From 9f777689c13ab4b8960fe6bce013e946755bc54f Mon Sep 17 00:00:00 2001 From: github-actions Date: Mon, 2 Dec 2024 14:29:06 +0000 Subject: [PATCH 1/3] ci: sync workflows from central-workflows Signed-off-by: Scott --- .github/workflows/codacy.yml | 11 +-- .github/workflows/codeql.yml | 14 ++-- .github/workflows/conventional-commits.yml | 3 + .github/workflows/dco-check.yml | 57 +++++++++++++++ .github/workflows/dependency-review.yml | 6 +- .github/workflows/dockerfile-linter.yml | 52 ++++++++++++++ .github/workflows/dockerhub-image-build.yml | 80 +++++++++++++++++++++ .github/workflows/gpg-verify.yml | 16 ++++- .github/workflows/milestone.yml | 41 ++++++----- .github/workflows/njsscan.yml | 9 ++- .github/workflows/release.yml | 74 +++++++++---------- .github/workflows/sbom.yml | 18 +++-- 12 files changed, 301 insertions(+), 80 deletions(-) create mode 100644 .github/workflows/dco-check.yml create mode 100644 .github/workflows/dockerfile-linter.yml create mode 100644 .github/workflows/dockerhub-image-build.yml diff --git a/.github/workflows/codacy.yml b/.github/workflows/codacy.yml index 482882b..273f607 100644 --- a/.github/workflows/codacy.yml +++ b/.github/workflows/codacy.yml @@ -13,14 +13,16 @@ # For more information on Codacy Analysis CLI in general, see # https://github.com/codacy/codacy-analysis-cli. +# Please do not attempt to edit this flow without the direct consent from the DevOps team. This file is managed centrally. + name: Codacy Security Scan on: push: - branches: [ "main" ] + branches: [ "dev", "main" ] pull_request: # The branches below must be a subset of the branches above - branches: [ "main" ] + branches: [ "dev", "main" ] schedule: - cron: '17 0 * * 4' @@ -29,6 +31,7 @@ permissions: jobs: codacy-security-scan: + if: github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]' permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results 
@@ -42,7 +45,7 @@ jobs: # Execute Codacy Analysis CLI and generate a SARIF output with the security issues identified during the analysis - name: Run Codacy Analysis CLI - uses: codacy/codacy-analysis-cli-action@d840f886c4bd4edc059706d09c6a1586111c540b + uses: codacy/codacy-analysis-cli-action@3ff8e64eb4b714c4bee91b7b4eea31c6fc2c4f93 with: # Check https://github.com/codacy/codacy-analysis-cli#project-token to get your project token from your Codacy repository # You can also omit the token and run the tools that support default configurations @@ -58,6 +61,6 @@ jobs: # Upload the SARIF file generated in the previous step - name: Upload SARIF results file - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: results.sarif diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 33c05fc..6212b29 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -11,19 +11,23 @@ # the `language` matrix defined below to confirm you have the correct set of # supported CodeQL languages. # + +# Please do not attempt to edit this flow without the direct consent from the DevOps team. This file is managed centrally. + name: "CodeQL" on: push: - branches: [ "main" ] + branches: [ "dev", "main" ] pull_request: # The branches below must be a subset of the branches above - branches: [ "main" ] + branches: [ "dev", "main" ] schedule: - cron: '34 0 * * 4' jobs: analyze: + if: github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]' name: Analyze runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} permissions: @@ -46,7 +50,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v2 + uses: github/codeql-action/init@v3 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. 
@@ -60,7 +64,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, Go, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@v2 + uses: github/codeql-action/autobuild@v3 # ℹī¸ Command-line programs to run using the OS shell. # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun @@ -73,6 +77,6 @@ jobs: # ./location_of_script_within_repo/buildscript.sh - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 + uses: github/codeql-action/analyze@v3 with: category: "/language:${{matrix.language}}" diff --git a/.github/workflows/conventional-commits.yml b/.github/workflows/conventional-commits.yml index 68efbd2..6aee786 100644 --- a/.github/workflows/conventional-commits.yml +++ b/.github/workflows/conventional-commits.yml @@ -7,6 +7,8 @@ # This GitHub Actions workflow validates the title of pull requests (PRs) to ensure they follow conventional commit standards. +# Please do not attempt to edit this flow without the direct consent from the DevOps team. This file is managed centrally. + name: PR Conventional Commit Validation on: @@ -16,6 +18,7 @@ on: jobs: validate-pr-title: + if: github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]' runs-on: ubuntu-latest # Use the latest Ubuntu runner for the job steps: - name: Checkout code diff --git a/.github/workflows/dco-check.yml b/.github/workflows/dco-check.yml new file mode 100644 index 0000000..861c0ea --- /dev/null +++ b/.github/workflows/dco-check.yml 
@@ -0,0 +1,57 @@ +# SPDX-License-Identifier: Apache-2.0 + +# This GitHub Actions workflow checks that all commits in a pull request (PR) have a "Signed-off-by" line to ensure Developer Certificate of Origin (DCO) compliance. + +# Please do not attempt to edit this flow without the direct consent from the DevOps team. This file is managed centrally. + +name: DCO + +# Trigger the workflow on pull request events +on: [pull_request] + +jobs: + dco: + if: github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]' + # Define the runner environment + runs-on: ubuntu-latest + + steps: + # Step to check out the repository + - uses: actions/checkout@v4 + with: + fetch-depth: 0 # Fetch all history for all branches to ensure complete commit history is available + + - name: Set up environment variables + run: | + echo "BASE_BRANCH=${{ github.event.pull_request.base.ref }}" >> $GITHUB_ENV + echo "HEAD_BRANCH=${{ github.event.pull_request.head.ref }}" >> $GITHUB_ENV + + # Step to check each commit in the pull request for a Signed-off-by line + - name: Check for DCO Sign-off + run: | + # Get the base branch and head branch of the pull request + base_branch=$BASE_BRANCH + head_branch=$HEAD_BRANCH + + # Get the list of commit hashes between the head branch and base branch + commits=$(git log --pretty=format:%H origin/${head_branch}..origin/${base_branch}) + non_compliant_commits="" + + # Loop through each commit and check for the Signed-off-by line + for commit in $commits; do + # Check if the commit message contains the Signed-off-by line + if ! 
git show --quiet --format=%B $commit | grep -q "^Signed-off-by: "; then + # If not, add the commit hash to the list of non-compliant commits + non_compliant_commits="$non_compliant_commits $commit" + fi + done + + # If there are any non-compliant commits, output their hashes and fail the job + if [ -n "$non_compliant_commits" ]; then + echo "The following commits do not have a Signed-off-by line:" + for commit in $non_compliant_commits; do + echo "- $commit" + done + exit 1 + fi + shell: bash diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index c13575a..577adb6 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -6,6 +6,10 @@ # # Source repository: https://github.com/actions/dependency-review-action # Public documentation: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement + + +# Please do not attempt to edit this flow without the direct consent from the DevOps team. This file is managed centrally. + name: 'Dependency Review' on: [pull_request] @@ -19,4 +23,4 @@ jobs: - name: 'Checkout Repository' uses: actions/checkout@v4 - name: 'Dependency Review' - uses: actions/dependency-review-action@v3 + uses: actions/dependency-review-action@v4 diff --git a/.github/workflows/dockerfile-linter.yml b/.github/workflows/dockerfile-linter.yml new file mode 100644 index 0000000..f2959a7 --- /dev/null +++ b/.github/workflows/dockerfile-linter.yml 
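Review bot: The revision range in the `Check for DCO Sign-off` step is inverted — `origin/${head_branch}..origin/${base_branch}` lists commits on the base branch that are absent from the PR, so the PR's own commits are never inspected and the check passes vacuously, and for a fork PR `origin/<head>` does not even exist in the base clone. The branch names are also expanded with `${{ }}` into the `run:` script that appends to `$GITHUB_ENV`, so a crafted head branch name can inject shell commands or extra variables for later steps; pass values through the step's `env:` block and use the event's SHAs, which need no branch lookup and are unaffected by forks. The rewrite below replaces the `Set up environment variables` step and the preamble of the check step; the sign-off loop and the failure report are unchanged.
```yaml
      - name: Check for DCO Sign-off
        env:
          # Set via env (not ${{ }} in the script) so branch metadata cannot inject into the shell
          BASE_SHA: ${{ github.event.pull_request.base.sha }}
          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
        run: |
          # Commits in the PR head that are not yet on the base branch
          commits=$(git log --pretty=format:%H "${BASE_SHA}..${HEAD_SHA}")
          # … unchanged: Signed-off-by loop and failure report …
        shell: bash
```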
@@ -0,0 +1,52 @@ +# SPDX-License-Identifier: Apache-2.0 + +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# hadoint is a Dockerfile linter written in Haskell +# that helps you build best practice Docker images. +# More details at https://github.com/hadolint/hadolint + +# Please do not attempt to edit this flow without the direct consent from the DevOps team. This file is managed centrally. + +name: Hadolint + +on: + push: + branches: [ "dev", "main" ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ "dev" ] + schedule: + - cron: '17 13 * * 0' + +permissions: + contents: read + +jobs: + hadolint: + if: github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]' + name: Run hadolint scanning + runs-on: ubuntu-latest + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Run hadolint + uses: hadolint/hadolint-action@f988afea3da57ee48710a9795b6bb677cc901183 + with: + dockerfile: ./Dockerfile + format: sarif + output-file: hadolint-results.sarif + no-fail: true + + - name: Upload analysis results to GitHub + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: hadolint-results.sarif + wait-for-processing: true \ No newline at end of file diff --git a/.github/workflows/dockerhub-image-build.yml b/.github/workflows/dockerhub-image-build.yml new file mode 100644 index 0000000..4ea0d8e --- /dev/null +++ b/.github/workflows/dockerhub-image-build.yml 
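Review bot: `no-fail: true` on the hadolint step means no lint finding can ever fail this job; results only reach code scanning through the SARIF upload, so a PR can merge with new Dockerfile findings unless a branch rule requires the code-scanning alert to be resolved. The `pull_request` trigger is also limited to `dev` while `push` covers `dev` and `main`, so a PR opened against `main` is not linted until after it lands. If the intent is to block on serious findings, drop `no-fail` or use the action's `failure-threshold` input (e.g. `failure-threshold: error`) so warnings still surface without failing; otherwise add a comment such as `# no-fail: findings are surfaced via code scanning only, not enforced here` so the choice is explicit.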
@@ -0,0 +1,80 @@ +# SPDX-License-Identifier: Apache-2.0 + +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# GitHub recommends pinning actions to a commit SHA. +# To get a newer version, you will need to update the SHA. +# You can also reference a tag or branch, but the action may change without warning. + +# Please do not attempt to edit this flow without the direct consent from the DevOps team. This file is managed centrally. + +name: Publish Docker image + +on: + push: + branches: [ "main" ] + release: + types: [published] + +jobs: + push_to_registry: + if: github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]' + name: Push Docker image to Docker Hub + runs-on: ubuntu-latest + permissions: + packages: write + contents: read + attestations: write + id-token: write + steps: + - name: Check out the repo + uses: actions/checkout@v4 + + - name: Log in to Docker Hub + uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a + with: + username: ${{ secrets.DOCKER_USERNAME }} + password: ${{ secrets.DOCKER_PASSWORD }} + + - name: Set ENV variables + run: | + echo "REPO_NAME=${GITHUB_REPOSITORY#$GITHUB_REPOSITORY_OWNER/}" >> $GITHUB_ENV + + - name: Use the custom ENV variable + run: | + echo $REPO_NAME + + - name: Extract metadata (tags, labels) for Docker + id: meta + uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7 + with: + images: tazamaorg/${{ env.REPO_NAME }} + tags: | + type=raw,value=2.1.0 + + - name: Build and push Docker image + id: push + uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671 + with: + context: . 
+ file: ./Dockerfile + push: true + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + build-args: GH_TOKEN=${{ secrets.GH_TOKEN }} + + - name: Generate artifact attestation + uses: actions/attest-build-provenance@v1 + with: + subject-name: docker.io/tazamaorg/${{ env.REPO_NAME }} + subject-digest: ${{ steps.push.outputs.digest }} + push-to-registry: true + + - name: Send Slack Notification + env: + SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} + run: | + curl -X POST -H 'Content-type: application/json' --data '{"blocks": [{"type": "header","text": {"type": "plain_text","text": "New Dockerhub Image published :ship::ship:","emoji": true}},{"type": "section","fields": [{"type": "mrkdwn","text": "*Service:*\n${{ env.REPO_NAME }} "},{"type": "mrkdwn","text": "*Tazama Dockerhub:*\n"}]}]}' $SLACK_WEBHOOK_URL diff --git a/.github/workflows/gpg-verify.yml b/.github/workflows/gpg-verify.yml index 5bc2b33..56b6f3c 100644 --- a/.github/workflows/gpg-verify.yml +++ b/.github/workflows/gpg-verify.yml 
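Review bot: `build-args: GH_TOKEN=${{ secrets.GH_TOKEN }}` hands the token to the build as a plain `ARG`, and build-arg values are recorded in the layer history of any stage that consumes them, so anyone who can pull the public `tazamaorg/<repo>` image can read it with `docker history`/`docker inspect` unless the ARG is confined to a discarded build stage. Use a BuildKit secret instead: `secrets: GH_TOKEN=${{ secrets.GH_TOKEN }}` on the build step and `RUN --mount=type=secret,id=GH_TOKEN ...` in the Dockerfile (the Dockerfile is not part of this patch, so that side has to change too). Separately, `type=raw,value=2.1.0` re-tags every push to `main` as `2.1.0`, making the tag mutable; adding `type=sha` gives consumers an immutable reference that matches the attested digest. The job also requests `packages: write` although nothing here pushes to GHCR, so that permission can be dropped.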
@@ -2,27 +2,37 @@ # This GitHub Actions workflow checks that all commits in a pull request (PR) have been verified with GPG signatures. +# Please do not attempt to edit this flow without the direct consent from the DevOps team. This file is managed centrally. + name: GPG Verify on: [pull_request] # Trigger this workflow on pull request events jobs: gpg-verify: + if: github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]' runs-on: ubuntu-latest # Use the latest Ubuntu runner for the job steps: - uses: actions/checkout@v4 # Checkout the repository code using the actions/checkout action with: fetch-depth: 0 # Fetch all history for all branches to ensure we have the full commit history + - name: Set up environment variables + run: | + echo "PR_HEAD_REF=${{ github.event.pull_request.head.ref }}" >> $GITHUB_ENV + echo "PR_BASE_REF=${{ github.event.pull_request.base.ref }}" >> $GITHUB_ENV + echo "GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}" >> $GITHUB_ENV + echo "GITHUB_REPOSITORY=${{ github.repository }}" >> $GITHUB_ENV + - name: Check GPG verification status # Step to check each commit for GPG signature verification run: | # Get the list of commits in the pull request - commits=$(git log --pretty=format:%H origin/${{ github.event.pull_request.head.ref }}..origin/${{ github.event.pull_request.base.ref }}) + commits=$(git log --pretty=format:%H origin/${PR_HEAD_REF}..origin/${PR_BASE_REF}) # Check the GPG verification status of each commit for commit in $commits; do - status=$(curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \ - https://api.github.com/repos/${{ github.repository }}/commits/$commit/check-runs \ + status=$(curl -s -H "Authorization: token $GITHUB_TOKEN" \ + https://api.github.com/repos/$GITHUB_REPOSITORY/commits/$commit/check-runs \ | jq -r '.check_runs[] | select(.name == "GPG verify") | .conclusion') # If the GPG verification status is not successful, list the commit and exit with a non-zero status 
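Review bot: Moving the `${{ github.event.pull_request.head.ref }}` expressions into a step that `echo`s them to `$GITHUB_ENV` does not remove the injection — the expression is still expanded into the shell script before it runs, and a branch name containing a newline can now also define arbitrary variables for every later step, in a job where the same step writes `GITHUB_TOKEN` into that file. The range `origin/${PR_HEAD_REF}..origin/${PR_BASE_REF}` predates this commit but is inverted (it yields base-branch commits missing from the PR, not the PR's commits) and fails for fork branches. Pass the values through the step's own `env:` using the event SHAs, as below; the check loop and the exit logic continue outside this hunk and are unchanged.
```yaml
      - name: Check GPG verification status
        env:
          # env, not ${{ }} in the script, so PR metadata cannot inject into the shell
          PR_BASE_SHA: ${{ github.event.pull_request.base.sha }}
          PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GITHUB_REPOSITORY: ${{ github.repository }}
        run: |
          # Commits in the PR head that are not yet on the base branch
          commits=$(git log --pretty=format:%H "${PR_BASE_SHA}..${PR_HEAD_SHA}")
          # … unchanged: per-commit check-run query and failure handling …
```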
diff --git a/.github/workflows/milestone.yml b/.github/workflows/milestone.yml index bce2655..8b5bb6a 100644 --- a/.github/workflows/milestone.yml +++ b/.github/workflows/milestone.yml @@ -1,7 +1,12 @@ # SPDX-License-Identifier: Apache-2.0 +# This GitHub Actions workflow is designed to close a milestone and trigger a release workflow. + +# Please do not attempt to edit this flow without the direct consent from the DevOps team. This file is managed centrally. + name: Milestone Workflow +# This workflow can be manually triggered with a specified milestone ID. on: workflow_dispatch: inputs: 
@@ -12,37 +17,39 @@ on: jobs: close_milestone: + if: github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]' runs-on: ubuntu-latest steps: + # Step to check out the repository code. - name: Checkout Repository uses: actions/checkout@v2 - - name: Setup Node.js (.npmrc) - uses: actions/setup-node@v3 - with: - node-version: 16.x - registry-url: https://npm.pkg.github.com/ - # Defaults to the user or organization that owns the workflow file - scope: '@frmscoe' - - - name: Install dependencies - run: npm ci - env: - GH_TOKEN: '${{ secrets.GITHUB_TOKEN }}' - + # Step to set up environment variables required for the script. + - name: Set up environment variables + run: | + # Set the GitHub token for authentication. + echo "ACCESS_TOKEN=${{ secrets.GITHUB_TOKEN }}" >> $GITHUB_ENV + # Set the milestone number based on the workflow input. + echo "MILESTONE_NUMBER=${{ github.event.inputs.milestoneId }}" >> $GITHUB_ENV + # Set the base API URL for GitHub. + echo "API_URL=https://api.github.com" >> $GITHUB_ENV + + # Step to close the specified milestone using GitHub API. - name: Close Milestone run: | - ACCESS_TOKEN="${{ secrets.GITHUB_TOKEN }}" - MILESTONE_NUMBER=${{ github.event.inputs.milestoneId }} - API_URL="https://api.github.com" - + # Use the environment variables set up earlier to make the API call. curl -X PATCH \ -H "Accept: application/vnd.github.v3+json" \ -H "Authorization: Bearer $ACCESS_TOKEN" \ -d '{"state": "closed"}' \ $API_URL/repos/${{ github.repository }}/milestones/$MILESTONE_NUMBER + env: + ACCESS_TOKEN: ${{ secrets.GITHUB_TOKEN }} + MILESTONE_NUMBER: ${{ github.event.inputs.milestoneId }} + API_URL: "https://api.github.com" + # Step to trigger another workflow for releasing, passing the milestone number. - name: Trigger Release Workflow uses: peter-evans/repository-dispatch@v1 with: diff --git a/.github/workflows/njsscan.yml b/.github/workflows/njsscan.yml index 0123970..d1bddf2 100644 --- a/.github/workflows/njsscan.yml 
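Review bot: The new `Set up environment variables` step writes `ACCESS_TOKEN=<GITHUB_TOKEN>` into `$GITHUB_ENV`, which exposes the token to every subsequent step — including the third-party `peter-evans/repository-dispatch@v1` — while the `Close Milestone` step already receives the same three values through its own `env:` block; the env-file step is redundant and should be removed so the token stays scoped to the one step that needs it. `actions/checkout@v2` and `repository-dispatch@v1` are also end-of-life majors running on deprecated Node versions, whereas the rest of this sync moves to `v4` and pins third-party actions by SHA. For consistency, `uses: actions/checkout@v4` and a SHA-pinned current `repository-dispatch` would bring this file in line.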
+++ b/.github/workflows/njsscan.yml @@ -8,14 +8,16 @@ # This workflow integrates njsscan with GitHub's Code Scanning feature # nodejsscan is a static security code scanner that finds insecure code patterns in your Node.js applications +# Please do not attempt to edit this flow without the direct consent from the DevOps team. This file is managed centrally. + name: njsscan sarif on: push: - branches: [ "main" ] + branches: [ "dev", "main" ] pull_request: # The branches below must be a subset of the branches above - branches: [ "main" ] + branches: [ "dev", "main" ] schedule: - cron: '17 17 * * 1' @@ -24,6 +26,7 @@ permissions: jobs: njsscan: + if: github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]' permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results @@ -39,6 +42,6 @@ jobs: with: args: '. --sarif --output results.sarif || true' - name: Upload njsscan report - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: results.sarif diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 43b4016..c54ed3c 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -1,5 +1,7 @@ # SPDX-License-Identifier: Apache-2.0 +# Please do not attempt to edit this flow without the direct consent from the DevOps team. This file is managed centrally. + name: Release Workflow on: @@ -11,6 +13,7 @@ on: jobs: release: + if: github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]' runs-on: ubuntu-latest steps: # Checkout the main branch with all history 
@@ -38,20 +41,6 @@ jobs: if: ${{ steps.release-label.outputs.level != null }} with: semver_only: true - - # Setup Node.js environment - - name: Setup Node.js (.npmrc) - uses: actions/setup-node@v3 - with: - node-version: 20.x - registry-url: https://npm.pkg.github.com/ - scope: '@frmscoe' - - # Install dependencies - - name: Install dependencies - run: npm ci - env: - GH_TOKEN: '${{ secrets.GITHUB_TOKEN }}' # Determine the release type (major, minor, patch) based on commit messages - name: Determine Release Type 
@@ -242,32 +231,37 @@ jobs: draft: false prerelease: false - # Update the CHANGELOG.md file in the repository - - name: Update CHANGELOG.md + - name: Get Latest Release run: | - NEW_VERSION=${{ steps.bump_version.outputs.new_version }} - CHANGELOG_CONTENTS=$(cat /home/runner/work/changelog.txt) - # Prepend the new changelog content to the existing CHANGELOG.md below SPDX-License-Identifier section - echo -e "$(head -n 2 CHANGELOG.md)\n\n## $NEW_VERSION\n\n$CHANGELOG_CONTENTS\n\n$(tail -n +3 CHANGELOG.md)" > CHANGELOG.md - git config --global user.name "github-actions[bot]" - git config --global user.email "github-actions[bot]@users.noreply.github.com" - git add CHANGELOG.md - git commit -m "chore: Update CHANGELOG.md for $NEW_VERSION" - git push origin HEAD:main + echo "LATEST_RELEASE=$(gh release list --limit 1 | awk '{print $1}')" >> $GITHUB_ENV + echo "The latest release tag is $LATEST_RELEASE" + + - name: Send Slack Notification env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - STARTUP_TYPE: 'nats' - - # Update the VERSION file - - name: Update VERSION file + SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} run: | - NEW_VERSION=${{ steps.bump_version.outputs.new_version }} - echo -e "# SPDX-License-Identifier: Apache-2.0\n\n$NEW_VERSION" > VERSION - git config --global user.name "github-actions[bot]" - git config --global user.email "github-actions[bot]@users.noreply.github.com" - git add VERSION - git commit -m "chore: Update VERSION to $NEW_VERSION" - git push origin HEAD:main - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - STARTUP_TYPE: 'nats' \ No newline at end of file + curl -X POST -H 'Content-type: application/json' --data '{ + "blocks": [ + { + "type": "header", + "text": { + "type": "plain_text", + "text": "New Release Alert :tazama:", + "emoji": true + } + }, + { + "type": "section", + "fields": [ + { + "type": "mrkdwn", + "text": "*Github Repository:*\nhttps://github.com/${{ github.repository }}" + }, + { + "type": "mrkdwn", + "text": 
"*Release:*\n" + } + ] + } + ] + }' ${{ secrets.SLACK_WEBHOOK_URL }} \ No newline at end of file diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml index 410a9bb..1abab3f 100644 --- a/.github/workflows/sbom.yml +++ b/.github/workflows/sbom.yml @@ -13,28 +13,32 @@ # and parameters, see https://github.com/anchore/sbom-action. For more # information about the Anchore SBOM tool, Syft, see # https://github.com/anchore/syft + +# Please do not attempt to edit this flow without the direct consent from the DevOps team. This file is managed centrally. + name: Anchore Syft SBOM scan on: - workflow_dispatch: push: - branches: [ "dev", "main" ] + branches: [ "main" ] permissions: contents: write jobs: Anchore-Build-Scan: + if: github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]' permissions: contents: write # required to upload to the Dependency submission API runs-on: ubuntu-latest steps: - name: Checkout the code uses: actions/checkout@v4 - - name: Scan the src directory and upload dependency results - uses: anchore/sbom-action@v0 + - name: Build the Docker image + run: docker build . --file Dockerfile --tag localbuild/testimage:latest + - name: Scan the image and upload dependency results + uses: anchore/sbom-action@bb716408e75840bbb01e839347cd213767269d4a with: - path: ./src/ - artifact-name: src.spdx.json + image: "localbuild/testimage:latest" + artifact-name: image.spdx.json dependency-snapshot: true - From 2c32f9e6072292f027f6e123d622388c0e61a456 Mon Sep 17 00:00:00 2001 From: github-actions Date: Mon, 2 Dec 2024 15:25:56 +0000 Subject: [PATCH 2/3] ci: sync workflows from central-workflows Signed-off-by: Scott --- .github/workflows/dockerhub-image-build.yml | 2 +- .github/workflows/release.yml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/dockerhub-image-build.yml b/.github/workflows/dockerhub-image-build.yml index 4ea0d8e..8e226f1 100644 
--- a/.github/workflows/dockerhub-image-build.yml +++ b/.github/workflows/dockerhub-image-build.yml @@ -71,7 +71,7 @@ jobs: with: subject-name: docker.io/tazamaorg/${{ env.REPO_NAME }} subject-digest: ${{ steps.push.outputs.digest }} - push-to-registry: true + push-to-registry: false - name: Send Slack Notification env: diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index c54ed3c..3058564 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -213,7 +213,7 @@ jobs: # Attach changelog as an artifact - name: Attach Changelog to Release - uses: actions/upload-artifact@v2 + uses: actions/upload-artifact@v4 with: name: Changelog path: /home/runner/work/changelog.txt @@ -264,4 +264,4 @@ jobs: ] } ] - }' ${{ secrets.SLACK_WEBHOOK_URL }} \ No newline at end of file + }' ${{ secrets.SLACK_WEBHOOK_URL }} From 7b5cd8d127d9e24740b5e98e474b7cfe8d3370d4 Mon Sep 17 00:00:00 2001 From: github-actions Date: Mon, 2 Dec 2024 20:56:26 +0000 Subject: [PATCH 3/3] ci: sync workflows from central-workflows Signed-off-by: Scott --- .github/workflows/dockerhub-image-build.yml | 2 -- .github/workflows/release.yml | 38 ++++++++++----------- 2 files changed, 19 insertions(+), 21 deletions(-) diff --git a/.github/workflows/dockerhub-image-build.yml b/.github/workflows/dockerhub-image-build.yml index 8e226f1..0195ce5 100644 --- a/.github/workflows/dockerhub-image-build.yml +++ b/.github/workflows/dockerhub-image-build.yml @@ -16,8 +16,6 @@ name: Publish Docker image on: push: branches: [ "main" ] - release: - types: [published] jobs: push_to_registry: diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 3058564..05c0a4c 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -10,6 +10,7 @@ on: properties: milestone_number: type: string + workflow_dispatch: jobs: release: 
@@ -41,33 +42,32 @@ jobs: if: ${{ steps.release-label.outputs.level != null }} with: semver_only: true + + - name: Get Last Merged PR + id: get_merged_pr + uses: actions-ecosystem/action-get-merged-pull-request@v1 + with: + github_token: ${{ secrets.GITHUB_TOKEN }} - # Determine the release type (major, minor, patch) based on commit messages - - name: Determine Release Type + # Determine the release type (major, minor, patch) based on Last Merged PR Title + - name: Determine Release Type from PR Title id: determine_release run: | - PREV_VERSION=$(git describe --abbrev=0 --tags) - echo "Previous Version: $PREV_VERSION" - - COMMIT_MESSAGES=$(git log $PREV_VERSION^..HEAD --format=%B) - echo "Commit Messages: $COMMIT_MESSAGES" - - # Determine release type based on commit messages and labels - RELEASE_TYPE="patch" # Default to patch - - if echo "$COMMIT_MESSAGES" | grep -q -e "BREAKING CHANGE:"; then + PR_TITLE="${{ steps.get_merged_pr.outputs.title }}" + echo "PR Title: $PR_TITLE" + + RELEASE_TYPE="patch" # Default release type + if echo "$PR_TITLE" | grep -q "^BREAKING CHANGE:"; then RELEASE_TYPE="major" - elif echo "$COMMIT_MESSAGES" | grep -q -e "feat!:"; then + elif echo "$PR_TITLE" | grep -q "^feat!:"; then RELEASE_TYPE="major" - elif echo "$COMMIT_MESSAGES" | grep -q -e "feat:"; then + elif echo "$PR_TITLE" | grep -q "^feat:"; then RELEASE_TYPE="minor" - elif echo "$COMMIT_MESSAGES" | grep -q -e "feat:" && (echo "$COMMIT_MESSAGES" | grep -q -e "fix:" || echo "$COMMIT_MESSAGES" | grep -q -e "enhancement:" || echo "$COMMIT_MESSAGES" | grep -q -e "docs:" || echo "$COMMIT_MESSAGES" | grep -q -e "refactor:" || echo "$COMMIT_MESSAGES" | grep -q -e "chore:"); then - RELEASE_TYPE="minor" - elif echo "$COMMIT_MESSAGES" | grep -q -e "fix:" -e "enhancement:" -e "docs:" -e "refactor:" -e "chore:" -e "build:" -e "ci:" -e "perf:" -e "style:" -e "test:" -e "chore(deps):" -e "chore(deps-dev):"; then + else RELEASE_TYPE="patch" fi - - echo "Release Type: $RELEASE_TYPE" + + echo 
"Determined Release Type: $RELEASE_TYPE" echo "::set-output name=release_type::$RELEASE_TYPE" # Bump the version based on the determined release type