security: add minimumReleaseAge (7d) #19
Workflow file for this run
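# CI and release pipeline: verifies pull requests and pushes to main, and
# releases from main (see the jobs' own `if:` conditions).
name: CI

on:
  pull_request:
  push:
    branches:
      - main

env:
  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true

# Deny-by-default scope for the job token. Every job in this file declares its
# own `permissions:` block, which overrides this empty default, so a job added
# later without one starts with no token permissions.
permissions: {}

# One active run per workflow and ref; a newer run cancels the older one.
# NOTE(review): this also covers pushes to main, so a second push can cancel a
# release run after the package is published but before the binary assets are
# uploaded. Consider cancelling only pull-request runs.
concurrency:
  group: ci-${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs: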
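# Job: verify. Runs the repository checks and the packed-install smoke test on
# pull requests and on pushes that are not marked [skip ci].
  verify:
    if: github.event_name != 'push' || !contains(github.event.head_commit.message, '[skip ci]')
    name: Verify CLI
    runs-on: ubuntu-latest
    timeout-minutes: 20
    permissions:
      contents: read
    steps:
      # NOTE(review): the actions in this job are referenced by mutable tags
      # (@v6, @v1). Pinning each `uses:` to a full commit SHA keeps a retagged
      # upstream release from changing what runs here.
      - name: Check out repository
        uses: actions/checkout@v6
        with:
          fetch-depth: 0
          # The following steps execute scripts from the checked-out tree,
          # including pull-request code, so the job token is not left
          # configured for git after checkout.
          # NOTE(review): assumes the verify and smoke scripts make no
          # authenticated git calls; confirm.
          persist-credentials: false
      - name: Set up Vite+
        uses: voidzero-dev/setup-vp@v1
        with:
          node-version-file: ".node-version"
          cache: true
      - name: Verify repository
        run: vp run verify
      - name: Smoke test packed install surface
        run: vp run smoke:pack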
# Job: release. On pushes to main that are not marked [skip ci], builds the
# package and runs semantic-release. Its outputs tell the downstream jobs
# whether a release was published, and under which tag and version.
  release:
    name: Release CLI
    needs: [verify]
    if: github.event_name == 'push' && github.ref == 'refs/heads/main' && !contains(github.event.head_commit.message, '[skip ci]')
    runs-on: ubuntu-latest
    timeout-minutes: 20
    # Write scopes requested for the job token used by the release step.
    permissions:
      contents: write
      issues: write
      pull-requests: write
    outputs:
      new_release_published: ${{ steps.semantic.outputs.new_release_published }}
      new_release_git_tag: ${{ steps.semantic.outputs.new_release_git_tag }}
      new_release_version: ${{ steps.semantic.outputs.new_release_version }}
    steps:
      - name: Check out repository
        uses: actions/checkout@v6
        with:
          fetch-depth: 0
      - name: Set up Vite+
        uses: voidzero-dev/setup-vp@v1
        with:
          node-version-file: ".node-version"
          cache: true
      - name: Build package
        run: vp pack
      # NOTE(review): this step passes a write-scoped GITHUB_TOKEN and the npm
      # publish token to a third-party action referenced by a mutable tag, and
      # the plugins listed under extra_plugins carry no version, so presumably
      # whatever is current on the registry is installed at run time. Pin the
      # action to a full commit SHA and each plugin to an exact version
      # (name@<version>), and check whether the repository's minimumReleaseAge
      # setting covers this install path at all.
      - name: Release package
        id: semantic
        uses: cycjimmy/semantic-release-action@v6
        with:
          extra_plugins: |
            @semantic-release/commit-analyzer
            @semantic-release/release-notes-generator
            @semantic-release/npm
            @semantic-release/github
            @semantic-release/git
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
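# Job: build-unix-binaries. For a published release, builds and verifies the
# SEA binary on Linux and macOS, packages it as a .tar.gz with a .sha256 file,
# and uploads both to the GitHub release.
  build-unix-binaries:
    if: needs.release.outputs.new_release_published == 'true'
    name: Build ${{ matrix.os }} release assets
    needs:
      - release
    runs-on: ${{ matrix.os }}
    timeout-minutes: 30
    permissions:
      contents: write
    strategy:
      fail-fast: false
      matrix:
        include:
          - os: ubuntu-latest
            asset_os: linux
            asset_arch: amd64
          - os: macos-latest
            asset_os: darwin
            asset_arch: arm64
    steps:
      # NOTE(review): the actions in this job are referenced by mutable tags
      # while the job holds contents: write; pin each `uses:` to a full commit
      # SHA.
      - name: Check out repository
        uses: actions/checkout@v6
        with:
          fetch-depth: 0
          # The tag checkout below is a local operation and the upload step
          # does not go through git, so the token is not kept in the git
          # configuration while the build scripts run.
          # NOTE(review): assumes the build scripts make no authenticated git
          # calls; confirm.
          persist-credentials: false
      - name: Check out release tag
        # Pass the tag through the environment instead of expanding the
        # expression inside the script text, so its value is never parsed as
        # shell syntax.
        env:
          RELEASE_TAG: ${{ needs.release.outputs.new_release_git_tag }}
        run: git checkout "$RELEASE_TAG"
      - name: Set up Vite+
        uses: voidzero-dev/setup-vp@v1
        with:
          node-version-file: ".node-version"
          cache: true
      - name: Build SEA binary
        run: vp run build:sea
      - name: Verify SEA binary
        run: vp run verify:sea
      # Stages the binary, archives it, and writes "<sha256> <file name>" next
      # to the archive.
      # NOTE(review): confirm the separator between hash and file name matches
      # what the intended verification tool expects.
      - name: Package release assets
        shell: pwsh
        # The version also comes from a job output, so it is read from the
        # environment rather than expanded into the PowerShell source. The
        # matrix values are constants defined in this file.
        env:
          RELEASE_VERSION: ${{ needs.release.outputs.new_release_version }}
        run: |
          $version = $env:RELEASE_VERSION
          $assetBase = "putio-cli-$version-${{ matrix.asset_os }}-${{ matrix.asset_arch }}"
          $releaseDir = ".artifacts/release"
          New-Item -ItemType Directory -Force -Path $releaseDir | Out-Null
          $binaryPath = ".artifacts/sea/putio"
          $stageDir = "$releaseDir/stage"
          New-Item -ItemType Directory -Force -Path $stageDir | Out-Null
          Copy-Item $binaryPath "$stageDir/putio"
          tar -czf "$releaseDir/$assetBase.tar.gz" -C $stageDir putio
          Remove-Item -Recurse -Force $stageDir
          $assetPath = "$releaseDir/$assetBase.tar.gz"
          $hash = (Get-FileHash -Algorithm SHA256 $assetPath).Hash.ToLower()
          "$hash $(Split-Path $assetPath -Leaf)" | Out-File "$assetPath.sha256" -Encoding ascii -NoNewline
      # Only lists the release directory; the .sha256 file is written by the
      # packaging step above.
      - name: Generate SHA-256 checksums
        shell: pwsh
        run: Get-ChildItem .artifacts/release
      - name: Upload binary assets to the GitHub release
        uses: softprops/action-gh-release@v2
        with:
          tag_name: ${{ needs.release.outputs.new_release_git_tag }}
          files: |
            .artifacts/release/*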
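# Job: build-windows-binary. For a published release, builds and verifies the
# SEA binary on Windows, packages it as a .zip with a .sha256 file, and uploads
# both to the GitHub release.
  build-windows-binary:
    if: needs.release.outputs.new_release_published == 'true'
    name: Build windows-latest release assets
    needs:
      - release
    runs-on: windows-latest
    timeout-minutes: 30
    permissions:
      contents: write
    steps:
      # NOTE(review): the actions in this job are referenced by mutable tags
      # while the job holds contents: write; pin each `uses:` to a full commit
      # SHA.
      - name: Check out repository
        uses: actions/checkout@v6
        with:
          fetch-depth: 0
          # The tag checkout below is a local operation and the upload step
          # does not go through git, so the token is not kept in the git
          # configuration while the build scripts run.
          # NOTE(review): assumes the build scripts make no authenticated git
          # calls; confirm.
          persist-credentials: false
      - name: Check out release tag
        # Pass the tag through the environment instead of expanding the
        # expression inside the script text. This step has no `shell:` key;
        # the $env: syntax assumes the Windows runner default of PowerShell.
        env:
          RELEASE_TAG: ${{ needs.release.outputs.new_release_git_tag }}
        run: git checkout "$env:RELEASE_TAG"
      - name: Set up Vite+
        uses: voidzero-dev/setup-vp@v1
        with:
          node-version-file: ".node-version"
          cache: true
      - name: Build SEA binary
        run: vp run build:sea
      - name: Verify SEA binary
        run: vp run verify:sea
      # Zips the binary and writes "<sha256> <file name>" next to the archive.
      # NOTE(review): confirm the separator between hash and file name matches
      # what the intended verification tool expects.
      - name: Package release assets
        shell: pwsh
        # The version comes from a job output, so it is read from the
        # environment rather than expanded into the PowerShell source.
        env:
          RELEASE_VERSION: ${{ needs.release.outputs.new_release_version }}
        run: |
          $version = $env:RELEASE_VERSION
          $assetBase = "putio-cli-$version-windows-amd64"
          $releaseDir = ".artifacts/release"
          New-Item -ItemType Directory -Force -Path $releaseDir | Out-Null
          $binaryPath = ".artifacts/sea/putio.exe"
          Compress-Archive -Path $binaryPath -DestinationPath "$releaseDir/$assetBase.zip" -Force
          $assetPath = "$releaseDir/$assetBase.zip"
          $hash = (Get-FileHash -Algorithm SHA256 $assetPath).Hash.ToLower()
          "$hash $(Split-Path $assetPath -Leaf)" | Out-File "$assetPath.sha256" -Encoding ascii -NoNewline
      # Only lists the release directory; the .sha256 file is written by the
      # packaging step above.
      - name: Generate SHA-256 checksums
        shell: pwsh
        run: Get-ChildItem .artifacts/release
      - name: Upload binary assets to the GitHub release
        uses: softprops/action-gh-release@v2
        with:
          tag_name: ${{ needs.release.outputs.new_release_git_tag }}
          files: |
            .artifacts/release/*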
# Job: update-homebrew-tap. After a published release and the Unix binary
# builds, runs the Homebrew releaser action against the putdotio/homebrew-tap
# tap for the darwin-arm64 and linux-amd64 targets.
  update-homebrew-tap:
    name: Update Homebrew tap
    needs: [release, build-unix-binaries]
    if: needs.release.outputs.new_release_published == 'true'
    runs-on: ubuntu-latest
    timeout-minutes: 20
    # The job token is read-only; the action is given a separate secret,
    # HOMEBREW_TAP_TOKEN, as its github_token input.
    permissions:
      contents: read
    steps:
      # NOTE(review): HOMEBREW_TAP_TOKEN is handed to a third-party action
      # referenced by a mutable tag (@v3). Pin the action to a full commit SHA
      # and keep the token scoped to the tap repository only.
      - name: Release to Homebrew tap
        uses: Justintime50/homebrew-releaser@v3
        with:
          homebrew_owner: putdotio
          homebrew_tap: homebrew-tap
          github_token: ${{ secrets.HOMEBREW_TAP_TOKEN }}
          commit_owner: semantic-release-bot
          commit_email: ui@put.io
          branch: main
          formula_folder: Formula
          install: 'bin.install "putio"'
          # Formula test: the installed binary must report its own name and
          # the released version.
          test: |
            output = shell_output("#{bin}/putio version")
            assert_match "putio", output
            assert_match version.to_s, output
          target_darwin_arm64: true
          target_linux_amd64: true
          # NOTE(review): confirm exactly what skip_checksum disables in this
          # action, and that the generated formula still carries a sha256 for
          # each archive, since Homebrew uses it to verify downloads.
          skip_checksum: true