diff --git a/.github/workflows/delivery.yml b/.github/workflows/delivery.yml index 67494ca..8ed44be 100644 --- a/.github/workflows/delivery.yml +++ b/.github/workflows/delivery.yml @@ -11,13 +11,15 @@ env: BRANCH_NAME: ${{ github.head_ref || github.ref_name }} jobs: - test: + release: if: github.event.pull_request.merged == true runs-on: ubuntu-latest steps: - name: Checkout Source Code uses: actions/checkout@v4 + with: + token: ${{ secrets.GITHUB_TOKEN }} - name: Install Poetry run: pipx install poetry @@ -28,25 +30,55 @@ jobs: cache: "poetry" - name: Install Python Dependencies - run: poetry install + run: poetry install --no-ansi --without dev - name: Run End-to-End Tests run: poetry run pytest tests/e2e - - name: Bump Version - id: bump-version + - name: Configure GPG run: | - package_version="$(poetry version ${{ startsWith(env.BRANCH_NAME, 'bug') || startsWith(env.BRANCH_NAME, 'fix') && 'patch' || 'minor' }} --short)" - git config user.name ccc-service-account - git config user.email service@cloudcitycrafted.io - git commit -am "chore: Bump package version to v$package_version" - git push - echo "new-version=$package_version" >> $GITHUB_OUTPUT + mkdir -p "$HOME/.gnupg" + echo "default-cache-ttl 21600" >> "$HOME/.gnupg/gpg-agent.conf" + echo "allow-preset-passphrase" >> "$HOME/.gnupg/gpg-agent.conf" + find "$HOME/.gnupg" -type f -exec chmod 600 {} \; + find "$HOME/.gnupg" -type d -exec chmod 700 {} \; + gpg-connect-agent RELOADAGENT /bye + + - name: Configure Git + id: configure-git + env: + GPG_PRIVATE_KEY: ${{ secrets.SERVICE_ACCOUNT_GPG_PRIVATE_KEY }} + GPG_PRIVATE_KEY_PASSPHRASE: ${{ secrets.SERVICE_ACCOUNT_GPG_PASSPHRASE }} + SERVICE_ACCOUNT_USERNAME: ${{ vars.SERVICE_ACCOUNT_USERNAME }} + SERVICE_ACCOUNT_EMAIL_ADDRESS: ${{ vars.SERVICE_ACCOUNT_EMAIL_ADDRESS }} + run: | + echo "$GPG_PRIVATE_KEY" | gpg --import --pinentry-mode loopback --passphrase "$GPG_PRIVATE_KEY_PASSPHRASE" + key_metadata=$(gpg --with-colons --with-keygrip --list-secret-keys $SERVICE_ACCOUNT_EMAIL_ADDRESS) + key_id=$(echo "$key_metadata" | awk -F: 'NR == 1 { print $5 }') + key_fingerprint=$(echo "$key_metadata" | awk -F: 'NR == 2 { print $10 }') + key_grip=$(echo "$key_metadata" | awk -F: 'NR == 3 { print $10 }') + echo "$GPG_PRIVATE_KEY_PASSPHRASE" | "$(gpgconf --list-dirs libexecdir)"/gpg-preset-passphrase --preset $key_grip - - name: Build Package - run: poetry build + git config --global user.name $SERVICE_ACCOUNT_USERNAME + git config --global user.email $SERVICE_ACCOUNT_EMAIL_ADDRESS + git config --global user.signingkey $key_id + git config --global commit.gpgsign true + git config --global tag.gpgsign true + + echo "gpg-key-fingerprint=$key_fingerprint" >> $GITHUB_OUTPUT - name: Create GitHub Release - run: gh release create --generate-notes --latest 'v${{ steps.bump-version.outputs.new-version }}' ./dist/*.tar.gz env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + BUMP_TYPE: ${{ startsWith(env.BRANCH_NAME, 'bug') || startsWith(env.BRANCH_NAME, 'fix') && 'patch' || 'minor' }} + run: | + package_version="$(poetry version $BUMP_TYPE --short)" + poetry build + git commit -am "chore: Bump package version to v$package_version" --no-verify + git push + gh release create --generate-notes "v$package_version" "./dist/*$package_version0*" + + - name: Clean Up GPG Credentials + env: + GPG_PRIVATE_KEY_FINGERPRINT: ${{ steps.configure-git.outputs.gpg-key-fingerprint }} + run: echo $GPG_PRIVATE_KEY_FINGERPRINT | xargs gpg --batch --yes --delete-secret-and-public-keys diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml index 2d4c457..89b74b1 100644 --- a/.github/workflows/integration.yml +++ b/.github/workflows/integration.yml @@ -5,10 +5,6 @@ on: pull_request: - push: - branches: - - "main" - jobs: check: runs-on: ubuntu-latest