CVE-Radar/.github/workflows/release-github.yml at main · zza-830/CVE-Radar · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
# Category: Release | GitHub Release on semver tag — CI parity, dist tarball, CycloneDX SBOM.

name: Release / GitHub

on:
  push:
    tags:
      - "v*"

permissions:
  contents: write
  actions: write

concurrency:
  group: release-github-${{ github.ref }}
  cancel-in-progress: true

jobs:
  release:
    name: Create GitHub Release
    runs-on: ubuntu-latest
    timeout-minutes: 45
    steps:
      - name: Checkout
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6

      - name: Verify tag matches package.json
        run: |
          TAG="${GITHUB_REF#refs/tags/v}"
          PKG=$(node -p "require('./package.json').version")
          if [ "$TAG" != "$PKG" ]; then
            echo "Tag v$TAG does not match package.json version $PKG"
            exit 1
          fi

      - name: Setup Node.js
        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
        with:
          node-version-file: .nvmrc
          cache: npm

      - name: Install and verify
        run: |
          npm ci
          npm run lint
          npm run format:check
          npm run typecheck
          npm test
          npm run check:openapi
          npm run build && npm run build:server

      - name: Pack release assets
        run: tar czf "cve-radar-${GITHUB_REF_NAME}-dist.tar.gz" dist dist-server

      - name: Generate SBOM (CycloneDX)
        run: npx --yes @cyclonedx/cyclonedx-npm --ignore-npm-errors --output-format json --output-file sbom.cyclonedx.json

      - name: Create GitHub Release
        uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 # v2
        with:
          generate_release_notes: true
          files: |
            cve-radar-${{ github.ref_name }}-dist.tar.gz
            CHANGELOG.md
            sbom.cyclonedx.json

      # Pages environment allows `main` ref only — not tag refs (github-pages protection).
      - name: Deploy documentation (GitHub Pages)
        env:
          GH_TOKEN: ${{ github.token }}
        run: gh workflow run "Deploy / GitHub Pages" --repo "$GITHUB_REPOSITORY" --ref main