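---
# Release workflow.
#
# Triggered by a v*.*.* tag push. Three chained jobs:
#   1. verify          - installs root/frontend/backend deps and runs the repo's
#                        contract and release checks on the tagged commit.
#   2. publish-images  - builds the backend and frontend images, pushes them to
#                        GHCR, and records an attestation per image; exposes the
#                        image digests and attestation URLs as job outputs.
#   3. github-release  - generates SPDX SBOMs (source + both images, by digest)
#                        and publishes a GitHub Release with them attached.
#
# NOTE(review): every action below is pinned to a mutable version tag. Pinning
# to a full commit SHA (uses: owner/action@<commit-sha>  # vX.Y.Z) removes the
# risk of a retargeted tag pulling different code into jobs that hold
# packages/attestations/contents write scopes.
name: Release

on:
  push:
    tags:
      - "v*.*.*"

# Least-privilege default: read-only for every job; jobs that need more
# (package push, attestation, release creation) escalate explicitly below.
permissions:
  contents: read

jobs:
  verify:
    name: Verify Release Commit
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Setup Node
        uses: actions/setup-node@v4
        with:
          node-version-file: .nvmrc
          cache: npm
          cache-dependency-path: |
            package-lock.json
            frontend/package-lock.json

      - name: Setup Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.12"
          cache: pip
          cache-dependency-path: backend/pyproject.toml

      - name: Install root tooling
        run: npm ci

      - name: Install frontend dependencies
        run: npm ci
        working-directory: frontend

      - name: Install backend dependencies
        run: |
          python -m pip install --upgrade pip
          # Quoted: "[dev]" is a shell glob pattern (matches ./backendd, ./backende,
          # ./backendv) and would be expanded instead of passed to pip if such a
          # path ever existed.
          python -m pip install -e "./backend[dev]"

      - name: Verify generated API types
        run: npm run check:contract

      - name: Run release verification
        run: npm run check

  publish-images:
    name: Publish GHCR Images
    needs: verify
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write  # push images to GHCR
      id-token: write  # OIDC identity used by actions/attest to sign
      attestations: write  # store the attestations via the GitHub API
      artifact-metadata: write
    # Digests (not tags) are exported so the downstream job describes exactly
    # the bytes that were pushed, even if a tag is later moved.
    outputs:
      backend-attestation-url: ${{ steps.attest-backend.outputs.attestation-url }}
      frontend-attestation-url: ${{ steps.attest-frontend.outputs.attestation-url }}
      backend-digest: ${{ steps.push-backend.outputs.digest }}
      frontend-digest: ${{ steps.push-frontend.outputs.digest }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Set lowercase owner
        id: vars
        # GHCR repository paths must be lowercase; ${VAR,,} is a bash-ism,
        # hence the explicit shell.
        run: echo "owner=${GITHUB_REPOSITORY_OWNER,,}" >> "$GITHUB_OUTPUT"
        shell: bash

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Log in to GHCR
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Docker metadata for backend
        id: meta-backend
        uses: docker/metadata-action@v5
        with:
          images: ghcr.io/${{ steps.vars.outputs.owner }}/nextjs-python-computer-vision-kit-backend
          tags: |
            type=ref,event=tag
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=semver,pattern={{major}}

      - name: Docker metadata for frontend
        id: meta-frontend
        uses: docker/metadata-action@v5
        with:
          images: ghcr.io/${{ steps.vars.outputs.owner }}/nextjs-python-computer-vision-kit-frontend
          tags: |
            type=ref,event=tag
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=semver,pattern={{major}}

      - name: Build and push backend image
        id: push-backend
        uses: docker/build-push-action@v6
        with:
          context: ./backend
          file: ./backend/Dockerfile
          target: runner
          push: true
          tags: ${{ steps.meta-backend.outputs.tags }}
          labels: ${{ steps.meta-backend.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max

      - name: Generate backend provenance attestation
        id: attest-backend
        # NOTE(review): actions/attest produces a generic attestation and takes a
        # predicate-type (plus predicate/predicate-path) input; none is supplied
        # here. If SLSA build provenance is the intent, actions/attest-build-provenance
        # is the action that derives it from subject-name/subject-digest alone.
        # Confirm against a run log before changing.
        uses: actions/attest@v4
        with:
          subject-name: ghcr.io/${{ steps.vars.outputs.owner }}/nextjs-python-computer-vision-kit-backend
          subject-digest: ${{ steps.push-backend.outputs.digest }}
          push-to-registry: true

      - name: Build and push frontend image
        id: push-frontend
        uses: docker/build-push-action@v6
        with:
          context: ./frontend
          file: ./frontend/Dockerfile
          target: runner
          push: true
          tags: ${{ steps.meta-frontend.outputs.tags }}
          labels: ${{ steps.meta-frontend.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max

      - name: Generate frontend provenance attestation
        id: attest-frontend
        # Same predicate caveat as the backend attestation step above.
        uses: actions/attest@v4
        with:
          subject-name: ghcr.io/${{ steps.vars.outputs.owner }}/nextjs-python-computer-vision-kit-frontend
          subject-digest: ${{ steps.push-frontend.outputs.digest }}
          push-to-registry: true

  github-release:
    name: Publish GitHub Release
    needs: publish-images
    runs-on: ubuntu-latest
    permissions:
      contents: write  # create the release and upload its assets
      packages: read  # pull the just-published images for SBOM generation
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Set lowercase owner
        id: vars
        run: echo "owner=${GITHUB_REPOSITORY_OWNER,,}" >> "$GITHUB_OUTPUT"
        shell: bash

      - name: Log in to GHCR
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Prepare release asset directory
        run: mkdir -p dist/release-assets
        shell: bash

      - name: Generate source SBOM asset
        uses: anchore/sbom-action@v0.20.9
        with:
          path: .
          format: spdx-json
          syft-version: v1.41.2
          output-file: dist/release-assets/repo-source-${{ github.ref_name }}.spdx.json
          upload-artifact: false
          upload-release-assets: false

      - name: Generate backend image SBOM asset
        uses: anchore/sbom-action@v0.20.9
        with:
          # Referenced by the digest recorded at push time, so the SBOM describes
          # exactly the published image rather than whatever the tag resolves to now.
          image: ghcr.io/${{ steps.vars.outputs.owner }}/nextjs-python-computer-vision-kit-backend@${{ needs.publish-images.outputs.backend-digest }}
          format: spdx-json
          syft-version: v1.41.2
          output-file: dist/release-assets/backend-runner-${{ github.ref_name }}.spdx.json
          upload-artifact: false
          upload-release-assets: false

      - name: Generate frontend image SBOM asset
        uses: anchore/sbom-action@v0.20.9
        with:
          image: ghcr.io/${{ steps.vars.outputs.owner }}/nextjs-python-computer-vision-kit-frontend@${{ needs.publish-images.outputs.frontend-digest }}
          format: spdx-json
          syft-version: v1.41.2
          output-file: dist/release-assets/frontend-runner-${{ github.ref_name }}.spdx.json
          upload-artifact: false
          upload-release-assets: false

      - name: Publish release
        uses: softprops/action-gh-release@v2
        with:
          generate_release_notes: true
          append_body: true
          files: |
            dist/release-assets/repo-source-${{ github.ref_name }}.spdx.json
            dist/release-assets/backend-runner-${{ github.ref_name }}.spdx.json
            dist/release-assets/frontend-runner-${{ github.ref_name }}.spdx.json
          # The verification commands below reference the images by tag, which is
          # resolved at verify time; the digests exported by publish-images are the
          # immutable identifiers if a stable reference is wanted in the notes.
          body: |
            ## Published Images
            - `ghcr.io/${{ steps.vars.outputs.owner }}/nextjs-python-computer-vision-kit-backend:${{ github.ref_name }}`
            - `ghcr.io/${{ steps.vars.outputs.owner }}/nextjs-python-computer-vision-kit-frontend:${{ github.ref_name }}`
            ## Provenance Attestations
            - Backend image: ${{ needs.publish-images.outputs.backend-attestation-url }}
            - Frontend image: ${{ needs.publish-images.outputs.frontend-attestation-url }}
            ## Attached SBOM Assets
            - `repo-source-${{ github.ref_name }}.spdx.json`
            - `backend-runner-${{ github.ref_name }}.spdx.json`
            - `frontend-runner-${{ github.ref_name }}.spdx.json`
            ## Verification
            ```bash
            docker login ghcr.io
            gh attestation verify oci://ghcr.io/${{ steps.vars.outputs.owner }}/nextjs-python-computer-vision-kit-backend:${{ github.ref_name }} -R ${{ github.repository }}
            gh attestation verify oci://ghcr.io/${{ steps.vars.outputs.owner }}/nextjs-python-computer-vision-kit-frontend:${{ github.ref_name }} -R ${{ github.repository }}
            ```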