chore(sec): pin github deps to shas (#1444) #105
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Release | |
| on: | |
| push: | |
| branches: [ main ] | |
| workflow_dispatch: | |
| jobs: | |
| release-check: | |
| name: Check if version changed | |
| runs-on: ubuntu-latest | |
| defaults: | |
| run: | |
| shell: bash | |
| permissions: | |
| contents: read | |
| steps: | |
| - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 | |
| with: | |
| fetch-depth: 0 | |
| ref: main | |
| persist-credentials: false | |
| - name: Use Node.js from nvmrc | |
| uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0 | |
| with: | |
| node-version-file: ".nvmrc" | |
| - name: Check if version has been updated | |
| id: check | |
| uses: EndBug/version-check@d17247dd94ca7b39d0b0691399be8d7c510622c9 # latest | |
| outputs: | |
| publish: ${{ steps.check.outputs.changed }} | |
| release: | |
| name: Release | |
| needs: release-check | |
| if: ${{ needs.release-check.outputs.publish == 'true' }} | |
| runs-on: ubuntu-latest | |
| defaults: | |
| run: | |
| shell: bash | |
| steps: | |
| - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 | |
| with: | |
| fetch-depth: 0 | |
| ref: main | |
| - name: Use Node.js from nvmrc | |
| uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0 | |
| with: | |
| node-version-file: ".nvmrc" | |
| registry-url: "https://registry.npmjs.org" | |
| - name: Set up Go for desktop build | |
| uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0 | |
| with: | |
| go-version: ^1.23.x | |
| cache-dependency-path: desktop/go.sum | |
| id: go | |
| - name: Get version | |
| id: package-version | |
| uses: martinbeentjes/npm-get-version-action@3cf273023a0dda27efcd3164bdfb51908dd46a5b # v1.3.1 | |
| - name: Install | |
| run: npm ci | |
| - name: Build | |
| run: | | |
| npm run build-desktop | |
| - name: Tag commit and push | |
| id: tag_version | |
| uses: mathieudutour/github-tag-action@a22cf08638b34d5badda920f9daf6e72c477b07b # v6.2 | |
| with: | |
| github_token: ${{ secrets.GITHUB_TOKEN }} | |
| custom_tag: ${{ steps.package-version.outputs.current-version }} | |
| - name: Create Archives | |
| run: | | |
| zip -r "desktop-${{ steps.package-version.outputs.current-version }}" desktop/bin/ | |
| - name: Build Release Notes | |
| id: release_notes | |
| run: | | |
| RELEASE_NOTES_PATH="${PWD}/release_notes.txt" | |
| ./build/release-notes.js > ${RELEASE_NOTES_PATH} | |
| echo "release_notes=${RELEASE_NOTES_PATH}" >> $GITHUB_OUTPUT | |
| - name: Create GitHub Release | |
| id: create_regular_release | |
| uses: ncipollo/release-action@b7eabc95ff50cbeeedec83973935c8f306dfcd0b # v1.20.0 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| with: | |
| tag: ${{ steps.tag_version.outputs.new_tag }} | |
| name: ${{ steps.tag_version.outputs.new_tag }} | |
| bodyFile: ${{ steps.release_notes.outputs.release_notes }} | |
| artifacts: "desktop-${{ steps.package-version.outputs.current-version }}.zip" | |
| allowUpdates: true | |
| draft: false | |
| prerelease: false |