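# Manually triggered release workflow. It builds opengrep for each platform
# through reusable workflows, signs the resulting binaries with Cosign
# (keyless), and attaches binaries, signatures and signing certificates to a
# draft pre-release.
name: rolling-release

on:
  workflow_dispatch:
    inputs:
      # Used verbatim as the release tag. It is only ever passed to an action
      # through `with:` below, never interpolated into a `run:` script.
      tag:
        description: the tag to use
        required: true
        type: string

# NOTE(review): these grants are workflow-wide. In this file only the release
# job signs and publishes; the build jobs are reusable workflows that are not
# shown here, and a called workflow can receive at most the caller's
# permissions. Consider `contents: read` at this level and moving the two
# write grants under `jobs.release.permissions`, after confirming that none of
# the called workflows requests more than read access.
permissions:
  contents: write
  id-token: write  # for Cosign keyless

jobs:
  # --- Stage 1: build and test, one reusable workflow per platform ---------
  build-linux-x86:
    uses: ./.github/workflows/build-test-core-x86.yml

  build-linux-aarch64:
    uses: ./.github/workflows/build-test-core-aarch64.yml

  build-osx-arm64:
    uses: ./.github/workflows/build-test-osx.yml

  build-osx-x86:
    uses: ./.github/workflows/build-test-osx.yml
    with:
      arch: x86_64

  build-windows-x86:
    uses: ./.github/workflows/build-test-windows-x86.yml

  # --- Stage 2: package binaries; each job waits for its stage-1 build -----
  build-manylinux-binary-x86:
    needs: build-linux-x86
    uses: ./.github/workflows/build-manylinux-binary.yml

  build-manylinux-binary-aarch64:
    needs: build-linux-aarch64
    uses: ./.github/workflows/build-manylinux-binary.yml
    with:
      arch: aarch64

  build-musllinux-binary-x86:
    needs: build-linux-x86
    uses: ./.github/workflows/build-musllinux-binary.yml

  build-musllinux-binary-aarch64:
    needs: build-linux-aarch64
    uses: ./.github/workflows/build-musllinux-binary.yml
    with:
      arch: aarch64

  build-osx-binary-arm64:
    needs: build-osx-arm64
    uses: ./.github/workflows/build-osx-binary.yml

  build-osx-binary-x86:
    needs: build-osx-x86
    uses: ./.github/workflows/build-osx-binary.yml
    with:
      arch: x86_64

  build-windows-binary-x86:
    needs: build-windows-x86
    uses: ./.github/workflows/build-windows-binary-x86.yml

  # --- Stage 3: collect, sign and publish -----------------------------------
  release:
    runs-on: ubuntu-latest
    # Entries marked "redundant" are already implied by the binary jobs, which
    # declare the same build jobs in their own `needs`.
    needs:
      - build-linux-x86  # redundant
      - build-linux-aarch64  # redundant
      - build-manylinux-binary-x86
      - build-manylinux-binary-aarch64
      - build-musllinux-binary-x86
      - build-musllinux-binary-aarch64
      - build-osx-arm64  # redundant
      - build-osx-binary-arm64
      - build-osx-x86  # redundant
      - build-osx-binary-x86
      - build-windows-x86  # redundant
      - build-windows-binary-x86
    steps:
      # No `name:` is given, so every artifact of this run is downloaded, each
      # into its own subdirectory of artifacts/. The script below relies on
      # that layout.
      - name: Download All Artifacts
        uses: actions/download-artifact@cc203385981b70ca67e1cc392babf9cc229d5806  # v4
        with:
          # merge-multiple: true
          path: artifacts/

      - name: Display structure of downloaded files
        run: ls -R

      # Unpacks each platform archive in place and renames the binary so that
      # every release asset has a unique, platform-specific file name. The
      # Windows artifact is not unzipped here; its .exe is renamed directly.
      # NOTE(review): the wheels extracted by the first two commands are not
      # referenced by the signing or release steps in this file.
      - name: Prepare wheels and binaries
        run: |
          pushd artifacts/
          unzip -j ./manylinux-x86-wheel/dist.zip "*.whl"
          unzip -j ./osx-arm64-wheel/dist.zip "*.whl"
          unzip ./opengrep_manylinux_binary_x86_64/opengrep.zip -d ./opengrep_manylinux_binary_x86_64
          pushd opengrep_manylinux_binary_x86_64; mv opengrep opengrep_manylinux_x86; popd
          ls -l opengrep_manylinux_binary_x86_64
          unzip ./opengrep_manylinux_binary_aarch64/opengrep.zip -d ./opengrep_manylinux_binary_aarch64
          pushd opengrep_manylinux_binary_aarch64; mv opengrep opengrep_manylinux_aarch64; popd
          ls -l opengrep_manylinux_binary_aarch64
          unzip ./opengrep_musllinux_binary_x86_64/opengrep.zip -d ./opengrep_musllinux_binary_x86_64
          pushd opengrep_musllinux_binary_x86_64; mv opengrep opengrep_musllinux_x86; popd
          ls -l opengrep_musllinux_binary_x86_64
          unzip ./opengrep_musllinux_binary_aarch64/opengrep.zip -d ./opengrep_musllinux_binary_aarch64
          pushd opengrep_musllinux_binary_aarch64; mv opengrep opengrep_musllinux_aarch64; popd
          ls -l opengrep_musllinux_binary_aarch64
          unzip ./opengrep_osx_binary_arm64/opengrep.zip -d ./opengrep_osx_binary_arm64
          pushd opengrep_osx_binary_arm64; mv opengrep opengrep_osx_arm64; popd
          ls -l opengrep_osx_binary_arm64
          unzip ./opengrep_osx_binary_x86/opengrep.zip -d ./opengrep_osx_binary_x86
          pushd opengrep_osx_binary_x86; mv opengrep opengrep_osx_x86; popd
          ls -l opengrep_osx_binary_x86
          pushd opengrep_windows_binary_x86; mv opengrep.exe opengrep_windows_x86.exe; popd
          popd

      # NOTE(review): unlike the other actions in this job, which are pinned
      # to full commit SHAs, this one follows a mutable tag. It installs the
      # tool that signs with this workflow's OIDC identity, so pin it as well:
      # sigstore/cosign-installer@<FULL_COMMIT_SHA>  # v3
      # The action's `cosign-release` input can additionally fix the Cosign
      # version that gets installed.
      - name: Install Cosign
        uses: sigstore/cosign-installer@v3

      # Keyless signing: there is no long-lived key; the signature is bound to
      # the workflow identity obtained through `id-token: write`. For every
      # binary this writes <binary>.sig and <binary>.cert next to it. `--yes`
      # answers Cosign's confirmation prompts, which a CI job cannot do
      # interactively. Consumers should check each download with
      # `cosign verify-blob`, matching the certificate identity and OIDC
      # issuer against this workflow rather than accepting any valid
      # certificate.
      - name: Sign all binaries in artifacts
        run: |
          files_to_sign=(
          artifacts/opengrep_manylinux_binary_x86_64/opengrep_manylinux_x86
          artifacts/opengrep_manylinux_binary_aarch64/opengrep_manylinux_aarch64
          artifacts/opengrep_musllinux_binary_x86_64/opengrep_musllinux_x86
          artifacts/opengrep_musllinux_binary_aarch64/opengrep_musllinux_aarch64
          artifacts/opengrep_osx_binary_arm64/opengrep_osx_arm64
          artifacts/opengrep_osx_binary_x86/opengrep_osx_x86
          artifacts/opengrep_windows_binary_x86/opengrep_windows_x86.exe)
          for bin in "${files_to_sign[@]}"; do
          echo "Signing $bin..."
          cosign sign-blob \
          --yes \
          --output-signature "$bin.sig" \
          --output-certificate "$bin.cert" \
          "$bin"
          done

      # Publishes every binary with its .cert and .sig as a draft pre-release
      # under the tag supplied at dispatch time.
      - name: Create or Update Rolling Release
        uses: softprops/action-gh-release@c95fe1489396fe8a9eb87c0abf8aa5b2ef267fda  # v2
        with:
          tag_name: ${{ inputs.tag }}
          name: Release from `${{ github.ref_name }}`
          draft: true
          prerelease: true
          generate_release_notes: true
          # Fail the job if any listed binary, certificate or signature is
          # missing, so a release cannot go out with an unsigned or
          # incomplete asset set.
          fail_on_unmatched_files: true
          files: |
            artifacts/opengrep_manylinux_binary_x86_64/opengrep_manylinux_x86
            artifacts/opengrep_manylinux_binary_x86_64/opengrep_manylinux_x86.cert
            artifacts/opengrep_manylinux_binary_x86_64/opengrep_manylinux_x86.sig
            artifacts/opengrep_manylinux_binary_aarch64/opengrep_manylinux_aarch64
            artifacts/opengrep_manylinux_binary_aarch64/opengrep_manylinux_aarch64.cert
            artifacts/opengrep_manylinux_binary_aarch64/opengrep_manylinux_aarch64.sig
            artifacts/opengrep_musllinux_binary_x86_64/opengrep_musllinux_x86
            artifacts/opengrep_musllinux_binary_x86_64/opengrep_musllinux_x86.cert
            artifacts/opengrep_musllinux_binary_x86_64/opengrep_musllinux_x86.sig
            artifacts/opengrep_musllinux_binary_aarch64/opengrep_musllinux_aarch64
            artifacts/opengrep_musllinux_binary_aarch64/opengrep_musllinux_aarch64.cert
            artifacts/opengrep_musllinux_binary_aarch64/opengrep_musllinux_aarch64.sig
            artifacts/opengrep_osx_binary_arm64/opengrep_osx_arm64
            artifacts/opengrep_osx_binary_arm64/opengrep_osx_arm64.cert
            artifacts/opengrep_osx_binary_arm64/opengrep_osx_arm64.sig
            artifacts/opengrep_osx_binary_x86/opengrep_osx_x86
            artifacts/opengrep_osx_binary_x86/opengrep_osx_x86.cert
            artifacts/opengrep_osx_binary_x86/opengrep_osx_x86.sig
            artifacts/opengrep_windows_binary_x86/opengrep_windows_x86.exe
            artifacts/opengrep_windows_binary_x86/opengrep_windows_x86.exe.cert
            artifacts/opengrep_windows_binary_x86/opengrep_windows_x86.exe.sig
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}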