devMachine/release.yml at main · kpeacocke/devMachine · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
name: Release

on:
  push:
    branches:
      - main
  workflow_dispatch:
    inputs:
      release_type:
        description: 'Release type (major, minor, patch)'
        required: false
        type: choice
        options:
          - auto
          - major
          - minor
          - patch
        default: auto

permissions:
  contents: write
  pull-requests: write
  security-events: write

jobs:
  test:
    name: Run All Tests
    runs-on: windows-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Setup PowerShell 7
        uses: actions/setup-powershell@v1

      - name: Install Pester
        shell: pwsh
        run: |
          Install-Module -Name Pester -Force -SkipPublisherCheck -Scope CurrentUser

      - name: Run syntax validation tests
        shell: pwsh
        run: |
          Invoke-Pester -Path ./tests/syntax-validation.Tests.ps1 -Output Detailed

      - name: Run Windows Pester tests
        shell: pwsh
        run: |
          Invoke-Pester -Path ./tests/pester.Windows.Tests.ps1 -Output Detailed

      - name: Install shellcheck
        run: |
          choco install shellcheck -y

      - name: Validate bash scripts
        shell: pwsh
        run: |
          $bashScripts = Get-ChildItem -Path ./scripts/wsl -Filter *.sh -Recurse
          $failed = $false
          foreach ($script in $bashScripts) {
            Write-Host "Checking $($script.FullName)..."
            shellcheck $script.FullName
            if ($LASTEXITCODE -ne 0) {
              $failed = $true
            }
          }
          if ($failed) {
            throw "Bash syntax validation failed"
          }

  security-scan:
    name: Security Scan
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          scan-ref: '.'
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL,HIGH'

      - name: Upload Trivy results to GitHub Security
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-results.sarif'

  release:
    name: Create Release
    needs: [test, security-scan]
    runs-on: ubuntu-latest
    if: github.event_name == 'workflow_dispatch' || (github.event_name == 'push' && github.ref == 'refs/heads/main')
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          token: ${{ secrets.GITHUB_TOKEN }}

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'

      - name: Install semantic-release
        run: |
          npm install -g semantic-release@23 \
            @semantic-release/changelog@6 \
            @semantic-release/git@10 \
            @semantic-release/github@10 \
            conventional-changelog-conventionalcommits@7

      - name: Configure Git
        run: |
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"

      - name: Run semantic-release
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: npx semantic-release

      - name: Clean up CHANGELOG duplicates
        run: |
          python3 << 'EOF'
          import re
          from pathlib import Path

          changelog = Path('CHANGELOG.md')
          if not changelog.exists():
              exit(0)

          content = changelog.read_text(encoding='utf-8')

          # Split by main header
          parts = content.split('# Changelog')

          if len(parts) <= 2:
              # No duplicates
              exit(0)

          # Keep only the first occurrence (the one semantic-release maintains)
          # First part is before first header (empty), second is the good content
          clean_content = '# Changelog' + parts[1]

          # Write back
          changelog.write_text(clean_content, encoding='utf-8')
          print("Cleaned up CHANGELOG duplicates")
          EOF

          # Commit if changes were made
          if ! git diff --quiet CHANGELOG.md; then
            git config user.name "github-actions[bot]"
            git config user.email "github-actions[bot]@users.noreply.github.com"
            git add CHANGELOG.md
            git commit -m "chore: clean up CHANGELOG duplicates [skip ci]"
            git push
          fi

      - name: Get latest tag
        id: get_tag
        run: |
          LATEST_TAG=$(git describe --tags --abbrev=0 2>/dev/null || echo "")
          if [ -z "$LATEST_TAG" ]; then
            echo "No release created"
            echo "created=false" >> $GITHUB_OUTPUT
          else
            echo "tag=$LATEST_TAG" >> $GITHUB_OUTPUT
            echo "version=${LATEST_TAG#v}" >> $GITHUB_OUTPUT
            echo "created=true" >> $GITHUB_OUTPUT
          fi

      - name: Checkout latest tag
        if: steps.get_tag.outputs.created == 'true'
        run: |
          git fetch --tags
          git checkout ${{ steps.get_tag.outputs.tag }}

      - name: Create release archives
        if: steps.get_tag.outputs.created == 'true'
        run: |
          mkdir -p release-artifacts
          TAG=${{ steps.get_tag.outputs.tag }}

          # Create Windows scripts archive
          zip -r release-artifacts/devMachine-windows-scripts-${TAG}.zip \
            scripts/windows/*.ps1 \
            setup-machine.ps1 \
            README.md \
            LICENSE

          # Create WSL scripts archive
          zip -r release-artifacts/devMachine-wsl-scripts-${TAG}.zip \
            scripts/wsl/*.sh \
            README.md \
            LICENSE

          # Create complete archive
          zip -r release-artifacts/devMachine-complete-${TAG}.zip \
            scripts/ \
            tests/ \
            setup-machine.ps1 \
            README.md \
            LICENSE \
            SECURITY.md \
            CONTRIBUTING.md \
            CODE_OF_CONDUCT.md \
            CHANGELOG.md

      - name: Generate checksums
        if: steps.get_tag.outputs.created == 'true'
        run: |
          cd release-artifacts
          sha256sum *.zip > checksums-${{ steps.get_tag.outputs.tag }}.txt

      - name: Upload release assets
        if: steps.get_tag.outputs.created == 'true'
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          TAG=${{ steps.get_tag.outputs.tag }}
          gh release upload $TAG release-artifacts/*.zip release-artifacts/checksums-*.txt

      - name: Upload artifacts
        if: steps.get_tag.outputs.created == 'true'
        uses: actions/upload-artifact@v4
        with:
          name: release-artifacts-${{ steps.get_tag.outputs.tag }}
          path: release-artifacts/
          retention-days: 90