jq ".id") | |
if [[ "$new_release_id" == "null" ]]; then | |
error_message=$(echo "$new_release" | jq ".message") | |
echo "Could not create new release: $error_message" | |
exit 1 | |
fi | |
echo "release-id=$new_release_id" >> "$GITHUB_OUTPUT" | |
echo "release-id = $new_release_id" | |
new_release_url="https://uploads.github.com/repos/${{ github.repository }}/releases/$new_release_id/assets" | |
echo "release-url=$new_release_url" >> "$GITHUB_OUTPUT" | |
echo "release-url = $new_release_url" | |
build-binary: | |
runs-on: ubuntu-latest | |
permissions: | |
id-token: "write" | |
contents: "write" # This is required to add artifacts to the GH release | |
needs: | |
- create-new-release | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Install Nix | |
uses: DeterminateSystems/nix-installer-action@da36cb69b1c3247ad7a1f931ebfd954a1105ef14 # v14 | |
- name: Build the artifact | |
run: | | |
nix develop .#musl -c cargo build --release | |
- name: Add artifact to the release | |
env: | |
binary_path: "nix2sbom-x86_64-unknown-linux-musl" | |
artifact_path: "./target/x86_64-unknown-linux-musl/release/nix2sbom" | |
run: | | |
checksum_path="${{ env.binary_path }}.sha256sum" | |
cp "$artifact_path" "$binary_path" | |
sha256sum "${{ env.binary_path }}" > "$checksum_path" | |
curl -L \ | |
-X POST \ | |
-H "Accept: application/vnd.github+json" \ | |
-H "Authorization: Bearer ${{ github.token }}" \ | |
-H "X-GitHub-Api-Version: 2022-11-28" \ | |
-H "Content-Type: application/octet-stream" \ | |
"${{ needs.create-new-release.outputs.release-url }}?name=${{ env.binary_path }}&label=${{ env.binary_path }}" \ | |
--data-binary "@${{ env.binary_path }}" | |
echo "Uploaded the artifact to the GitHub release" | |
curl -L \ | |
-X POST \ | |
-H "Accept: application/vnd.github+json" \ | |
-H "Authorization: Bearer ${{ github.token }}" \ | |
-H "X-GitHub-Api-Version: 2022-11-28" \ | |
-H "Content-Type: application/octet-stream" \ | |
"${{ needs.create-new-release.outputs.release-url }}?name=$checksum_path&label=$checksum_path" \ | |
--data-binary "@$checksum_path" | |
echo "Uploaded the artifact checksum to the GitHub release" | |
publish-github-release: | |
name: Publish (undraft) the release | |
runs-on: ubuntu-latest | |
permissions: | |
id-token: "write" | |
contents: "write" | |
needs: | |
- create-new-release | |
- build-binary | |
steps: | |
- name: Publish the release | |
run: | | |
curl -L \ | |
-X PATCH \ | |
-H "Accept: application/vnd.github+json" \ | |
-H "Authorization: Bearer ${{ github.token }}" \ | |
-H "X-GitHub-Api-Version: 2022-11-28" \ | |
https://api.github.com/repos/${{ github.repository }}/releases/${{ needs.create-new-release.outputs.release-id }} \ | |
-d '{"draft": false}' | |
publish-flakehub-release: | |
# If the version is empty, it means there is no new version to publish. | |
if: ${{ needs.compute-next-semantic-version.outputs.new-release-version != '' }} | |
needs: | |
- test | |
- compute-next-semantic-version | |
- publish-github-release | |
runs-on: ubuntu-latest | |
permissions: | |
id-token: "write" | |
contents: "read" | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: DeterminateSystems/nix-installer-action@da36cb69b1c3247ad7a1f931ebfd954a1105ef14 # v14 | |
- run: | | |
: build the nix flake | |
nix build .# | |
- uses: DeterminateSystems/flakehub-push@8da9e38b7e77f2b0a8aa08a22e57cc5c6316ea72 # v5 | |
with: | |
visibility: "public" | |
rolling: false | |
tag: "v${{ needs.compute-next-semantic-version.outputs.new-release-version }}" |