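name: Build, Attest and Release

on:
  workflow_dispatch:
    inputs:
      version:
        description: "Version to release (vX.Y.Z format)"
        required: true
        default: "v0.1.0"
      prerelease:
        description: "Is this a pre-release?"
        type: boolean
        default: false
  push:
    tags:
      - "v*"

# Serialise release runs: two overlapping runs would race on the version-bump
# commit, the tag and the docs/ commit to main. Queued runs wait; nothing is cancelled.
concurrency:
  group: build-attest-release
  cancel-in-progress: false

# Workflow-wide default is read-only. Each job below grants only what its own
# steps use: contents: write where a commit, tag or release is pushed, and
# id-token/attestations only in the job that signs attestations. The original
# top-level grant also carried security-events: write and issues: write, which
# no step in this workflow uses.
permissions:
  contents: read

jobs:
  # Resolves and validates the version, (on dispatch) bumps package.json and
  # pushes the release tag, runs the test suites, then publishes the generated
  # documentation/coverage/report bundle to docs/ on main.
  prepare:
    name: Prepare Release
    runs-on: ubuntu-latest
    permissions:
      contents: write # version-bump commit + tag (dispatch) and the docs/ commit to main
      packages: read # kept from the original grant for npm ci
    outputs:
      version: ${{ steps.get-version.outputs.version }}
      is_prerelease: ${{ github.event.inputs.prerelease || 'false' }}
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
        with:
          # `audit` only logs egress. Switch to `block` with `allowed-endpoints`
          # once the hosts this job needs (apt, npm, Cypress download, GitHub) are known.
          egress-policy: audit

      - name: Checkout repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0
          # persist-credentials stays at its default (true): git-auto-commit-action
          # below pushes with the checked-out credentials.

      - name: Resolve and validate release version
        id: get-version
        # Workflow inputs reach the shell through env, never through ${{ }} inside
        # the script: an expression is substituted into the script text before bash
        # runs, so a crafted `version` input would otherwise execute arbitrary
        # commands with this job's contents: write token.
        env:
          EVENT_NAME: ${{ github.event_name }}
          INPUT_VERSION: ${{ github.event.inputs.version }}
        run: |
          set -euo pipefail
          if [[ "$EVENT_NAME" == "push" ]]; then
            VERSION="${GITHUB_REF#refs/tags/}"
          else
            VERSION="$INPUT_VERSION"
          fi
          # Reject anything that is not vX.Y.Z[-prerelease] before it becomes a
          # package version, a git tag, a filename or a release title.
          if [[ ! "$VERSION" =~ ^v[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.-]+)?$ ]]; then
            echo "Invalid version '${VERSION}': expected vX.Y.Z (optionally -prerelease)" >&2
            exit 1
          fi
          echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
          echo "Version: ${VERSION}"

      # Xvfb/GTK/NSS for headless Cypress, dbus for the Electron runner,
      # graphviz for the documentation bundle (previously a second apt run).
      - name: Install system dependencies
        run: |
          sudo apt-get update
          sudo apt-get install -y xvfb libgtk2.0-0 libgtk-3-0 libgbm-dev libnotify-dev libnss3 libxss1 libasound2t64 libxtst6 xauth graphviz
          sudo mkdir -p /var/run/dbus
          sudo dbus-daemon --system --fork

      - name: Setup Node.js
        uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
        with:
          node-version: "20"
          # Caches ~/.npm keyed on package-lock.json; the separate actions/cache
          # step for the same path was redundant with this.
          cache: "npm"

      - name: Cache Cypress binary
        uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2
        with:
          path: ~/.cache/Cypress
          key: cypress-${{ runner.os }}-${{ hashFiles('**/package.json') }}

      - name: Install dependencies
        run: npm ci

      # Tests run BEFORE the version bump is committed and tagged so a failing
      # suite does not leave a release tag and a bumped package.json behind.
      - name: Run unit tests with coverage
        run: xvfb-run --auto-servernum npm run test:ci

      - name: Verify Cypress
        run: npx cypress verify

      - name: Start app and run Cypress tests
        run: |
          xvfb-run --auto-servernum --server-args="-screen 0 1280x720x24" npm run test:e2e
        env:
          CYPRESS_VIDEO: "false"

      - name: Set package version for release
        if: github.event_name == 'workflow_dispatch'
        env:
          VERSION: ${{ steps.get-version.outputs.version }}
        run: |
          set -euo pipefail
          # npm wants the bare X.Y.Z; the validated value always carries the v prefix.
          npm version "${VERSION#v}" --no-git-tag-version

      - name: Commit version bump and push release tag
        if: github.event_name == 'workflow_dispatch'
        uses: stefanzweifel/git-auto-commit-action@e348103e9026cc0eee72ae06630dbe30c8bf7a79 # v5.1.0
        with:
          commit_message: "chore(release): bump version to ${{ steps.get-version.outputs.version }}"
          tagging_message: "${{ steps.get-version.outputs.version }}"
          # Only the files npm version touches. Without this the action stages the
          # whole tree, which now includes test output from the steps above.
          file_pattern: package.json package-lock.json

      - name: Run tests with coverage
        run: npm run coverage

      - name: Prepare coverage and dependency directories
        run: mkdir -p docs/coverage docs/dependencies

      - name: Generate documentation bundle
        run: npm run docs:bundle

      # Unquoted heredoc on purpose: $(date) in the footer is expanded at generation time.
      - name: Create combined index page
        run: |
          cat > docs/documentation.html << EOF
          <!DOCTYPE html>
          <html lang="en">
          <head>
            <meta charset="UTF-8">
            <meta name="viewport" content="width=device-width, initial-scale=1.0">
            <title>CIA Compliance Manager Documentation</title>
            <style>
              body {
                font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Oxygen, Ubuntu, Cantarell, 'Open Sans', 'Helvetica Neue', sans-serif;
                line-height: 1.6;
                color: #333;
                max-width: 1100px;
                margin: 0 auto;
                padding: 20px;
              }
              header {
                text-align: center;
                margin-bottom: 2rem;
                padding-bottom: 1rem;
                border-bottom: 1px solid #eaeaea;
              }
              h1 { margin-top: 0; color: #0366d6; }
              h2 { color: #0366d6; margin-top: 2rem; }
              .cards {
                display: grid;
                grid-template-columns: repeat(auto-fill, minmax(300px, 1fr));
                gap: 1rem;
              }
              .card {
                border: 1px solid #e1e4e8;
                border-radius: 6px;
                padding: 1.5rem;
                background: white;
                box-shadow: 0 1px 3px rgba(0,0,0,0.12);
                transition: transform 0.3s ease, box-shadow 0.3s ease;
              }
              .card:hover {
                transform: translateY(-4px);
                box-shadow: 0 5px 15px rgba(0,0,0,0.1);
              }
              .card h3 {
                margin-top: 0;
                margin-bottom: 1rem;
                color: #0366d6;
              }
              .card p {
                margin-bottom: 1rem;
                color: #586069;
              }
              .card a {
                display: inline-block;
                padding: 0.5rem 1rem;
                border-radius: 4px;
                background: #0366d6;
                color: white;
                text-decoration: none;
              }
              .card a:hover {
                background: #024ea4;
              }
              footer {
                margin-top: 3rem;
                padding-top: 1rem;
                border-top: 1px solid #eaeaea;
                text-align: center;
                font-size: 0.9rem;
                color: #586069;
              }
            </style>
          </head>
          <body>
            <header>
              <h1>CIA Compliance Manager Documentation</h1>
              <p>Comprehensive documentation for the CIA (Confidentiality, Integrity, Availability) Compliance Manager</p>
            </header>
            <div class="cards">
              <div class="card">
                <h3>Project Architecture</h3>
                <p>C4 model diagrams and other architectural documentation.</p>
                <a href="https://github.com/Hack23/cia-compliance-manager/blob/main/docs/architecture/ARCHITECTURE.md">View Architecture</a>
              </div>
              <div class="card">
                <h3>API Documentation</h3>
                <p>Detailed API reference for all components, types, and functions used in the application.</p>
                <a href="https://github.com/Hack23/cia-compliance-manager/blob/main/docs/api/globals.md">View API Docs</a>
              </div>
              <div class="card">
                <h3>Unit Test</h3>
                <p>Visual representation of unit test and results of the codebase.</p>
                <a href="https://hack23.github.io/cia-compliance-manager/test-results/">Test Results</a>
                <p>Unit testing strategy ,Unit tests verify that the application works correctly from a functional perspective.</p>
                <a href="https://github.com/Hack23/cia-compliance-manager/blob/main/docs/UnitTestPlan.md">View Unit Test Plan</a>
              </div>
              <div class="card">
                <h3>Unit Test Code Coverage</h3>
                <p>Test coverage reports showing how much of the codebase is covered by tests.</p>
                <a href="https://hack23.github.io/cia-compliance-manager/coverage/index.html">View Coverage Report</a>
              </div>
              <div class="card">
                <h3>E2E System Test</h3>
                <p>Test reports showing result .</p>
                <a href="https://hack23.github.io/cia-compliance-manager/cypress/mochawesome/index.html">View Test Report</a>
                <p>(E2E) testing strategy ,E2E tests verify that the application works correctly from a user's perspective.</p>
                <a href="https://github.com/Hack23/cia-compliance-manager/blob/main/docs/E2ETestPlan.md">View E2E Test Plan</a>
              </div>
            </div>
            <h2>Documentation Overview</h2>
            <p>
              This documentation is automatically generated from the source code and documentation files in the repository.
              It includes API reference, type definitions, architecture diagrams, and more to help you understand the
              CIA Compliance Manager codebase.
            </p>
            <footer>
              <p>Generated on $(date) | <a href="https://github.com/Hack23/cia-compliance-manager">GitHub Repository</a></p>
            </footer>
          </body>
          </html>
          EOF

      - name: Merge e2e test report
        run: npm run test:e2ereportmerge

      - name: Generate e2e html report
        run: npm run test:e2ereporthtmlall

      # Publishes docs/ (coverage, reports, generated docs) into docs/ on main.
      # Runs for both tag pushes and manual dispatch; this is a direct commit to
      # main, not a Pages deployment environment.
      - name: Deploy documentation to GitHub Pages
        uses: JamesIves/github-pages-deploy-action@6c2d9db40f9296374acc17b90404b6e8864128c8 # v4.7.3
        with:
          folder: docs
          target-folder: docs
          branch: main
          clean: false

  # Builds the release zip from the tagged source, generates the SBOM and signs
  # provenance + SBOM attestations for the zip. Exports the zip's sha256 so the
  # release job can confirm it received the exact file that was attested.
  build:
    name: Build Release Package
    needs: [prepare]
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write # OIDC token for Sigstore signing of the attestations
      attestations: write # store the attestations on the repository
      packages: read # kept from the original grant for npm ci
    outputs:
      zip_sha256: ${{ steps.digest.outputs.sha256 }}
    env:
      VERSION: ${{ needs.prepare.outputs.version }}
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
        with:
          egress-policy: audit

      - name: Checkout repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0
          # Tag pushes use the pushed ref; a dispatch uses the tag prepare just created.
          ref: ${{ github.event_name == 'push' && github.ref || needs.prepare.outputs.version }}
          # Nothing in this job pushes, so the token is not left in .git/config.
          persist-credentials: false

      - name: Setup Node.js
        uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
        with:
          node-version: "20"
          cache: "npm"

      - name: Install dependencies
        run: npm ci

      - name: Build application
        run: npm run build
        env:
          VITE_APP_VERSION: ${{ needs.prepare.outputs.version }}

      # Vite is configured to emit into build/ rather than dist/.
      - name: Package build output
        run: |
          set -euo pipefail
          cd build
          zip -r "../cia-compliance-manager-${VERSION}.zip" .

      - name: Record package digest
        id: digest
        run: |
          set -euo pipefail
          SHA256="$(sha256sum "cia-compliance-manager-${VERSION}.zip" | cut -d' ' -f1)"
          echo "sha256=${SHA256}" >> "$GITHUB_OUTPUT"
          echo "zip sha256: ${SHA256}"

      - name: Upload build artifact
        uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
        with:
          name: build-artifacts
          path: |
            build/
            cia-compliance-manager-${{ env.VERSION }}.zip
          if-no-files-found: error

      - name: Generate SBOM
        uses: anchore/sbom-action@f325610c9f50a54015d37c8d16cb3b0e2c8f4de0 # v0.18.0
        id: sbom
        with:
          format: spdx-json
          output-file: cia-compliance-manager-${{ env.VERSION }}.spdx.json
          artifact-name: cia-compliance-manager-${{ env.VERSION }}

      # The subject digest is always sha256; the bundle file the action writes is
      # renamed by the copy step below, so no extra inputs are passed here.
      - name: Generate artifact attestation
        uses: actions/attest-build-provenance@c074443f1aee8d4aeeae555aebba3282517141b2 # v2.2.3
        id: attest
        with:
          subject-path: cia-compliance-manager-${{ env.VERSION }}.zip

      - name: Copy artifact attestation for zip
        env:
          BUNDLE: ${{ steps.attest.outputs.bundle-path }}
        run: cp "$BUNDLE" "cia-compliance-manager-${VERSION}.zip.intoto.jsonl"

      - name: Generate SBOM attestation
        id: attestsbom
        uses: actions/attest-sbom@115c3be05ff3974bcbd596578934b3f9ce39bf68 # v2.2.0
        with:
          subject-path: cia-compliance-manager-${{ env.VERSION }}.zip
          sbom-path: cia-compliance-manager-${{ env.VERSION }}.spdx.json

      - name: Copy SBOM attestation for zip
        env:
          BUNDLE: ${{ steps.attestsbom.outputs.bundle-path }}
        run: cp "$BUNDLE" "cia-compliance-manager-${VERSION}.spdx.json.intoto.jsonl"

      - name: Upload security artifacts
        uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
        with:
          name: security-artifacts
          path: |
            cia-compliance-manager-${{ env.VERSION }}.spdx.json
            cia-compliance-manager-${{ env.VERSION }}.zip.intoto.jsonl
            cia-compliance-manager-${{ env.VERSION }}.spdx.json.intoto.jsonl
          if-no-files-found: error

  # Publishes the GitHub release with the zip, SBOM and attestation bundles, then
  # unpacks the zip into docs/ on main (the Pages site). Note that the attestations
  # cover the zip, not the unpacked files committed to main.
  release:
    name: Create Release
    needs: [prepare, build]
    runs-on: ubuntu-latest
    permissions:
      contents: write # create the release, push docs/ to main
      pull-requests: write # release-drafter reads merged PRs (write also covers its autolabeler)
    env:
      VERSION: ${{ needs.prepare.outputs.version }}
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
        with:
          egress-policy: audit

      - name: Checkout repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0
          ref: ${{ github.event_name == 'push' && github.ref || needs.prepare.outputs.version }}

      - name: Download build artifacts
        uses: actions/download-artifact@cc203385981b70ca67e1cc392babf9cc229d5806 # v4.1.9
        with:
          name: build-artifacts
          path: artifacts/build

      - name: Download security artifacts
        uses: actions/download-artifact@cc203385981b70ca67e1cc392babf9cc229d5806 # v4.1.9
        with:
          name: security-artifacts
          path: artifacts/security

      # The expected digest travels through job outputs, not the artifact store,
      # so a substituted artifact cannot bring its own matching checksum. This is
      # the file the provenance attestation was signed over; publishing anything
      # else alongside those bundles would be a silent mismatch.
      - name: Verify downloaded package matches the attested digest
        env:
          EXPECTED_SHA256: ${{ needs.build.outputs.zip_sha256 }}
        run: |
          set -euo pipefail
          if [[ -z "$EXPECTED_SHA256" ]]; then
            echo "build job exported no zip digest; refusing to release" >&2
            exit 1
          fi
          echo "${EXPECTED_SHA256}  artifacts/build/cia-compliance-manager-${VERSION}.zip" | sha256sum -c -

      - name: Draft Release Notes
        id: release-drafter
        uses: release-drafter/release-drafter@b1476f6e6eb133afa41ed8589daba6dc69b4d3f5 # v6.1.0
        with:
          version: ${{ env.VERSION }}
          tag: ${{ env.VERSION }}
          name: CIA Compliance Manager ${{ env.VERSION }}
          publish: false
          prerelease: ${{ needs.prepare.outputs.is_prerelease }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Create GitHub Release
        uses: ncipollo/release-action@440c8c1cb0ed28b9f43e4d1d670870f059653174 # v1.16.0
        with:
          tag: ${{ env.VERSION }}
          name: CIA Compliance Manager ${{ env.VERSION }}
          body: ${{ steps.release-drafter.outputs.body }}
          generateReleaseNotes: true
          draft: false
          prerelease: ${{ needs.prepare.outputs.is_prerelease }}
          artifacts: |
            artifacts/build/cia-compliance-manager-${{ env.VERSION }}.zip
            artifacts/security/cia-compliance-manager-${{ env.VERSION }}.spdx.json
            artifacts/security/cia-compliance-manager-${{ env.VERSION }}.zip.intoto.jsonl
            artifacts/security/cia-compliance-manager-${{ env.VERSION }}.spdx.json.intoto.jsonl
          token: ${{ secrets.GITHUB_TOKEN }}

      # The app is unpacked into docs/ (next step), so the stale copy lives at
      # docs/index.html and docs/assets. The previous paths (docs/index.html.html
      # and a repo-root assets/) matched nothing the deploy writes, so old hashed
      # bundles were never removed.
      # NOTE(review): confirm docs/assets holds only build output before relying on this.
      - name: Remove previously deployed app files
        run: rm -rf docs/index.html docs/assets

      - name: Unpack new version of the app into docs/
        run: unzip -o "artifacts/build/cia-compliance-manager-${VERSION}.zip" -d docs/

      - name: Deploy app to GitHub Pages
        uses: JamesIves/github-pages-deploy-action@6c2d9db40f9296374acc17b90404b6e8864128c8 # v4.7.3
        with:
          folder: docs
          target-folder: docs
          branch: main
          clean: false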