release.yml

name: Release Security CLI

on:
  workflow_dispatch:
    inputs:
      version:
        description: 'Release version (e.g., 1.2.3)'
        required: true
        type: string
        default: '0.0.0'
      skip_audit:
        description: 'Skip running audit command'
        required: false
        type: boolean
        default: false

jobs:
  release:
    runs-on: ubuntu-latest
    permissions:
      contents: write

    steps:
      - name: Validate version input
        run: |
          if [ -z "${{ inputs.version }}" ] || [ "${{ inputs.version }}" = "0.0.0" ]; then
            echo "Error: Invalid version provided"
            exit 1
          fi
          echo "NEXT_VERSION=${{ inputs.version }}" >> $GITHUB_ENV
          echo "CI=true" >> $GITHUB_ENV

      - name: Checkout code
        uses: actions/checkout@v5
        with:
          fetch-depth: 0  # fetch all branches so we can checkout main and merge dev
          token: ${{ secrets.RELEASE_GIT_TOKEN }}

      - name: Set up JFrog CLI
        uses: jfrog/setup-jfrog-cli@v4
        with:
          version: latest
        env:
          JF_URL: ${{ secrets.FROGBOT_URL }}
          JF_ACCESS_TOKEN: ${{ secrets.FROGBOT_ACCESS_TOKEN }}

      - name: Merge dev into main and create tag
        run: |
          git checkout main
          git merge origin/dev
          git tag v${NEXT_VERSION}

      - name: Run audit
        if: ${{ inputs.skip_audit != true }}
        run: |
          jf audit --extended-table

      - name: Push changes and tag
        run: |
          git clean -fd
          git push origin main
          git push origin --tags

      - name: Merge changes back to dev
        run: |
          git checkout dev
          git merge origin/main
          git push origin dev