diff --git a/.github/actions/bootstrap/action.yaml b/.github/actions/bootstrap/action.yaml
index 4034f2e2..cd54c442 100644
--- a/.github/actions/bootstrap/action.yaml
+++ b/.github/actions/bootstrap/action.yaml
@@ -75,9 +75,10 @@ runs:
python-version: ${{ inputs.python-version }}
- name: Install poetry
- uses: abatilo/actions-poetry@v2.2.0
- with:
- poetry-version: ${{ inputs.poetry-version }}
+ shell: bash
+ run: |
+ pipx install poetry==${{ inputs.poetry-version }}
+ poetry self add "poetry-dynamic-versioning[plugin]"
- name: Cache Poetry virtualenv
uses: actions/cache@v3
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 89dbc004..5186164b 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -53,7 +53,7 @@ jobs:
echo "Nightly Quality Gate Status: ${{ steps.nightly-quality-gate.conclusion }}"
false
- release:
+ tag:
needs:
- quality-gate
runs-on: ubuntu-20.04
@@ -69,6 +69,48 @@ jobs:
# in order to properly resolve the version from git
fetch-depth: 0
+ - name: Tag release
+ run: |
+ git tag ${{ github.event.inputs.version }}
+ git push origin --tags
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ release-pypi:
+ needs:
+ - tag
+ runs-on: ubuntu-20.04
+ environment: release
+ permissions:
+ contents: read
+ steps:
+ - uses: actions/checkout@v3
+ with:
+ # in order to properly resolve the version from git
+ fetch-depth: 0
+
+ - name: Bootstrap environment
+ uses: ./.github/actions/bootstrap
+
+ - name: Publish to PyPI
+ run: make ci-publish-pypi
+ env:
+ POETRY_PYPI_TOKEN_PYPI: ${{ secrets.VUNNEL_PYPI_TOKEN }}
+
+ release-docker:
+ needs:
+ - tag
+ runs-on: ubuntu-20.04
+ environment: release
+ permissions:
+ contents: read
+ packages: write
+ steps:
+ - uses: actions/checkout@v3
+ with:
+ # in order to properly resolve the version from git
+ fetch-depth: 0
+
- name: Bootstrap environment
uses: ./.github/actions/bootstrap
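Review bot: `poetry self add "poetry-dynamic-versioning[plugin]"` in the new `run:` step installs whatever version the index serves on the day the job runs, while everything around it is pinned (`pipx install poetry==${{ inputs.poetry-version }}`, and the action this replaces was pinned at `abatilo/actions-poetry@v2.2.0`); an unpinned plugin that executes inside every build is both a supply-chain gap and a reproducibility gap for the release artifacts. Pin it to an exact version, ideally through a second action input next to `poetry-version` so the two are bumped together. Also, `${{ inputs.poetry-version }}` is substituted into the script text before bash runs; for a composite action the value is caller-supplied rather than attacker-supplied, so the risk is low, but the conventional shape is `env: POETRY_VERSION: ${{ inputs.poetry-version }}` with `pipx install "poetry==$POETRY_VERSION"` in the script.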
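Review bot: `git tag ${{ github.event.inputs.version }}` in the new `Tag release` step expands a `workflow_dispatch` input into the script before bash sees it, so anyone who can trigger the workflow can run arbitrary commands on a runner that is about to push a tag with whatever permissions the `tag` job holds (the job's `permissions:` block is above this hunk; the push itself needs `contents: write`), and the value is never checked to look like a version before it becomes a tag name. Read the input from `env:` instead, reject anything that is not a plain tag name, and push exactly that ref rather than `--tags`, which pushes every local tag. The `GITHUB_TOKEN` env on the step looks unused, since `actions/checkout` persists its credentials for `git push` by default, so it could probably be dropped. Separately, `release-pypi` publishes with the long-lived `VUNNEL_PYPI_TOKEN`; if the PyPI project supports trusted publishing, an `id-token: write` job with no stored secret would be the stronger option.

```yaml
      - name: Tag release
        env:
          VERSION: ${{ github.event.inputs.version }}
        run: |
          # refuse anything that is not a bare version-style tag name
          [[ "$VERSION" =~ ^v?[0-9]+\.[0-9]+\.[0-9]+([-.][0-9A-Za-z.-]+)?$ ]] || { echo "invalid version: $VERSION" >&2; exit 1; }
          git tag "$VERSION"
          git push origin "refs/tags/$VERSION"
```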
@@ -77,19 +119,31 @@ jobs:
echo ${{ secrets.GITHUB_TOKEN }} | oras login ghcr.io --username ${{ github.actor }} --password-stdin
echo ${{ secrets.GITHUB_TOKEN }} | docker login ghcr.io --username ${{ github.actor }} --password-stdin
- - name: Tag release
- run: |
- git tag ${{ github.event.inputs.version }}
- git push origin --tags
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
- name: Promote commit image to release
run: |
make ci-promote-release
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ release-github:
+ needs:
+ - tag
+ runs-on: ubuntu-20.04
+ environment: release
+ permissions:
+ contents: read
+ packages: write
+ issues: read
+ pull-requests: read
+ steps:
+ - uses: actions/checkout@v3
+ with:
+ # in order to properly resolve the version from git
+ fetch-depth: 0
+
+ - name: Bootstrap environment
+ uses: ./.github/actions/bootstrap
+
- name: Create github release
run: |
make changelog
diff --git a/.github/workflows/validations.yaml b/.github/workflows/validations.yaml
index d9ed04fc..fba829a6 100644
--- a/.github/workflows/validations.yaml
+++ b/.github/workflows/validations.yaml
@@ -15,8 +15,6 @@ jobs:
runs-on: ubuntu-20.04
permissions:
contents: read
- # package write permission is needed for publishing commit images
- packages: write
steps:
- uses: actions/checkout@v3
with:
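Review bot: The new `release-github` job declares `contents: read`, but the step it exists for, `Create github release`, whose `run:` block continues past the end of the hunk, presumably creates a release, and doing that with `GITHUB_TOKEN` requires `contents: write`; if the hidden part of the step uses a PAT instead, `contents: read` is correct and the token's origin should be stated in a comment. Conversely, `packages: write` on this job matches nothing visible here — the image promotion lives in `release-docker` — so under least privilege it should be dropped unless the rest of the step pushes to GHCR. A one-line comment per grant on the `permissions:` block, in the style `validations.yaml` already uses for `packages: write`, would keep the split of privileges across the four jobs reviewable.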
@@ -39,11 +37,35 @@ jobs:
- name: Build assets
run: poetry run make build
+ Publish-PreProd:
+ runs-on: ubuntu-20.04
+ needs: [Validations]
+ if: github.ref == 'refs/heads/main'
+ permissions:
+ contents: read
+ # package write permission is needed for publishing commit images
+ packages: write
+ steps:
+ - uses: actions/checkout@v3
+ with:
+ # in order to properly resolve the version from git
+ fetch-depth: 0
+
+ - name: Bootstrap environment
+ uses: ./.github/actions/bootstrap
+
- name: Login to ghcr.io
- if: github.ref == 'refs/heads/main'
run: |
echo ${{ secrets.GITHUB_TOKEN }} | docker login ghcr.io --username ${{ github.actor }} --password-stdin
+ - name: Build assets
+ run: poetry run make build
+
- name: Publish commit image
- if: github.ref == 'refs/heads/main'
run: make ci-publish-commit
+
+ - name: Publish to test PyPI
+ run: make ci-publish-testpypi
+ env:
+ # note: "..._TESTPYPI" suffix should match the name of the testpypi repository (see the Makefile target)
+ POETRY_PYPI_TOKEN_TESTPYPI: ${{ secrets.TEST_PYPI_TOKEN }}
diff --git a/Makefile b/Makefile
index ec7a28ac..15f9e43b 100644
--- a/Makefile
+++ b/Makefile
@@ -12,6 +12,7 @@ GRYPE_DB_PATH ?= ../grype-db
CRANE = $(TEMP_DIR)/crane
CHRONICLE = $(TEMP_DIR)/chronicle
GLOW = $(TEMP_DIR)/glow
+PUBLISH_CMD = poetry publish --build -n
# Tool versions #################################
CHRONICLE_VERSION = v0.6.0
@@ -123,8 +124,12 @@ unit: virtual-env-check ## Run unit tests
## Build-related targets #################################
+.PHONY: check-build-deps
+check-build-deps:
+ @poetry self show plugins | grep poetry-dynamic-versioning || echo "install poetry-dynamic-versioning plugin with 'poetry plugin add poetry-dynamic-versioning[plugin]'"
+
.PHONY: build
-build: ## Run build assets
+build: check-build-deps ## Run build assets
git fetch --tags
rm -rf dist
poetry build
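Review bot: The `Login to ghcr.io` step that the new `Publish-PreProd` job takes over writes the token into the script itself via `echo ${{ secrets.GITHUB_TOKEN }} | docker login ...`; GitHub masks the value in logs, but expression interpolation into `run:` materializes the secret in the generated script, where a `set -x` or an error echo can expose it. Prefer `docker/login-action` with `password: ${{ secrets.GITHUB_TOKEN }}`, or keep the shell form but put `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` under the step's `env:` and run `docker login ghcr.io --username "$GITHUB_ACTOR" --password-stdin <<< "$GITHUB_TOKEN"`. The same shape applies to the `oras login` and `docker login` lines in `release.yaml`. One more thing worth a comment on the job: it now pushes to TestPyPI on every commit to `main` without an `environment:` gate, so `TEST_PYPI_TOKEN` is exercised far more often than the release token — a line such as `# publishes on every main commit; TestPyPI only, so no environment approval` would record that this is deliberate.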
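Review bot: `check-build-deps` never fails: when `grep` finds nothing, the `|| echo ...` branch runs and exits 0, so `build` (and the publish targets that now depend on it) carries on without `poetry-dynamic-versioning` and ships an artifact whose version was not derived from the git tag. Make the miss an error — `@poetry self show plugins | grep -q poetry-dynamic-versioning || { echo "install poetry-dynamic-versioning plugin with 'poetry self add poetry-dynamic-versioning[plugin]'" >&2; exit 1; }` — which also brings the hint in line with the `poetry self add` command the bootstrap action actually runs (`poetry plugin add` is an older spelling), and `-q` stops the plugin listing from being printed on every build. `build` could also depend on the new `clean-dist` target instead of keeping its own `rm -rf dist`. Whether `poetry build` is the last line of the `build` recipe is not visible from this hunk.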
@@ -149,6 +154,15 @@ ci-promote-release: ci-check
$(CRANE) tag $(IMAGE_NAME):$(COMMIT_TAG) $(PACKAGE_VERSION)
$(CRANE) tag $(IMAGE_NAME):$(COMMIT_TAG) latest
+.PHONY: ci-publish-testpypi
+ci-publish-testpypi: clean-dist check-build-deps
+ poetry config repositories.testpypi https://test.pypi.org/legacy/
+ $(PUBLISH_CMD) -r testpypi
+
+.PHONY: ci-publish-pypi
+ci-publish-pypi: ci-check clean-dist check-build-deps
+ $(PUBLISH_CMD)
+
.PHONY: changelog
changelog:
@$(CHRONICLE) -vvv -n . --version-file VERSION > CHANGELOG.md
@@ -159,6 +173,12 @@ release:
@.github/scripts/trigger-release.sh
+## Cleanup #################################
+
+.PHONY: clean-dist
+clean-dist:
+ rm -rf dist
+
## Halp! #################################
.PHONY: help
diff --git a/README.md b/README.md
index a74a0519..2e8be3c3 100644
--- a/README.md
+++ b/README.md
@@ -20,10 +20,7 @@ Supported data sources:
With pip:
```bash
-pip install git+https://github.com/anchore/vunnel@main
-
-# or use a git tag
-pip install git+https://github.com/anchore/vunnel@v0.1.0
+pip install vunnel
```
With docker:
@@ -31,10 +28,10 @@ With docker:
```bash
docker run \
--rm -it \
- -v $(pwd)/data:/data \ # keep the processed data on the host
- -v $(pwd)/.vunnel.yaml:/.vunnel.yaml # if you have a vunnel config
- ghcr.io/anchore/vunnel:latest # a git tag can be used as the version
- run nvd # arguments for vunnel
+ -v $(pwd)/data:/data \
+ -v $(pwd)/.vunnel.yaml:/.vunnel.yaml \
+ ghcr.io/anchore/vunnel:latest \
+ run nvd
```
Where:
- the `data` volume keeps the processed data on the host
diff --git a/RELEASE.md b/RELEASE.md
index dc042a50..bab091ac 100644
--- a/RELEASE.md
+++ b/RELEASE.md
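Review bot: `ci-publish-testpypi` is missing the `ci-check` prerequisite that `ci-publish-pypi` and `ci-promote-release` both carry, so a developer who runs `make ci-publish-testpypi` on a laptop with `POETRY_PYPI_TOKEN_TESTPYPI` in the environment uploads from an uncontrolled tree; make the two targets parallel with `ci-publish-testpypi: ci-check clean-dist check-build-deps`. The `poetry config repositories.testpypi ...` line also writes to the user's persistent Poetry configuration rather than to the repository, which is harmless on a throwaway runner but surprising locally — a short comment saying so, or `poetry config --local`, would make that explicit. Note as well that `check-build-deps` as introduced in this change only prints a hint and exits 0, so neither publish target is actually stopped when the versioning plugin is absent.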
@@ -8,11 +8,12 @@ There are two times when assets are released:
- when a new commit reaches main:
- a new `ghcr.io/anchore/vunnel:[GIT-COMMIT]` docker image is published
+ - a build is published to the [testpypi project](https://test.pypi.org/project/vunnel/)
- when a release is triggered:
- the commit on main is tagged with the given version
- - the existing commit-based image is additionally tagged as `ghcr.io/anchore/vunnel:[VERSION]`
-
+ - the existing commit-based image is additionally tagged as `ghcr.io/anchore/vunnel:[VERSION]` and `ghcr.io/anchore/vunnel:latest`
+ - a build is published to the [pypi project](https://pypi.org/project/vunnel/)
## Creating a new release
diff --git a/pyproject.toml b/pyproject.toml
index 4af2c28d..0c041497 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -138,7 +138,7 @@ fail_under = 80
[tool.poetry-dynamic-versioning]
enable = true
vcs = "git"
-metadata = true
+metadata = false
style = "semver"
dirty = true
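Review bot: The switch to `metadata = false` deserves a comment, because the reason lives outside this file: PyPI rejects local version labels, and the `+commit` segment the plugin appends is exactly that, so the setting is required now that the Makefile gains a `ci-publish-pypi` target — e.g. `# no +commit metadata: PyPI rejects local version labels (PEP 440)`. With metadata disabled, `dirty = true` on the next line appears to have no effect, since the dirty marker is emitted as part of that same metadata segment; if that reading of the plugin is right, either remove the line or add a note on why it stays.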