Bump version to 2.0.6 #7
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build and Deploy | |
| on: | |
| push: | |
| tags: | |
| - 'v*.*.*' | |
| - 'v*.*.*-*' | |
| permissions: | |
| contents: read | |
| env: | |
| GO_VERSION: '1.25' | |
| jobs: | |
| resolve-env: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| environment: ${{ steps.resolve.outputs.environment }} | |
| base_url: ${{ steps.resolve.outputs.base_url }} | |
| version: ${{ steps.resolve.outputs.version }} | |
| binary_name: ${{ steps.resolve.outputs.binary_name }} | |
| steps: | |
| - name: Resolve environment from tag | |
| id: resolve | |
| run: | | |
| TAG="${GITHUB_REF#refs/tags/v}" | |
| if [[ "$TAG" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then | |
| echo "environment=prod" >> "$GITHUB_OUTPUT" | |
| echo "base_url=https://deepsource.com/cli" >> "$GITHUB_OUTPUT" | |
| echo "binary_name=deepsource" >> "$GITHUB_OUTPUT" | |
| else | |
| echo "environment=dev" >> "$GITHUB_OUTPUT" | |
| echo "base_url=https://deepsource.one/cli" >> "$GITHUB_OUTPUT" | |
| echo "binary_name=deepsource-dev" >> "$GITHUB_OUTPUT" | |
| fi | |
| echo "version=${TAG}" >> "$GITHUB_OUTPUT" | |
| build-linux: | |
| needs: resolve-env | |
| runs-on: ubuntu-latest | |
| strategy: | |
| matrix: | |
| include: | |
| - goarch: amd64 | |
| cc: x86_64-linux-gnu-gcc | |
| cxx: x86_64-linux-gnu-g++ | |
| - goarch: arm64 | |
| cc: aarch64-linux-gnu-gcc | |
| cxx: aarch64-linux-gnu-g++ | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-go@v5 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| - name: Install cross-compiler | |
| if: matrix.goarch == 'arm64' | |
| run: sudo apt-get update && sudo apt-get install -y gcc-aarch64-linux-gnu g++-aarch64-linux-gnu | |
| - name: Build | |
| env: | |
| CGO_ENABLED: '1' | |
| GOOS: linux | |
| GOARCH: ${{ matrix.goarch }} | |
| CC: ${{ matrix.cc }} | |
| CXX: ${{ matrix.cxx }} | |
| run: | | |
| BINARY_NAME="${{ needs.resolve-env.outputs.binary_name }}" | |
| cd cmd/deepsource && go build -tags static_all \ | |
| -ldflags "-X 'main.version=${{ needs.resolve-env.outputs.version }}' -X 'main.Date=$(date -u +%Y-%m-%d)' -X 'main.SentryDSN=${{ secrets.SENTRY_DSN }}' -X 'main.buildMode=${{ needs.resolve-env.outputs.environment }}'" \ | |
| -o "$BINARY_NAME" . | |
| - name: Package | |
| run: | | |
| BINARY_NAME="${{ needs.resolve-env.outputs.binary_name }}" | |
| ARCHIVE="${BINARY_NAME}_${{ needs.resolve-env.outputs.version }}_linux_${{ matrix.goarch }}.tar.gz" | |
| tar -czf "$ARCHIVE" -C cmd/deepsource "$BINARY_NAME" | |
| sha256sum "$ARCHIVE" > "${ARCHIVE}.sha256" | |
| echo "ARCHIVE=${ARCHIVE}" >> "$GITHUB_ENV" | |
| - uses: actions/upload-artifact@v4 | |
| with: | |
| name: build-linux-${{ matrix.goarch }} | |
| path: | | |
| ${{ needs.resolve-env.outputs.binary_name }}_*.tar.gz | |
| ${{ needs.resolve-env.outputs.binary_name }}_*.tar.gz.sha256 | |
| build-darwin: | |
| needs: resolve-env | |
| runs-on: macos-latest | |
| strategy: | |
| matrix: | |
| goarch: [amd64, arm64] | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-go@v5 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| - name: Build | |
| env: | |
| CGO_ENABLED: '1' | |
| GOOS: darwin | |
| GOARCH: ${{ matrix.goarch }} | |
| run: | | |
| BINARY_NAME="${{ needs.resolve-env.outputs.binary_name }}" | |
| cd cmd/deepsource && go build -tags static_all \ | |
| -ldflags "-X 'main.version=${{ needs.resolve-env.outputs.version }}' -X 'main.Date=$(date -u +%Y-%m-%d)' -X 'main.SentryDSN=${{ secrets.SENTRY_DSN }}' -X 'main.buildMode=${{ needs.resolve-env.outputs.environment }}'" \ | |
| -o "$BINARY_NAME" . | |
| - name: Codesign | |
| if: needs.resolve-env.outputs.environment == 'prod' | |
| env: | |
| APPLE_CERTIFICATE_BASE64: ${{ secrets.APPLE_CERTIFICATE_BASE64 }} | |
| APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }} | |
| run: | | |
| # Import certificate | |
| CERT_PATH="$RUNNER_TEMP/certificate.p12" | |
| KEYCHAIN_PATH="$RUNNER_TEMP/signing.keychain-db" | |
| KEYCHAIN_PASSWORD="$(openssl rand -hex 16)" | |
| echo "$APPLE_CERTIFICATE_BASE64" | base64 --decode > "$CERT_PATH" | |
| security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH" | |
| security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH" | |
| security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH" | |
| security import "$CERT_PATH" -P "$APPLE_CERTIFICATE_PASSWORD" -A -t cert -f pkcs12 -k "$KEYCHAIN_PATH" | |
| security set-key-partition-list -S apple-tool:,apple: -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH" | |
| security list-keychains -d user -s "$KEYCHAIN_PATH" login.keychain | |
| BINARY_NAME="${{ needs.resolve-env.outputs.binary_name }}" | |
| # Sign the binary | |
| codesign --force --options runtime \ | |
| --sign "Developer ID Application: DeepSource Corp" \ | |
| "cmd/deepsource/${BINARY_NAME}" | |
| - name: Notarize | |
| if: needs.resolve-env.outputs.environment == 'prod' | |
| env: | |
| APPLE_ID: ${{ secrets.APPLE_ID }} | |
| APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }} | |
| APPLE_APP_PASSWORD: ${{ secrets.APPLE_APP_PASSWORD }} | |
| run: | | |
| BINARY_NAME="${{ needs.resolve-env.outputs.binary_name }}" | |
| # Create zip for notarization | |
| ditto -c -k "cmd/deepsource/${BINARY_NAME}" notarize.zip | |
| xcrun notarytool submit notarize.zip \ | |
| --apple-id "$APPLE_ID" \ | |
| --team-id "$APPLE_TEAM_ID" \ | |
| --password "$APPLE_APP_PASSWORD" \ | |
| --wait | |
| - name: Verify signing | |
| if: needs.resolve-env.outputs.environment == 'prod' | |
| run: | | |
| BINARY_NAME="${{ needs.resolve-env.outputs.binary_name }}" | |
| codesign --verify --verbose "cmd/deepsource/${BINARY_NAME}" | |
| spctl --assess --type execute "cmd/deepsource/${BINARY_NAME}" || true | |
| - name: Package | |
| run: | | |
| BINARY_NAME="${{ needs.resolve-env.outputs.binary_name }}" | |
| ARCHIVE="${BINARY_NAME}_${{ needs.resolve-env.outputs.version }}_darwin_${{ matrix.goarch }}.tar.gz" | |
| tar -czf "$ARCHIVE" -C cmd/deepsource "$BINARY_NAME" | |
| shasum -a 256 "$ARCHIVE" > "${ARCHIVE}.sha256" | |
| - uses: actions/upload-artifact@v4 | |
| with: | |
| name: build-darwin-${{ matrix.goarch }} | |
| path: | | |
| ${{ needs.resolve-env.outputs.binary_name }}_*.tar.gz | |
| ${{ needs.resolve-env.outputs.binary_name }}_*.tar.gz.sha256 | |
| build-windows: | |
| needs: resolve-env | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-go@v5 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| - name: Install cross-compiler | |
| run: sudo apt-get update && sudo apt-get install -y gcc-mingw-w64-x86-64 | |
| - name: Build | |
| env: | |
| CGO_ENABLED: '1' | |
| GOOS: windows | |
| GOARCH: amd64 | |
| CC: x86_64-w64-mingw32-gcc | |
| CXX: x86_64-w64-mingw32-g++ | |
| run: | | |
| BINARY_NAME="${{ needs.resolve-env.outputs.binary_name }}" | |
| cd cmd/deepsource && go build -tags static_all \ | |
| -ldflags "-X 'main.version=${{ needs.resolve-env.outputs.version }}' -X 'main.Date=$(date -u +%Y-%m-%d)' -X 'main.SentryDSN=${{ secrets.SENTRY_DSN }}' -X 'main.buildMode=${{ needs.resolve-env.outputs.environment }}'" \ | |
| -o "${BINARY_NAME}.exe" . | |
| - name: Package | |
| run: | | |
| BINARY_NAME="${{ needs.resolve-env.outputs.binary_name }}" | |
| ARCHIVE="${BINARY_NAME}_${{ needs.resolve-env.outputs.version }}_windows_amd64.zip" | |
| zip "$ARCHIVE" -j "cmd/deepsource/${BINARY_NAME}.exe" | |
| sha256sum "$ARCHIVE" > "${ARCHIVE}.sha256" | |
| - uses: actions/upload-artifact@v4 | |
| with: | |
| name: build-windows-amd64 | |
| path: | | |
| ${{ needs.resolve-env.outputs.binary_name }}_*.zip | |
| ${{ needs.resolve-env.outputs.binary_name }}_*.zip.sha256 | |
| deploy: | |
| needs: [resolve-env, build-linux, build-darwin, build-windows] | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/download-artifact@v4 | |
| with: | |
| path: artifacts | |
| merge-multiple: true | |
| - name: Generate manifest | |
| run: | | |
| VERSION="${{ needs.resolve-env.outputs.version }}" | |
| BINARY_NAME="${{ needs.resolve-env.outputs.binary_name }}" | |
| BUILD_TIME="$(date -u +%Y-%m-%dT%H:%M:%SZ)" | |
| get_sha() { | |
| cat "artifacts/${1}.sha256" | awk '{print $1}' | |
| } | |
| cat > artifacts/manifest.json <<EOF | |
| { | |
| "version": "${VERSION}", | |
| "buildTime": "${BUILD_TIME}", | |
| "platforms": { | |
| "darwin_amd64": { | |
| "archive": "${BINARY_NAME}_${VERSION}_darwin_amd64.tar.gz", | |
| "sha256": "$(get_sha "${BINARY_NAME}_${VERSION}_darwin_amd64.tar.gz")" | |
| }, | |
| "darwin_arm64": { | |
| "archive": "${BINARY_NAME}_${VERSION}_darwin_arm64.tar.gz", | |
| "sha256": "$(get_sha "${BINARY_NAME}_${VERSION}_darwin_arm64.tar.gz")" | |
| }, | |
| "linux_amd64": { | |
| "archive": "${BINARY_NAME}_${VERSION}_linux_amd64.tar.gz", | |
| "sha256": "$(get_sha "${BINARY_NAME}_${VERSION}_linux_amd64.tar.gz")" | |
| }, | |
| "linux_arm64": { | |
| "archive": "${BINARY_NAME}_${VERSION}_linux_arm64.tar.gz", | |
| "sha256": "$(get_sha "${BINARY_NAME}_${VERSION}_linux_arm64.tar.gz")" | |
| }, | |
| "windows_amd64": { | |
| "archive": "${BINARY_NAME}_${VERSION}_windows_amd64.zip", | |
| "sha256": "$(get_sha "${BINARY_NAME}_${VERSION}_windows_amd64.zip")" | |
| } | |
| } | |
| } | |
| EOF | |
| - name: Generate install script | |
| run: | | |
| sed -e "s|__BASE_URL__|${{ needs.resolve-env.outputs.base_url }}|g" \ | |
| -e "s|__BINARY_NAME__|${{ needs.resolve-env.outputs.binary_name }}|g" \ | |
| scripts/install.sh.template > artifacts/install.sh | |
| - name: Upload to R2 | |
| env: | |
| AWS_ACCESS_KEY_ID: ${{ secrets.R2_ACCESS_KEY_ID }} | |
| AWS_SECRET_ACCESS_KEY: ${{ secrets.R2_SECRET_ACCESS_KEY }} | |
| AWS_DEFAULT_REGION: auto | |
| run: | | |
| ENDPOINT="https://${{ secrets.CLOUDFLARE_ACCOUNT_ID }}.r2.cloudflarestorage.com" | |
| if [ "${{ needs.resolve-env.outputs.environment }}" = "prod" ]; then | |
| BUCKET="${{ secrets.R2_PROD_BUCKET_NAME }}" | |
| else | |
| BUCKET="${{ secrets.R2_DEV_BUCKET_NAME }}" | |
| fi | |
| # Upload archives and checksums (immutable) | |
| for f in artifacts/${{ needs.resolve-env.outputs.binary_name }}_*; do | |
| aws s3 cp "$f" "s3://${BUCKET}/cli/build/$(basename "$f")" \ | |
| --endpoint-url "$ENDPOINT" \ | |
| --cache-control "public, max-age=31536000, immutable" | |
| done | |
| # Upload manifest and install script (short cache) | |
| for f in artifacts/manifest.json artifacts/install.sh; do | |
| aws s3 cp "$f" "s3://${BUCKET}/cli/$(basename "$f")" \ | |
| --endpoint-url "$ENDPOINT" \ | |
| --cache-control "public, max-age=60" | |
| done | |
| publish-homebrew: | |
| needs: [resolve-env, deploy] | |
| if: needs.resolve-env.outputs.environment == 'prod' | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/download-artifact@v4 | |
| with: | |
| path: artifacts | |
| merge-multiple: true | |
| - name: Generate formula | |
| run: | | |
| VERSION="${{ needs.resolve-env.outputs.version }}" | |
| BASE="${{ needs.resolve-env.outputs.base_url }}/build" | |
| DARWIN_AMD64_SHA="$(cat artifacts/deepsource_${VERSION}_darwin_amd64.tar.gz.sha256 | awk '{print $1}')" | |
| DARWIN_ARM64_SHA="$(cat artifacts/deepsource_${VERSION}_darwin_arm64.tar.gz.sha256 | awk '{print $1}')" | |
| LINUX_AMD64_SHA="$(cat artifacts/deepsource_${VERSION}_linux_amd64.tar.gz.sha256 | awk '{print $1}')" | |
| LINUX_ARM64_SHA="$(cat artifacts/deepsource_${VERSION}_linux_arm64.tar.gz.sha256 | awk '{print $1}')" | |
| cat > deepsource.rb <<FORMULA | |
| class Deepsource < Formula | |
| desc "Command line interface to DeepSource" | |
| homepage "https://github.com/deepsourcelabs/cli" | |
| license "BSD-2-Clause" | |
| version "${VERSION}" | |
| on_macos do | |
| if Hardware::CPU.intel? | |
| url "${BASE}/deepsource_${VERSION}_darwin_amd64.tar.gz" | |
| sha256 "${DARWIN_AMD64_SHA}" | |
| end | |
| if Hardware::CPU.arm? | |
| url "${BASE}/deepsource_${VERSION}_darwin_arm64.tar.gz" | |
| sha256 "${DARWIN_ARM64_SHA}" | |
| end | |
| end | |
| on_linux do | |
| if Hardware::CPU.intel? | |
| url "${BASE}/deepsource_${VERSION}_linux_amd64.tar.gz" | |
| sha256 "${LINUX_AMD64_SHA}" | |
| end | |
| if Hardware::CPU.arm? | |
| url "${BASE}/deepsource_${VERSION}_linux_arm64.tar.gz" | |
| sha256 "${LINUX_ARM64_SHA}" | |
| end | |
| end | |
| def install | |
| bin.install "deepsource" | |
| end | |
| end | |
| FORMULA | |
| - name: Push formula to homebrew-cli | |
| env: | |
| DS_BOT_PAT: ${{ secrets.DS_BOT_PAT }} | |
| run: | | |
| git clone "https://deepsourcebot:${DS_BOT_PAT}@github.com/DeepSourceCorp/homebrew-cli.git" homebrew-cli | |
| cp deepsource.rb homebrew-cli/Formula/deepsource.rb | |
| cd homebrew-cli | |
| git config user.name "deepsourcebot" | |
| git config user.email "[email protected]" | |
| git checkout -B cli-release | |
| git add Formula/deepsource.rb | |
| git commit -m "Update deepsource to ${{ needs.resolve-env.outputs.version }}" | |
| git push -f origin cli-release |