Merge pull request #715 from onflow/improvement/release-gha

Release process improvements

Author: devbugging

.github/workflows/build-release.yaml

@@ -1,47 +1,41 @@
 name: Build Release
 
 on:
-  push:
-    tags:
-      - "v*"
+  release:
+    types: [created]
 
 jobs:
-  security:
+  releases-matrix:
+    name: Release Go Binary
     runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        # build and publish in parallel: linux/386, linux/amd64, linux/arm64, windows/386, windows/amd64, darwin/amd64, darwin/arm64
+        goos: [ linux, windows, darwin ]
+        goarch: [ amd64, arm64 ]
+        exclude:
+          - goarch: arm64
+            goos: windows
     steps:
-      - uses: actions/checkout@master
-      - name: Run Snyk to check for vulnerabilities
+      - uses: actions/checkout@v3
+      - name: Codebase security check
         continue-on-error: true
         uses: snyk/actions/golang@master
         with:
           go-version: '1.19'
         env:
           SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
-  build:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v2
-        with:
-          fetch-depth: 0
-      - uses: actions/setup-go@v1
-        with:
-          go-version: '1.19'
-      - name: Build Binaries
-        run: make versioned-binaries
+      - uses: wangyoucao577/go-release-action@v1.33
         env:
           MIXPANEL_PROJECT_TOKEN: ${{ secrets.MIXPANEL_PROJECT_TOKEN }}
-      - name: Uploading Binaries
-        uses: google-github-actions/upload-cloud-storage@main
-        with:
-          credentials: ${{ secrets.FLOW_HOSTING_PROD_SA }}
-          path: ./cmd/flow/
-          glob: 'flow-*'
-          destination: flow-cli/
-          parent: false
-      - name: Update Version
-        uses: google-github-actions/upload-cloud-storage@main
+          APP_VERSION: $(basename ${GITHUB_REF})
+          BUILD_TIME: $(date --iso-8601=seconds)
+          VERSION: ${{github.ref_name}}
+          COMMIT: ${{ github.sha }}
         with:
-          credentials: ${{ secrets.FLOW_HOSTING_PROD_SA }}
-          path: ./
-          glob: 'version.txt'
-          destination: flow-cli/
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          goos: ${{ matrix.goos }}
+          goarch: ${{ matrix.goarch }}
+          goversion: "1.19"
+          project_path: "./cmd/flow"
+          ldflags: -X "build.commit=${{ env.COMMIT }}" -X "build.semver=${{ env.VERSION }}" -X "util.MIXPANEL_PROJECT_TOKEN=${{ env.MIXPANEL_PROJECT_TOKEN }}"

.github/workflows/publish-release.yml

@@ -5,18 +5,8 @@ on:
     types: [published]
 
 jobs:
-  security:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@master
-      - name: Run Snyk to check for vulnerabilities
-        continue-on-error: true
-        uses: snyk/actions/golang@master
-        with:
-          go-version: '1.19'
-        env:
-          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
   homebrew:
+      if: github.event_name == 'release' && github.event.action == 'published' # skip for pre-release
       name: Bump Homebrew formula
       runs-on: ubuntu-latest
       steps:

.github/security_scan.yaml .github/workflows/security_scan.yaml.github/security_scan.yaml renamed to .github/workflows/security_scan.yaml

@@ -1,10 +1,6 @@
 name: Security Scanner
 on:
-  pull_request:
   push:
-  workflow_dispatch:
-  schedule:
-    - cron: "0 4 * * *" # run once a day at 4 AM
 jobs:
   scan:
     name: gitleaks
@@ -22,9 +18,9 @@ jobs:
     steps:
       - uses: actions/checkout@v3
       - name: Running govulncheck
-        uses: Templum/govulncheck-action@latest
+        uses: Templum/govulncheck-action@v0.0.7
         with:
-          go-version: 1.18
+          go-version: 1.19
           vulncheck-version: latest
           package: ./...
           github-token: ${{ secrets.GITHUB_TOKEN }}

install.ps1

@@ -32,11 +32,13 @@ Set-ItemProperty HKCU:\Console VirtualTerminalLevel -Type DWORD 1
 
 $ErrorActionPreference = "Stop"
 
-$baseURL = "https://storage.googleapis.com/flow-cli"
-$versionURL ="https://raw.githubusercontent.com/onflow/flow-cli/master/version.txt"
+$repo = "onflow/flow-cli"
+$versionURL = "https://api.github.com/repos/$repo/releases/latest"
+$assetsURL = "https://github.com/$repo/releases/download"
 
 if (!$version) {
-    $version = (Invoke-WebRequest -Uri "$versionURL" -UseBasicParsing).Content.Trim()
+    $q = (Invoke-WebRequest -Uri "$versionURL" -UseBasicParsing) | ConvertFrom-Json
+    $version = $q.tag_name
 }
 
 Write-Output("Installing version {0} ..." -f $version)
@@ -45,7 +47,11 @@ New-Item -ItemType Directory -Force -Path $directory | Out-Null
 
 $progressPreference = 'silentlyContinue'
 
-Invoke-WebRequest -Uri "$baseURL/flow-x86_64-windows-$version" -UseBasicParsing -OutFile "$directory\flow.exe"
+Invoke-WebRequest -Uri "$assetsURL/$version/flow-cli-$version-windows-amd64.zip" -UseBasicParsing -OutFile "$directory\flow.zip"
+
+Expand-Archive -Path "$directory\flow.zip" -DestinationPath "$directory"
+
+Move-Item -Path "$directory\flow-cli.exe" -Destination "$directory\flow.exe" -Force
 
 if ($addToPath) {
     Write-Output "Adding to PATH ..."

install.sh

@@ -3,8 +3,8 @@
 # Exit as soon as any command fails
 set -e
 
-BASE_URL="https://storage.googleapis.com/flow-cli"
-CLI_GIT_URL="https://raw.githubusercontent.com/onflow/flow-cli/master/version.txt"
+REPO="onflow/flow-cli"
+ASSETS_URL="https://github.com/$REPO/releases/download/"
 # The version to download, set by get_version (defaults to args[1])
 VERSION="$1"
 # The architecture string, set by get_architecture
@@ -47,7 +47,7 @@ get_architecture() {
             return 1
             ;;
     esac
-    _arch="${_cputype}-${_ostype}"
+    _arch="${_ostype}-${_cputype}"
     ARCH="${_arch}"
     TARGET_PATH="${_targetpath}"
 }
@@ -56,7 +56,7 @@ get_architecture() {
 get_version() {
   if [ -z "$VERSION" ]
   then
-    VERSION=$(curl -s "$CLI_GIT_URL")
+    VERSION=$(curl -s "https://api.github.com/repos/$REPO/releases/latest" | grep -E 'tag_name' | cut -d '"' -f 4)
   fi
 }
 
@@ -71,21 +71,21 @@ main() {
   echo "Downloading version $VERSION ..."
 
   tmpfile=$(mktemp 2>/dev/null || mktemp -t flow)
-
-  url="$BASE_URL/flow-$ARCH-$VERSION"
-  curl --progress-bar "$url" -o $tmpfile
+  url="$ASSETS_URL$VERSION/flow-cli-$VERSION-$ARCH.tar.gz"
+  curl -L --progress-bar "$url" -o $tmpfile
 
   # Ensure we don't receive a not found error as response.
-  if grep -q "The specified key does not exist" $tmpfile
+  if grep -q "Not Found" $tmpfile
   then
     echo "Version $VERSION could not be found"
     exit 1
   fi
 
-  chmod +x $tmpfile
-
   [ -d $TARGET_PATH ] || mkdir -p $TARGET_PATH
-  mv $tmpfile $TARGET_PATH/flow
+
+  tar -xf $tmpfile -C $TARGET_PATH
+  mv $TARGET_PATH/flow-cli $TARGET_PATH/flow
+  chmod +x $TARGET_PATH/flow
 
   echo "Successfully installed the Flow CLI to $TARGET_PATH."
   echo "Make sure $TARGET_PATH is in your \$PATH environment variable."