Skip to content

CID-3008: grant write to action to create tag #11

CID-3008: grant write to action to create tag

CID-3008: grant write to action to create tag #11

name: Publish Package to ghcr.io
on:
pull_request:
types: [closed]
workflow_dispatch:
env:
REGISTRY: ghcr.io
IMAGE_NAME: ${{ github.repository }}
jobs:
release_draft:
permissions:
contents: write
pull-requests: write
runs-on: ubuntu-latest
steps:
- uses: release-drafter/release-drafter@v5
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
build:
runs-on: ubuntu-latest
permissions:
contents: write
packages: write
attestations: write
id-token: write
environment: ghcr:leanix-github-agent
if: github.event.pull_request.merged
steps:
- name: Tag next version
id: tag-action
uses: K-Phoen/semver-release-action@master
with:
release_branch: main
release_strategy: tag
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Publish Release Draft
uses: actions/github-script@v6.4.1
if: (steps.tag-action.outputs.tag != '')
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
const tag = "${{ steps.tag-action.outputs.tag }}";
const { data: releases } = await github.rest.repos.listReleases({
owner: context.repo.owner,
repo: context.repo.repo
});
const draftRelease = releases.find(release => release.tag_name === tag && release.draft === true);
if (!draftRelease) {
console.log(`No draft release found for tag ${tag}`);
return;
}
await github.rest.repos.updateRelease({
owner: context.repo.owner,
repo: context.repo.repo,
release_id: draftRelease.id,
draft: false
});
console.log(`Published draft release for tag ${tag}`);
- name: Checkout
uses: actions/checkout@v3
if: (steps.tag-action.outputs.tag != '')
- name: Setup Java
uses: actions/setup-java@v3
if: (steps.tag-action.outputs.tag != '')
with:
distribution: 'temurin'
java-version: '21'
- name: Build with Gradle
uses: gradle/gradle-build-action@v2
if: (steps.tag-action.outputs.tag != '')
continue-on-error: false
with:
arguments: build
- name: Log in to the Container registry
uses: docker/login-action@v3.2.0
if: (steps.tag-action.outputs.tag != '')
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Extract metadata (tags, labels) for Docker
id: meta
uses: docker/metadata-action@v5.5.1
if: (steps.tag-action.outputs.tag != '')
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
- name: Build and push Docker image
id: push
uses: docker/build-push-action@v5.3.0
if: (steps.tag-action.outputs.tag != '')
with:
context: .
push: true
tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.tag-action.outputs.tag }}
labels: ${{ steps.meta.outputs.labels }}
- name: Generate artifact attestation
uses: actions/attest-build-provenance@v1
if: (steps.tag-action.outputs.tag != '')
with:
subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
subject-digest: ${{ steps.push.outputs.digest }}
push-to-registry: true