chore(deps): update actions/checkout digest to df4cb1c (master) #9850
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| k6_version: | |
| description: 'The version of the release, it must use the semantic versioning format with the v prefix. It is a development release so it is suggested to append a build metadata (e.g. v0.38.0-dev).' | |
| required: true | |
| go_version: | |
| description: 'Go version for building binaries' | |
| default: '1.x' | |
| required: true | |
| push: | |
| branches: | |
| - master | |
| tags: | |
| - v* | |
| pull_request: | |
| paths-ignore: | |
| - 'docs/**' | |
| - 'release notes/**' | |
| defaults: | |
| run: | |
| shell: bash | |
| permissions: | |
| contents: read | |
| env: | |
| APP_NAME: "k6" | |
| DOCKER_IMAGE_ID: "us-docker.pkg.dev/grafanalabs-global/dockerhub-k6-prod-mirror/k6" | |
| GHCR_IMAGE_ID: ${{ github.repository }} | |
| DEFAULT_GO_VERSION: "1.26.x" | |
| jobs: | |
| configure: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| k6_version: ${{ steps.get_k6_version.outputs.k6_version }} | |
| go_version: ${{ steps.get_go_version.outputs.go_version }} | |
| sign_windows_artifacts: ${{ steps.determine_windows_signing.outputs.sign_windows_artifacts }} | |
| major: ${{ steps.classify_release.outputs.major }} | |
| is_prerelease: ${{ steps.classify_release.outputs.is_prerelease }} | |
| is_latest_stable: ${{ steps.classify_release.outputs.is_latest_stable }} | |
| is_latest_in_major: ${{ steps.classify_release.outputs.is_latest_in_major }} | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 | |
| with: | |
| fetch-depth: 0 | |
| persist-credentials: false | |
| - name: Get the k6 version | |
| id: get_k6_version | |
| env: | |
| INPUT_K6_VERSION: ${{ github.event.inputs.k6_version }} | |
| run: | | |
| set -x # Show exactly what commands are executed | |
| if [[ "${GITHUB_EVENT_NAME}" == "workflow_dispatch" ]] && [[ "${INPUT_K6_VERSION}" != "" ]]; then | |
| VERSION="${INPUT_K6_VERSION}" | |
| echo "Building custom dev build with version '${VERSION}' from manual workflow_dispatch..." | |
| elif [[ "${GITHUB_REF}" =~ ^refs/tags/v.+$ ]]; then | |
| VERSION="${GITHUB_REF##*/}" | |
| echo "Building real version tag '${GITHUB_REF}', parsed '${VERSION}' as the actual version..." | |
| else | |
| VERSION="$(git describe --tags --always --long --dirty)" | |
| echo "Building a non-version ref '${GITHUB_REF}', use '${VERSION}' as the version instead..." | |
| fi | |
| echo "VERSION=${VERSION}" | |
| echo "k6_version=${VERSION}" >> $GITHUB_OUTPUT | |
| - name: Get the used Go version | |
| id: get_go_version | |
| env: | |
| INPUT_GO_VERSION: ${{ github.event.inputs.go_version }} | |
| run: | | |
| set -x # Show exactly what commands are executed | |
| if [[ "${GITHUB_EVENT_NAME}" == "workflow_dispatch" ]] && [[ "${INPUT_GO_VERSION}" != "" ]]; then | |
| GO_VERSION="${INPUT_GO_VERSION}" | |
| echo "Using custom Go version '${GO_VERSION}' from manual workflow_dispatch..." | |
| else | |
| GO_VERSION="${DEFAULT_GO_VERSION}" | |
| echo "Using the default Go version '${GO_VERSION}'..." | |
| fi | |
| echo "GO_VERSION=${GO_VERSION}" | |
| echo "go_version=${GO_VERSION}" >> $GITHUB_OUTPUT | |
| # Secrets are unavailable when building from project forks, so this | |
| # will fail for external PRs, even if we wanted to do it. And we don't. | |
| # We are only going to sign packages that are built from the default branch | |
| # or a version tag, or manually triggered dev builds, so we have enough | |
| # assurance that package signing works, but don't sign every PR build. | |
| - name: Determine whether to sign the Windows artifacts | |
| id: determine_windows_signing | |
| env: | |
| SIGN_FILES: ${{ github.ref_name == github.event.repository.default_branch || startsWith(github.ref, 'refs/tags/v') || github.event_name == 'workflow_dispatch' }} | |
| run: | | |
| set -x # Show exactly what commands are executed | |
| if [[ "${SIGN_FILES}" == "true" ]]; then | |
| echo "Windows artifacts will be signed" | |
| sign_windows_artifacts="true" | |
| else | |
| echo "Windows artifacts will not be signed" | |
| sign_windows_artifacts="false" | |
| fi | |
| echo "sign_windows_artifacts=${sign_windows_artifacts}" >> ${GITHUB_OUTPUT} | |
| # Classify the release so we can decide whether this build should: | |
| # - move the Docker :latest tag (only the highest stable tag overall) | |
| # - move the Docker :vN floating major tag (any stable tag, per major) | |
| # - be marked as the GitHub "Latest release" or as a pre-release | |
| # This prevents pre-releases (e.g. -rc) and maintenance releases on | |
| # older majors (e.g. v1.x after v2.0.0 ships) from claiming "latest". | |
| - name: Classify release | |
| id: classify_release | |
| env: | |
| VERSION: ${{ steps.get_k6_version.outputs.k6_version }} | |
| run: | | |
| set -x | |
| MAJOR="" | |
| IS_PRERELEASE=false | |
| IS_LATEST_STABLE=false | |
| IS_LATEST_IN_MAJOR=false | |
| if [[ "${GITHUB_REF}" =~ ^refs/tags/v.+$ ]]; then | |
| MAJOR=$(echo "${VERSION}" | sed -E 's/^v([0-9]+).*/\1/') | |
| if [[ "${VERSION}" == *-* ]]; then | |
| IS_PRERELEASE=true | |
| fi | |
| # Highest stable tag in the repo (excludes anything with a | |
| # pre-release identifier like -rc, -beta, -dev). | |
| MAX_STABLE=$(git tag --sort=-v:refname | grep -vE '-' | head -n1 || true) | |
| if [[ "${IS_PRERELEASE}" == "false" && "${VERSION}" == "${MAX_STABLE}" ]]; then | |
| IS_LATEST_STABLE=true | |
| fi | |
| # Highest stable tag within this tag's major. Needed because | |
| # we can ship multiple bugfix releases on an older major | |
| # (e.g. v1.4.2 after v1.5.0 is already out on the v1 line): | |
| # only the newest one on that major should move :vN. | |
| MAX_STABLE_IN_MAJOR=$(git tag --sort=-v:refname \ | |
| | grep -vE '-' \ | |
| | grep -E "^v${MAJOR}\." \ | |
| | head -n1 || true) | |
| if [[ "${IS_PRERELEASE}" == "false" && "${VERSION}" == "${MAX_STABLE_IN_MAJOR}" ]]; then | |
| IS_LATEST_IN_MAJOR=true | |
| fi | |
| fi | |
| echo "major=${MAJOR}" >> ${GITHUB_OUTPUT} | |
| echo "is_prerelease=${IS_PRERELEASE}" >> ${GITHUB_OUTPUT} | |
| echo "is_latest_stable=${IS_LATEST_STABLE}" >> ${GITHUB_OUTPUT} | |
| echo "is_latest_in_major=${IS_LATEST_IN_MAJOR}" >> ${GITHUB_OUTPUT} | |
| build: | |
| runs-on: ubuntu-latest | |
| needs: [configure] | |
| env: | |
| VERSION: ${{ needs.configure.outputs.k6_version }} | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 | |
| with: | |
| fetch-depth: 0 | |
| persist-credentials: false | |
| - name: Install Go | |
| uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6 | |
| with: | |
| go-version: ${{ needs.configure.outputs.go_version }} | |
| check-latest: true | |
| cache: false # against cache-poisoning | |
| - name: Install nfpm (dep and rpm package builder) | |
| run: | | |
| go install github.com/goreleaser/nfpm/v2/cmd/nfpm@v2.16.0 | |
| - name: Install goversioninfo (.syso file creator) | |
| run: | | |
| go install github.com/josephspurrier/goversioninfo/cmd/goversioninfo@v1.4.0 | |
| - name: Generate Windows binary metadata (.syso files) | |
| run: | | |
| IFS=. read -a version_parts <<< "${VERSION#v}" | |
| IFS=- read -a version_patch <<< "${version_parts[2]}" | |
| # Need a blank versioninfo.json for the CLI overrides to work. | |
| echo '{}' > versioninfo.json | |
| set -x | |
| goversioninfo -64 \ | |
| -platform-specific=true \ | |
| -charset="1200" \ | |
| -company="Raintank Inc. d.b.a. Grafana Labs" \ | |
| -copyright="© Raintank Inc. d.b.a. Grafana Labs. Licensed under AGPL." \ | |
| -description="A modern load testing tool, using Go and JavaScript" \ | |
| -icon=packaging/k6.ico \ | |
| -internal-name="k6" \ | |
| -original-name="k6.exe" \ | |
| -product-name="k6" \ | |
| -translation="0x0409" \ | |
| -ver-major="${version_parts[0]}" \ | |
| -ver-minor="${version_parts[1]}" \ | |
| -ver-patch="${version_patch[0]}" \ | |
| -special-build=$(IFS='-'; echo "${version_patch[*]:1}";) \ | |
| -product-version="${VERSION#v}" | |
| set +x | |
| ls -lah | grep -i syso | |
| - name: Build | |
| run: | | |
| go version | |
| ./build-release.sh "dist" "${VERSION}" | |
| - name: Upload artifacts | |
| uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 | |
| with: | |
| name: binaries | |
| path: dist/ | |
| retention-days: 7 | |
| build-docker: | |
| permissions: | |
| contents: read | |
| packages: write | |
| id-token: write | |
| runs-on: ubuntu-latest | |
| needs: [configure] | |
| env: | |
| VERSION: ${{ needs.configure.outputs.k6_version }} | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 | |
| with: | |
| fetch-depth: 0 | |
| persist-credentials: false | |
| - name: Build | |
| run: | | |
| docker buildx create \ | |
| --name multibuilder \ | |
| --platform linux/amd64,linux/arm64 \ | |
| --bootstrap --use | |
| docker buildx build \ | |
| --target release \ | |
| --platform linux/amd64,linux/arm64 \ | |
| -t $DOCKER_IMAGE_ID . | |
| - name: Check | |
| run: | | |
| docker buildx build --load -t $DOCKER_IMAGE_ID . | |
| # Assert that simple cases works for the new built image | |
| docker run $DOCKER_IMAGE_ID version | |
| docker run $DOCKER_IMAGE_ID --help | |
| docker run $DOCKER_IMAGE_ID help | |
| docker run $DOCKER_IMAGE_ID run --help | |
| docker run $DOCKER_IMAGE_ID inspect --help | |
| - name: Login to GAR (Docker Hub mirror) | |
| if: ${{ github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/tags/v') }} | |
| uses: grafana/shared-workflows/actions/login-to-gar@c7ad5f57693ac858c698d95783685a9cbfd91223 # login-to-gar/v1.0.1 | |
| with: | |
| registry: us-docker.pkg.dev | |
| - name: Login to GitHub Container Registry | |
| uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0 | |
| env: | |
| GITHUB_ACTOR: ${{ github.actor }} | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| with: | |
| registry: ghcr.io | |
| username: ${{ env.GITHUB_ACTOR }} | |
| password: ${{ env.GITHUB_TOKEN }} | |
| if: ${{ github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/tags/v') }} | |
| - name: Publish k6:master images | |
| if: ${{ github.ref == 'refs/heads/master' }} | |
| run: | | |
| echo "Publish $GHCR_IMAGE_ID:master* images" | |
| docker buildx build --push \ | |
| --target release \ | |
| --platform linux/amd64,linux/arm64 \ | |
| -t $DOCKER_IMAGE_ID:master \ | |
| -t ghcr.io/$GHCR_IMAGE_ID:master . | |
| docker buildx build --push \ | |
| --target with-browser \ | |
| --platform linux/amd64,linux/arm64 \ | |
| -t $DOCKER_IMAGE_ID:master-with-browser \ | |
| -t ghcr.io/$GHCR_IMAGE_ID:master-with-browser . | |
| - name: Publish tagged version images | |
| if: ${{ startsWith(github.ref, 'refs/tags/v') }} | |
| run: | | |
| VERSION="${VERSION#v}" | |
| echo "Publish $GHCR_IMAGE_ID:$VERSION images" | |
| docker buildx build --push \ | |
| --target release \ | |
| --platform linux/amd64,linux/arm64 \ | |
| -t $DOCKER_IMAGE_ID:$VERSION \ | |
| -t ghcr.io/$GHCR_IMAGE_ID:$VERSION . | |
| docker buildx build --push \ | |
| --target with-browser \ | |
| --platform linux/amd64,linux/arm64 \ | |
| -t $DOCKER_IMAGE_ID:$VERSION-with-browser \ | |
| -t ghcr.io/$GHCR_IMAGE_ID:$VERSION-with-browser . | |
| # Move the floating major tag (e.g. :v1, :v2) only when this tag is | |
| # the highest stable tag on its major. Pre-releases never move it, | |
| # and a bugfix released on an older line within the same major | |
| # (e.g. v1.4.2 after v1.5.0) does not regress :vN. | |
| - name: Publish floating major tag | |
| if: ${{ needs.configure.outputs.is_latest_in_major == 'true' }} | |
| env: | |
| MAJOR: ${{ needs.configure.outputs.major }} | |
| run: | | |
| echo "Publish $GHCR_IMAGE_ID:v$MAJOR images" | |
| docker buildx build --push \ | |
| --target release \ | |
| --platform linux/amd64,linux/arm64 \ | |
| -t $DOCKER_IMAGE_ID:v$MAJOR \ | |
| -t ghcr.io/$GHCR_IMAGE_ID:v$MAJOR . | |
| docker buildx build --push \ | |
| --target with-browser \ | |
| --platform linux/amd64,linux/arm64 \ | |
| -t $DOCKER_IMAGE_ID:v$MAJOR-with-browser \ | |
| -t ghcr.io/$GHCR_IMAGE_ID:v$MAJOR-with-browser . | |
| # Only the highest stable tag in the repo gets :latest. Maintenance | |
| # releases on older majors (e.g. v1.x after v2.0.0 ships) and any | |
| # pre-release must not move :latest. | |
| - name: Publish :latest | |
| if: ${{ needs.configure.outputs.is_latest_stable == 'true' }} | |
| run: | | |
| echo "Publish $GHCR_IMAGE_ID:latest" | |
| docker buildx build --push \ | |
| --target release \ | |
| --platform linux/amd64,linux/arm64 \ | |
| -t $DOCKER_IMAGE_ID:latest \ | |
| -t ghcr.io/$GHCR_IMAGE_ID:latest . | |
| docker buildx build --push \ | |
| --target with-browser \ | |
| --platform linux/amd64,linux/arm64 \ | |
| -t $DOCKER_IMAGE_ID:latest-with-browser \ | |
| -t ghcr.io/$GHCR_IMAGE_ID:latest-with-browser . | |
| # Forks, PRs etc. won't actually sign the binary, but the workflow will run most of the same steps as | |
| # GitHub Actions workflows don't support conditional `needs` so we have to run the signing step unconditionally. | |
| sign-binaries: | |
| permissions: | |
| contents: read | |
| actions: read | |
| id-token: write # Required for Vault | |
| env: | |
| VERSION: ${{ needs.configure.outputs.k6_version }} | |
| environment: | |
| name: azure-trusted-signing | |
| runs-on: windows-latest | |
| defaults: | |
| run: | |
| shell: pwsh | |
| needs: [configure, build] | |
| outputs: | |
| binary_artifact_name: ${{ steps.assign-artifact-names.outputs.binary-artifact-name }} | |
| windows_binary_artifact_name: ${{ steps.assign-artifact-names.outputs.windows-binary-artifact-name }} | |
| steps: | |
| - name: Download binaries | |
| uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 | |
| with: | |
| name: binaries | |
| path: dist | |
| - name: Unzip Windows binary | |
| run: | | |
| Expand-Archive -Path ".\dist\k6-${env:VERSION}-windows-amd64.zip" -DestinationPath .\packaging\ | |
| - name: Upload artifact for Windows installer build | |
| uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 | |
| with: | |
| name: windows-binary | |
| path: 'packaging/k6-${{ env.VERSION }}-windows-amd64/k6.exe' | |
| retention-days: 7 | |
| if-no-files-found: error | |
| - name: Get secrets for Azure Trusted Signing | |
| uses: grafana/shared-workflows/actions/get-vault-secrets@a53fc80bc30b0a16a262520465db899fa3af08b7 # get-vault-secrets/v1.3.2 | |
| id: get-signing-secrets | |
| if: needs.configure.outputs.sign_windows_artifacts == 'true' | |
| with: | |
| export_env: false | |
| repo_secrets: | | |
| client-id=azure-trusted-signing:client-id | |
| subscription-id=azure-trusted-signing:subscription-id | |
| tenant-id=azure-trusted-signing:tenant-id | |
| - name: Sign Windows binary | |
| uses: grafana/shared-workflows/actions/azure-trusted-signing@fd75379254f1ff2d0a1f1c12b329a9008863ad82 # azure-trusted-signing/v1.0.2 | |
| id: sign-artifacts | |
| if: needs.configure.outputs.sign_windows_artifacts == 'true' | |
| with: | |
| application-description: 'Grafana k6' | |
| artifact-to-sign: 'windows-binary' | |
| azure-client-id: ${{ fromJSON(steps.get-signing-secrets.outputs.secrets).client-id }} | |
| azure-subscription-id: ${{ fromJSON(steps.get-signing-secrets.outputs.secrets).subscription-id }} | |
| azure-tenant-id: ${{ fromJSON(steps.get-signing-secrets.outputs.secrets).tenant-id }} | |
| signed-artifact-name: 'windows-binary-signed' | |
| - name: Download signed Windows binary | |
| uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 | |
| if: needs.configure.outputs.sign_windows_artifacts == 'true' | |
| with: | |
| name: ${{ steps.sign-artifacts.outputs.artifact-name }} | |
| path: 'packaging/k6-${{ env.VERSION }}-windows-amd64' | |
| # Re-zip the signed Windows binary to replace the original unsigned version | |
| - name: Zip signed Windows binary | |
| if: needs.configure.outputs.sign_windows_artifacts == 'true' | |
| run: | | |
| Compress-Archive -Path ".\packaging\*" -DestinationPath ".\dist\k6-${env:VERSION}-windows-amd64.zip" -Force | |
| - name: Upload signed artifacts | |
| uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 | |
| if: needs.configure.outputs.sign_windows_artifacts == 'true' | |
| with: | |
| name: binaries-signed | |
| path: dist/ | |
| retention-days: 7 | |
| if-no-files-found: error | |
| - name: Assign artifact name for Windows binary for installer build | |
| id: assign-artifact-names | |
| env: | |
| BINARY_ARTIFACT_NAME: ${{ needs.configure.outputs.sign_windows_artifacts == 'true' && 'binaries-signed' || 'binaries' }} | |
| WINDOWS_BINARY_ARTIFACT_NAME: ${{ needs.configure.outputs.sign_windows_artifacts == 'true' && steps.sign-artifacts.outputs.artifact-name || 'windows-binary' }} | |
| run: | | |
| echo "binary-artifact-name=${env:BINARY_ARTIFACT_NAME}" >> ${env:GITHUB_OUTPUT} | |
| echo "windows-binary-artifact-name=${env:WINDOWS_BINARY_ARTIFACT_NAME}" >> ${env:GITHUB_OUTPUT} | |
| package: | |
| permissions: | |
| contents: read | |
| actions: read | |
| runs-on: windows-latest | |
| defaults: | |
| run: | |
| shell: pwsh | |
| needs: [configure, build, sign-binaries] | |
| env: | |
| VERSION: ${{ needs.configure.outputs.k6_version }} | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 | |
| with: | |
| persist-credentials: false | |
| - name: Install pandoc | |
| uses: crazy-max/ghaction-chocolatey@dff3862348493b11fba2fbc49147b6d2dfe09b66 # v4.0.0 | |
| with: | |
| args: install -y pandoc | |
| - name: Install wix tools | |
| run: | | |
| curl -Lso wix311-binaries.zip https://github.com/wixtoolset/wix3/releases/download/wix3112rtm/wix311-binaries.zip | |
| Expand-Archive -Path .\wix311-binaries.zip -DestinationPath .\wix311\ | |
| echo "$pwd\wix311" | Out-File -FilePath $env:GITHUB_PATH -Append | |
| - name: Download Windows binary | |
| uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 | |
| with: | |
| name: ${{ needs.sign-binaries.outputs.windows_binary_artifact_name }} | |
| path: packaging | |
| - name: Create the MSI package | |
| run: | | |
| $env:VERSION = $env:VERSION -replace 'v(\d+\.\d+\.\d+).*','$1' | |
| pandoc -s -f markdown -t rtf -o packaging\LICENSE.rtf LICENSE.md | |
| cd .\packaging | |
| candle.exe -arch x64 "-dVERSION=${env:VERSION}" k6.wxs | |
| light.exe -ext WixUIExtension k6.wixobj | |
| - name: Rename MSI package | |
| # To keep it consistent with the other artifacts | |
| run: move "packaging\k6.msi" "packaging\k6-${env:VERSION}-windows-amd64.msi" | |
| - name: Upload Windows installer | |
| uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 | |
| with: | |
| name: binaries-windows | |
| path: | | |
| packaging/k6-*.msi | |
| retention-days: 7 | |
| if-no-files-found: error | |
| # Forks, PRs etc. won't actually sign the installer, but the workflow will run most of the same steps as | |
| # GitHub Actions workflows don't support conditional `needs` so we have to run the signing step unconditionally. | |
| sign-packages: | |
| permissions: | |
| actions: read | |
| contents: read | |
| id-token: write # Required for Vault | |
| environment: | |
| name: azure-trusted-signing | |
| outputs: | |
| artifact_name: ${{ steps.assign-artifact-name.outputs.artifact-name }} | |
| runs-on: windows-latest | |
| defaults: | |
| run: | |
| shell: pwsh | |
| needs: [configure, package] | |
| steps: | |
| - name: Download Windows artifacts | |
| uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 | |
| if: needs.configure.outputs.sign_windows_artifacts == 'true' | |
| with: | |
| name: binaries-windows | |
| path: packaging | |
| - name: Get secrets for Azure Trusted Signing | |
| uses: grafana/shared-workflows/actions/get-vault-secrets@a53fc80bc30b0a16a262520465db899fa3af08b7 # get-vault-secrets/v1.3.2 | |
| id: get-signing-secrets | |
| if: needs.configure.outputs.sign_windows_artifacts == 'true' | |
| with: | |
| export_env: false | |
| repo_secrets: | | |
| client-id=azure-trusted-signing:client-id | |
| subscription-id=azure-trusted-signing:subscription-id | |
| tenant-id=azure-trusted-signing:tenant-id | |
| - name: Sign Windows installer | |
| uses: grafana/shared-workflows/actions/azure-trusted-signing@fd75379254f1ff2d0a1f1c12b329a9008863ad82 # azure-trusted-signing/v1.0.2 | |
| id: sign-artifacts | |
| if: needs.configure.outputs.sign_windows_artifacts == 'true' | |
| with: | |
| application-description: 'Grafana k6' | |
| artifact-to-sign: 'binaries-windows' | |
| azure-client-id: ${{ fromJSON(steps.get-signing-secrets.outputs.secrets).client-id }} | |
| azure-subscription-id: ${{ fromJSON(steps.get-signing-secrets.outputs.secrets).subscription-id }} | |
| azure-tenant-id: ${{ fromJSON(steps.get-signing-secrets.outputs.secrets).tenant-id }} | |
| signed-artifact-name: 'binaries-windows-signed' | |
| - name: Assign artifact name for Windows installer | |
| id: assign-artifact-name | |
| env: | |
| ARTIFACT_NAME: ${{ needs.configure.outputs.sign_windows_artifacts == 'true' && steps.sign-artifacts.outputs.artifact-name || 'binaries-windows' }} | |
| run: | | |
| echo "artifact-name=${env:ARTIFACT_NAME}" >> ${env:GITHUB_OUTPUT} | |
| publish-github: | |
| runs-on: ubuntu-latest | |
| needs: [configure, sign-binaries, sign-packages] | |
| if: ${{ startsWith(github.ref, 'refs/tags/v') && github.event_name != 'workflow_dispatch' }} | |
| env: | |
| VERSION: ${{ needs.configure.outputs.k6_version }} | |
| permissions: | |
| actions: read | |
| contents: write | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 | |
| with: | |
| persist-credentials: false | |
| - name: Download binaries | |
| uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 | |
| with: | |
| name: ${{ needs.sign-binaries.outputs.binary_artifact_name }} | |
| path: dist | |
| - name: Download Windows binaries | |
| uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 | |
| with: | |
| name: ${{ needs.sign-packages.outputs.artifact_name }} | |
| path: dist | |
| - name: Generate checksum file | |
| run: cd dist && sha256sum * > "k6-${VERSION}-checksums.txt" | |
| - name: Anchore SBOM Action | |
| continue-on-error: true | |
| uses: anchore/sbom-action@e22c389904149dbc22b58101806040fa8d37a610 # v0.24.0 | |
| with: | |
| artifact-name: k6-${{ env.VERSION }}-spdx.json | |
| upload-release-assets: false | |
| output-file: dist/k6-${{ env.VERSION }}-spdx.json | |
| - name: Create release | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| IS_LATEST_STABLE: ${{ needs.configure.outputs.is_latest_stable }} | |
| IS_PRERELEASE: ${{ needs.configure.outputs.is_prerelease }} | |
| run: | | |
| set -x | |
| assets=() | |
| for asset in ./dist/*; do | |
| assets+=("$asset") | |
| done | |
| # --latest=false prevents pre-releases and maintenance releases on | |
| # older majors from being shown as the "Latest release" on GitHub. | |
| extra_args=( "--latest=${IS_LATEST_STABLE}" ) | |
| if [[ "${IS_PRERELEASE}" == "true" ]]; then | |
| extra_args+=( "--prerelease" ) | |
| fi | |
| gh release create "$VERSION" "${assets[@]}" \ | |
| --target "$GITHUB_SHA" \ | |
| -F "./release notes/${VERSION}.md" \ | |
| "${extra_args[@]}" | |
| submit-winget-manifest: | |
| needs: [configure, publish-github] | |
| runs-on: windows-2025 | |
| permissions: | |
| contents: read | |
| id-token: write | |
| steps: | |
| - name: Install WingetCreate | |
| shell: pwsh | |
| run: | | |
| Import-Module Appx -UseWindowsPowerShell | |
| $appxBundleFile = Join-Path ${env:RUNNER_TEMP} "wingetcreate.msixbundle" | |
| Invoke-WebRequest https://aka.ms/wingetcreate/latest/msixbundle -OutFile $appxBundleFile | |
| Add-AppxPackage $appxBundleFile | |
| - name: Get WinGet token | |
| uses: grafana/shared-workflows/actions/get-vault-secrets@a53fc80bc30b0a16a262520465db899fa3af08b7 # get-vault-secrets/v1.3.2 | |
| id: get-token | |
| with: | |
| export_env: false | |
| common_secrets: | | |
| token=winget-packages:token | |
| - name: Submit WinGet Manifest | |
| env: | |
| PACKAGE_ID: GrafanaLabs.k6 | |
| PACKAGE_VERSION: ${{ needs.configure.outputs.k6_version }} | |
| WINGET_CREATE_GITHUB_TOKEN: ${{ fromJSON(steps.get-token.outputs.secrets).token }} | |
| shell: pwsh | |
| run: | | |
| wingetcreate token --store | |
| wingetcreate update ${env:PACKAGE_ID} ` | |
| --urls "${env:GITHUB_SERVER_URL}/${env:GITHUB_REPOSITORY}/releases/download/${env:PACKAGE_VERSION}/k6-${env:PACKAGE_VERSION}-windows-amd64.msi" ` | |
| --version ${env:PACKAGE_VERSION}.TrimStart("v") ` | |
| --submit | |
| publish-packages: | |
| runs-on: ubuntu-latest | |
| needs: [configure, sign-binaries, sign-packages] | |
| if: ${{ startsWith(github.ref, 'refs/tags/v') && github.event_name != 'workflow_dispatch' }} | |
| env: | |
| VERSION: ${{ needs.configure.outputs.k6_version }} | |
| permissions: | |
| actions: read | |
| contents: read | |
| packages: write | |
| id-token: write # Required for Vault | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 | |
| with: | |
| persist-credentials: false | |
| - name: Download binaries | |
| uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 | |
| with: | |
| name: ${{ needs.sign-binaries.outputs.binary_artifact_name }} | |
| path: dist | |
| - name: Download Windows binaries | |
| uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 | |
| with: | |
| name: ${{ needs.sign-packages.outputs.artifact_name }} | |
| path: dist | |
| - name: Rename binaries | |
| # To be consistent with the filenames used in dl.k6.io | |
| run: | | |
| mv "dist/k6-$VERSION-windows-amd64.msi" "dist/k6-$VERSION-amd64.msi" | |
| mv "dist/k6-$VERSION-linux-amd64.rpm" "dist/k6-$VERSION-amd64.rpm" | |
| mv "dist/k6-$VERSION-linux-amd64.deb" "dist/k6-$VERSION-amd64.deb" | |
| - uses: grafana/shared-workflows/actions/get-vault-secrets@a53fc80bc30b0a16a262520465db899fa3af08b7 # get-vault-secrets/v1.3.2 | |
| id: get-secrets | |
| with: | |
| export_env: false | |
| repo_secrets: | | |
| IAM_ROLE_ARN=deploy:packager-iam-role | |
| AWS_CF_DISTRIBUTION=cloudfront:AWS_CF_DISTRIBUTION | |
| PGP_SIGN_KEY_PASSPHRASE=pgp:PGP_SIGN_KEY_PASSPHRASE | |
| PGP_SIGN_KEY=pgp:PGP_SIGN_KEY | |
| S3_BUCKET=s3:AWS_S3_BUCKET | |
| - uses: grafana/shared-workflows/actions/aws-auth@85022085ed5314601c05d10e846de56bdd71e369 # aws-auth/v1.0.3 | |
| with: | |
| aws-region: "us-east-2" | |
| role-arn: ${{ fromJSON(steps.get-secrets.outputs.secrets).IAM_ROLE_ARN }} | |
| set-creds-in-environment: true | |
| - name: Setup docker compose environment | |
| env: | |
| AWS_CF_DISTRIBUTION: ${{ fromJSON(steps.get-secrets.outputs.secrets).AWS_CF_DISTRIBUTION }} | |
| PGP_SIGN_KEY_PASSPHRASE: ${{ fromJSON(steps.get-secrets.outputs.secrets).PGP_SIGN_KEY_PASSPHRASE }} | |
| PGP_SIGN_KEY: ${{ fromJSON(steps.get-secrets.outputs.secrets).PGP_SIGN_KEY }} | |
| S3_BUCKET: ${{ fromJSON(steps.get-secrets.outputs.secrets).S3_BUCKET }} | |
| run: | | |
| cat > packaging/.env <<EOF | |
| AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID} | |
| AWS_CF_DISTRIBUTION="${AWS_CF_DISTRIBUTION}" | |
| AWS_DEFAULT_REGION=us-east-2 | |
| AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY} | |
| AWS_SESSION_TOKEN=${AWS_SESSION_TOKEN} | |
| PGP_SIGN_KEY_PASSPHRASE=${PGP_SIGN_KEY_PASSPHRASE} | |
| S3_BUCKET=${S3_BUCKET} | |
| EOF | |
| echo "${PGP_SIGN_KEY}" > packaging/sign-key.gpg | |
| - name: Login to GitHub Container Registry | |
| uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0 | |
| env: | |
| GITHUB_ACTOR: ${{ github.actor }} | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| with: | |
| registry: ghcr.io | |
| username: ${{ env.GITHUB_ACTOR }} | |
| password: ${{ env.GITHUB_TOKEN }} | |
| - name: Publish packages | |
| run: | | |
| cd packaging | |
| docker compose pull packager | |
| docker compose run --rm packager |