probo/.github/workflows/release.yaml at 644061f465a27dd04f112176e10488917f236762 · getprobo/probo · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
name: Release

on:
  push:
    tags:
      - "v*"

permissions:
  contents: write
  packages: write
  id-token: write
  attestations: write
  security-events: write

jobs:
  github-release:
    runs-on: "ubuntu-24.04-64cores"
    outputs:
      hashes: ${{ steps.hash.outputs.hashes }}
      image-digest: ${{ steps.image.outputs.digest }}
    steps:
      - name: Checkout
        uses: actions/checkout@v6
        with:
          fetch-depth: 0
          submodules: recursive

      - name: Set up Go
        uses: actions/setup-go@v6
        with:
          go-version: "1.26.1"
          cache: true

      - run: "go mod download"

      - name: Set up Node.js
        uses: actions/setup-node@v6
        with:
          node-version-file: ".nvmrc"
          cache: "npm"

      - name: Update npm
        run: npm i -g npm@11.8.0

      - name: Install dependencies
        run: npm ci

      - name: Install Cosign
        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
        with:
          cosign-release: "v3.0.4"

      - name: Initialize Cosign TUF root
        run: cosign initialize

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0

      - name: Set up QEMU
        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
        with:
          platforms: all

      - name: Log in to GitHub Container Registry
        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Run GoReleaser
        uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
        with:
          distribution: goreleaser
          version: "~> v2"
          args: release --clean
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.HOMEBREW_TAP_GITHUB_TOKEN }}

      - name: Scan Docker image with Trivy
        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
        with:
          image-ref: "ghcr.io/getprobo/probo:${{ github.ref_name }}"
          format: "sarif"
          output: "trivy-results.sarif"
          exit-code: 1
          ignore-unfixed: true
          vuln-type: "os,library"
          severity: "CRITICAL,HIGH"

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@6bc82e05fd0ea64601dd4b465378bbcf57de0314 # v4.32.1
        if: always()
        with:
          sarif_file: "trivy-results.sarif"

      - name: Generate SBOM
        uses: anchore/sbom-action@deef08a0db64bfad603422135db61477b16cef56 #v0.22.1
        with:
          path: ./
          format: cyclonedx-json
          output-file: sbom.json

      - name: Run vulnerability scan
        uses: anchore/scan-action@8d2fce09422cd6037e577f4130e9b925e9a37175 #v7.3.1
        with:
          sbom: "sbom.json"
          fail-build: true
          severity-cutoff: critical

      - name: Generate subject for attestation
        id: hash
        run: |
          set -euo pipefail
          (
            cd dist
            find . -type f -name '*.tar.gz' -o -name '*.zip' | while read file; do
              echo "$(sha256sum "$file" | head -c 64)  $file"
            done
          ) > checksums.txt
          echo "hashes=$(cat checksums.txt | base64 -w0)" >> "$GITHUB_OUTPUT"

      - name: Attest SBOM
        uses: actions/attest-sbom@v3
        with:
          subject-path: "dist/*.tar.gz, dist/*.zip"
          sbom-path: "sbom.json"

      - name: Attest build provenance
        uses: actions/attest-build-provenance@v3
        with:
          subject-path: "dist/*.tar.gz, dist/*.zip"

      - name: Get image digest
        id: image
        run: |
          echo "Getting image digest..."
          DIGEST=$(docker buildx imagetools inspect ghcr.io/getprobo/probo:${{ github.ref_name }} --format '{{json .Manifest.Digest}}' | jq -r)
          echo "Successfully retrieved digest: $DIGEST"
          echo "digest=$DIGEST" >> "$GITHUB_OUTPUT"

      - name: Attest Docker image SBOM
        uses: actions/attest-sbom@v3
        with:
          subject-name: "ghcr.io/getprobo/probo"
          subject-digest: ${{ steps.image.outputs.digest }}
          sbom-path: "sbom.json"

      - name: Upload SBOM as artifact
        uses: actions/upload-artifact@v6
        with:
          name: sbom
          path: |
            sbom.json
            checksums.txt
          retention-days: 30

  npm-release:
    runs-on: "ubuntu-24.04-64cores"
    permissions:
      contents: read
      id-token: write
      attestations: write
    steps:
      - uses: actions/checkout@v6
        with:
          fetch-depth: 0
          submodules: recursive

      - uses: actions/setup-node@v6
        with:
          node-version-file: ".nvmrc"
          cache: "npm"
          registry-url: "https://registry.npmjs.org"
          scope: "@probo"

      - run: npm install -g npm@latest
      - run: npm ci
      - run: npm --workspace @probo/n8n-nodes-probo run build
      - name: Set package version from git tag
        run: |
          VERSION="${GITHUB_REF_NAME#v}"
          npm --workspace @probo/n8n-nodes-probo version "$VERSION" --no-git-tag-version

      - uses: anchore/sbom-action@deef08a0db64bfad603422135db61477b16cef56 #v0.22.1
        with:
          path: ./packages/n8n-node
          format: cyclonedx-json
          output-file: packages/n8n-node/sbom.json

      - uses: anchore/scan-action@8d2fce09422cd6037e577f4130e9b925e9a37175 #v7.3.1
        with:
          path: ./packages/n8n-node
          fail-build: true
          severity-cutoff: critical

      - name: Generate checksums for dist files
        id: checksum
        run: |
          cd packages/n8n-node/dist
          find . -type f | while read file; do
            echo "$(sha256sum "$file" | head -c 64)  $file"
          done > ../checksums.txt
          echo "hashes=$(cat ../checksums.txt | base64 -w0)" >> "$GITHUB_OUTPUT"

      - run: npm --workspace @probo/n8n-nodes-probo publish --access public --dry-run
      - run: npm --workspace @probo/n8n-nodes-probo publish --access public

      - uses: actions/attest-sbom@v3
        with:
          subject-path: "packages/n8n-node/dist/**"
          sbom-path: "packages/n8n-node/sbom.json"

      - uses: actions/attest-build-provenance@v3
        with:
          subject-path: "packages/n8n-node/dist/**"

      - uses: actions/upload-artifact@v6
        with:
          name: npm-sbom
          path: |
            packages/n8n-node/sbom.json
            packages/n8n-node/checksums.txt
          retention-days: 30