Skip to content

deps: update module github.com/google/cel-go to v0.22.1 #4727

deps: update module github.com/google/cel-go to v0.22.1

deps: update module github.com/google/cel-go to v0.22.1 #4727

Workflow file for this run

name: CI
on:
push:
branches:
- main
- release
pull_request:
branches:
- main
- release
env:
GO_VERSION: "1.23.3"
GOLANGCI_LINT_VERSION: "v1.60.1"
HELM_VERSION: "3.15.4"
KUBECONFORM_VERSION: "0.6.7"
KUBERNETES_API_VERSION: "1.27.0"
NODE_VERSION: "22.7"
RUBY_VERSION: "3.2"
COSIGN_VERSION: "v2.4.0"
CYCLONEDX_GOMOD_VERSION: "v1.7.0"
DOCUMENTATION_URL: "https://dadrus.github.io/heimdall/"
permissions: read-all
jobs:
check-changes:
runs-on: ubuntu-24.04
outputs:
code_changed: ${{steps.code-changes.outputs.count > 0}}
test_data_changed: ${{steps.test-data-changes.outputs.count > 0}}
image_config_changed: ${{steps.image-config-changes.outputs.count > 0}}
helm_chart_changed: ${{steps.helm-chart-changes.outputs.count > 0}}
docs_changed: ${{steps.docs-changes.outputs.count > 0}}
ci_config_changed: ${{steps.ci-changes.outputs.count > 0}}
steps:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
egress-policy: audit
- name: Checkout repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
- name: Check code changes
id: code-changes
uses: technote-space/get-diff-action@f27caffdd0fb9b13f4fc191c016bb4e0632844af # v6.1.2
with:
PATTERNS: |
*.go
**/*.go
schema/*.json
FILES: |
go.mod
go.sum
- name: Check test data changes
id: test-data-changes
uses: technote-space/get-diff-action@f27caffdd0fb9b13f4fc191c016bb4e0632844af # v6.1.2
with:
PATTERNS: |
cmd/**/*.yaml
internal/**/*.yaml
- name: Check container image config changes
id: image-config-changes
uses: technote-space/get-diff-action@f27caffdd0fb9b13f4fc191c016bb4e0632844af # v6.1.2
with:
PATTERNS: |
docker/Dockerfile
- name: Check helm chart changes
id: helm-chart-changes
uses: technote-space/get-diff-action@f27caffdd0fb9b13f4fc191c016bb4e0632844af # v6.1.2
with:
PATTERNS: |
charts/**
- name: Check documentation changes
id: docs-changes
uses: technote-space/get-diff-action@f27caffdd0fb9b13f4fc191c016bb4e0632844af # v6.1.2
with:
PATTERNS: |
docs/**
- name: Check CI settings changes
id: ci-changes
uses: technote-space/get-diff-action@f27caffdd0fb9b13f4fc191c016bb4e0632844af # v6.1.2
with:
PATTERNS: |
.github/workflows/*.yaml
check-licenses:
runs-on: ubuntu-24.04
needs:
- check-changes
if: >
needs.check-changes.outputs.code_changed == 'true' ||
needs.check-changes.outputs.ci_config_changed == 'true'
steps:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
egress-policy: audit
- name: Checkout repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
- name: Set up Go
uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
with:
go-version: "${{ env.GO_VERSION }}"
- name: Get google/go-licenses package
run: go install github.com/google/[email protected]
- name: Check the licenses
run: go-licenses check --disallowed_types=forbidden,restricted,reciprocal,permissive,unknown .
lint-code:
runs-on: ubuntu-24.04
permissions:
pull-requests: write
needs:
- check-changes
if: >
needs.check-changes.outputs.code_changed == 'true' ||
needs.check-changes.outputs.ci_config_changed == 'true'
steps:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
egress-policy: audit
- name: Checkout repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
with:
fetch-depth: 0
- name: Review code
uses: reviewdog/action-golangci-lint@7708105983c614f7a2725e2172908b7709d1c3e4 # v2.6.2
with:
go_version: "${{ env.GO_VERSION }}"
golangci_lint_version: "${{ env.GOLANGCI_LINT_VERSION }}"
reporter: github-pr-review
fail_on_error: true
lint-api:
runs-on: ubuntu-24.04
needs:
- check-changes
if: >
needs.check-changes.outputs.docs_changed == 'true' ||
needs.check-changes.outputs.ci_config_changed == 'true'
steps:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
egress-policy: audit
- name: Checkout repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
- name: Setup Node
uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
with:
node-version: ${{ env.NODE_VERSION }}
- name: Install Redocly CLI
run: npm i -g @redocly/[email protected]
- name: Run Redocly Lint
run: redocly lint
lint-dockerfiles:
runs-on: ubuntu-24.04
permissions:
pull-requests: write
needs:
- check-changes
if: >
needs.check-changes.outputs.image_config_changed == 'true' ||
needs.check-changes.outputs.ci_config_changed == 'true'
steps:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
egress-policy: audit
- name: Checkout repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
- name: Run hadolint
uses: reviewdog/action-hadolint@73fec8b28091e5082c19df69815dd749d97b882a # v1.46.0
with:
reporter: github-pr-review
reviewdog_flags: -fail-level=error
lint-helm-chart:
runs-on: ubuntu-24.04
needs:
- check-changes
if: >
needs.check-changes.outputs.helm_chart_changed == 'true' ||
needs.check-changes.outputs.ci_config_changed == 'true'
steps:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
egress-policy: audit
- name: Checkout repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
- name: Setup k8s tools
uses: yokawasa/action-setup-kube-tools@9e25a4277af127b60011c95b6ed2da7e3b3613b1 # v0.11.2
with:
setup-tools: |
helm
kubeconform
helm: '${{ env.HELM_VERSION }}'
kubeconform: '${{ env.KUBECONFORM_VERSION }}'
- name: Helm Lint
run: helm lint ./charts/heimdall
- name: Kubeconform decision mode deployment
run: |
helm template ./charts/heimdall > decision-config.yaml
kubeconform --skip RuleSet -kubernetes-version ${{ env.KUBERNETES_API_VERSION }} decision-config.yaml
- name: Kubeconform proxy mode deployment
run: |
helm template --set operationMode=proxy ./charts/heimdall > proxy-config.yaml
kubeconform --skip RuleSet -kubernetes-version ${{ env.KUBERNETES_API_VERSION }} proxy-config.yaml
unittest-helm-chart:
runs-on: ubuntu-24.04
needs:
- check-changes
if: >
needs.check-changes.outputs.helm_chart_changed == 'true' ||
needs.check-changes.outputs.ci_config_changed == 'true'
steps:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
egress-policy: audit
- name: Checkout repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
- name: Setup k8s tools
uses: yokawasa/action-setup-kube-tools@9e25a4277af127b60011c95b6ed2da7e3b3613b1 # v0.11.2
with:
setup-tools: |
helm
kubeconform
helm: '${{ env.HELM_VERSION }}'
kubeconform: '${{ env.KUBECONFORM_VERSION }}'
- name: Install Helm Unittest
run: helm plugin install --version v0.6.0 https://github.com/helm-unittest/helm-unittest.git
- name: Run tests
run: |
helm unittest ./charts/heimdall
test:
runs-on: ubuntu-24.04
needs:
- check-changes
if: >
needs.check-changes.outputs.code_changed == 'true' ||
needs.check-changes.outputs.test_data_changed == 'true' ||
needs.check-changes.outputs.ci_config_changed == 'true'
steps:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
egress-policy: audit
- name: Checkout repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
- name: Set up Go
uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
with:
go-version: "${{ env.GO_VERSION }}"
- name: Test
run: go test -v -coverprofile=coverage.cov -coverpkg=./... ./...
- name: Code Coverage
uses: codecov/codecov-action@05f5a9cfad807516dbbef9929c4a42df3eb78766 # v5.0.3
with:
files: coverage.cov
verbose: true
token: ${{ secrets.CODECOV_TOKEN }}
prepare-release:
runs-on: ubuntu-24.04
if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/release'
permissions:
pull-requests: write
contents: write
outputs:
release_created: ${{ steps.release_prepare.outputs.release_created }}
tag_name: ${{ steps.release_prepare.outputs.tag_name }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
egress-policy: audit
- name: Prepare Release
id: release_prepare
uses: googleapis/release-please-action@7987652d64b4581673a76e33ad5e98e3dd56832f # v4.1.3
with:
target-branch: ${{ github.ref_name }}
build-binaries:
runs-on: ubuntu-24.04
needs:
- test
- prepare-release
if: always() && needs.prepare-release.outputs.release_created == false && needs.test.result == 'success'
strategy:
matrix:
# build and publish in parallel: linux/amd64, linux/arm64, windows/amd64, darwin/amd64, darwin/arm64
goos: [ linux, windows, darwin ]
goarch: [ amd64, arm64, arm ]
exclude:
- goarch: arm
goos: darwin
- goarch: arm
goos: windows
- goarch: arm64
goos: windows
steps:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
egress-policy: audit
- name: Checkout repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
- name: Set up Go
uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
with:
go-version: "${{ env.GO_VERSION }}"
- name: Build
run: CGO_ENABLED=0 GOOS=${{ matrix.goos }} GOARCH=${{ matrix.goarch }} go build -trimpath -ldflags="-buildid= -w -s -X github.com/dadrus/heimdall/version.Version=${{ github.sha }}" -o ./build/
- uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
if: github.ref == 'refs/heads/main'
with:
name: build-result-${{ matrix.goos }}-${{ matrix.goarch }}
path: ./build/*
retention-days: 30
release-binaries:
runs-on: ubuntu-24.04
needs:
- prepare-release
if: needs.prepare-release.outputs.release_created
permissions:
contents: write
id-token: write
steps:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
egress-policy: audit
- name: Checkout repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
with:
fetch-depth: 0
- name: Set up Go
uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
with:
go-version: "${{ env.GO_VERSION }}"
- name: Install Cosign
uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
with:
cosign-release: "${{ env.COSIGN_VERSION }}"
- name: Install CycloneDX gomod
run: go install github.com/CycloneDX/cyclonedx-gomod/cmd/[email protected]
- name: Generate SBOM
uses: CycloneDX/gh-gomod-generate-sbom@efc74245d6802c8cefd925620515442756c70d8f # v2.0.0
with:
version: "${{ env.CYCLONEDX_GOMOD_VERSION }}"
args: app -licenses -assert-licenses -json -std -output CycloneDX-SBOM.json -main .
- name: Run GoReleaser
uses: goreleaser/goreleaser-action@9ed2f89a662bf1735a48bc8557fd212fa902bebf # v6.1.0
with:
args: release --clean
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# this job builds container images for PRs, as well as publishes these on merges to main
build-dev-container-images:
runs-on: ubuntu-24.04
permissions:
packages: write
id-token: write
needs:
- test
- check-changes
- prepare-release
if: >
github.ref == 'refs/heads/main' &&
needs.prepare-release.outputs.release_created == false &&
(needs.test.result == 'success' || (needs.test.result == 'skipped' && needs.check-changes.outputs.image_config_changed == 'true'))
steps:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
egress-policy: audit
- name: Checkout repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
- name: Install Cosign
if: github.ref == 'refs/heads/main'
uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
with:
cosign-release: "${{ env.COSIGN_VERSION }}"
- name: Set up Go # required as the sbom generator is compiled using go < 1.21
uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
with:
go-version: "${{ env.GO_VERSION }}"
- name: Generate SBOM
if: github.ref == 'refs/heads/main'
uses: CycloneDX/gh-gomod-generate-sbom@efc74245d6802c8cefd925620515442756c70d8f # v2.0.0
with:
version: "${{ env.CYCLONEDX_GOMOD_VERSION }}"
args: app -licenses -assert-licenses -json -std -output CycloneDX-SBOM.json -main .
- name: Set up QEMU
uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
- name: Collect container meta-info
id: meta
uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
with:
images: ${{ github.repository }}
labels: |
org.opencontainers.image.version=${{ github.sha }}
org.opencontainers.image.documentation=${{ env.DOCUMENTATION_URL }}
- name: Build images
if: github.ref != 'refs/heads/main'
uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
with:
context: .
file: ./docker/Dockerfile
platforms: linux/amd64,linux/arm64,linux/arm
push: false
build-args: VERSION=${{ github.sha }}
tags: ${{ github.repository }}:local
- name: Login to DockerHub
if: github.ref == 'refs/heads/main'
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
username: ${{ secrets.DOCKERHUB_USER }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Login to GitHub
if: github.ref == 'refs/heads/main'
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build and push dev images to container registry
if: github.ref == 'refs/heads/main'
id: publish-image
uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
with:
context: .
file: ./docker/Dockerfile
platforms: linux/amd64,linux/arm64,linux/arm
push: true
build-args: VERSION=${{ github.sha }}
labels: ${{ steps.meta.outputs.labels }}
tags: |
${{ github.repository }}:dev
${{ github.repository }}:dev-${{ github.sha }}
ghcr.io/${{ github.repository }}:dev
ghcr.io/${{ github.repository }}:dev-${{ github.sha }}
# DockerHub
- name: Sign the image published in DockerHub
if: steps.publish-image.conclusion == 'success'
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
COSIGN_REPOSITORY: ${{ github.repository }}-signatures
run: cosign sign --yes ${{ github.repository }}@${{ steps.publish-image.outputs.digest }}
- name: Attest and attach SBOM to the image published in DockerHub
if: steps.publish-image.conclusion == 'success'
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
COSIGN_REPOSITORY: ${{ github.repository }}-sbom
run: cosign attest --yes --predicate CycloneDX-SBOM.json --type cyclonedx ${{ github.repository }}@${{ steps.publish-image.outputs.digest }}
# GHCR
- name: Sign the image published in GitHub
if: steps.publish-image.conclusion == 'success'
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
COSIGN_REPOSITORY: ghcr.io/${{ github.repository }}-signatures
run: cosign sign --yes ghcr.io/${{ github.repository }}@${{ steps.publish-image.outputs.digest }}
- name: Attest and attach SBOM to the image published in GitHub
if: steps.publish-image.conclusion == 'success'
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
COSIGN_REPOSITORY: ghcr.io/${{ github.repository }}-sbom
run: cosign attest --yes --predicate CycloneDX-SBOM.json --type cyclonedx ghcr.io/${{ github.repository }}@${{ steps.publish-image.outputs.digest }}
# this job releases container images
release-container-images:
if: needs.prepare-release.outputs.release_created
runs-on: ubuntu-24.04
permissions:
packages: write
id-token: write
needs:
- prepare-release
steps:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
egress-policy: audit
- name: Checkout repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
- name: Prepare image version
id: image-version
run: |
export version=$(echo ${{ needs.prepare-release.outputs.tag_name }} | sed 's/v//g')
echo "result=$version" >> $GITHUB_OUTPUT
- name: Install Cosign
uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
with:
cosign-release: "${{ env.COSIGN_VERSION }}"
- name: Set up Go # required as the sbom generator is compiled using go < 1.21
uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
with:
go-version: "${{ env.GO_VERSION }}"
- name: Generate SBOM
uses: CycloneDX/gh-gomod-generate-sbom@efc74245d6802c8cefd925620515442756c70d8f # v2.0.0
with:
version: "${{ env.CYCLONEDX_GOMOD_VERSION }}"
args: app -licenses -assert-licenses -json -std -output CycloneDX-SBOM.json -main .
- name: Set up QEMU
uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
- name: Login to DockerHub
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
username: ${{ secrets.DOCKERHUB_USER }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Login to GitHub
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Collect Docker meta-info
id: meta
uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
with:
images: ${{ github.repository }}
labels: |
org.opencontainers.image.version=${{ steps.image-version.outputs.result }}
org.opencontainers.image.documentation=${{ env.DOCUMENTATION_URL }}
- name: Build and push images to container registry
id: publish-image
uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
with:
context: .
file: ./docker/Dockerfile
platforms: linux/amd64,linux/arm64,linux/arm
push: true
build-args: VERSION=${{ needs.prepare-release.outputs.tag_name }}
labels: ${{ steps.meta.outputs.labels }}
tags: |
${{ github.repository }}:latest
${{ github.repository }}:${{ steps.image-version.outputs.result }}
ghcr.io/${{ github.repository }}:latest
ghcr.io/${{ github.repository }}:${{ steps.image-version.outputs.result }}
# DockerHub
- name: Sign the image published in DockerHub
if: steps.publish-image.conclusion == 'success'
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
COSIGN_REPOSITORY: ${{ github.repository }}-signatures
run: cosign sign --yes ${{ github.repository }}@${{ steps.publish-image.outputs.digest }}
- name: Attest and attach SBOM to the image published in DockerHub
if: steps.publish-image.conclusion == 'success'
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
COSIGN_REPOSITORY: ${{ github.repository }}-sbom
run: cosign attest --yes --predicate CycloneDX-SBOM.json --type cyclonedx ${{ github.repository }}@${{ steps.publish-image.outputs.digest }}
- name: Update DockerHub repository description & readme
uses: peter-evans/dockerhub-description@e98e4d1628a5f3be2be7c231e50981aee98723ae # v4.0.0
with:
username: ${{ secrets.DOCKERHUB_USER }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
repository: ${{ github.repository }}
short-description: ${{ github.event.repository.description }}
readme-filepath: ./DockerHub-README.md
# GHCR
- name: Sign the image published in GitHub
if: steps.publish-image.conclusion == 'success'
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
COSIGN_REPOSITORY: ghcr.io/${{ github.repository }}-signatures
run: cosign sign --yes ghcr.io/${{ github.repository }}@${{ steps.publish-image.outputs.digest }}
- name: Attest and attach SBOM to the image published in GitHub
if: steps.publish-image.conclusion == 'success'
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
COSIGN_REPOSITORY: ghcr.io/${{ github.repository }}-sbom
run: cosign attest --yes --predicate CycloneDX-SBOM.json --type cyclonedx ghcr.io/${{ github.repository }}@${{ steps.publish-image.outputs.digest }}
release-helm-chart:
runs-on: ubuntu-24.04
permissions:
contents: write
needs:
- prepare-release
- release-container-images
if: needs.prepare-release.outputs.release_created
steps:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
egress-policy: audit
- name: Checkout repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
- name: Prepare image version
id: image-version
run: |
export version=$(echo ${{ needs.prepare-release.outputs.tag_name }} | sed 's/v//g')
echo "result=$version" >> $GITHUB_OUTPUT
- name: Publish Helm Chart
uses: stefanprodan/helm-gh-pages@0ad2bb377311d61ac04ad9eb6f252fb68e207260 # v1.7.0
with:
token: ${{ secrets.GITHUB_TOKEN }}
target_dir: charts
linting: off
app_version: ${{ steps.image-version.outputs.result }}
build-dev-documentation:
runs-on: ubuntu-24.04
permissions:
contents: write
needs:
- prepare-release
- check-changes
if: >
github.ref == 'refs/heads/main' &&
needs.prepare-release.outputs.release_created == false &&
(needs.check-changes.outputs.docs_changed == 'true' || needs.check-changes.outputs.ci_config_changed == 'true')
steps:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
egress-policy: audit
- name: Checkout repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
with:
submodules: true # Fetch Hugo themes (true OR recursive)
fetch-depth: 0 # Fetch all history for .GitInfo and .Lastmod
- name: Setup Hugo
uses: peaceiris/actions-hugo@75d2e84710de30f6ff7268e08f310b60ef14033f # v3.0.0
with:
hugo-version: 0.100.1
extended: true
- name: Setup Node
uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
with:
node-version: ${{ env.NODE_VERSION }}
- name: Setup ruby
uses: ruby/setup-ruby@a2bbe5b1b236842c1cb7dd11e8e3b51e0a616acc # v1.202.0
with:
ruby-version: ${{ env.RUBY_VERSION }}
- name: Install asciidoctor
run: gem install asciidoctor asciidoctor-diagram asciidoctor-html5s rouge
- name: Install dependencies
working-directory: ./docs
run: npm install
- name: Update version string to dev version
uses: jacobtomlinson/gha-find-replace@2ff30f644d2e0078fc028beb9193f5ff0dcad39e # v3
with:
find: "x-current-version"
replace: "dev"
regex: false
include: docs/**
- name: Build documentation
working-directory: ./docs
run: hugo --minify -d ./public
- name: Deploy documentation
if: github.ref == 'refs/heads/main'
uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4.0.0
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
publish_dir: ./docs/public
destination_dir: dev
release-documentation:
runs-on: ubuntu-24.04
permissions:
contents: write
id-token: write
pull-requests: write
needs:
- prepare-release
if: needs.prepare-release.outputs.release_created
steps:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
egress-policy: audit
- name: Checkout repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
with:
submodules: true # Fetch Hugo themes (true OR recursive)
fetch-depth: 0 # Fetch all history for .GitInfo and .Lastmod
- name: Setup Hugo
uses: peaceiris/actions-hugo@75d2e84710de30f6ff7268e08f310b60ef14033f # v3.0.0
with:
hugo-version: 0.100.1
extended: true
- name: Setup Node
uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
with:
node-version: ${{ env.NODE_VERSION }}
- name: Setup ruby
uses: ruby/setup-ruby@a2bbe5b1b236842c1cb7dd11e8e3b51e0a616acc # v1.202.0
with:
ruby-version: ${{ env.RUBY_VERSION }}
- name: Install asciidoctor
run: gem install asciidoctor asciidoctor-diagram asciidoctor-html5s rouge
- name: Install dependencies
working-directory: ./docs
run: npm install
- name: Update version string to new released version
uses: jacobtomlinson/gha-find-replace@2ff30f644d2e0078fc028beb9193f5ff0dcad39e # v3
with:
find: "x-current-version"
replace: "${{ needs.prepare-release.outputs.tag_name }}"
regex: false
include: docs/**
- name: Update uri for redirecting to new version
uses: jacobtomlinson/gha-find-replace@2ff30f644d2e0078fc028beb9193f5ff0dcad39e # v3
with:
find: "x-released-version"
replace: "${{ needs.prepare-release.outputs.tag_name }}"
regex: false
include: docs/**
- name: Prepare image version
id: image-version
run: |
export version=$(echo ${{ needs.prepare-release.outputs.tag_name }} | sed 's/v//g')
echo "result=$version" >> $GITHUB_OUTPUT
- name: Update used image tags to the released version
uses: jacobtomlinson/gha-find-replace@2ff30f644d2e0078fc028beb9193f5ff0dcad39e # v3
with:
find: "heimdall:dev"
replace: "heimdall:${{ steps.image-version.outputs.result }}"
regex: false
include: docs/**
- name: Build documentation
working-directory: ./docs
run: hugo --minify -d ./public
- name: Update versions JSON document
id: update-version-json
run: |
cat ./docs/versions/data.json | jq '. + [{ "version": "${{ needs.prepare-release.outputs.tag_name }}", "path": "/heimdall/${{ needs.prepare-release.outputs.tag_name }}" }]' | tee ./docs/versions/data.json
- name: Deploy documentation
uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4.0.0
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
publish_dir: ./docs/public
destination_dir: ${{ needs.prepare-release.outputs.tag_name }}
- name: Deploy redirect to new released version
uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4.0.0
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
publish_dir: ./docs/redirect
keep_files: true
- name: Deploy versions JSON document
uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4.0.0
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
publish_dir: ./docs/versions
keep_files: true
- name: Setup GitSign
uses: chainguard-dev/actions/setup-gitsign@5abab7fb71a583802343c1b2a14e6a29b79323b8 # main
- name: Create a PR for the updated versions JSON document
if: steps.update-version-json.outcome == 'success'
uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5
with:
title: 'chore(${{ github.ref_name }}): Update to data.json to include the new released documentation version'
commit-message: 'chore(${{ github.ref_name }}): Update to data.json to include the new released documentation version'
body: >
data.json updated by the release-documentation job to include the entry
referencing the released ${{ needs.prepare-release.outputs.tag_name }} documentation version
add-paths: |
docs/versions/*.json
sign-commits: true