
Release v0.153.0

Release v0.153.0 #254

Workflow file for this run

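# Release workflow: runs on every pushed tag matching "v*".
#   github-release - builds and publishes with GoReleaser, scans the pushed
#                    container image, generates an SBOM, and attests the
#                    archives and the image.
#   npm-release    - builds, scans, publishes and attests the
#                    @probo/n8n-nodes-probo package.
name: Release

on:
  push:
    tags:
      - "v*"

# Deny by default. Each job declares exactly the token scopes it needs, so a
# job added later does not silently inherit write access or OIDC minting.
permissions: {}

jobs:
  github-release:
    runs-on: "ubuntu-24.04-64cores"
    permissions:
      contents: write # create the GitHub release
      packages: write # push the image to ghcr.io
      id-token: write # OIDC token for signing and attestations
      attestations: write # store SBOM / provenance attestations
      security-events: write # upload SARIF to code scanning
    outputs:
      hashes: ${{ steps.hash.outputs.hashes }}
      image-digest: ${{ steps.image.outputs.digest }}
    steps:
      # NOTE(review): the actions/* steps in this workflow (checkout,
      # setup-go, setup-node, attest-sbom, attest-build-provenance,
      # upload-artifact) are referenced by mutable major-version tags, while
      # every third-party action is pinned to a full commit SHA. Pin these to
      # commit SHAs as well; this job holds write and OIDC permissions.
      - name: Checkout
        uses: actions/checkout@v6
        with:
          fetch-depth: 0
          submodules: recursive
          # NOTE(review): consider `persist-credentials: false` if no later
          # step relies on git credentials stored in the checkout - confirm
          # against the GoReleaser configuration first.

      - name: Set up Go
        uses: actions/setup-go@v6
        with:
          go-version: "1.26.1"
          cache: true

      - run: "go mod download"

      - name: Set up Node.js
        uses: actions/setup-node@v6
        with:
          node-version-file: ".nvmrc"
          cache: "npm"

      - name: Update npm
        run: npm i -g npm@11.8.0

      - name: Install dependencies
        run: npm ci

      - name: Install Cosign
        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
        with:
          cosign-release: "v3.0.4"

      - name: Initialize Cosign TUF root
        run: cosign initialize

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0

      - name: Set up QEMU
        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
        with:
          platforms: all

      - name: Log in to GitHub Container Registry
        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Run GoReleaser
        uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
        with:
          distribution: goreleaser
          version: "~> v2"
          args: release --clean
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.HOMEBREW_TAP_GITHUB_TOKEN }}

      # NOTE(review): this scan pulls the image from ghcr.io by tag, so the
      # image has presumably already been pushed by the GoReleaser step. A
      # non-zero exit here fails the job but does not prevent publication.
      # The tag is also mutable: the digest attested further down is resolved
      # later and is not guaranteed to be the image scanned here. Resolving
      # the digest once and scanning/attesting by digest would close that gap.
      - name: Scan Docker image with Trivy
        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
        with:
          image-ref: "ghcr.io/getprobo/probo:${{ github.ref_name }}"
          format: "sarif"
          output: "trivy-results.sarif"
          exit-code: 1
          ignore-unfixed: true
          vuln-type: "os,library"
          severity: "CRITICAL,HIGH"

      # `always()` keeps the findings visible even when the scan step failed.
      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@6bc82e05fd0ea64601dd4b465378bbcf57de0314 # v4.32.1
        if: always()
        with:
          sarif_file: "trivy-results.sarif"

      - name: Generate SBOM
        uses: anchore/sbom-action@deef08a0db64bfad603422135db61477b16cef56 # v0.22.1
        with:
          path: ./
          format: cyclonedx-json
          output-file: sbom.json

      - name: Run vulnerability scan
        uses: anchore/scan-action@8d2fce09422cd6037e577f4130e9b925e9a37175 # v7.3.1
        with:
          sbom: "sbom.json"
          fail-build: true
          severity-cutoff: critical

      - name: Generate subject for attestation
        id: hash
        run: |
          set -euo pipefail
          (
            cd dist
            # Group the -name tests so that `-type f` applies to both
            # patterns; without the parentheses it only bound to '*.tar.gz'.
            find . -type f \( -name '*.tar.gz' -o -name '*.zip' \) | while IFS= read -r file; do
              echo "$(sha256sum "$file" | cut -c1-64) $file"
            done
          ) > checksums.txt
          echo "hashes=$(base64 -w0 checksums.txt)" >> "$GITHUB_OUTPUT"

      - name: Attest SBOM
        uses: actions/attest-sbom@v3
        with:
          subject-path: "dist/*.tar.gz, dist/*.zip"
          sbom-path: "sbom.json"

      - name: Attest build provenance
        uses: actions/attest-build-provenance@v3
        with:
          subject-path: "dist/*.tar.gz, dist/*.zip"

      - name: Get image digest
        id: image
        env:
          # The tag name is passed through the environment instead of being
          # expanded into the script text, so it is always treated as data
          # by the shell.
          IMAGE_REF: "ghcr.io/getprobo/probo:${{ github.ref_name }}"
        run: |
          set -euo pipefail
          echo "Getting image digest..."
          DIGEST=$(docker buildx imagetools inspect "$IMAGE_REF" --format '{{json .Manifest.Digest}}' | jq -r)
          # Fail here rather than handing an empty digest to the attestation.
          if [ -z "$DIGEST" ] || [ "$DIGEST" = "null" ]; then
            echo "Could not resolve image digest for $IMAGE_REF" >&2
            exit 1
          fi
          echo "Successfully retrieved digest: $DIGEST"
          echo "digest=$DIGEST" >> "$GITHUB_OUTPUT"

      - name: Attest Docker image SBOM
        uses: actions/attest-sbom@v3
        with:
          subject-name: "ghcr.io/getprobo/probo"
          subject-digest: ${{ steps.image.outputs.digest }}
          sbom-path: "sbom.json"

      - name: Upload SBOM as artifact
        uses: actions/upload-artifact@v6
        with:
          name: sbom
          path: |
            sbom.json
            checksums.txt
          retention-days: 30

  npm-release:
    runs-on: "ubuntu-24.04-64cores"
    permissions:
      contents: read
      id-token: write
      attestations: write
    steps:
      # NOTE(review): actions/* steps here are tag-pinned as well; pin them to
      # commit SHAs like the anchore/* actions below.
      - uses: actions/checkout@v6
        with:
          fetch-depth: 0
          submodules: recursive
          # No step in this job pushes to git, so the token is not left in
          # the checkout where dependency install scripts could read it.
          persist-credentials: false

      - uses: actions/setup-node@v6
        with:
          node-version-file: ".nvmrc"
          cache: "npm"
          registry-url: "https://registry.npmjs.org"
          scope: "@probo"

      # Pinned to the same npm version as the github-release job instead of
      # `latest`, so the publishing toolchain is fixed and reviewable.
      - run: npm install -g npm@11.8.0

      - run: npm ci

      - run: npm --workspace @probo/n8n-nodes-probo run build

      - name: Set package version from git tag
        run: |
          VERSION="${GITHUB_REF_NAME#v}"
          npm --workspace @probo/n8n-nodes-probo version "$VERSION" --no-git-tag-version

      - uses: anchore/sbom-action@deef08a0db64bfad603422135db61477b16cef56 # v0.22.1
        with:
          path: ./packages/n8n-node
          format: cyclonedx-json
          output-file: packages/n8n-node/sbom.json

      - uses: anchore/scan-action@8d2fce09422cd6037e577f4130e9b925e9a37175 # v7.3.1
        with:
          path: ./packages/n8n-node
          fail-build: true
          severity-cutoff: critical

      - name: Generate checksums for dist files
        id: checksum
        run: |
          set -euo pipefail
          cd packages/n8n-node/dist
          find . -type f | while IFS= read -r file; do
            echo "$(sha256sum "$file" | cut -c1-64) $file"
          done > ../checksums.txt
          echo "hashes=$(base64 -w0 ../checksums.txt)" >> "$GITHUB_OUTPUT"

      # Dry run first so packaging errors surface before the real publish.
      - run: npm --workspace @probo/n8n-nodes-probo publish --access public --dry-run

      - run: npm --workspace @probo/n8n-nodes-probo publish --access public

      - uses: actions/attest-sbom@v3
        with:
          subject-path: "packages/n8n-node/dist/**"
          sbom-path: "packages/n8n-node/sbom.json"

      - uses: actions/attest-build-provenance@v3
        with:
          subject-path: "packages/n8n-node/dist/**"

      - uses: actions/upload-artifact@v6
        with:
          name: npm-sbom
          path: |
            packages/n8n-node/sbom.json
            packages/n8n-node/checksums.txt
          retention-days: 30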