mirror of
https://github.com/alibaba/open-code-review.git
synced 2026-07-09 17:28:58 +00:00
govulncheck flags GO-2026-5856 (Encrypted Client Hello privacy leak in crypto/tls), present in the Go standard library through go1.26.4 and fixed in go1.26.5. The CI and release workflows pin the golang:1.26.4 container image, so govulncheck fails with exit code 3 on every run. Bump both workflow images to golang:1.26.5.
231 lines
6.9 KiB
YAML
231 lines
6.9 KiB
YAML
name: Release
|
|
|
|
on:
|
|
push:
|
|
tags: ['v*']
|
|
|
|
permissions:
|
|
contents: write
|
|
|
|
jobs:
|
|
build:
|
|
runs-on: self-hosted
|
|
container:
|
|
image: golang:1.26.5
|
|
strategy:
|
|
matrix:
|
|
include:
|
|
- goos: linux
|
|
goarch: amd64
|
|
- goos: linux
|
|
goarch: arm64
|
|
- goos: darwin
|
|
goarch: amd64
|
|
- goos: darwin
|
|
goarch: arm64
|
|
- goos: windows
|
|
goarch: amd64
|
|
- goos: windows
|
|
goarch: arm64
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- name: Trust workspace
|
|
run: git config --global --replace-all safe.directory '*'
|
|
|
|
- name: Build
|
|
env:
|
|
GOOS: ${{ matrix.goos }}
|
|
GOARCH: ${{ matrix.goarch }}
|
|
CGO_ENABLED: '0'
|
|
run: |
|
|
VERSION=${GITHUB_REF_NAME}
|
|
GIT_COMMIT=$(git rev-parse --short HEAD)
|
|
BUILD_DATE=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
|
|
LD_FLAGS="-s -w -X main.Version=${VERSION} -X main.GitCommit=${GIT_COMMIT} -X main.BuildDate=${BUILD_DATE}"
|
|
BIN_NAME=opencodereview-${{ matrix.goos }}-${{ matrix.goarch }}
|
|
if [ "${{ matrix.goos }}" = "windows" ]; then
|
|
BIN_NAME="${BIN_NAME}.exe"
|
|
fi
|
|
go build -ldflags "${LD_FLAGS}" -o "${BIN_NAME}" ./cmd/opencodereview
|
|
echo "bin_name=${BIN_NAME}" >> $GITHUB_ENV
|
|
|
|
- uses: actions/upload-artifact@v4
|
|
with:
|
|
name: binary-${{ matrix.goos }}-${{ matrix.goarch }}
|
|
path: ${{ env.bin_name }}
|
|
|
|
release:
|
|
needs: build
|
|
runs-on: self-hosted
|
|
permissions:
|
|
contents: write
|
|
id-token: write
|
|
attestations: write
|
|
container:
|
|
image: ubuntu:24.04
|
|
steps:
|
|
- name: Install git
|
|
run: apt-get update && apt-get install -y git
|
|
|
|
- uses: actions/checkout@v4
|
|
with:
|
|
fetch-depth: 0
|
|
|
|
- name: Trust workspace
|
|
run: git config --global --replace-all safe.directory '*'
|
|
|
|
- name: Generate release notes from commits
|
|
id: notes
|
|
shell: bash
|
|
run: |
|
|
CURRENT_TAG="${GITHUB_REF_NAME}"
|
|
PREV_TAG=$(git describe --tags --abbrev=0 "${CURRENT_TAG}^" 2>/dev/null || echo "")
|
|
|
|
if [ -z "$PREV_TAG" ]; then
|
|
RANGE="$CURRENT_TAG"
|
|
else
|
|
RANGE="${PREV_TAG}..${CURRENT_TAG}"
|
|
fi
|
|
|
|
FEATS=""
|
|
FIXES=""
|
|
REFACTORS=""
|
|
DOCS=""
|
|
OTHERS=""
|
|
|
|
while IFS= read -r line; do
|
|
msg="${line#* }"
|
|
case "$msg" in
|
|
feat*) FEATS="${FEATS}- ${msg}
|
|
";;
|
|
fix*) FIXES="${FIXES}- ${msg}
|
|
";;
|
|
refactor*) REFACTORS="${REFACTORS}- ${msg}
|
|
";;
|
|
docs*) DOCS="${DOCS}- ${msg}
|
|
";;
|
|
*) OTHERS="${OTHERS}- ${msg}
|
|
";;
|
|
esac
|
|
done < <(git log --oneline --no-merges "$RANGE")
|
|
|
|
{
|
|
echo "body<<RELEASE_NOTES_EOF"
|
|
if [ -n "$FEATS" ]; then
|
|
printf '## 🚀 Features\n\n%s\n' "$FEATS"
|
|
fi
|
|
if [ -n "$FIXES" ]; then
|
|
printf '## 🐛 Bug Fixes\n\n%s\n' "$FIXES"
|
|
fi
|
|
if [ -n "$REFACTORS" ]; then
|
|
printf '## 🔧 Refactoring\n\n%s\n' "$REFACTORS"
|
|
fi
|
|
if [ -n "$DOCS" ]; then
|
|
printf '## 📖 Documentation\n\n%s\n' "$DOCS"
|
|
fi
|
|
if [ -n "$OTHERS" ]; then
|
|
printf '## Other Changes\n\n%s\n' "$OTHERS"
|
|
fi
|
|
if [ -n "$PREV_TAG" ]; then
|
|
printf '\n**Full Changelog**: https://github.com/%s/compare/%s...%s\n' "$GITHUB_REPOSITORY" "$PREV_TAG" "$CURRENT_TAG"
|
|
fi
|
|
echo "RELEASE_NOTES_EOF"
|
|
} >> "$GITHUB_OUTPUT"
|
|
|
|
- uses: actions/download-artifact@v4
|
|
with:
|
|
pattern: binary-*
|
|
merge-multiple: true
|
|
|
|
- name: Generate checksums
|
|
run: sha256sum opencodereview-* | sort > sha256sum.txt
|
|
|
|
- name: Create GitHub Release
|
|
uses: softprops/action-gh-release@v2
|
|
with:
|
|
body: ${{ steps.notes.outputs.body }}
|
|
files: |
|
|
opencodereview-*
|
|
sha256sum.txt
|
|
|
|
- name: Attest release artifacts
|
|
uses: actions/attest-build-provenance@v2
|
|
with:
|
|
subject-path: |
|
|
opencodereview-*
|
|
sha256sum.txt
|
|
|
|
npm-publish:
|
|
needs: release
|
|
runs-on: self-hosted
|
|
container:
|
|
image: node:24
|
|
permissions:
|
|
contents: read
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- name: Trust workspace
|
|
run: git config --global --replace-all safe.directory '*'
|
|
|
|
- name: Install jq
|
|
run: apt-get update && apt-get install -y jq
|
|
|
|
- uses: actions/download-artifact@v4
|
|
with:
|
|
pattern: binary-*
|
|
merge-multiple: true
|
|
|
|
- name: Configure npm registry
|
|
run: echo "//registry.npmjs.org/:_authToken=${NODE_AUTH_TOKEN}" > ~/.npmrc
|
|
env:
|
|
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
|
|
|
|
- name: Publish platform packages
|
|
run: |
|
|
VERSION="${GITHUB_REF_NAME#v}"
|
|
PLATFORMS="darwin-arm64:opencodereview-darwin-arm64:opencodereview
|
|
darwin-x64:opencodereview-darwin-amd64:opencodereview
|
|
linux-arm64:opencodereview-linux-arm64:opencodereview
|
|
linux-x64:opencodereview-linux-amd64:opencodereview
|
|
win32-arm64:opencodereview-windows-arm64.exe:opencodereview.exe
|
|
win32-x64:opencodereview-windows-amd64.exe:opencodereview.exe"
|
|
|
|
for entry in $PLATFORMS; do
|
|
platform_dir="${entry%%:*}"
|
|
rest="${entry#*:}"
|
|
dist_binary="${rest%%:*}"
|
|
dest_name="${rest#*:}"
|
|
pkg_dir="./npm/$platform_dir"
|
|
mkdir -p "$pkg_dir/bin"
|
|
cp "$dist_binary" "$pkg_dir/bin/$dest_name"
|
|
chmod 755 "$pkg_dir/bin/$dest_name" 2>/dev/null || true
|
|
|
|
jq --arg v "$VERSION" '.version = $v' "$pkg_dir/package.json" > "$pkg_dir/package.json.tmp"
|
|
mv "$pkg_dir/package.json.tmp" "$pkg_dir/package.json"
|
|
|
|
pkg_name=$(jq -r '.name' "$pkg_dir/package.json")
|
|
already=$(npm view "${pkg_name}@${VERSION}" version 2>/dev/null || true)
|
|
if [ "$already" = "$VERSION" ]; then
|
|
echo "Skip: ${pkg_name}@${VERSION} already published"
|
|
else
|
|
npm publish "$pkg_dir" --access public
|
|
echo "Published: ${pkg_name}@${VERSION}"
|
|
fi
|
|
done
|
|
env:
|
|
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
|
|
|
|
- name: Inject version and optionalDependencies
|
|
run: |
|
|
VERSION="${GITHUB_REF_NAME#v}"
|
|
jq --arg v "$VERSION" '
|
|
.version = $v |
|
|
.optionalDependencies |= with_entries(.value = $v)
|
|
' package.json > package.json.tmp && mv package.json.tmp package.json
|
|
|
|
- name: Publish to npm
|
|
run: npm publish --access public
|
|
env:
|
|
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
|