Build, Attest and Release #14

Workflow file for this run

.github/workflows/release.yml at d7d02e7

	name: Build, Attest and Release

	on:
	workflow_dispatch:
	inputs:
	version:
	description: "Version to release (vX.Y.Z format)"
	required: true
	default: "v0.1.0"
	prerelease:
	description: "Is this a pre-release?"
	type: boolean
	default: false
	push:
	tags:
	- "v*"

	permissions:
	contents: write
	attestations: write
	id-token: write
	packages: read
	security-events: write
	issues: write
	pull-requests: write

	jobs:
	prepare:
	name: Prepare Release
	runs-on: ubuntu-latest
	outputs:
	version: ${{ steps.get-version.outputs.version }}
	is_prerelease: ${{ github.event.inputs.prerelease \|\| 'false' }}
	steps:
	- name: Harden Runner
	uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
	with:
	egress-policy: audit

	- name: Checkout repository
	uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
	with:
	fetch-depth: 0

	- name: Get version
	id: get-version
	run: \|
	if [[ "${{ github.event_name }}" == "push" ]]; then
	VERSION=${GITHUB_REF#refs/tags/}
	else
	VERSION=${{ github.event.inputs.version }}
	fi
	echo "version=${VERSION}" >> $GITHUB_OUTPUT
	echo "Version: ${VERSION}"

	- name: Setup display and dependencies
	run: \|
	sudo apt-get update
	sudo apt-get install -y xvfb libgtk2.0-0 libgtk-3-0 libgbm-dev libnotify-dev libnss3 libxss1 libasound2t64 libxtst6 xauth
	sudo mkdir -p /var/run/dbus
	sudo dbus-daemon --system --fork

	- name: Setup Node.js
	uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
	with:
	node-version: "20"
	cache: "npm"

	- name: Cache dependencies
	uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2
	with:
	path: ~/.npm
	key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
	restore-keys: \|
	${{ runner.os }}-node-

	- name: Cache Cypress binary
	uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2
	with:
	path: ~/.cache/Cypress
	key: cypress-${{ runner.os }}-${{ hashFiles('**/package.json') }}

	- name: Install dependencies
	run: npm ci

	- name: Set Version for release
	if: github.event_name == 'workflow_dispatch'
	run: \|
	PLAIN_VERSION="${{ github.event.inputs.version }}"
	# Remove 'v' prefix if present
	PLAIN_VERSION="${PLAIN_VERSION#v}"
	npm version $PLAIN_VERSION --no-git-tag-version

	- uses: stefanzweifel/git-auto-commit-action@e348103e9026cc0eee72ae06630dbe30c8bf7a79 # v5.1.0
	if: github.event_name == 'workflow_dispatch'
	with:
	commit_message: "chore(release): bump version to ${{ github.event.inputs.version }}"
	tagging_message: "${{ github.event.inputs.version }}"

	- name: Run unit tests with coverage
	run: xvfb-run --auto-servernum npm run test:ci

	- name: Verify Cypress
	run: npx cypress verify

	- name: Start app and run Cypress tests
	run: \|
	xvfb-run --auto-servernum --server-args="-screen 0 1280x720x24" npm run test:e2e
	env:
	CYPRESS_VIDEO: false

	- name: Install GraphViz
	run: \|
	sudo apt-get update
	sudo apt-get install -y graphviz

	# Run tests with coverage
	- name: Run tests with coverage
	run: npm run coverage

	# Create coverage directory in docs
	- name: Prepare coverage directory
	run: mkdir -p docs/coverage docs/dependencies

	# Generate documentation bundle
	- name: Generate Coverage
	run: npm run docs:bundle

	- name: Merge e2e test report
	run: npm run test:e2ereportmerge

	- name: Generate e2e html report
	run: npm run test:e2ereporthtmlall

	# Only deploy on push to main, not PRs
	- name: Deploy to GitHub Pages
	uses: JamesIves/github-pages-deploy-action@6c2d9db40f9296374acc17b90404b6e8864128c8 # v4.7.3
	with:
	folder: docs
	target-folder: docs
	branch: main
	clean: false


	build:
	name: Build Release Package
	needs: [prepare]
	runs-on: ubuntu-latest
	steps:
	- name: Harden Runner
	uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
	with:
	egress-policy: audit

	- name: Checkout repository
	uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
	with:
	fetch-depth: 0
	# Use GITHUB_REF directly for tag events
	ref: ${{ github.event_name == 'push' && github.ref \|\| github.event_name == 'workflow_dispatch' && github.event.inputs.version \|\| '' }}

	- name: Setup Node.js
	uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
	with:
	node-version: "20"
	cache: "npm"

	- name: Cache dependencies
	uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2
	with:
	path: ~/.npm
	key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
	restore-keys: \|
	${{ runner.os }}-node-

	- name: Install dependencies
	run: npm ci

	- name: Build application
	run: npm run build
	env:
	VITE_APP_VERSION: ${{ needs.prepare.outputs.version }}

	- name: Create artifacts directory
	run: \|
	mkdir -p release-artifacts
	# Use build directory instead of dist to match vite config
	cd build
	zip -r ../cia-compliance-manager-${{ needs.prepare.outputs.version }}.zip .

	- name: Upload build artifact
	uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
	with:
	name: build-artifacts
	path: \|
	build/
	cia-compliance-manager-${{ needs.prepare.outputs.version }}.zip
	if-no-files-found: error

	- name: Generate SBOM
	uses: anchore/sbom-action@f325610c9f50a54015d37c8d16cb3b0e2c8f4de0 # v0.18.0
	id: sbom
	with:
	format: spdx-json
	output-file: cia-compliance-manager-${{ needs.prepare.outputs.version }}.spdx.json
	artifact-name: cia-compliance-manager-${{ needs.prepare.outputs.version }}

	- name: Generate artifact attestation
	uses: actions/attest-build-provenance@c074443f1aee8d4aeeae555aebba3282517141b2 # v2.2.3
	id: attest
	with:
	subject-path: cia-compliance-manager-${{ needs.prepare.outputs.version }}.zip
	subject-digest-algorithm: sha256
	bundle-path: cia-compliance-manager-${{ needs.prepare.outputs.version }}.zip.intoto.jsonl

	- name: Copy artifact attestation for zip
	run: cp ${{ steps.attest.outputs.bundle-path }} cia-compliance-manager-${{ needs.prepare.outputs.version }}.zip.intoto.jsonl

	- name: Generate SBOM attestation
	id: attestsbom
	uses: actions/attest-sbom@115c3be05ff3974bcbd596578934b3f9ce39bf68 # v2.2.0
	with:
	subject-path: cia-compliance-manager-${{ needs.prepare.outputs.version }}.zip
	sbom-path: cia-compliance-manager-${{ needs.prepare.outputs.version }}.spdx.json

	- name: Copy SBOM attestation for zip
	run: cp ${{ steps.attestsbom.outputs.bundle-path }} cia-compliance-manager-${{ needs.prepare.outputs.version }}.spdx.json.intoto.jsonl

	- name: Upload security artifacts
	uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
	with:
	name: security-artifacts
	path: \|
	cia-compliance-manager-${{ needs.prepare.outputs.version }}.spdx.json
	cia-compliance-manager-${{ needs.prepare.outputs.version }}.zip.intoto.jsonl
	cia-compliance-manager-${{ needs.prepare.outputs.version }}.spdx.json.intoto.jsonl
	if-no-files-found: error

	release:
	name: Create Release
	needs: [prepare, build]
	runs-on: ubuntu-latest
	steps:
	- name: Harden Runner
	uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
	with:
	egress-policy: audit

	- name: Checkout repository
	uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
	with:
	fetch-depth: 0
	# Use GITHUB_REF directly for tag events
	ref: ${{ github.event_name == 'push' && github.ref \|\| github.event_name == 'workflow_dispatch' && github.event.inputs.version \|\| '' }}

	- name: Download build artifacts
	uses: actions/download-artifact@cc203385981b70ca67e1cc392babf9cc229d5806 # v4.1.9
	with:
	name: build-artifacts
	path: artifacts/build

	- name: Download security artifacts
	uses: actions/download-artifact@cc203385981b70ca67e1cc392babf9cc229d5806 # v4.1.9
	with:
	name: security-artifacts
	path: artifacts/security

	- name: Draft Release Notes
	id: release-drafter
	uses: release-drafter/release-drafter@b1476f6e6eb133afa41ed8589daba6dc69b4d3f5 # v6.1.0
	with:
	version: ${{ needs.prepare.outputs.version }}
	tag: ${{ needs.prepare.outputs.version }}
	name: CIA Compliance Manager ${{ needs.prepare.outputs.version }}
	publish: false
	prerelease: ${{ needs.prepare.outputs.is_prerelease }}
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

	- name: Create GitHub Release
	uses: ncipollo/release-action@440c8c1cb0ed28b9f43e4d1d670870f059653174 # v1.16.0
	with:
	tag: ${{ needs.prepare.outputs.version }}
	name: CIA Compliance Manager ${{ needs.prepare.outputs.version }}
	body: ${{ steps.release-drafter.outputs.body }}
	generateReleaseNotes: true
	draft: false
	prerelease: ${{ needs.prepare.outputs.is_prerelease }}
	artifacts: \|
	artifacts/build/cia-compliance-manager-${{ needs.prepare.outputs.version }}.zip
	artifacts/security/cia-compliance-manager-${{ needs.prepare.outputs.version }}.spdx.json
	artifacts/security/cia-compliance-manager-${{ needs.prepare.outputs.version }}.zip.intoto.jsonl
	artifacts/security/cia-compliance-manager-${{ needs.prepare.outputs.version }}.spdx.json.intoto.jsonl
	token: ${{ secrets.GITHUB_TOKEN }}

	- name: Remove old version of APP
	run: rm -rf docs/index.html.html assets

	- name: Deploy new version of APP
	run: unzip -o artifacts/build/cia-compliance-manager-${{ needs.prepare.outputs.version }}.zip -d docs/

	- name: Deploy APP To GitHub Pages
	uses: JamesIves/github-pages-deploy-action@6c2d9db40f9296374acc17b90404b6e8864128c8 # v4.7.3
	with:
	folder: docs
	target-folder: docs
	branch: main
	clean: false

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Build, Attest and Release #14

Workflow file

Build, Attest and Release #14

Uh oh!

Jobs

Run details

Workflow file for this run