fix(ci): permissions for adding the tag #121
name: Test, Build and Deploy wasm-oidc-plugin | |
on: | |
push: | |
branches: | |
- main | |
env: | |
CARGO_TERM_COLOR: always | |
jobs: | |
cargo-deny: | |
runs-on: ubuntu-latest | |
container: | |
image: antonengelhardt/rust-docker-tools | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
- name: Rust version | |
run: rustc --version && cargo --version | |
- name: Cargo Deny | |
uses: EmbarkStudios/cargo-deny-action@v1 | |
clippy: | |
runs-on: ubuntu-latest | |
container: | |
image: antonengelhardt/rust-docker-tools | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
- name: Set up cargo cache | |
uses: actions/cache@v4 | |
with: | |
path: | | |
~/.cargo/bin/ | |
~/.cargo/registry/index/ | |
~/.cargo/registry/cache/ | |
~/.cargo/git/db/ | |
target/ | |
key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }} | |
- name: Rust version | |
run: rustc --version && cargo --version | |
- name: Clippy | |
run: cargo clippy --release --all-targets --target=wasm32-wasi -- -D warnings | |
fmt: | |
runs-on: ubuntu-latest | |
container: | |
image: antonengelhardt/rust-docker-tools | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
- name: Rust version | |
run: rustc --version && cargo --version | |
- name: Fmt | |
run: cargo fmt -- --check | |
test: | |
runs-on: ubuntu-latest | |
container: | |
image: antonengelhardt/rust-docker-tools | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
- name: Set up cargo cache | |
uses: actions/cache@v4 | |
with: | |
path: | | |
~/.cargo/bin/ | |
~/.cargo/registry/index/ | |
~/.cargo/registry/cache/ | |
~/.cargo/git/db/ | |
target/ | |
key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }} | |
- name: Rust version | |
run: rustc --version && cargo --version | |
- name: Test | |
run: cargo test --workspace | |
build: | |
runs-on: ubuntu-latest | |
container: | |
image: ghcr.io/antonengelhardt/rust-docker-tools | |
needs: [cargo-deny, clippy, fmt, test] | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
- name: Set up cargo cache | |
uses: actions/cache@v4 | |
with: | |
path: | | |
~/.cargo/bin/ | |
~/.cargo/registry/index/ | |
~/.cargo/registry/cache/ | |
~/.cargo/git/db/ | |
target/ | |
key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }} | |
- name: Build wasm-oidc-plugin | |
run: | | |
cargo build --target wasm32-wasi --release | |
- name: Upload plugin as artifact | |
uses: actions/upload-artifact@v2 | |
with: | |
name: plugin | |
path: target/wasm32-wasi/release/wasm_oidc_plugin.wasm | |
docker-image: | |
needs: [cargo-deny, clippy, fmt, test] | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
- name: Login | |
uses: docker/login-action@v2 | |
with: | |
username: ${{ secrets.DOCKERHUB_USERNAME }} | |
password: ${{ secrets.DOCKERHUB_PASSWORD }} | |
- name: Pull previous image to cache | |
run: docker pull antonengelhardt/wasm-oidc-plugin:latest | |
- name: Push to Docker Hub | |
uses: docker/build-push-action@v2 | |
with: | |
context: . | |
push: true | |
tags: antonengelhardt/wasm-oidc-plugin:latest | |
ghcr-image: | |
runs-on: ubuntu-latest | |
needs: [cargo-deny, clippy, fmt, test] | |
permissions: | |
contents: read | |
packages: write | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
- name: Login | |
uses: docker/login-action@v2 | |
with: | |
registry: ghcr.io | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Push to GHCR | |
run: | | |
docker pull ghcr.io/antonengelhardt/wasm-oidc-plugin:latest # Pull the image to cache | |
docker build -t ghcr.io/antonengelhardt/wasm-oidc-plugin:latest . | |
docker push ghcr.io/antonengelhardt/wasm-oidc-plugin:latest | |
deploy-demo: | |
needs: ghcr-image | |
environment: demo | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions-hub/kubectl@master | |
env: | |
KUBE_CONFIG: ${{ secrets.KUBE_CONFIG }} | |
with: | |
args: rollout restart deployment wasm-oidc-plugin -n wasm-oidc-plugin | |
trigger-release: | |
needs: [docker-image, ghcr-image] | |
runs-on: ubuntu-latest | |
permissions: | |
contents: write | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
- name: Get most recent merged PR and calculate the next tag | |
id: get_pr | |
run: | | |
MOST_RECENTLY_MERGED_PR=$(curl -s -H 'Accept: application/vnd.github.v3+json' "https://api.github.com/repos/antonengelhardt/wasm-oidc-plugin/pulls?state=closed" | \ | |
jq '[.[] | select(.merged_at != null)] | max_by(.merged_at)') | |
PR_NUMBER=$(echo $MOST_RECENTLY_MERGED_PR | jq -r '.number') | |
LABELS=$(curl -s -H 'Accept: application/vnd.github.v3+json' "https://api.github.com/repos/antonengelhardt/wasm-oidc-plugin/issues/$PR_NUMBER" | jq -r '.labels[].name') | |
# Set SEMVER_BUMP based on the presence of labels | |
if [[ $LABELS == *"major"* ]]; then | |
SEMVER_BUMP="major" | |
elif [[ $LABELS == *"minor"* ]]; then | |
SEMVER_BUMP="minor" | |
elif [[ $LABELS == *"bug"* ]]; then | |
SEMVER_BUMP="patch" | |
elif [[ $LABELS == *"patch"* ]]; then | |
SEMVER_BUMP="patch" | |
else | |
SEMVER_BUMP="none" | |
exit 0 # exit if no labels are found, which means no version bump is required | |
fi | |
# Output the SEMVER_BUMP value | |
echo "SEMVER_BUMP is set to: $SEMVER_BUMP" | |
# LATEST_TAG=$(git describe --tags --abbrev=0) | |
LATEST_TAG=$(curl "https://api.github.com/repos/antonengelhardt/wasm-oidc-plugin/tags" | jq -r '.[0].name') | |
# Function to bump version numbers | |
bump_version() { | |
local IFS=. | |
local -a parts=($1) | |
case "$2" in | |
major) | |
((parts[0]++)) | |
parts[1]=0 | |
parts[2]=0 | |
;; | |
minor) | |
((parts[1]++)) | |
parts[2]=0 | |
;; | |
patch) | |
((parts[2]++)) | |
;; | |
*) | |
echo "Error: Unknown version bump type '$2'" | |
exit 1 | |
;; | |
esac | |
echo "${parts[0]}.${parts[1]}.${parts[2]}" | |
} | |
current_version=${LATEST_TAG:1} | |
# Bump the version based on the SEMVER_BUMP | |
new_version=$(bump_version "$current_version" "$SEMVER_BUMP") | |
# Append 'v' prefix if required to maintain the same version format | |
NEW_TAG="v$new_version" | |
echo "New tag after bump is: $NEW_TAG" | |
echo "NEW_TAG=$NEW_TAG" >> $GITHUB_ENV | |
- name: Create a tag on main | |
run: | | |
git checkout origin/main | |
git config user.email "github-actions[bot]@users.noreply.github.com" | |
git config user.name "github-actions[bot]" | |
git tag ${{ env.NEW_TAG }} | |
git push origin ${{ env.NEW_TAG }} |
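Review bot: In the `Create a tag on main` step of `trigger-release`, `${{ env.NEW_TAG }}` is expanded into the script text before bash runs, in a job that holds `contents: write` (the permissions block the commit title points at; the page does not mark which lines changed). NEW_TAG is built from the `.[0].name` field of an unauthenticated `curl` to the tags API with no format check, so a rate-limit error body or an unexpected tag name flows straight into `git tag` and `git push`. I would validate it before the `>> $GITHUB_ENV` line with `[[ "$NEW_TAG" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]] || exit 1` and use the shell variable in the tag step, `git tag "$NEW_TAG"` and `git push origin "$NEW_TAG"`. Separately, the `exit 0` in the no-label branch ends only that step, so the tag step still runs with NEW_TAG empty; an `if: env.NEW_TAG != ''` on the tag step would skip it.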