From 1e61b132fbd490778428889dd1ec89eb4d42c7c9 Mon Sep 17 00:00:00 2001 From: Jon Date: Sat, 3 Aug 2024 17:12:47 +0930 Subject: [PATCH 01/21] chore: add github dir #1 --- .github/.gitkeep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 .github/.gitkeep diff --git a/.github/.gitkeep b/.github/.gitkeep new file mode 100644 index 0000000..e69de29 From bf3835539745d153c2e9cfb5b9f31ef8f8ba0d08 Mon Sep 17 00:00:00 2001 From: Jon Date: Sat, 3 Aug 2024 17:37:59 +0930 Subject: [PATCH 02/21] feat: docker workflow added MR #1 --- .github/workflows/ci.yaml | 107 ++++ .github/workflows/docker.yaml | 883 ++++++++++++++++++++++++++++++++++ dockerfile | 15 + 3 files changed, 1005 insertions(+) create mode 100644 .github/workflows/ci.yaml create mode 100644 .github/workflows/docker.yaml create mode 100644 dockerfile diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml new file mode 100644 index 0000000..0f89a22 --- /dev/null +++ b/.github/workflows/ci.yaml 
@@ -0,0 +1,107 @@ +--- + +name: 'CI' + + +on: + # workflow_call: + # inputs: + # build-branch: # tag / dev + # required: true + # type: string + push: + branches: + - '**' + tags: + - '*' + # pull_request: + # branches: + # - '**' + + +# env: +# DOCKER_BUILD_IMAGE: "ghcr.io/${{ github.repository }}-fred:${{ github.sha }}" + + +# permissions: +# pull-requests: write +# contents: read +# actions: read +# checks: write +# packages: write +# security-events: write +# statuses: write + + + +jobs: + + + docker-changed: + if: + (${{ + github.event.push + || + github.ref_type == 'tag' + }}) + runs-on: ubuntu-latest + name: Docker Changed Check + outputs: + feature: ${{ steps.changes-feature.outputs.src }} + development: ${{ steps.changes-development.outputs.src }} + steps: + + + - uses: actions/checkout@v4 + + + - uses: dorny/paths-filter@v3 + name: Development Changes + if: + ( + github.ref_name == 'development' + ) + id: changes-development + with: + ref: master + filters: | + src: + - '.github/workflows/docker.yaml' + - uses: dorny/paths-filter@v3 + name: Feature Branch + if: + ( + github.ref_name != 'development' + && + github.ref_name != 'master' + ) + id: changes-feature + with: + ref: development + filters: | + src: + - '.github/workflows/docker.yaml' + + + docker-check: + needs: docker-changed + name: 'Docker' + if: + ( + needs.docker-changed.outputs.feature == 'true' + || + needs.docker-changed.outputs.development == 'true' + ) + uses: ./.github/workflows/docker.yaml + with: + DOCKER_BUILD_IMAGE_NAME: "nofusscomputing/workflow-docker" + DOCKER_PUBLISH_IMAGE_NAME: "nofusscomputing/workflow-docker-publish" + DOCKER_PUBLISH_REGISTRY: "ghcr.io" + + + + # release: + # name: 'Release' + # uses: nofusscomputing/scratchpad/.github/workflows/release.yaml@further-testing + # # with: + # # DOCKER_BUILD_IMAGE_NAME: "${{ github.repository }}" \ No newline at end of file 
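Review bot: The job-level `if: (${{ github.event.push || github.ref_type == 'tag' }})` on `docker-changed` tests a key that, as far as I can see, the push event payload does not carry, so `github.event.push` expands to empty and the condition reduces to `github.ref_type == 'tag'`; on ordinary branch pushes the job is skipped and `docker-check` never runs. The event name is what the expression appears to be after: `if: ${{ github.event_name == 'push' || github.ref_type == 'tag' }}`. The same expression is repeated in the `docker-build`, `docker-scan-vulnerability` and `docker-sbom` jobs of `.github/workflows/docker.yaml` in this patch and would need the same change there. Separately, `actions/checkout@v4` and `dorny/paths-filter@v3` are referenced by mutable tags while `docker/login-action` in docker.yaml is pinned to a commit SHA; pinning these the same way keeps the code that runs with the repository token from changing underneath the workflow.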
diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml new file mode 100644 index 0000000..fbe1bfd --- /dev/null +++ b/.github/workflows/docker.yaml 
@@ -0,0 +1,883 @@ +--- + +name: 'Docker' + + +on: + workflow_call: + inputs: + DOCKER_BUILD_REGISTRY: + default: "ghcr.io" + description: Registry where build image will live + required: false + type: string + DOCKER_BUILD_IMAGE_NAME: + default: "${{ github.repository }}" + description: Docker image name for building image + required: false + type: string + DOCKER_BUILD_IMAGE_TAG: + default: "${{ github.sha }}" + description: Docker image tag for building image + required: false + type: string + DOCKER_FILE: + default: "dockerfile" + description: Path to the dockerfile + required: false + type: string + DOCKER_LABEL_ARTIFACTHUB_MAINTAINER: + default: '[{"name":"No Fuss Computing","email":"helpdesk@nofusscomputing.com"}]' + description: Artifact hub Maintainer + required: false + type: string + DOCKER_LABEL_ARTIFACTHUB_README: + default: 'https://raw.githubusercontent.com/${{ github.repository }}/development/README.md' + description: Artifact hub ReadMe + required: false + type: string + DOCKER_PUBLISH_REGISTRY: + default: "docker.io" + description: Registry where image will be published to + required: false + type: string + DOCKER_PUBLISH_IMAGE_NAME: + default: "${{ github.repository }}" + description: Docker image name for publishing the image + required: false + type: string + DOCKER_SCAN_IMAGE_VULNERABILITY: + default: true + description: Scan Image with Trivy + required: false + type: boolean + DOCKER_TAG_IMAGE_TAG_SOURCE: + default: "${{ github.sha }}" + description: Docker image tag Used for source Image to tag + required: false + type: string + DOCKER_TAG_IMAGE_TAG_LATEST: + default: true + description: Create image with tag 'Latest' + required: false + type: boolean + DOCKER_TAG_IMAGE_TAG_SHA: + default: true + description: Create image with tag that is the git commit + required: false + type: boolean + + +permissions: + pull-requests: write + contents: write + actions: read + checks: write + packages: write + security-events: write + statuses: write + 
id-token: write + attestations: write + +jobs: + + docker-build: + if: + (${{ + github.event.push + || + github.ref_type == 'tag' + }}) + runs-on: ubuntu-latest + name: Build Image + outputs: + build-image-digest: ${{ steps.image-digest.outputs.value-out }} + steps: + + + + - name: Debug + run: | + echo "${{ github.event.pull_request.head.repo.full_name || github.repository }}"; + echo "**************************"; + echo "${{ github.event.pull_request.head.repo.full_name }}"; + echo "**************************"; + echo "${{ github.repository }}"; + echo "**************************"; + echo "${{ github.event.pull_request.head.repo }}"; + echo "**************************"; + echo "${{ github.event.push }}"; + echo "**************************"; + - uses: actions/checkout@v4 + + - name: Dummy Task + if: ${{ github.ref_type == 'tag' }} + run: | + echo "This Job does nothing however as 'docker-build' is a dependency job, must do something."; + + + + - name: Log into registry ghcr.io + uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + + - name: Setup BuildX + if: ${{ github.ref_type != 'tag' }} + run: | + docker buildx create --name project-v3-builder; + docker buildx use project-v3-builder; + + + - name: build image + if: ${{ github.ref_type != 'tag' }} + run: | + docker buildx build --platform="linux/amd64,linux/arm64" . 
\ + --label "org.opencontainers.image.created=$(date '+%Y-%m-%dT%H:%M:%S%:z')" \ + --label "org.opencontainers.image.source=https://github.com/${{ github.repository }}" \ + --label "org.opencontainers.image.revision=${{ github.sha }}" \ + \ + --label "io.artifacthub.package.readme-url=${{ inputs.DOCKER_LABEL_ARTIFACTHUB_README }}" \ + --label 'io.artifacthub.package.maintainers=${{ inputs.DOCKER_LABEL_ARTIFACTHUB_MAINTAINER }}' \ + \ + --annotation "org.opencontainers.image.description=a DESCRIPTION for multi-arch images" \ + --annotation "org.opencontainers.image.created=$(date '+%Y-%m-%dT%H:%M:%S%:z')" \ + --annotation "org.opencontainers.image.source=https://github.com/${{ github.repository }}" \ + --annotation "org.opencontainers.image.revision=${{ github.sha }}" \ + --push \ + --file ${{ inputs.DOCKER_FILE }} \ + --tag ${{ inputs.DOCKER_BUILD_REGISTRY }}/${{ inputs.DOCKER_BUILD_IMAGE_NAME }}:${{ inputs.DOCKER_BUILD_IMAGE_TAG }}; + + + - name: Remove "Unknown" Image from Manifest + if: ${{ github.ref_type != 'tag' }} + run: | + + DOCKER_MULTI_ARCH_IMAGES=$(docker buildx imagetools inspect "${{ inputs.DOCKER_BUILD_REGISTRY }}/${{ inputs.DOCKER_BUILD_IMAGE_NAME }}:${{ inputs.DOCKER_BUILD_IMAGE_TAG }}" --format "{{ range .Manifest.Manifests }}{{ if ne (print .Platform) \"&{unknown unknown [] }\" }}${{ inputs.DOCKER_BUILD_REGISTRY }}/${{ inputs.DOCKER_BUILD_IMAGE_NAME }}:${{ inputs.DOCKER_BUILD_IMAGE_TAG }}@{{ println .Digest }}{{end}} {{end}}"); + + docker buildx imagetools create $DOCKER_MULTI_ARCH_IMAGES \ + --tag ${{ inputs.DOCKER_BUILD_REGISTRY }}/${{ inputs.DOCKER_BUILD_IMAGE_NAME }}:${{ inputs.DOCKER_BUILD_IMAGE_TAG }} \ + --tag ${{ inputs.DOCKER_BUILD_REGISTRY }}/${{ inputs.DOCKER_BUILD_IMAGE_NAME }}:dev; + + + - name: Fetch image + run: | + docker pull ${{ inputs.DOCKER_BUILD_REGISTRY }}/${{ inputs.DOCKER_BUILD_IMAGE_NAME }}:${{ inputs.DOCKER_BUILD_IMAGE_TAG }} >> /dev/null; + + + - name: Fetch Manifest digest + id: image-digest + run: | + echo 
"value-out=$(docker inspect --format='{{index .RepoDigests 0}}' ${{ inputs.DOCKER_BUILD_REGISTRY }}/${{ inputs.DOCKER_BUILD_IMAGE_NAME }}:${{ inputs.DOCKER_BUILD_IMAGE_TAG }} | cut -d '@' -f 2)" >> $GITHUB_OUTPUT + + + - name: Attest + if: ${{ + github.ref_name == 'development' + || + github.ref_name == 'master' + || + github.ref_type == 'tag' + }} + uses: actions/attest-build-provenance@v1 + id: image-attest + with: + subject-name: ${{ inputs.DOCKER_BUILD_REGISTRY }}/${{ inputs.DOCKER_BUILD_IMAGE_NAME }} + subject-digest: ${{ steps.image-digest.outputs.value-out }} + push-to-registry: true + + + - name: Upload Image Attestation Artifact + if: ${{ + github.ref_name == 'development' + || + github.ref_name == 'master' + || + github.ref_type == 'tag' + }} + uses: actions/upload-artifact@v4 + with: + name: ${{ inputs.DOCKER_BUILD_REGISTRY }}-attestation-image + path: ${{ steps.image-attest.outputs.bundle-path }} + + + - name: Cleanup BuildX + if: ${{ github.ref_type != 'tag' }} + run: | + docker buildx rm project-v3-builder; + + + + docker-scan-vulnerability: + if: + (${{ + ( + github.event.push + || + github.ref_type == 'tag' + ) + && + inputs.DOCKER_SCAN_IMAGE_VULNERABILITY + }}) + + needs: + - docker-build + runs-on: ubuntu-latest + name: Vulnerability Scan + steps: + - uses: actions/checkout@v4 + + + - name: Dummy Task + if: + (${{ + inputs.DOCKER_SCAN_IMAGE_VULNERABILITY == false + }}) + run: | + echo "Scanning image turned off.This Job does nothing however as 'docker-scan-vulnerability' is a dependency job, must do something."; + + + - name: Log into registry ghcr.io + if: + (${{ + inputs.DOCKER_SCAN_IMAGE_VULNERABILITY + }}) + uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + + - name: Run Trivy vulnerability scanner (sarif Report) + if: + (${{ + inputs.DOCKER_SCAN_IMAGE_VULNERABILITY + }}) + uses: aquasecurity/trivy-action@0.20.0 + 
with: + image-ref: '${{ inputs.DOCKER_BUILD_REGISTRY }}/${{ inputs.DOCKER_BUILD_IMAGE_NAME }}:${{ inputs.DOCKER_BUILD_IMAGE_TAG }}' + format: 'sarif' + output: 'trivy-results.sarif' + severity: 'LOW,MEDIUM,HIGH,CRITICAL' + vuln-type: 'os,library' + scanners: vuln + ignore-unfixed: true + + + - name: Upload Trivy Vulnerability Scan as a release asset + if: ${{ github.ref_type == 'tag' }} + uses: mkatanski/release-files-action@v1.1.3 + with: + token: ${{ secrets.GITHUB_TOKEN }} + release-tag: ${{ github.ref_name }} + name: "trivy-vulnerability-scan.sarif" + file-path: trivy-results.sarif + + + - name: Upload Trivy scan results to GitHub Security tab + if: + (${{ + inputs.DOCKER_SCAN_IMAGE_VULNERABILITY + }}) + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: 'trivy-results.sarif' + + + - name: Run Trivy vulnerability scanner (json Report) + if: + (${{ + inputs.DOCKER_SCAN_IMAGE_VULNERABILITY + }}) + uses: aquasecurity/trivy-action@0.20.0 + with: + image-ref: '${{ inputs.DOCKER_BUILD_REGISTRY }}/${{ inputs.DOCKER_BUILD_IMAGE_NAME }}:${{ inputs.DOCKER_BUILD_IMAGE_TAG }}' + format: 'json' + output: 'scan-results.json' + severity: 'LOW,MEDIUM,HIGH,CRITICAL' + vuln-type: 'os,library' + scanners: vuln + ignore-unfixed: false + + - name: Upload scan results + if: + (${{ + inputs.DOCKER_SCAN_IMAGE_VULNERABILITY + }}) + uses: actions/upload-artifact@v4 + with: + name: container-scan-results-json + path: scan-results.json + + + - run: | + ls -la + + - name: Create Vulnerabilities (Critical/High) + if: + (${{ + inputs.DOCKER_SCAN_IMAGE_VULNERABILITY + }}) + run: | + if [ "$(jq -r '.Results')" ]; then + + not_empty="$(jq -r '.Results[] | .Vulnerabilities[]' scan-results.json)"; + + else + + not_empty=""; + + fi + + + jq -r ' + [ + "# Image Scan Results", + "", + "**Scan Date:** _" + ( .CreatedAt // "" ) + "_", + "**Image:** _" + ( .ArtifactName // "" ) + "_", + "**OS:** _" + ( .Metadata.OS.Family // "" ) + " " + ( .Metadata.OS.Name // "" ) + "_", + "" + ] | 
join("\n") + ' scan-results.json > vulnerability-report.md + + if [ "$not_empty" ]; then + jq -r ' + def hr(severity): + if severity == "HIGH" or severity == "CRITICAL" then true else false end; + def to_md: + "| " + (.VulnerabilityID // "") + " | " + (.PkgName // "") + " | " + (.InstalledVersion // "") + " | " + (.Severity // "") + " | " + (.Title // "") + " |"; + [ + "## High and Critical Vulnerabilities", + "", + "| Vulnerability ID | Package | Version | Severity | Description |", + "| --------- | ----- | ----- | ----- | -------|", + (.Results[] | .Vulnerabilities[] | select(hr(.Severity)) | to_md), + "" + ] | join("\n") + ' scan-results.json >> vulnerability-report.md + + else + + echo "**Nothing Found**" >> vulnerability-report.md + + fi; + + + + - name: Create Full Vulnerabilities + if: + (${{ + inputs.DOCKER_SCAN_IMAGE_VULNERABILITY + }}) + run: | + if [ "$(jq -r '.Results')" ]; then + + not_empty="$(jq -r '.Results[] | .Vulnerabilities[]' scan-results.json)"; + + else + + not_empty=""; + + fi + + + jq -r ' + [ + "# Full Image Scan Results", + "", + "**Scan Date:** _" + ( .CreatedAt // "" ) + "_", + "**Image:** _" + ( .ArtifactName // "" ) + "_", + "**OS:** _" + ( .Metadata.OS.Family // "" ) + " " + ( .Metadata.OS.Name // "" ) + "_", + "" + ] | join("\n") + ' scan-results.json > full-vulnerability-report.md + + if [ "$not_empty" ]; then + jq -r ' + def hr(severity): + if severity == "HIGH" or severity == "CRITICAL" then true else false end; + def to_md: + "| " + (.VulnerabilityID // "") + " | " + (.PkgName // "") + " | " + (.InstalledVersion // "") + " | " + (.Severity // "") + " | " + (.Title // "") + " |"; + [ + "## Vulnerabilities", + "", + "| Vulnerability ID | Package | Version | Severity | Description |", + "| --------- | ----- | ----- | ----- | -------|", + (.Results[] | .Vulnerabilities[] | select(.Severity) | to_md), + "" + ] | join("\n") + ' scan-results.json >> full-vulnerability-report.md + + else + + echo "**Nothing Found**" >> 
full-vulnerability-report.md + + fi; + + + - name: Upload scan results + if: + (${{ + inputs.DOCKER_SCAN_IMAGE_VULNERABILITY + }}) + uses: actions/upload-artifact@v4 + with: + name: docker-vulnerability-report + path: vulnerability-report.md + + - name: Upload scan results + if: + (${{ + inputs.DOCKER_SCAN_IMAGE_VULNERABILITY + }}) + uses: actions/upload-artifact@v4 + with: + name: docker-vulnerability-report-full + path: full-vulnerability-report.md + + + + docker-sbom: + if: + (${{ + ( + github.event.push + || + github.ref_type == 'tag' + ) + }}) + needs: + - docker-build + runs-on: ubuntu-latest + name: Image SBOM + steps: + + + - name: Scan Image + uses: aquasecurity/trivy-action@0.20.0 + with: + scan-type: image + format: cyclonedx + output: dependency-results.sbom.json + image-ref: '${{ inputs.DOCKER_BUILD_REGISTRY }}/${{ inputs.DOCKER_BUILD_IMAGE_NAME }}:${{ inputs.DOCKER_BUILD_IMAGE_TAG }}' + scan-ref: . + ignore-unfixed: false + vuln-type: os,library + severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL + list-all-pkgs: false + + + - name: Upload SBOM as a Github artifact + uses: actions/upload-artifact@v4 + with: + name: trivy-sbom-report + path: '${{ github.workspace }}/dependency-results.sbom.json' + + + - name: Upload Trivy SBOM as a release asset + if: ${{ github.ref_type == 'tag' }} + uses: mkatanski/release-files-action@v1.1.3 + with: + token: ${{ secrets.GITHUB_TOKEN }} + release-tag: ${{ github.ref_name }} + name: "dependency-scan.sbom.json" + file-path: dependency-results.sbom.json + + + - name: Log into registry ghcr.io + if: ${{ + github.ref_name == 'development' + || + github.ref_name == 'master' + || + github.ref_type == 'tag' + }} + uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + + - name: Generate SBOM Attestation + if: ${{ + github.ref_name == 'development' + || + github.ref_name == 'master' + || + github.ref_type == 
'tag' + }} + id: sbom-attest + uses: actions/attest-sbom@v1 + with: + subject-name: '${{ inputs.DOCKER_BUILD_REGISTRY }}/${{ inputs.DOCKER_BUILD_IMAGE_NAME }}' + subject-digest: ${{ needs.docker-build.outputs.build-image-digest }} + sbom-path: 'dependency-results.sbom.json' + push-to-registry: true + + + - name: Upload SBOM Attestation Artifact + if: ${{ + github.ref_name == 'development' + || + github.ref_name == 'master' + || + github.ref_type == 'tag' + }} + uses: actions/upload-artifact@v4 + with: + name: ${{ inputs.DOCKER_BUILD_REGISTRY }}-attestation-image-sbom + path: ${{ steps.sbom-attest.outputs.bundle-path }} + + + docker-reports: + # if: ${{ + # ( + # github.event.push + # || + # github.ref_type == 'tag' + # ) + # }} + needs: + - docker-scan-vulnerability + - docker-build + runs-on: ubuntu-latest + name: Create Reports + steps: + + + - name: Dummy Task + if: ${{ + inputs.DOCKER_SCAN_IMAGE_VULNERABILITY == false + }} + run: | + echo "Scanning image turned off.This Job does nothing however as 'docker-scan-vulnerability' is a dependency job, must do something."; + + + - name: Fetch Scan Results + if: ${{ + inputs.DOCKER_SCAN_IMAGE_VULNERABILITY + }} + uses: actions/download-artifact@v4 + with: + name: docker-vulnerability-report-full + + + - uses: dtinth/markdown-report-action@v1 + if: ${{ + inputs.DOCKER_SCAN_IMAGE_VULNERABILITY + }} + with: + name: Docker Vulnerability Report + title: Vulnerability Report + body-file: full-vulnerability-report.md + + + + docker-tagged: + if: ${{ github.ref_type == 'tag' }} + needs: + - docker-scan-vulnerability + - docker-reports + runs-on: ubuntu-latest + name: Tagged Image + steps: + + + - name: Log into registry ghcr.io + if: + (${{ + github.ref_type != 'tag' + }}) + uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + + - name: Create Image Tag '${{ github.ref_name }}' + run: | + docker buildx 
imagetools create ${{ inputs.DOCKER_BUILD_REGISTRY }}/${{ inputs.DOCKER_BUILD_IMAGE_NAME }}:${{ inputs.DOCKER_TAG_IMAGE_TAG_SOURCE }} \ + --tag ${{ inputs.DOCKER_BUILD_REGISTRY }}/${{ inputs.DOCKER_BUILD_IMAGE_NAME }}:${{ github.ref_name }}; + + + - name: Create Image Tag 'latest' + if: ${{ inputs.DOCKER_TAG_IMAGE_TAG_LATEST }} + run: | + docker buildx imagetools create ${{ inputs.DOCKER_BUILD_REGISTRY }}/${{ inputs.DOCKER_BUILD_IMAGE_NAME }}:${{ inputs.DOCKER_TAG_IMAGE_TAG_SOURCE }} \ + --tag ${{ inputs.DOCKER_BUILD_REGISTRY }}/${{ inputs.DOCKER_BUILD_IMAGE_NAME }}:latest; + + + + docker-pr-comment: + if: ${{ github.ref_type != 'tag' }} + needs: + - docker-scan-vulnerability + runs-on: ubuntu-latest + name: PR Comment (Vulnerability) + steps: + + + - name: Fetch Vulnerability Report + if: ${{ inputs.DOCKER_SCAN_IMAGE_VULNERABILITY }} + uses: actions/download-artifact@v4 + with: + name: docker-vulnerability-report + + + - name: Capture scan results + if: ${{ inputs.DOCKER_SCAN_IMAGE_VULNERABILITY }} + run: | + content=$(cat vulnerability-report.md | head -c 65000) + echo "report<> $GITHUB_ENV + echo "$content" >> $GITHUB_ENV + echo "EOF" >> $GITHUB_ENV + + - uses: jwalton/gh-find-current-pr@v1 + id: finder + + - name: Comment scan results on PR + if: ${{ inputs.DOCKER_SCAN_IMAGE_VULNERABILITY }} + uses: marocchino/sticky-pull-request-comment@v2 + with: + number: ${{ steps.finder.outputs.pr }} + header: Image Scan Results + message: | + ${{ env.report }} + + + + docker-publish: + if: ${{ github.ref_type == 'tag' }} + needs: + - docker-build + - docker-scan-vulnerability + - docker-reports + - docker-tagged + runs-on: ubuntu-latest + name: Publish + steps: + + + - name: Log into registry ghcr.io + uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 + with: + registry: ${{ inputs.DOCKER_PUBLISH_REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + + - name: Tag Image with GIT Tag '${{ github.ref_name }}' + run: 
| + docker buildx imagetools create ${{ inputs.DOCKER_BUILD_REGISTRY }}/${{ inputs.DOCKER_BUILD_IMAGE_NAME }}:${{ inputs.DOCKER_TAG_IMAGE_TAG_SOURCE }} \ + --tag ${{ inputs.DOCKER_PUBLISH_REGISTRY }}/${{ inputs.DOCKER_PUBLISH_IMAGE_NAME }}:${{ github.ref_name }} \ + + + + - name: Tag Image with GIT commit '${{ inputs.DOCKER_TAG_IMAGE_TAG_SOURCE }}' + if: ${{ inputs.DOCKER_TAG_IMAGE_TAG_SHA }} + run: | + docker buildx imagetools create ${{ inputs.DOCKER_BUILD_REGISTRY }}/${{ inputs.DOCKER_BUILD_IMAGE_NAME }}:${{ inputs.DOCKER_TAG_IMAGE_TAG_SOURCE }} \ + --tag ${{ inputs.DOCKER_PUBLISH_REGISTRY }}/${{ inputs.DOCKER_PUBLISH_IMAGE_NAME }}:${{ inputs.DOCKER_TAG_IMAGE_TAG_SOURCE }} \ + + + - name: Fetch image ${{ github.ref_name }} + run: | + docker pull ${{ inputs.DOCKER_PUBLISH_REGISTRY }}/${{ inputs.DOCKER_PUBLISH_IMAGE_NAME }}:${{ github.ref_name }} >> /dev/null; + + + - name: Fetch Manifest digest ${{ github.ref_name }} + id: image-digest + run: | + echo "value-out=$(docker inspect --format='{{index .RepoDigests 0}}' ${{ inputs.DOCKER_PUBLISH_REGISTRY }}/${{ inputs.DOCKER_PUBLISH_IMAGE_NAME }}:${{ github.ref_name }} | cut -d '@' -f 2)" >> $GITHUB_OUTPUT + + + - name: Attest ${{ github.ref_name }} + uses: actions/attest-build-provenance@v1 + id: image-attest + with: + subject-name: ${{ inputs.DOCKER_PUBLISH_REGISTRY }}/${{ inputs.DOCKER_PUBLISH_IMAGE_NAME }} + subject-digest: ${{ steps.image-digest.outputs.value-out }} + push-to-registry: true + + + - name: Upload Image Attestation Artifact ${{ github.ref_name }} + uses: actions/upload-artifact@v4 + with: + name: ${{ inputs.DOCKER_PUBLISH_REGISTRY }}-attestation-image-published + path: ${{ steps.image-attest.outputs.bundle-path }} + + + - name: Download SBOM as a Github artifact + uses: actions/download-artifact@v4 + with: + name: trivy-sbom-report + + + - name: Generate SBOM Attestation (publish) + id: sbom-attest + uses: actions/attest-sbom@v1 + with: + subject-name: '${{ inputs.DOCKER_PUBLISH_REGISTRY }}/${{ 
inputs.DOCKER_PUBLISH_IMAGE_NAME }}' + subject-digest: ${{ needs.docker-build.outputs.build-image-digest }} + sbom-path: 'dependency-results.sbom.json' + push-to-registry: true + + + - name: Upload SBOM Attestation Artifact (publish) + uses: actions/upload-artifact@v4 + with: + name: ${{ inputs.DOCKER_PUBLISH_REGISTRY }}-attestation-image-sbom-published + path: ${{ steps.sbom-attest.outputs.bundle-path }} + + + + - name: Tag Image with GIT 'latest' + if: ${{ inputs.DOCKER_TAG_IMAGE_TAG_LATEST }} + run: | + docker buildx imagetools create ${{ inputs.DOCKER_BUILD_REGISTRY }}/${{ inputs.DOCKER_BUILD_IMAGE_NAME }}:${{ inputs.DOCKER_TAG_IMAGE_TAG_SOURCE }} \ + --tag ${{ inputs.DOCKER_PUBLISH_REGISTRY }}/${{ inputs.DOCKER_PUBLISH_IMAGE_NAME }}:latest; + + + - name: Append GH Release Body + if: ${{ github.ref_type == 'tag' }} + id: release + uses: softprops/action-gh-release@v2 + with: + append_body: true + body: | + ## Images + + - `docker pull ${{ inputs.DOCKER_PUBLISH_REGISTRY }}/${{ inputs.DOCKER_PUBLISH_IMAGE_NAME }}:latest` + - `docker pull ${{ inputs.DOCKER_PUBLISH_REGISTRY }}/${{ inputs.DOCKER_PUBLISH_IMAGE_NAME }}:${{ inputs.DOCKER_TAG_IMAGE_TAG_SOURCE }}` + - `docker pull ${{ inputs.DOCKER_PUBLISH_REGISTRY }}/${{ inputs.DOCKER_PUBLISH_IMAGE_NAME }}:${{ github.ref_name }}` + + [another link](https://nofusscomputing.com) does render as markdown works. 
+ + + + docker-release-files: + if: ${{ github.ref_type == 'tag' }} + needs: + - docker-build + - docker-sbom + - docker-tagged + - docker-publish + runs-on: ubuntu-latest + name: Release Files + steps: + + + - name: Fetch Image Attestation Artifact - ${{ inputs.DOCKER_PUBLISH_REGISTRY }} + if: ${{ inputs.DOCKER_PUBLISH_REGISTRY != inputs.DOCKER_BUILD_REGISTRY }} + uses: actions/download-artifact@v4 + with: + name: ${{ inputs.DOCKER_PUBLISH_REGISTRY }}-attestation-image-published + path: attestation-image/ + + + - + if: ${{ inputs.DOCKER_PUBLISH_REGISTRY != inputs.DOCKER_BUILD_REGISTRY }} + run: | + mv attestation-image/attestation.jsonl ${{ inputs.DOCKER_PUBLISH_REGISTRY }}-attestation-image.jsonl + + + - name: Fetch SBOM Attestation Artifact - ${{ inputs.DOCKER_PUBLISH_REGISTRY }} + if: ${{ inputs.DOCKER_PUBLISH_REGISTRY != inputs.DOCKER_BUILD_REGISTRY }} + uses: actions/download-artifact@v4 + with: + name: ${{ inputs.DOCKER_PUBLISH_REGISTRY }}-attestation-image-sbom-published + path: attestation-sbom/ + + + - if: ${{ inputs.DOCKER_PUBLISH_REGISTRY != inputs.DOCKER_BUILD_REGISTRY }} + run: | + mv attestation-sbom/attestation.jsonl ${{ inputs.DOCKER_PUBLISH_REGISTRY }}-attestation-sbom.jsonl + + + - if: ${{ inputs.DOCKER_PUBLISH_REGISTRY != inputs.DOCKER_BUILD_REGISTRY }} + run: | + ls -la; + + + + - name: Upload created artifact to release assets - ${{ inputs.DOCKER_PUBLISH_REGISTRY }} + if: ${{ inputs.DOCKER_PUBLISH_REGISTRY != inputs.DOCKER_BUILD_REGISTRY }} + uses: mkatanski/release-files-action@v1.1.3 + with: + token: ${{ secrets.GITHUB_TOKEN }} + release-tag: ${{ github.ref_name }} + name: "${{ inputs.DOCKER_PUBLISH_REGISTRY }}-attestation-image.jsonl" + file-path: ${{ inputs.DOCKER_PUBLISH_REGISTRY }}-attestation-image.jsonl + + + + - name: Upload created artifact to release assets - ${{ inputs.DOCKER_BUILD_REGISTRY }} + if: ${{ inputs.DOCKER_PUBLISH_REGISTRY != inputs.DOCKER_BUILD_REGISTRY }} + uses: mkatanski/release-files-action@v1.1.3 + with: + token: 
${{ secrets.GITHUB_TOKEN }} + release-tag: ${{ github.ref_name }} + name: "${{ inputs.DOCKER_PUBLISH_REGISTRY }}-attestation-image-sbom.jsonl" + file-path: ${{ inputs.DOCKER_PUBLISH_REGISTRY }}-attestation-sbom.jsonl + + + - name: Fetch Image Attestation Artifact - ${{ inputs.DOCKER_BUILD_REGISTRY }} + uses: actions/download-artifact@v4 + with: + name: ${{ inputs.DOCKER_BUILD_REGISTRY }}-attestation-image + path: ${{ inputs.DOCKER_BUILD_REGISTRY }}-attestation-image/ + + + - run: | + mv ${{ inputs.DOCKER_BUILD_REGISTRY }}-attestation-image/attestation.jsonl ${{ inputs.DOCKER_BUILD_REGISTRY }}-attestation-image.jsonl + + + - name: Fetch SBOM Attestation Artifact - ${{ inputs.DOCKER_BUILD_REGISTRY }} + uses: actions/download-artifact@v4 + with: + name: ${{ inputs.DOCKER_BUILD_REGISTRY }}-attestation-image-sbom + path: ${{ inputs.DOCKER_BUILD_REGISTRY }}-attestation-sbom/ + + + - run: | + mv ${{ inputs.DOCKER_BUILD_REGISTRY }}-attestation-sbom/attestation.jsonl ${{ inputs.DOCKER_BUILD_REGISTRY }}-attestation-sbom.jsonl + + + - run: | + ls -la; + + + - name: Upload created artifact to release assets - ${{ inputs.DOCKER_BUILD_REGISTRY }} + uses: mkatanski/release-files-action@v1.1.3 + with: + token: ${{ secrets.GITHUB_TOKEN }} + release-tag: ${{ github.ref_name }} + name: "${{ inputs.DOCKER_BUILD_REGISTRY }}-attestation-image.jsonl" + file-path: ${{ inputs.DOCKER_BUILD_REGISTRY }}-attestation-image.jsonl + + + + - name: Upload created artifact to release assets - ${{ inputs.DOCKER_BUILD_REGISTRY }} + uses: mkatanski/release-files-action@v1.1.3 + with: + token: ${{ secrets.GITHUB_TOKEN }} + release-tag: ${{ github.ref_name }} + name: "${{ inputs.DOCKER_BUILD_REGISTRY }}-attestation-image-sbom.jsonl" + file-path: ${{ inputs.DOCKER_BUILD_REGISTRY }}-attestation-sbom.jsonl + + + # - name: Update Release + # uses: nicovince/manage-release@v1 + # env: + # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # with: + # files: + # release: ${{ github.ref_name }} + # tag: ${{ 
github.ref_name }} diff --git a/dockerfile b/dockerfile new file mode 100644 index 0000000..db61340 --- /dev/null +++ b/dockerfile @@ -0,0 +1,15 @@ +# +# This dockerfile is used for testing the docker workflow +# + +FROM debian:bookworm-slim + + + +LABEL \ + org.opencontainers.image.title="Test" \ + org.opencontainers.image.description="a testing docker container" \ + org.opencontainers.image.documentation="https://nofusscomputing.com" \ + org.opencontainers.image.vendor="No Fuss Computing" \ + io.artifacthub.package.license="MIT" + From 1f12548160cd6379d248240f975e7ca2fe2c1872 Mon Sep 17 00:00:00 2001 From: Jon Date: Thu, 8 Aug 2024 18:25:04 +0930 Subject: [PATCH 03/21] temp commit --- .github/workflows/code-coverage-report.yaml | 93 +++ .github/workflows/docker.yaml | 34 +- .github/workflows/pull-requests.yaml | 37 + .github/workflows/release.yaml | 53 ++ .github/workflows/{ => temp}/ci.yaml | 0 .github/workflows/temp/docker.yaml | 883 ++++++++++++++++++++ .github/workflows/temp/management.yaml | 34 + .github/workflows/temp/pr.yaml | 24 + .github/workflows/temp/release.yaml | 53 ++ .github/workflows/unit-test-report.yaml | 58 ++ .github/workflows/unit-test.yaml | 262 ++++++ 11 files changed, 1519 insertions(+), 12 deletions(-) create mode 100644 .github/workflows/code-coverage-report.yaml create mode 100644 .github/workflows/pull-requests.yaml create mode 100644 .github/workflows/release.yaml rename .github/workflows/{ => temp}/ci.yaml (100%) create mode 100644 .github/workflows/temp/docker.yaml create mode 100644 .github/workflows/temp/management.yaml create mode 100644 .github/workflows/temp/pr.yaml create mode 100644 .github/workflows/temp/release.yaml create mode 100644 .github/workflows/unit-test-report.yaml create mode 100644 .github/workflows/unit-test.yaml diff --git a/.github/workflows/code-coverage-report.yaml b/.github/workflows/code-coverage-report.yaml new file mode 100644 index 0000000..8fc875c --- /dev/null 
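Review bot: In the `docker-tagged` job the `Log into registry ghcr.io` step is guarded by `if: (${{ github.ref_type != 'tag' }})` while the job itself only runs when `github.ref_type == 'tag'`, so the login never executes and the following `docker buildx imagetools create ... --tag ...:${{ github.ref_name }}` pushes to the registry without credentials; drop that step-level `if:`, since the job-level condition already restricts the job to tags. In `docker-pr-comment`, the `Capture scan results` step streams `vulnerability-report.md` into `$GITHUB_ENV` with what appears to be a fixed `EOF` heredoc delimiter (the line `echo "report<> $GITHUB_ENV` looks truncated in this rendering); because the report text is built from scanner output, it should use a unique delimiter, e.g. `delim="$(openssl rand -hex 16)"` followed by `echo "report<<${delim}" >> "$GITHUB_ENV"` and `echo "${delim}" >> "$GITHUB_ENV"`, so a matching line in the content cannot end the value early and define further variables. `actions/checkout@v4`, `aquasecurity/trivy-action@0.20.0`, `mkatanski/release-files-action@v1.1.3`, `actions/attest-build-provenance@v1` and the other third-party actions are referenced by mutable tags while `docker/login-action` is pinned to a commit SHA; with `packages: write`, `contents: write` and `id-token: write` granted at the workflow level to every job, pinning all of them and scoping the `permissions:` block per job limits what a moved tag could do with those grants. The leftover `Debug` step in `docker-build` only prints event payload fields and can be removed.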
+++ b/.github/workflows/code-coverage-report.yaml @@ -0,0 +1,93 @@ +--- + +name: 'Process Coverage Artifact' + +on: + workflow_run: + workflows: + - 'Unit Test' + types: + - completed + + +permissions: + contents: read + actions: read + checks: write + + +jobs: + report: + runs-on: ubuntu-latest + # strategy: + # max-parallel: 4 + # matrix: + # python-version: ['3.12'] + name: Coverage + steps: + + - name: Run Tests + run: | + ls -l; + + - name: Download Coverage Artifact + uses: actions/download-artifact@v4 + with: + name: coverage-report-3.12 + # path: coverage.xml + run-id: ${{ github.event.workflow_run.id }} + github-token: ${{ github.token }} + + - name: ls + if: success() || failure() + run: | + ls -l; + + - name: Code Coverage Report + uses: irongut/CodeCoverageSummary@v1.3.0 + with: + filename: coverage.xml + badge: true + fail_below_min: true + format: markdown + hide_branch_rate: false + hide_complexity: false + indicators: true + output: both + thresholds: '60 85' + + + # - name: Add Coverage PR Comment + # uses: marocchino/sticky-pull-request-comment@v2 + # if: github.event_name == 'pull_request' + # with: + # recreate: true + # path: code-coverage-results.md + + + - name: ls + if: success() || failure() + run: | + ls -l; + + # - name: Adding markdown + # run: | + # cat $(ls *.md | tail -1) >> $GITHUB_STEP_SUMMARY + + - name: create status check/comment for code coverage results + id: jest_coverage_check + uses: im-open/process-code-coverage-summary@v2.3.0 + with: + # github-token: ${{ secrets.GITHUB_TOKEN }} + github-token: ${{ github.token }} + summary-file: code-coverage-results.md + create-pr-comment: true + update-comment-if-one-exists: true + update-comment-key: "${{ env.GITHUB-JOB }}_${{ env.GITHUB-ACTION }}" + + - name: Upload Coverage Summary + uses: actions/upload-artifact@v4 + if: success() || failure() + with: + name: code-coverage-results-3.12 + path: code-coverage-results.md 
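Review bot: `update-comment-key: "${{ env.GITHUB-JOB }}_${{ env.GITHUB-ACTION }}"` looks up environment variables that the runner does not provide (it exports `GITHUB_JOB` and `GITHUB_ACTION`, with underscores), so both lookups are empty and the key collapses to `_`, making every run update the same comment regardless of job; the context values are what seems intended: `update-comment-key: "${{ github.job }}_${{ github.action }}"`. The same step sets `create-pr-comment: true`, but the `permissions:` block at the top of the file grants only `contents: read`, `actions: read` and `checks: write`; as far as I can tell, posting a pull-request comment with `github.token` also needs `pull-requests: write`, so the comment call would be rejected as written. Because this is a `workflow_run` workflow it executes in the base repository with that token no matter which branch or fork produced the triggering run, so `coverage.xml` fetched via `run-id: ${{ github.event.workflow_run.id }}` should be treated as untrusted input and the permission list kept to exactly what the comment step needs. The first step is named `Run Tests` but only runs `ls -l`; renaming it (or removing it, as the later `ls` step repeats it) would keep the job log honest.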
diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml index fbe1bfd..8f134aa 100644 --- a/.github/workflows/docker.yaml +++ b/.github/workflows/docker.yaml @@ -66,7 +66,17 @@ on: description: Create image with tag that is the git commit required: false type: boolean - + secrets: + DOCKER_PUBLISH_USERNAME: + # default: ${{ github.actor }} + description: Publish Docker registry username + required: true + # type: string + DOCKER_PUBLISH_PASSWORD: + # default: ${{ secrets.GITHUB_TOKEN }} + description: Publish Docker registry username + required: true + # type: string permissions: pull-requests: write @@ -117,10 +127,10 @@ jobs: - - name: Log into registry ghcr.io + - name: Log into registry ${{ inputs.DOCKER_BUILD_REGISTRY }} uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 with: - registry: ghcr.io + registry: ${{ inputs.DOCKER_BUILD_REGISTRY }} username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} @@ -240,14 +250,14 @@ jobs: echo "Scanning image turned off.This Job does nothing however as 'docker-scan-vulnerability' is a dependency job, must do something."; - - name: Log into registry ghcr.io + - name: Log into registry ${{ inputs.DOCKER_BUILD_REGISTRY }} if: (${{ inputs.DOCKER_SCAN_IMAGE_VULNERABILITY }}) uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 with: - registry: ghcr.io + registry: ${{ inputs.DOCKER_BUILD_REGISTRY }} username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} @@ -489,7 +499,7 @@ jobs: file-path: dependency-results.sbom.json - - name: Log into registry ghcr.io + - name: Log into registry ${{ inputs.DOCKER_BUILD_REGISTRY }} if: ${{ github.ref_name == 'development' || @@ -499,7 +509,7 @@ jobs: }} uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 with: - registry: ghcr.io + registry: ${{ inputs.DOCKER_BUILD_REGISTRY }} username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} 
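Review bot: The description of the new `DOCKER_PUBLISH_PASSWORD` secret in the `@@ -66,7 +66,17 @@` hunk is a copy of the username's (`description: Publish Docker registry username`); it should read `description: Publish Docker registry password`. The login steps changed in the `@@ -117`, `@@ -240`, `@@ -489`/`@@ -499` hunks (and `@@ -589` on the next line) now take the registry from `inputs.DOCKER_BUILD_REGISTRY` but still authenticate with `username: ${{ github.actor }}` and `password: ${{ secrets.GITHUB_TOKEN }}`, which only ghcr.io accepts, so a caller that sets the input to any other registry fails at login; either state on the input's `description` that only `ghcr.io` is supported for the build registry, or accept build-registry credentials as `secrets:` the way the publish credentials were added here. The commented-out `# type: string` lines under `secrets:` can be dropped, since `workflow_call` secrets carry no type.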
@@ -589,14 +599,14 @@ jobs:
 steps:
- - name: Log into registry ghcr.io
+ - name: Log into registry ${{ inputs.DOCKER_BUILD_REGISTRY }}
 if:
 (${{
 github.ref_type != 'tag'
 }})
 uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
 with:
- registry: ghcr.io
+ registry: ${{ inputs.DOCKER_BUILD_REGISTRY }}
 username: ${{ github.actor }}
 password: ${{ secrets.GITHUB_TOKEN }}
@@ -665,12 +675,12 @@ jobs:
 steps:
- - name: Log into registry ghcr.io
+ - name: Log into registry ${{ inputs.DOCKER_PUBLISH_REGISTRY }}
 uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
 with:
 registry: ${{ inputs.DOCKER_PUBLISH_REGISTRY }}
- username: ${{ github.actor }}
- password: ${{ secrets.GITHUB_TOKEN }}
+ username: ${{ inputs.DOCKER_PUBLISH_USERNAME }}
+ password: ${{ inputs.DOCKER_PUBLISH_PASSWORD }}
 - name: Tag Image with GIT Tag '${{ github.ref_name }}'
diff --git a/.github/workflows/pull-requests.yaml b/.github/workflows/pull-requests.yaml
new file mode 100644
index 0000000..cb0bedd
--- /dev/null
+++ b/.github/workflows/pull-requests.yaml
@@ -0,0 +1,37 @@
+---
+
+name: Pull Requests
+
+
+on:
+ workflow_call:
+
+
+jobs:
+
+ conventional-pr-title:
+ name: Conventional PR Title
+ runs-on: ubuntu-latest
+ steps:
+
+
+ - name: Conventional Commit PR Title
+ uses: agenthunt/conventional-commit-checker-action@v1.0.0
+ with:
+ pr-title-regex: "^(.+)(?:(([^)s]+)))?: (.+)"
+ pr-body-regex: "(.*)"
+
+
+ conventional-commits:
+ name: Conventional Commits
+ runs-on: ubuntu-latest
+ steps:
+
+ - name: Check Commits
+ uses: taskmedia/action-conventional-commits@v1.1.17
+ with:
+ token: ${{ github.token }}
+ skip_merge: true
+ skip_revert: true
+ types: "build|chore|ci|docs|feat|fix|perf|refactor|revert|style|test"
+
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
new file mode 100644
index 0000000..aa4cbca
--- /dev/null
+++ b/.github/workflows/release.yaml
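Review bot: `username: ${{ inputs.DOCKER_PUBLISH_USERNAME }}` and `password: ${{ inputs.DOCKER_PUBLISH_PASSWORD }}` read the `inputs` context, but both values are declared under `secrets:` in the -66 hunk, so they expand to empty strings and the login to `${{ inputs.DOCKER_PUBLISH_REGISTRY }}` fails. They should be `username: ${{ secrets.DOCKER_PUBLISH_USERNAME }}` and `password: ${{ secrets.DOCKER_PUBLISH_PASSWORD }}`, which also keeps the values masked in the job log. The job body continues outside the hunk.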
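Review bot: As written, `pr-title-regex: "^(.+)(?:(([^)s]+)))?: (.+)"` has a character class `[^)s]` that excludes the letter `s` rather than whitespace, and the parentheses around it are unescaped groups; if the intent is `[^)\s]` with literal parentheses, the backslashes were lost (in a double-quoted YAML scalar `\s` is not a valid escape), so write the pattern in single quotes, e.g. `pr-title-regex: '^(.+)(?:\(([^)\s]+)\))?: (.+)'`. `pr-body-regex: "(.*)"` matches an empty body and enforces nothing; drop it or require content. Both third-party actions are pinned by tag only (`@v1.0.0`, `@v1.1.17`) while docker.yaml pins `docker/login-action` to a commit SHA with a version comment; pin these the same way so a moved tag cannot change what runs with `github.token`. The same content is duplicated in `temp/pr.yaml` further down.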
@@ -0,0 +1,53 @@
+name: Release
+
+on:
+ workflow_call:
+
+
+
+jobs:
+ release:
+ name: Release
+ if: ${{ github.ref_type == 'tag' }}
+ runs-on: ubuntu-latest
+ steps:
+
+
+ - name: Create GH Release
+ if: ${{ github.ref_type == 'tag' }}
+ id: release
+ uses: softprops/action-gh-release@v2
+ with:
+ body: |
+ # A title block
+
+ Some release text
+
+ A [link](https://nofusscomputing.com) does render as markdown works.
+
+
+ release-label:
+ if: ${{ github.ref_type == 'tag' }}
+ name: Create Release Label
+ permissions:
+ contents: read
+ issues: write
+ runs-on: ubuntu-latest
+ steps:
+
+ - run: |
+ mkdir -p .github;
+ echo "
+ labels:
+ v${{ github.ref_name }}:
+ color: "EEE600"
+ description: Version Affected.
+
+ " > .github/labels.yml;
+
+ cat .github/labels.yml;
+
+
+ - uses: oliversalzburg/action-label-manager@v0.0.9
+ with:
+ repo_token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/ci.yaml b/.github/workflows/temp/ci.yaml
similarity index 100%
rename from .github/workflows/ci.yaml
rename to .github/workflows/temp/ci.yaml
diff --git a/.github/workflows/temp/docker.yaml b/.github/workflows/temp/docker.yaml
new file mode 100644
index 0000000..fbe1bfd
--- /dev/null
+++ b/.github/workflows/temp/docker.yaml
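Review bot: `v${{ github.ref_name }}:` in the `release-label` job is interpolated directly into a `run:` script; tag names may contain shell metacharacters, so pass the value through `env:` (`env: { REF_NAME: ${{ github.ref_name }} }`) and reference `"$REF_NAME"` in the script instead. The nested double quotes around `EEE600` inside `echo " ... "` are consumed by the shell, so the file ends up with `color: EEE600`; writing the document with an unquoted heredoc (`cat <<EOF > .github/labels.yml`) keeps the inner quotes and still expands `$REF_NAME` without executing it. The `release` job declares no `permissions:` while `release-label` does; creating a release needs `contents: write`, so declare that on the job so callers of this `workflow_call` see the minimum grant. The identical copy in `temp/release.yaml` further down has the same issues.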
@@ -0,0 +1,883 @@
+---
+
+name: 'Docker'
+
+
+on:
+ workflow_call:
+ inputs:
+ DOCKER_BUILD_REGISTRY:
+ default: "ghcr.io"
+ description: Registry where build image will live
+ required: false
+ type: string
+ DOCKER_BUILD_IMAGE_NAME:
+ default: "${{ github.repository }}"
+ description: Docker image name for building image
+ required: false
+ type: string
+ DOCKER_BUILD_IMAGE_TAG:
+ default: "${{ github.sha }}"
+ description: Docker image tag for building image
+ required: false
+ type: string
+ DOCKER_FILE:
+ default: "dockerfile"
+ description: Path to the dockerfile
+ required: false
+ type: string
+ DOCKER_LABEL_ARTIFACTHUB_MAINTAINER:
+ default: '[{"name":"No Fuss Computing","email":"helpdesk@nofusscomputing.com"}]'
+ description: Artifact hub Maintainer
+ required: false
+ type: string
+ DOCKER_LABEL_ARTIFACTHUB_README:
+ default: 'https://raw.githubusercontent.com/${{ github.repository }}/development/README.md'
+ description: Artifact hub ReadMe
+ required: false
+ type: string
+ DOCKER_PUBLISH_REGISTRY:
+ default: "docker.io"
+ description: Registry where image will be published to
+ required: false
+ type: string
+ DOCKER_PUBLISH_IMAGE_NAME:
+ default: "${{ github.repository }}"
+ description: Docker image name for publishing the image
+ required: false
+ type: string
+ DOCKER_SCAN_IMAGE_VULNERABILITY:
+ default: true
+ description: Scan Image with Trivy
+ required: false
+ type: boolean
+ DOCKER_TAG_IMAGE_TAG_SOURCE:
+ default: "${{ github.sha }}"
+ description: Docker image tag Used for source Image to tag
+ required: false
+ type: string
+ DOCKER_TAG_IMAGE_TAG_LATEST:
+ default: true
+ description: Create image with tag 'Latest'
+ required: false
+ type: boolean
+ DOCKER_TAG_IMAGE_TAG_SHA:
+ default: true
+ description: Create image with tag that is the git commit
+ required: false
+ type: boolean
+
+
+permissions:
+ pull-requests: write
+ contents: write
+ actions: read
+ checks: write
+ packages: write
+ security-events: write
+ statuses: write
+
id-token: write
+ attestations: write
+
+jobs:
+
+ docker-build:
+ if:
+ (${{
+ github.event.push
+ ||
+ github.ref_type == 'tag'
+ }})
+ runs-on: ubuntu-latest
+ name: Build Image
+ outputs:
+ build-image-digest: ${{ steps.image-digest.outputs.value-out }}
+ steps:
+
+
+
+ - name: Debug
+ run: |
+ echo "${{ github.event.pull_request.head.repo.full_name || github.repository }}";
+ echo "**************************";
+ echo "${{ github.event.pull_request.head.repo.full_name }}";
+ echo "**************************";
+ echo "${{ github.repository }}";
+ echo "**************************";
+ echo "${{ github.event.pull_request.head.repo }}";
+ echo "**************************";
+ echo "${{ github.event.push }}";
+ echo "**************************";
+ - uses: actions/checkout@v4
+
+ - name: Dummy Task
+ if: ${{ github.ref_type == 'tag' }}
+ run: |
+ echo "This Job does nothing however as 'docker-build' is a dependency job, must do something.";
+
+
+
+ - name: Log into registry ghcr.io
+ uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+
+ - name: Setup BuildX
+ if: ${{ github.ref_type != 'tag' }}
+ run: |
+ docker buildx create --name project-v3-builder;
+ docker buildx use project-v3-builder;
+
+
+ - name: build image
+ if: ${{ github.ref_type != 'tag' }}
+ run: |
+ docker buildx build --platform="linux/amd64,linux/arm64" .
\
+ --label "org.opencontainers.image.created=$(date '+%Y-%m-%dT%H:%M:%S%:z')" \
+ --label "org.opencontainers.image.source=https://github.com/${{ github.repository }}" \
+ --label "org.opencontainers.image.revision=${{ github.sha }}" \
+ \
+ --label "io.artifacthub.package.readme-url=${{ inputs.DOCKER_LABEL_ARTIFACTHUB_README }}" \
+ --label 'io.artifacthub.package.maintainers=${{ inputs.DOCKER_LABEL_ARTIFACTHUB_MAINTAINER }}' \
+ \
+ --annotation "org.opencontainers.image.description=a DESCRIPTION for multi-arch images" \
+ --annotation "org.opencontainers.image.created=$(date '+%Y-%m-%dT%H:%M:%S%:z')" \
+ --annotation "org.opencontainers.image.source=https://github.com/${{ github.repository }}" \
+ --annotation "org.opencontainers.image.revision=${{ github.sha }}" \
+ --push \
+ --file ${{ inputs.DOCKER_FILE }} \
+ --tag ${{ inputs.DOCKER_BUILD_REGISTRY }}/${{ inputs.DOCKER_BUILD_IMAGE_NAME }}:${{ inputs.DOCKER_BUILD_IMAGE_TAG }};
+
+
+ - name: Remove "Unknown" Image from Manifest
+ if: ${{ github.ref_type != 'tag' }}
+ run: |
+
+ DOCKER_MULTI_ARCH_IMAGES=$(docker buildx imagetools inspect "${{ inputs.DOCKER_BUILD_REGISTRY }}/${{ inputs.DOCKER_BUILD_IMAGE_NAME }}:${{ inputs.DOCKER_BUILD_IMAGE_TAG }}" --format "{{ range .Manifest.Manifests }}{{ if ne (print .Platform) \"&{unknown unknown [] }\" }}${{ inputs.DOCKER_BUILD_REGISTRY }}/${{ inputs.DOCKER_BUILD_IMAGE_NAME }}:${{ inputs.DOCKER_BUILD_IMAGE_TAG }}@{{ println .Digest }}{{end}} {{end}}");
+
+ docker buildx imagetools create $DOCKER_MULTI_ARCH_IMAGES \
+ --tag ${{ inputs.DOCKER_BUILD_REGISTRY }}/${{ inputs.DOCKER_BUILD_IMAGE_NAME }}:${{ inputs.DOCKER_BUILD_IMAGE_TAG }} \
+ --tag ${{ inputs.DOCKER_BUILD_REGISTRY }}/${{ inputs.DOCKER_BUILD_IMAGE_NAME }}:dev;
+
+
+ - name: Fetch image
+ run: |
+ docker pull ${{ inputs.DOCKER_BUILD_REGISTRY }}/${{ inputs.DOCKER_BUILD_IMAGE_NAME }}:${{ inputs.DOCKER_BUILD_IMAGE_TAG }} >> /dev/null;
+
+
+ - name: Fetch Manifest digest
+ id: image-digest
+ run: |
+ echo
"value-out=$(docker inspect --format='{{index .RepoDigests 0}}' ${{ inputs.DOCKER_BUILD_REGISTRY }}/${{ inputs.DOCKER_BUILD_IMAGE_NAME }}:${{ inputs.DOCKER_BUILD_IMAGE_TAG }} | cut -d '@' -f 2)" >> $GITHUB_OUTPUT + + + - name: Attest + if: ${{ + github.ref_name == 'development' + || + github.ref_name == 'master' + || + github.ref_type == 'tag' + }} + uses: actions/attest-build-provenance@v1 + id: image-attest + with: + subject-name: ${{ inputs.DOCKER_BUILD_REGISTRY }}/${{ inputs.DOCKER_BUILD_IMAGE_NAME }} + subject-digest: ${{ steps.image-digest.outputs.value-out }} + push-to-registry: true + + + - name: Upload Image Attestation Artifact + if: ${{ + github.ref_name == 'development' + || + github.ref_name == 'master' + || + github.ref_type == 'tag' + }} + uses: actions/upload-artifact@v4 + with: + name: ${{ inputs.DOCKER_BUILD_REGISTRY }}-attestation-image + path: ${{ steps.image-attest.outputs.bundle-path }} + + + - name: Cleanup BuildX + if: ${{ github.ref_type != 'tag' }} + run: | + docker buildx rm project-v3-builder; + + + + docker-scan-vulnerability: + if: + (${{ + ( + github.event.push + || + github.ref_type == 'tag' + ) + && + inputs.DOCKER_SCAN_IMAGE_VULNERABILITY + }}) + + needs: + - docker-build + runs-on: ubuntu-latest + name: Vulnerability Scan + steps: + - uses: actions/checkout@v4 + + + - name: Dummy Task + if: + (${{ + inputs.DOCKER_SCAN_IMAGE_VULNERABILITY == false + }}) + run: | + echo "Scanning image turned off.This Job does nothing however as 'docker-scan-vulnerability' is a dependency job, must do something."; + + + - name: Log into registry ghcr.io + if: + (${{ + inputs.DOCKER_SCAN_IMAGE_VULNERABILITY + }}) + uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + + - name: Run Trivy vulnerability scanner (sarif Report) + if: + (${{ + inputs.DOCKER_SCAN_IMAGE_VULNERABILITY + }}) + uses: aquasecurity/trivy-action@0.20.0 + 
with: + image-ref: '${{ inputs.DOCKER_BUILD_REGISTRY }}/${{ inputs.DOCKER_BUILD_IMAGE_NAME }}:${{ inputs.DOCKER_BUILD_IMAGE_TAG }}' + format: 'sarif' + output: 'trivy-results.sarif' + severity: 'LOW,MEDIUM,HIGH,CRITICAL' + vuln-type: 'os,library' + scanners: vuln + ignore-unfixed: true + + + - name: Upload Trivy Vulnerability Scan as a release asset + if: ${{ github.ref_type == 'tag' }} + uses: mkatanski/release-files-action@v1.1.3 + with: + token: ${{ secrets.GITHUB_TOKEN }} + release-tag: ${{ github.ref_name }} + name: "trivy-vulnerability-scan.sarif" + file-path: trivy-results.sarif + + + - name: Upload Trivy scan results to GitHub Security tab + if: + (${{ + inputs.DOCKER_SCAN_IMAGE_VULNERABILITY + }}) + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: 'trivy-results.sarif' + + + - name: Run Trivy vulnerability scanner (json Report) + if: + (${{ + inputs.DOCKER_SCAN_IMAGE_VULNERABILITY + }}) + uses: aquasecurity/trivy-action@0.20.0 + with: + image-ref: '${{ inputs.DOCKER_BUILD_REGISTRY }}/${{ inputs.DOCKER_BUILD_IMAGE_NAME }}:${{ inputs.DOCKER_BUILD_IMAGE_TAG }}' + format: 'json' + output: 'scan-results.json' + severity: 'LOW,MEDIUM,HIGH,CRITICAL' + vuln-type: 'os,library' + scanners: vuln + ignore-unfixed: false + + - name: Upload scan results + if: + (${{ + inputs.DOCKER_SCAN_IMAGE_VULNERABILITY + }}) + uses: actions/upload-artifact@v4 + with: + name: container-scan-results-json + path: scan-results.json + + + - run: | + ls -la + + - name: Create Vulnerabilities (Critical/High) + if: + (${{ + inputs.DOCKER_SCAN_IMAGE_VULNERABILITY + }}) + run: | + if [ "$(jq -r '.Results')" ]; then + + not_empty="$(jq -r '.Results[] | .Vulnerabilities[]' scan-results.json)"; + + else + + not_empty=""; + + fi + + + jq -r ' + [ + "# Image Scan Results", + "", + "**Scan Date:** _" + ( .CreatedAt // "" ) + "_", + "**Image:** _" + ( .ArtifactName // "" ) + "_", + "**OS:** _" + ( .Metadata.OS.Family // "" ) + " " + ( .Metadata.OS.Name // "" ) + "_", + "" + ] | 
join("\n") + ' scan-results.json > vulnerability-report.md + + if [ "$not_empty" ]; then + jq -r ' + def hr(severity): + if severity == "HIGH" or severity == "CRITICAL" then true else false end; + def to_md: + "| " + (.VulnerabilityID // "") + " | " + (.PkgName // "") + " | " + (.InstalledVersion // "") + " | " + (.Severity // "") + " | " + (.Title // "") + " |"; + [ + "## High and Critical Vulnerabilities", + "", + "| Vulnerability ID | Package | Version | Severity | Description |", + "| --------- | ----- | ----- | ----- | -------|", + (.Results[] | .Vulnerabilities[] | select(hr(.Severity)) | to_md), + "" + ] | join("\n") + ' scan-results.json >> vulnerability-report.md + + else + + echo "**Nothing Found**" >> vulnerability-report.md + + fi; + + + + - name: Create Full Vulnerabilities + if: + (${{ + inputs.DOCKER_SCAN_IMAGE_VULNERABILITY + }}) + run: | + if [ "$(jq -r '.Results')" ]; then + + not_empty="$(jq -r '.Results[] | .Vulnerabilities[]' scan-results.json)"; + + else + + not_empty=""; + + fi + + + jq -r ' + [ + "# Full Image Scan Results", + "", + "**Scan Date:** _" + ( .CreatedAt // "" ) + "_", + "**Image:** _" + ( .ArtifactName // "" ) + "_", + "**OS:** _" + ( .Metadata.OS.Family // "" ) + " " + ( .Metadata.OS.Name // "" ) + "_", + "" + ] | join("\n") + ' scan-results.json > full-vulnerability-report.md + + if [ "$not_empty" ]; then + jq -r ' + def hr(severity): + if severity == "HIGH" or severity == "CRITICAL" then true else false end; + def to_md: + "| " + (.VulnerabilityID // "") + " | " + (.PkgName // "") + " | " + (.InstalledVersion // "") + " | " + (.Severity // "") + " | " + (.Title // "") + " |"; + [ + "## Vulnerabilities", + "", + "| Vulnerability ID | Package | Version | Severity | Description |", + "| --------- | ----- | ----- | ----- | -------|", + (.Results[] | .Vulnerabilities[] | select(.Severity) | to_md), + "" + ] | join("\n") + ' scan-results.json >> full-vulnerability-report.md + + else + + echo "**Nothing Found**" >> 
full-vulnerability-report.md
+
+ fi;
+
+
+ - name: Upload scan results
+ if:
+ (${{
+ inputs.DOCKER_SCAN_IMAGE_VULNERABILITY
+ }})
+ uses: actions/upload-artifact@v4
+ with:
+ name: docker-vulnerability-report
+ path: vulnerability-report.md
+
+ - name: Upload scan results
+ if:
+ (${{
+ inputs.DOCKER_SCAN_IMAGE_VULNERABILITY
+ }})
+ uses: actions/upload-artifact@v4
+ with:
+ name: docker-vulnerability-report-full
+ path: full-vulnerability-report.md
+
+
+
+ docker-sbom:
+ if:
+ (${{
+ (
+ github.event.push
+ ||
+ github.ref_type == 'tag'
+ )
+ }})
+ needs:
+ - docker-build
+ runs-on: ubuntu-latest
+ name: Image SBOM
+ steps:
+
+
+ - name: Scan Image
+ uses: aquasecurity/trivy-action@0.20.0
+ with:
+ scan-type: image
+ format: cyclonedx
+ output: dependency-results.sbom.json
+ image-ref: '${{ inputs.DOCKER_BUILD_REGISTRY }}/${{ inputs.DOCKER_BUILD_IMAGE_NAME }}:${{ inputs.DOCKER_BUILD_IMAGE_TAG }}'
+ scan-ref: .
+ ignore-unfixed: false
+ vuln-type: os,library
+ severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
+ list-all-pkgs: false
+
+
+ - name: Upload SBOM as a Github artifact
+ uses: actions/upload-artifact@v4
+ with:
+ name: trivy-sbom-report
+ path: '${{ github.workspace }}/dependency-results.sbom.json'
+
+
+ - name: Upload Trivy SBOM as a release asset
+ if: ${{ github.ref_type == 'tag' }}
+ uses: mkatanski/release-files-action@v1.1.3
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
+ release-tag: ${{ github.ref_name }}
+ name: "dependency-scan.sbom.json"
+ file-path: dependency-results.sbom.json
+
+
+ - name: Log into registry ghcr.io
+ if: ${{
+ github.ref_name == 'development'
+ ||
+ github.ref_name == 'master'
+ ||
+ github.ref_type == 'tag'
+ }}
+ uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+
+ - name: Generate SBOM Attestation
+ if: ${{
+ github.ref_name == 'development'
+ ||
+ github.ref_name == 'master'
+ ||
+ github.ref_type ==
'tag'
+ }}
+ id: sbom-attest
+ uses: actions/attest-sbom@v1
+ with:
+ subject-name: '${{ inputs.DOCKER_BUILD_REGISTRY }}/${{ inputs.DOCKER_BUILD_IMAGE_NAME }}'
+ subject-digest: ${{ needs.docker-build.outputs.build-image-digest }}
+ sbom-path: 'dependency-results.sbom.json'
+ push-to-registry: true
+
+
+ - name: Upload SBOM Attestation Artifact
+ if: ${{
+ github.ref_name == 'development'
+ ||
+ github.ref_name == 'master'
+ ||
+ github.ref_type == 'tag'
+ }}
+ uses: actions/upload-artifact@v4
+ with:
+ name: ${{ inputs.DOCKER_BUILD_REGISTRY }}-attestation-image-sbom
+ path: ${{ steps.sbom-attest.outputs.bundle-path }}
+
+
+ docker-reports:
+ # if: ${{
+ # (
+ # github.event.push
+ # ||
+ # github.ref_type == 'tag'
+ # )
+ # }}
+ needs:
+ - docker-scan-vulnerability
+ - docker-build
+ runs-on: ubuntu-latest
+ name: Create Reports
+ steps:
+
+
+ - name: Dummy Task
+ if: ${{
+ inputs.DOCKER_SCAN_IMAGE_VULNERABILITY == false
+ }}
+ run: |
+ echo "Scanning image turned off.This Job does nothing however as 'docker-scan-vulnerability' is a dependency job, must do something.";
+
+
+ - name: Fetch Scan Results
+ if: ${{
+ inputs.DOCKER_SCAN_IMAGE_VULNERABILITY
+ }}
+ uses: actions/download-artifact@v4
+ with:
+ name: docker-vulnerability-report-full
+
+
+ - uses: dtinth/markdown-report-action@v1
+ if: ${{
+ inputs.DOCKER_SCAN_IMAGE_VULNERABILITY
+ }}
+ with:
+ name: Docker Vulnerability Report
+ title: Vulnerability Report
+ body-file: full-vulnerability-report.md
+
+
+
+ docker-tagged:
+ if: ${{ github.ref_type == 'tag' }}
+ needs:
+ - docker-scan-vulnerability
+ - docker-reports
+ runs-on: ubuntu-latest
+ name: Tagged Image
+ steps:
+
+
+ - name: Log into registry ghcr.io
+ if:
+ (${{
+ github.ref_type != 'tag'
+ }})
+ uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+
+ - name: Create Image Tag '${{ github.ref_name }}'
+ run: |
+ docker buildx
imagetools create ${{ inputs.DOCKER_BUILD_REGISTRY }}/${{ inputs.DOCKER_BUILD_IMAGE_NAME }}:${{ inputs.DOCKER_TAG_IMAGE_TAG_SOURCE }} \
+ --tag ${{ inputs.DOCKER_BUILD_REGISTRY }}/${{ inputs.DOCKER_BUILD_IMAGE_NAME }}:${{ github.ref_name }};
+
+
+ - name: Create Image Tag 'latest'
+ if: ${{ inputs.DOCKER_TAG_IMAGE_TAG_LATEST }}
+ run: |
+ docker buildx imagetools create ${{ inputs.DOCKER_BUILD_REGISTRY }}/${{ inputs.DOCKER_BUILD_IMAGE_NAME }}:${{ inputs.DOCKER_TAG_IMAGE_TAG_SOURCE }} \
+ --tag ${{ inputs.DOCKER_BUILD_REGISTRY }}/${{ inputs.DOCKER_BUILD_IMAGE_NAME }}:latest;
+
+
+
+ docker-pr-comment:
+ if: ${{ github.ref_type != 'tag' }}
+ needs:
+ - docker-scan-vulnerability
+ runs-on: ubuntu-latest
+ name: PR Comment (Vulnerability)
+ steps:
+
+
+ - name: Fetch Vulnerability Report
+ if: ${{ inputs.DOCKER_SCAN_IMAGE_VULNERABILITY }}
+ uses: actions/download-artifact@v4
+ with:
+ name: docker-vulnerability-report
+
+
+ - name: Capture scan results
+ if: ${{ inputs.DOCKER_SCAN_IMAGE_VULNERABILITY }}
+ run: |
+ content=$(cat vulnerability-report.md | head -c 65000)
+ echo "report<> $GITHUB_ENV
+ echo "$content" >> $GITHUB_ENV
+ echo "EOF" >> $GITHUB_ENV
+
+ - uses: jwalton/gh-find-current-pr@v1
+ id: finder
+
+ - name: Comment scan results on PR
+ if: ${{ inputs.DOCKER_SCAN_IMAGE_VULNERABILITY }}
+ uses: marocchino/sticky-pull-request-comment@v2
+ with:
+ number: ${{ steps.finder.outputs.pr }}
+ header: Image Scan Results
+ message: |
+ ${{ env.report }}
+
+
+
+ docker-publish:
+ if: ${{ github.ref_type == 'tag' }}
+ needs:
+ - docker-build
+ - docker-scan-vulnerability
+ - docker-reports
+ - docker-tagged
+ runs-on: ubuntu-latest
+ name: Publish
+ steps:
+
+
+ - name: Log into registry ghcr.io
+ uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+ with:
+ registry: ${{ inputs.DOCKER_PUBLISH_REGISTRY }}
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+
+ - name: Tag Image with GIT Tag '${{ github.ref_name }}'
+ run:
|
+ docker buildx imagetools create ${{ inputs.DOCKER_BUILD_REGISTRY }}/${{ inputs.DOCKER_BUILD_IMAGE_NAME }}:${{ inputs.DOCKER_TAG_IMAGE_TAG_SOURCE }} \
+ --tag ${{ inputs.DOCKER_PUBLISH_REGISTRY }}/${{ inputs.DOCKER_PUBLISH_IMAGE_NAME }}:${{ github.ref_name }} \
+
+
+
+ - name: Tag Image with GIT commit '${{ inputs.DOCKER_TAG_IMAGE_TAG_SOURCE }}'
+ if: ${{ inputs.DOCKER_TAG_IMAGE_TAG_SHA }}
+ run: |
+ docker buildx imagetools create ${{ inputs.DOCKER_BUILD_REGISTRY }}/${{ inputs.DOCKER_BUILD_IMAGE_NAME }}:${{ inputs.DOCKER_TAG_IMAGE_TAG_SOURCE }} \
+ --tag ${{ inputs.DOCKER_PUBLISH_REGISTRY }}/${{ inputs.DOCKER_PUBLISH_IMAGE_NAME }}:${{ inputs.DOCKER_TAG_IMAGE_TAG_SOURCE }} \
+
+
+ - name: Fetch image ${{ github.ref_name }}
+ run: |
+ docker pull ${{ inputs.DOCKER_PUBLISH_REGISTRY }}/${{ inputs.DOCKER_PUBLISH_IMAGE_NAME }}:${{ github.ref_name }} >> /dev/null;
+
+
+ - name: Fetch Manifest digest ${{ github.ref_name }}
+ id: image-digest
+ run: |
+ echo "value-out=$(docker inspect --format='{{index .RepoDigests 0}}' ${{ inputs.DOCKER_PUBLISH_REGISTRY }}/${{ inputs.DOCKER_PUBLISH_IMAGE_NAME }}:${{ github.ref_name }} | cut -d '@' -f 2)" >> $GITHUB_OUTPUT
+
+
+ - name: Attest ${{ github.ref_name }}
+ uses: actions/attest-build-provenance@v1
+ id: image-attest
+ with:
+ subject-name: ${{ inputs.DOCKER_PUBLISH_REGISTRY }}/${{ inputs.DOCKER_PUBLISH_IMAGE_NAME }}
+ subject-digest: ${{ steps.image-digest.outputs.value-out }}
+ push-to-registry: true
+
+
+ - name: Upload Image Attestation Artifact ${{ github.ref_name }}
+ uses: actions/upload-artifact@v4
+ with:
+ name: ${{ inputs.DOCKER_PUBLISH_REGISTRY }}-attestation-image-published
+ path: ${{ steps.image-attest.outputs.bundle-path }}
+
+
+ - name: Download SBOM as a Github artifact
+ uses: actions/download-artifact@v4
+ with:
+ name: trivy-sbom-report
+
+
+ - name: Generate SBOM Attestation (publish)
+ id: sbom-attest
+ uses: actions/attest-sbom@v1
+ with:
+ subject-name: '${{ inputs.DOCKER_PUBLISH_REGISTRY }}/${{
inputs.DOCKER_PUBLISH_IMAGE_NAME }}'
+ subject-digest: ${{ needs.docker-build.outputs.build-image-digest }}
+ sbom-path: 'dependency-results.sbom.json'
+ push-to-registry: true
+
+
+ - name: Upload SBOM Attestation Artifact (publish)
+ uses: actions/upload-artifact@v4
+ with:
+ name: ${{ inputs.DOCKER_PUBLISH_REGISTRY }}-attestation-image-sbom-published
+ path: ${{ steps.sbom-attest.outputs.bundle-path }}
+
+
+
+ - name: Tag Image with GIT 'latest'
+ if: ${{ inputs.DOCKER_TAG_IMAGE_TAG_LATEST }}
+ run: |
+ docker buildx imagetools create ${{ inputs.DOCKER_BUILD_REGISTRY }}/${{ inputs.DOCKER_BUILD_IMAGE_NAME }}:${{ inputs.DOCKER_TAG_IMAGE_TAG_SOURCE }} \
+ --tag ${{ inputs.DOCKER_PUBLISH_REGISTRY }}/${{ inputs.DOCKER_PUBLISH_IMAGE_NAME }}:latest;
+
+
+ - name: Append GH Release Body
+ if: ${{ github.ref_type == 'tag' }}
+ id: release
+ uses: softprops/action-gh-release@v2
+ with:
+ append_body: true
+ body: |
+ ## Images
+
+ - `docker pull ${{ inputs.DOCKER_PUBLISH_REGISTRY }}/${{ inputs.DOCKER_PUBLISH_IMAGE_NAME }}:latest`
+ - `docker pull ${{ inputs.DOCKER_PUBLISH_REGISTRY }}/${{ inputs.DOCKER_PUBLISH_IMAGE_NAME }}:${{ inputs.DOCKER_TAG_IMAGE_TAG_SOURCE }}`
+ - `docker pull ${{ inputs.DOCKER_PUBLISH_REGISTRY }}/${{ inputs.DOCKER_PUBLISH_IMAGE_NAME }}:${{ github.ref_name }}`
+
+ [another link](https://nofusscomputing.com) does render as markdown works.
+
+
+
+ docker-release-files:
+ if: ${{ github.ref_type == 'tag' }}
+ needs:
+ - docker-build
+ - docker-sbom
+ - docker-tagged
+ - docker-publish
+ runs-on: ubuntu-latest
+ name: Release Files
+ steps:
+
+
+ - name: Fetch Image Attestation Artifact - ${{ inputs.DOCKER_PUBLISH_REGISTRY }}
+ if: ${{ inputs.DOCKER_PUBLISH_REGISTRY != inputs.DOCKER_BUILD_REGISTRY }}
+ uses: actions/download-artifact@v4
+ with:
+ name: ${{ inputs.DOCKER_PUBLISH_REGISTRY }}-attestation-image-published
+ path: attestation-image/
+
+
+ -
+ if: ${{ inputs.DOCKER_PUBLISH_REGISTRY != inputs.DOCKER_BUILD_REGISTRY }}
+ run: |
+ mv attestation-image/attestation.jsonl ${{ inputs.DOCKER_PUBLISH_REGISTRY }}-attestation-image.jsonl
+
+
+ - name: Fetch SBOM Attestation Artifact - ${{ inputs.DOCKER_PUBLISH_REGISTRY }}
+ if: ${{ inputs.DOCKER_PUBLISH_REGISTRY != inputs.DOCKER_BUILD_REGISTRY }}
+ uses: actions/download-artifact@v4
+ with:
+ name: ${{ inputs.DOCKER_PUBLISH_REGISTRY }}-attestation-image-sbom-published
+ path: attestation-sbom/
+
+
+ - if: ${{ inputs.DOCKER_PUBLISH_REGISTRY != inputs.DOCKER_BUILD_REGISTRY }}
+ run: |
+ mv attestation-sbom/attestation.jsonl ${{ inputs.DOCKER_PUBLISH_REGISTRY }}-attestation-sbom.jsonl
+
+
+ - if: ${{ inputs.DOCKER_PUBLISH_REGISTRY != inputs.DOCKER_BUILD_REGISTRY }}
+ run: |
+ ls -la;
+
+
+
+ - name: Upload created artifact to release assets - ${{ inputs.DOCKER_PUBLISH_REGISTRY }}
+ if: ${{ inputs.DOCKER_PUBLISH_REGISTRY != inputs.DOCKER_BUILD_REGISTRY }}
+ uses: mkatanski/release-files-action@v1.1.3
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
+ release-tag: ${{ github.ref_name }}
+ name: "${{ inputs.DOCKER_PUBLISH_REGISTRY }}-attestation-image.jsonl"
+ file-path: ${{ inputs.DOCKER_PUBLISH_REGISTRY }}-attestation-image.jsonl
+
+
+
+ - name: Upload created artifact to release assets - ${{ inputs.DOCKER_BUILD_REGISTRY }}
+ if: ${{ inputs.DOCKER_PUBLISH_REGISTRY != inputs.DOCKER_BUILD_REGISTRY }}
+ uses: mkatanski/release-files-action@v1.1.3
+ with:
+ token:
${{ secrets.GITHUB_TOKEN }}
+ release-tag: ${{ github.ref_name }}
+ name: "${{ inputs.DOCKER_PUBLISH_REGISTRY }}-attestation-image-sbom.jsonl"
+ file-path: ${{ inputs.DOCKER_PUBLISH_REGISTRY }}-attestation-sbom.jsonl
+
+
+ - name: Fetch Image Attestation Artifact - ${{ inputs.DOCKER_BUILD_REGISTRY }}
+ uses: actions/download-artifact@v4
+ with:
+ name: ${{ inputs.DOCKER_BUILD_REGISTRY }}-attestation-image
+ path: ${{ inputs.DOCKER_BUILD_REGISTRY }}-attestation-image/
+
+
+ - run: |
+ mv ${{ inputs.DOCKER_BUILD_REGISTRY }}-attestation-image/attestation.jsonl ${{ inputs.DOCKER_BUILD_REGISTRY }}-attestation-image.jsonl
+
+
+ - name: Fetch SBOM Attestation Artifact - ${{ inputs.DOCKER_BUILD_REGISTRY }}
+ uses: actions/download-artifact@v4
+ with:
+ name: ${{ inputs.DOCKER_BUILD_REGISTRY }}-attestation-image-sbom
+ path: ${{ inputs.DOCKER_BUILD_REGISTRY }}-attestation-sbom/
+
+
+ - run: |
+ mv ${{ inputs.DOCKER_BUILD_REGISTRY }}-attestation-sbom/attestation.jsonl ${{ inputs.DOCKER_BUILD_REGISTRY }}-attestation-sbom.jsonl
+
+
+ - run: |
+ ls -la;
+
+
+ - name: Upload created artifact to release assets - ${{ inputs.DOCKER_BUILD_REGISTRY }}
+ uses: mkatanski/release-files-action@v1.1.3
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
+ release-tag: ${{ github.ref_name }}
+ name: "${{ inputs.DOCKER_BUILD_REGISTRY }}-attestation-image.jsonl"
+ file-path: ${{ inputs.DOCKER_BUILD_REGISTRY }}-attestation-image.jsonl
+
+
+
+ - name: Upload created artifact to release assets - ${{ inputs.DOCKER_BUILD_REGISTRY }}
+ uses: mkatanski/release-files-action@v1.1.3
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
+ release-tag: ${{ github.ref_name }}
+ name: "${{ inputs.DOCKER_BUILD_REGISTRY }}-attestation-image-sbom.jsonl"
+ file-path: ${{ inputs.DOCKER_BUILD_REGISTRY }}-attestation-sbom.jsonl
+
+
+ # - name: Update Release
+ # uses: nicovince/manage-release@v1
+ # env:
+ # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ # with:
+ # files:
+ # release: ${{ github.ref_name }}
+ # tag: ${{
github.ref_name }}
diff --git a/.github/workflows/temp/management.yaml b/.github/workflows/temp/management.yaml
new file mode 100644
index 0000000..f5e0ebd
--- /dev/null
+++ b/.github/workflows/temp/management.yaml
@@ -0,0 +1,34 @@
+---
+
+name: Management
+
+
+on:
+ push:
+ branches:
+ - '**'
+ paths:
+ - .github/labels.yml
+ workflow_dispatch:
+ workflow_call:
+
+
+concurrency: manage-labels
+
+
+jobs:
+ manage-labels:
+ name: Manage Labels
+ permissions:
+ contents: read
+ issues: write
+ runs-on: ubuntu-latest
+ steps:
+
+
+ - uses: actions/checkout@v4
+
+
+ - uses: oliversalzburg/action-label-manager@v0.0.9
+ with:
+ repo_token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/temp/pr.yaml b/.github/workflows/temp/pr.yaml
new file mode 100644
index 0000000..59f74ff
--- /dev/null
+++ b/.github/workflows/temp/pr.yaml
@@ -0,0 +1,24 @@
+---
+
+name: PR
+
+
+on:
+ pull_request: {}
+ workflow_call:
+
+
+jobs:
+ conventional:
+ name: Conventional PR Title
+ runs-on: ubuntu-latest
+ steps:
+
+
+ - name: check-for-cc
+ # if: ${{ github.event.pull_request }}
+ id: check-for-cc
+ uses: agenthunt/conventional-commit-checker-action@v1.0.0
+ with:
+ pr-title-regex: "^(.+)(?:(([^)s]+)))?: (.+)"
+ pr-body-regex: "(.*)"
diff --git a/.github/workflows/temp/release.yaml b/.github/workflows/temp/release.yaml
new file mode 100644
index 0000000..aa4cbca
--- /dev/null
+++ b/.github/workflows/temp/release.yaml
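Review bot: In the `docker-tagged` job the `Log into registry ghcr.io` step is guarded by `if: (${{ github.ref_type != 'tag' }})` while the job itself runs only when `github.ref_type == 'tag'`, so the login never executes and the following `docker buildx imagetools create` has no credentials to push the new tag; drop the step condition or invert it. The workflow-level `permissions:` block hands `contents: write`, `packages: write`, `security-events: write`, `id-token: write`, `attestations: write` and `pull-requests: write` to every job, including the scan, report and PR-comment jobs that need a small subset, so move the grants to job-level `permissions:` and give each job only what it uses. In `docker-pr-comment` the report is written to `$GITHUB_ENV` with a fixed heredoc delimiter (`echo "EOF" >> $GITHUB_ENV`); the report body is assembled from Trivy output, so a report line equal to the delimiter would end the value early and let the remainder define further environment variables, which is why GitHub's documentation recommends a random delimiter such as `delim="$(openssl rand -hex 8)"`. The third-party actions `mkatanski/release-files-action`, `dtinth/markdown-report-action`, `jwalton/gh-find-current-pr` and `marocchino/sticky-pull-request-comment` are pinned by tag only, unlike `docker/login-action`, which this file pins to a commit SHA.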
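Review bot: `push: branches: - '**'` combined with `paths: - .github/labels.yml` means a push to any branch that touches the labels file reconfigures the repository's labels with `issues: write`, since `actions/checkout@v4` checks out that branch's copy; restrict the trigger to the branch that is the source of truth, e.g. `branches: - master` (ci.yaml treats `master` and `development` as the mainline refs). `oliversalzburg/action-label-manager@v0.0.9` is a 0.x third-party action pinned by tag only; pin it to a commit SHA as docker.yaml does for `docker/login-action`. `concurrency: manage-labels` without `cancel-in-progress` queues runs rather than cancelling them, which is the safe choice for a job that mutates shared state.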
@@ -0,0 +1,53 @@
+name: Release
+
+on:
+ workflow_call:
+
+
+
+jobs:
+ release:
+ name: Release
+ if: ${{ github.ref_type == 'tag' }}
+ runs-on: ubuntu-latest
+ steps:
+
+
+ - name: Create GH Release
+ if: ${{ github.ref_type == 'tag' }}
+ id: release
+ uses: softprops/action-gh-release@v2
+ with:
+ body: |
+ # A title block
+
+ Some release text
+
+ A [link](https://nofusscomputing.com) does render as markdown works.
+
+
+ release-label:
+ if: ${{ github.ref_type == 'tag' }}
+ name: Create Release Label
+ permissions:
+ contents: read
+ issues: write
+ runs-on: ubuntu-latest
+ steps:
+
+ - run: |
+ mkdir -p .github;
+ echo "
+ labels:
+ v${{ github.ref_name }}:
+ color: "EEE600"
+ description: Version Affected.
+
+ " > .github/labels.yml;
+
+ cat .github/labels.yml;
+
+
+ - uses: oliversalzburg/action-label-manager@v0.0.9
+ with:
+ repo_token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/unit-test-report.yaml b/.github/workflows/unit-test-report.yaml
new file mode 100644
index 0000000..4d9a84b
--- /dev/null
+++ b/.github/workflows/unit-test-report.yaml
@@ -0,0 +1,58 @@
+---
+
+name: 'Process Unit Test Artifact'
+
+on:
+ workflow_run:
+ workflows:
+ - 'Unit Test'
+ types:
+ - completed
+
+
+permissions:
+ contents: read
+ actions: read
+ checks: write
+
+
+jobs:
+ report:
+ runs-on: ubuntu-latest
+ strategy:
+ max-parallel: 4
+ matrix:
+ python-version: ['3.10', '3.11', '3.12']
+ steps:
+
+ - name: Test Report
+ if: success() || failure()
+ uses: dorny/test-reporter@v1
+ id: test-report
+ with:
+ artifact: unit-test-results-${{ matrix.python-version }}
+ badge-title: 'Unit Tests [Python ${{ matrix.python-version }}]'
+ name: Unit Test Report [Python ${{ matrix.python-version }}]
+ path: '*.xml'
+ reporter: java-junit
+
+
+ - name: Create Shields.io Endpoint.json
+ if: success() || failure()
+ run: |
+ echo "
+ {
+ "schemaVersion": 1,
+ "label": "Unit Test",
+ "message": "${{ steps.test-report.outputs.passed }} passed | ${{ steps.test-report.outputs.skipped }} skipped",
+ "namedLogo": "github",
+ "color": "#000"
+ }" > endpoint_${{ matrix.python-version }}.json
+
+
+ - name: Upload Badge Endpoint json
+ uses: actions/upload-artifact@v4
+ if: success() || failure()
+ with:
+ name: unit-test-shield-endpoint-${{ matrix.python-version }}
+ path: endpoint_${{ matrix.python-version }}.json
diff --git a/.github/workflows/unit-test.yaml b/.github/workflows/unit-test.yaml
new file mode 100644
index 0000000..04df40d
--- /dev/null
+++ b/.github/workflows/unit-test.yaml
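Review bot: The `Create Shields.io Endpoint.json` step wraps the JSON document in `echo " ... "`, so every inner double quote (`"schemaVersion": 1`, `"label": "Unit Test"`, …) is consumed by the shell and the file ends up as `{ schemaVersion: 1, label: Unit Test, ... }`, which is not valid JSON for a Shields endpoint. Building the document with `jq -n` avoids the quoting problem, and passing the `passed`/`skipped` step outputs through `env:` keeps values that originate from an uploaded artifact out of the shell command line. As with code-coverage-report.yaml, this `workflow_run` job consumes artifacts from the triggering run, so the narrow `permissions:` block should stay as it is.
```yaml
      - name: Create Shields.io Endpoint.json
        if: success() || failure()
        env:
          PASSED: ${{ steps.test-report.outputs.passed }}
          SKIPPED: ${{ steps.test-report.outputs.skipped }}
        run: |
          jq -n --arg msg "${PASSED} passed | ${SKIPPED} skipped" \
            '{schemaVersion: 1, label: "Unit Test", message: $msg, namedLogo: "github", color: "#000"}' \
            > endpoint_${{ matrix.python-version }}.json
```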
@@ -0,0 +1,262 @@ +name: 'Unit Test' + +on: + workflow_call: + # push: + # branches: + # - "development" + # tags: + # - '*' + # pull_request: + # branches: + # - "development" + + +jobs: + unit-test: + runs-on: ubuntu-latest + strategy: + max-parallel: 4 + matrix: + python-version: ['3.10', '3.11', '3.12'] + + steps: + + + - uses: actions/checkout@v4 + + + - name: Set up Python ${{ matrix.python-version }} + uses: actions/setup-python@v5 + with: + python-version: ${{ matrix.python-version }} + + + - name: Install Dependencies + run: | + python -m pip install --upgrade pip + pip install -r requirements.txt + pip install -r requirements_test.txt + + + - name: Run Tests + shell: bash + run: | + cd app; + pytest --cov --cov-report term --cov-report xml:../coverage.xml --cov-report html:../coverage/ --junit-xml=../unit.JUnit.xml **/tests/unit; + + + - name: Upload Test Report + uses: actions/upload-artifact@v4 + if: success() || failure() + with: + name: unit-test-results-${{ matrix.python-version }} + path: unit.JUnit.xml + + + - name: Upload Coverage Report + uses: actions/upload-artifact@v4 + if: success() || failure() + with: + name: coverage-report-${{ matrix.python-version }} + path: coverage.xml + + + - name: Upload Coverage + uses: actions/upload-artifact@v4 + if: success() || failure() + with: + name: coverage-${{ matrix.python-version }} + path: coverage/* + + + # should only run on dev/master and tag + report: + needs: + - unit-test + runs-on: ubuntu-latest + strategy: + max-parallel: 4 + matrix: + python-version: ['3.10', '3.11', '3.12'] + steps: + + + - name: Test Report + if: success() || failure() + uses: dorny/test-reporter@v1 + id: test-report + with: + artifact: unit-test-results-${{ matrix.python-version }} + # badge-title: 'Unit Tests [Python ${{ matrix.python-version }}]' + name: Unit Test Report [Python ${{ matrix.python-version }}] + path: '*.xml' + reporter: java-junit + + + - name: Create Shields.io Endpoint.json + if: success() || failure() + 
shell: bash + run: | + echo ' + { + "schemaVersion": 1, + "label": "Unit Test", + "message": "${{ steps.test-report.outputs.passed }} passed | ${{ steps.test-report.outputs.skipped }} skipped", + "namedLogo": "github", + "color": "#000" + }' > endpoint_${{ matrix.python-version }}.json + + + - name: Upload Badge Endpoint json + uses: actions/upload-artifact@v4 + if: success() || failure() + with: + name: unit-test-shield-endpoint-${{ matrix.python-version }} + path: endpoint_${{ matrix.python-version }}.json + + + + coverage-report: + needs: + - unit-test + runs-on: ubuntu-latest + strategy: + max-parallel: 4 + matrix: + python-version: ['3.12'] + name: Coverage + steps: + + - name: Run Tests + shell: bash + run: | + ls -l; + + - name: Download Coverage Artifact + uses: actions/download-artifact@v4 + with: + name: coverage-report-${{ matrix.python-version }} + # path: coverage.xml + # run-id: ${{ github.event.workflow_run.id }} + github-token: ${{ github.token }} + + - name: ls + shell: bash + if: success() || failure() + run: | + ls -l; + + - name: Code Coverage Report + uses: irongut/CodeCoverageSummary@v1.3.0 + with: + filename: coverage.xml + badge: true + fail_below_min: true + format: markdown + hide_branch_rate: false + hide_complexity: false + indicators: true + output: both + thresholds: '60 85' + + + # - name: Add Coverage PR Comment + # uses: marocchino/sticky-pull-request-comment@v2 + # if: github.event_name == 'pull_request' + # with: + # recreate: true + # path: code-coverage-results.md + + + - name: ls + shell: bash + if: success() || failure() + run: | + ls -l; + + # - name: Adding markdown + # run: | + # cat $(ls *.md | tail -1) >> $GITHUB_STEP_SUMMARY + + - name: create status check/comment for code coverage results + id: jest_coverage_check + uses: im-open/process-code-coverage-summary@v2.3.0 + with: + # github-token: ${{ secrets.GITHUB_TOKEN }} + github-token: ${{ github.token }} + summary-file: code-coverage-results.md + create-pr-comment: true 
+ update-comment-if-one-exists: true + update-comment-key: "${{ env.GITHUB-JOB }}_${{ env.GITHUB-ACTION }}" + + - name: Upload Coverage Summary + uses: actions/upload-artifact@v4 + if: success() || failure() + with: + name: code-coverage-results-${{ matrix.python-version }} + path: code-coverage-results.md + + + + + + + # coverage: + # needs: + # - test + # runs-on: ubuntu-latest + # # strategy: + # # max-parallel: 4 + # # matrix: + # # python-version: ['3.12'] + # name: Coverage + # steps: + + # # - name: Run Tests + # # run: | + # # ls -l; + + # - name: Download Coverage Artifact + # uses: actions/download-artifact@v4 + # with: + # name: coverage-report-3.12 + # # path: coverage.xml + # # run-id: ${{ github.event.workflow_run.id }} + # # github-token: ${{ github.token }} + + + # - name: Add Coverage PR Comment + # uses: marocchino/sticky-pull-request-comment@v2 + # if: github.event_name == 'pull_request' + # with: + # recreate: true + # path: code-coverage-results.md + + + # - name: ls + # if: success() || failure() + # run: | + # ls -l; + + # - name: Code Coverage Report + # uses: irongut/CodeCoverageSummary@v1.3.0 + # with: + # filename: coverage.xml + # badge: true + # fail_below_min: true + # format: markdown + # hide_branch_rate: false + # hide_complexity: false + # indicators: true + # output: both + # thresholds: '60 85' + + # - name: ls + # if: success() || failure() + # run: | + # ls -l; + + # - name: Summary + # run: | + # cat $(ls *.md | tail -1) >> $GITHUB_STEP_SUMMARY From 3424c6b259428b2fe2f5503fb6627a1036e8fea2 Mon Sep 17 00:00:00 2001 From: Jon Date: Thu, 8 Aug 2024 23:40:51 +0930 Subject: [PATCH 04/21] feat: build on tag --- .github/workflows/docker.yaml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml index 8f134aa..0a13db1 100644 --- a/.github/workflows/docker.yaml +++ b/.github/workflows/docker.yaml 
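Review bot: `update-comment-key: "${{ env.GITHUB-JOB }}_${{ env.GITHUB-ACTION }}"` in the `coverage-report` job references env names that are never set (the default variables are `GITHUB_JOB` and `GITHUB_ACTION`, with underscores), so the key collapses to `_` and every matrix run updates the same comment; `update-comment-key: "${{ github.job }}_${{ matrix.python-version }}"` gives a stable, distinct key. The workflow declares no `permissions:` at all, yet `dorny/test-reporter` needs `checks: write` and `create-pr-comment: true` needs `pull-requests: write`; declaring these per job, as unit-test-report.yaml in this series does, keeps the default token from carrying more than each job uses. The third-party actions here (`dorny/test-reporter@v1`, `irongut/CodeCoverageSummary@v1.3.0`, `im-open/process-code-coverage-summary@v2.3.0`) are pinned to mutable tags, while docker.yaml in this series pins `docker/login-action` to a commit SHA with a version comment, so the same convention should apply here. The `Run Tests` step in `coverage-report` and the two `ls` steps only run `ls -l` and read as leftover debugging.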
@@ -120,10 +120,10 @@ jobs: echo "**************************"; - uses: actions/checkout@v4 - - name: Dummy Task - if: ${{ github.ref_type == 'tag' }} - run: | - echo "This Job does nothing however as 'docker-build' is a dependency job, must do something."; + # - name: Dummy Task + # if: ${{ github.ref_type == 'tag' }} + # run: | + # echo "This Job does nothing however as 'docker-build' is a dependency job, must do something."; @@ -136,14 +136,14 @@ jobs: - name: Setup BuildX - if: ${{ github.ref_type != 'tag' }} + # if: ${{ github.ref_type != 'tag' }} run: | docker buildx create --name project-v3-builder; docker buildx use project-v3-builder; - name: build image - if: ${{ github.ref_type != 'tag' }} + # if: ${{ github.ref_type != 'tag' }} run: | docker buildx build --platform="linux/amd64,linux/arm64" . \ --label "org.opencontainers.image.created=$(date '+%Y-%m-%dT%H:%M:%S%:z')" \ @@ -163,7 +163,7 @@ jobs: - name: Remove "Unknown" Image from Manifest - if: ${{ github.ref_type != 'tag' }} + # if: ${{ github.ref_type != 'tag' }} run: | DOCKER_MULTI_ARCH_IMAGES=$(docker buildx imagetools inspect "${{ inputs.DOCKER_BUILD_REGISTRY }}/${{ inputs.DOCKER_BUILD_IMAGE_NAME }}:${{ inputs.DOCKER_BUILD_IMAGE_TAG }}" --format "{{ range .Manifest.Manifests }}{{ if ne (print .Platform) \"&{unknown unknown [] }\" }}${{ inputs.DOCKER_BUILD_REGISTRY }}/${{ inputs.DOCKER_BUILD_IMAGE_NAME }}:${{ inputs.DOCKER_BUILD_IMAGE_TAG }}@{{ println .Digest }}{{end}} {{end}}"); @@ -215,7 +215,7 @@ jobs: - name: Cleanup BuildX - if: ${{ github.ref_type != 'tag' }} + # if: ${{ github.ref_type != 'tag' }} run: | docker buildx rm project-v3-builder; From 6d3cd1907d8076ed315bb06477a7ecbdcb16b63b Mon Sep 17 00:00:00 2001 From: Jon Date: Thu, 8 Aug 2024 23:45:07 +0930 Subject: [PATCH 05/21] fix: add secret --- .github/workflows/docker.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml index 0a13db1..994a11c 100644 
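Review bot: The four hunks of this patch (`@@ -120`, `@@ -136`, `@@ -163`, `@@ -215`) disable the `if: ${{ github.ref_type != 'tag' }}` guards and the `Dummy Task` step by commenting them out rather than deleting them, leaving dead YAML the next reader has to reason about. If the intent is that the buildx steps now run on tags as well, deleting the lines states that directly and the commit message already records the why. If the guards are expected to return, a one-line comment above each naming the condition for reinstating them is the minimum.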
--- a/.github/workflows/docker.yaml +++ b/.github/workflows/docker.yaml @@ -679,8 +679,8 @@ jobs: uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 with: registry: ${{ inputs.DOCKER_PUBLISH_REGISTRY }} - username: ${{ inputs.DOCKER_PUBLISH_USERNAME }} - password: ${{ inputs.DOCKER_PUBLISH_PASSWORD }} + username: ${{ secrets.DOCKER_PUBLISH_USERNAME }} + password: ${{ secrets.DOCKER_PUBLISH_PASSWORD }} - name: Tag Image with GIT Tag '${{ github.ref_name }}' From f19bbc0a91adb85d8a576457483f0135bf8ec0fa Mon Sep 17 00:00:00 2001 From: Jon Date: Fri, 9 Aug 2024 00:02:41 +0930 Subject: [PATCH 06/21] feat: update docker rel image notes --- .github/workflows/docker.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml index 994a11c..1a5da3f 100644 --- a/.github/workflows/docker.yaml +++ b/.github/workflows/docker.yaml @@ -762,14 +762,14 @@ jobs: with: append_body: true body: | - ## Images + ### Images part of this release + + The following images were built and published: - `docker pull ${{ inputs.DOCKER_PUBLISH_REGISTRY }}/${{ inputs.DOCKER_PUBLISH_IMAGE_NAME }}:latest` - `docker pull ${{ inputs.DOCKER_PUBLISH_REGISTRY }}/${{ inputs.DOCKER_PUBLISH_IMAGE_NAME }}:${{ inputs.DOCKER_TAG_IMAGE_TAG_SOURCE }}` - `docker pull ${{ inputs.DOCKER_PUBLISH_REGISTRY }}/${{ inputs.DOCKER_PUBLISH_IMAGE_NAME }}:${{ github.ref_name }}` - [another link](https://nofusscomputing.com) does render as markdown works. - docker-release-files: From 56cd82a5fc5135c8d69851a061b3768f5b7c3fb5 Mon Sep 17 00:00:00 2001 From: Jon Date: Fri, 9 Aug 2024 01:00:24 +0930 Subject: [PATCH 07/21] feat: add bump --- .github/workflows/bump.yaml | 519 ++++++++++++++++++++++++++++++++++++ 1 file changed, 519 insertions(+) create mode 100644 .github/workflows/bump.yaml diff --git a/.github/workflows/bump.yaml b/.github/workflows/bump.yaml new file mode 100644 index 0000000..6223aaf --- /dev/null 
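Review bot: `secrets.DOCKER_PUBLISH_USERNAME` and `secrets.DOCKER_PUBLISH_PASSWORD` are now read in a workflow invoked via `workflow_call`, and a reusable workflow only sees secrets that are declared under `on.workflow_call.secrets` or passed by the caller with `secrets: inherit`; the hunk does not show such a declaration, so unless it exists elsewhere in docker.yaml the login runs with empty credentials. Adding a `secrets:` block under `on.workflow_call` that lists `DOCKER_PUBLISH_USERNAME` and `DOCKER_PUBLISH_PASSWORD` with `required: true` documents the contract and makes a missing value fail at call time instead of at `docker login`. Moving from `inputs.*` to `secrets.*` is the right direction, since secrets are masked in logs whereas inputs are plain values.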
+++ b/.github/workflows/bump.yaml 
@@ -0,0 +1,519 @@ +--- + +name: 'Bump' + + +on: + # workflow_dispatch: + # inputs: + # CZ_PRE_RELEASE: + # default: none + # required: false + # description: Create Pre-Release {alpha,beta,rc,none} + # CZ_INCREMENT: + # default: none + # required: false + # description: Type of increment to conduct {MAJOR,MINOR,PATCH,none} + workflow_call: + inputs: + CZ_PRE_RELEASE: + default: none + required: false + description: Create Pre-Release {alpha,beta,rc,none} + type: string + CZ_INCREMENT: + default: none + required: false + description: Type of increment to conduct {MAJOR,MINOR,PATCH,none} + type: string + secrets: + WORKFLOW_TOKEN: + description: Token used to create the tag (required to trigger 'tag' workflow) + required: true + # push: + # branches: + # - '**' + # tags: + # - '*' + + + +jobs: + + bump: + name: 'Bump Version' + runs-on: ubuntu-latest + outputs: + # nextStrict: ${{ steps.get_next_version.outputs.nextStrict }} + version-current: ${{ steps.version-current.outputs.value-out }} + version-new: ${{ steps.version-new.outputs.value-out }} + steps: + + + - name: Checkout Code - ${{ github.ref_name }} Branch + if: ${{ github.ref_name == 'master' }} + uses: actions/checkout@v4 + with: + fetch-depth: 0 + fetch-tags: true + token: ${{ secrets.WORKFLOW_TOKEN }} + ref: development + + + - name: Checkout Code - ${{ github.ref_name }} Branch + if: ${{ github.ref_name != 'master' }} + uses: actions/checkout@v4 + with: + fetch-depth: 0 + fetch-tags: true + token: ${{ secrets.WORKFLOW_TOKEN }} + ref: ${{ github.ref_name }} + + + # - name: Get Next Version + # id: get_next_version + # uses: ietf-tools/semver-action@v1 + # with: + # token: ${{ github.token }} + # branch: ${{ github.ref_name }} + # noVersionBumpBehavior: warn + # noNewCommitBehavior: warn + + # - name: Get next version + # id: get_next_version + # uses: thenativeweb/get-next-version@main + # with: + # prefix: 'v' # optional, defaults to '' + + + # - name: Show the next version + # if: success() || failure() 
+ # run: | + # echo ${{ steps.get_next_version.outputs.current }}; + # echo ${{ steps.get_next_version.outputs.next }}; + # echo ${{ steps.get_next_version.outputs.nextMajor }}; + # echo ${{ steps.get_next_version.outputs.nextStrict }}; + # echo ${{ steps.get_next_version.outputs.nextMajorStrict }}; + # echo ${{ steps.get_next_version.outputs.bump }}; + + + - name: Install Commitizen + shell: bash + run: | + pip install \ + commitizen==3.28.0 + + + - name: Fetch Current Version + id: version-current + run: | + echo "value-out=$(cz version --project)" >> $GITHUB_OUTPUT + + + # - name: Configure git + # shell: bash + # run: | + # git config --global user.email "helpdesk@nofusscomputing.com"; + # git config --global user.name "nfc_bot"; + + + + # - name: Create Release Changelog + # shell: bash + # run: | + # cz changelog --incremental --dry-run --unreleased-version + + - name: Increment version with .cz.yaml + shell: bash + run: | + if [ "${{ inputs.CZ_PRE_RELEASE }}" != 'none' ]; then + + echo "[debug] Pre-Release detected: ${{ inputs.CZ_PRE_RELEASE }}"; + + export pre_release="--prerelease ${{ inputs.CZ_PRE_RELEASE }}"; + + fi; + + if [ "${{ inputs.CZ_INCREMENT }}" != 'none' ]; then + + echo "[debug] Pre-Release detected: ${{ inputs.CZ_INCREMENT }}"; + + export increment="--increment ${{ inputs.CZ_INCREMENT }}"; + + fi; + + cz bump \ + --files-only \ + ${pre_release} \ + ${increment} \ + --yes; + + + - name: Fetch Current Version + id: version-new + run: | + echo "value-out=$(cz version --project)" >> $GITHUB_OUTPUT + + + - name: ls + if: ${{ github.ref_name != 'master' }} + shell: bash + run: | + ls -la + + + - name: Update Changelog + # if: ${{ github.ref_name != 'master' }} + shell: bash + run: | + cz changelog --dry-run --incremental --unreleased-version "${{ steps.version-new.outputs.value-out }}" > changelog-release.md + + + - name: Update Changelog + # if: ${{ github.ref_name != 'master' }} + shell: bash + run: | + cz changelog --unreleased-version "${{ 
steps.version-new.outputs.value-out }}" + + + + + + # - name: Update Changelog - (Master Branch) + # if: ${{ github.ref_name == 'master' }} + # shell: bash + # run: | + # cz changelog --merge-prerelease --unreleased-version ${{ steps.get_next_version.outputs.nextStrict }}" + # cz changelog --dry-run --incremental --unreleased-version "${{ steps.get_next_version.outputs.nextStrict }}" > changelog-release.md + + + + # - name: Update Changelog - (Master Branch) + # # if: ${{ github.ref_name == 'master' }} + # shell: bash + # run: | + # cz changelog --dry-run --incremental --unreleased-version "${{ steps.get_next_version.outputs.nextStrict }}" > changelog-release.md + + + + # - name: Increment version with .cz.yaml + # shell: bash + # run: | + # if [ "${{ inputs.CZ_PRE_RELEASE }}" != 'none' ]; then + + # echo "[debug] Pre-Release detected: ${{ inputs.CZ_PRE_RELEASE }}"; + + # export pre_release="--prerelease ${{ inputs.CZ_PRE_RELEASE }}"; + + # fi; + + # if [ "${{ inputs.CZ_INCREMENT }}" != 'none' ]; then + + # echo "[debug] Pre-Release detected: ${{ inputs.CZ_INCREMENT }}"; + + # export increment="--increment ${{ inputs.CZ_INCREMENT }}"; + + # fi; + + # cz bump \ + # --files-only \ + # ${pre_release} \ + # ${increment} \ + # --yes; + + + # - name: Get previous tag + # if: ${{ steps.get_next_version.outputs.hasNextVersion }} + # id: previousTag + # run: | + # name=$(git --no-pager tag --sort=creatordate --merged ${{ github.ref_name }} | tail -2 | head -1) + # echo "previousTag: $name" + # echo "previousTag=$name" >> $GITHUB_ENV + + + # - name: Create Temp git tag + # if: ${{ steps.get_next_version.outputs.nextStrict }} + # # id: previousTag + # run: | + # git tag ${{ steps.get_next_version.outputs.nextStrict }}; + + + # - name: Update CHANGELOG + # if: ${{ steps.get_next_version.outputs.nextStrict }} + # id: changelog + # uses: requarks/changelog-action@v1 + # with: + # token: ${{ github.token }} + # # tag: ${{ steps.get_next_version.outputs.current }} + # # tag: ${{ 
github.ref_name }} + # # fromTag: ${{ github.ref_name }} + # fromTag: ${{ steps.get_next_version.outputs.nextStrict }} + # toTag: ${{ steps.get_next_version.outputs.current }} + # writeToFile: true + # changelogFilePath: CHANGELOG.md + # includeRefIssues: true + # includeInvalidCommits: false + # reverseOrder: false + + # - name: Create Temp git tag + # if: ${{ steps.get_next_version.outputs.nextStrict }} + # # id: previousTag + # run: | + # git tag -d ${{ steps.get_next_version.outputs.nextStrict }}; + + + + # - name: Conventional Changelog Action + # id: changelog + # uses: TriPSs/conventional-changelog-action@v5 + # with: + # github-token: ${{ secrets.github_token }} + # # git-message: 'chore(release): {version}' + # # git-user-name: 'Awesome Changelog Action' + # # git-user-email: 'awesome_changelog@github.actions.com' + # preset: 'conventionalcommits' + # tag-prefix: '' + # input-file: CHANGELOG.md + # output-file: 'CHANGELOG.md' + # # release-count: '10000' + # pre-changelog-generation: '' # pre changelog script file + # # version-file: './my_custom_version_file.json' // or .yml, .yaml, .toml, mix.exs + # # version-path: 'path.to.version' + # skip-on-empty: true + # skip-version-file: true + # skip-commit: true + # git-branch: ${{ github.ref_name }} + # skip-bump: true + # git-push: true + # skip-tag: true + # skip-git-pull: true + + + + # - name: Create Release Changelog + # if: ${{ steps.get_next_version.outputs.nextStrict }} + # shell: bash + # run: | + # echo '${{ steps.changelog.outputs.clean_changelog }}' > changelog-release.md + + + - name: Upload Release Changelog + if: ${{ steps.version-new.outputs.value-out }} + uses: actions/upload-artifact@v4 + with: + name: changelog-release + path: changelog-release.md + + + - name: Create Release Changelog + if: ${{ steps.version-new.outputs.value-out }} + shell: bash + run: | + rm changelog-release.md; + git status; + + + - name: Commit the changelog + if: ${{ steps.version-new.outputs.value-out && 
github.ref_name == 'master' }} + uses: stefanzweifel/git-auto-commit-action@v5 + with: + # Optional. Commit message for the created commit. + # Defaults to "Apply automatic changes" + commit_message: 'build: bump version ${{ steps.get_next_version.outputs.current }} -> ${{ steps.version-new.outputs.value-out }}' + + # Optional. Local and remote branch name where commit is going to be pushed + # to. Defaults to the current branch. + # You might need to set `create_branch: true` if the branch does not exist. + branch: development + + # Optional. Options used by `git-commit`. + # See https://git-scm.com/docs/git-commit#_options + # commit_options: '--no-verify --signoff' + + # Optional glob pattern of files which should be added to the commit + # Defaults to all (.) + # See the `pathspec`-documentation for git + # - https://git-scm.com/docs/git-add#Documentation/git-add.txt-ltpathspecgt82308203 + # - https://git-scm.com/docs/gitglossary#Documentation/gitglossary.txt-aiddefpathspecapathspec + # file_pattern: '.' + + # Optional. Local file path to the repository. + # Defaults to the root of the repository. + # repository: . + + # Optional commit user and author settings + commit_user_name: nfc-bot # defaults to "github-actions[bot]" + commit_user_email: helpdesk@nofusscomputing.com # defaults to "41898282+github-actions[bot]@users.noreply.github.com" + commit_author: nfc-bot # defaults to "username ", where "username" belongs to the author of the commit that triggered the run + + # Optional. Tag name being created in the local repository and + # pushed to remote repository and defined branch. + # tagging_message: ${{ steps.get_next_version.outputs.nextStrict }} + + # Optional. Option used by `git-status` to determine if the repository is + # dirty. See https://git-scm.com/docs/git-status#_options + # status_options: '--untracked-files=no' + + # Optional. Options used by `git-add`. + # See https://git-scm.com/docs/git-add#_options + # add_options: '-u' + + # Optional. 
Options used by `git-push`. + # See https://git-scm.com/docs/git-push#_options + # push_options: '--force' + + # Optional. Disable dirty check and always try to create a commit and push + skip_dirty_check: true + + # Optional. Skip internal call to `git fetch` + skip_fetch: true + + # Optional. Skip internal call to `git checkout` + skip_checkout: true + + # Optional. Prevents the shell from expanding filenames. + # Details: https://www.gnu.org/software/bash/manual/html_node/Filename-Expansion.html + disable_globbing: true + + # Optional. Create given branch name in local and remote repository. + # create_branch: true + + + - name: Commit the changelog + if: ${{ steps.version-new.outputs.value-out && github.ref_name != 'master'}} + uses: stefanzweifel/git-auto-commit-action@v5 + with: + # Optional. Commit message for the created commit. + # Defaults to "Apply automatic changes" + commit_message: 'build: bump version ${{ steps.get_next_version.outputs.current }} -> ${{ steps.version-new.outputs.value-out }}' + + # Optional. Local and remote branch name where commit is going to be pushed + # to. Defaults to the current branch. + # You might need to set `create_branch: true` if the branch does not exist. + branch: ${{ github.ref_name }} + + # Optional. Options used by `git-commit`. + # See https://git-scm.com/docs/git-commit#_options + # commit_options: '--no-verify --signoff' + + # Optional glob pattern of files which should be added to the commit + # Defaults to all (.) + # See the `pathspec`-documentation for git + # - https://git-scm.com/docs/git-add#Documentation/git-add.txt-ltpathspecgt82308203 + # - https://git-scm.com/docs/gitglossary#Documentation/gitglossary.txt-aiddefpathspecapathspec + # file_pattern: '.' + + # Optional. Local file path to the repository. + # Defaults to the root of the repository. + # repository: . 
+ + # Optional commit user and author settings + commit_user_name: nfc-bot # defaults to "github-actions[bot]" + commit_user_email: helpdesk@nofusscomputing.com # defaults to "41898282+github-actions[bot]@users.noreply.github.com" + commit_author: nfc-bot # defaults to "username ", where "username" belongs to the author of the commit that triggered the run + + # Optional. Tag name being created in the local repository and + # pushed to remote repository and defined branch. + tagging_message: ${{ steps.version-new.outputs.value-out }} + + # Optional. Option used by `git-status` to determine if the repository is + # dirty. See https://git-scm.com/docs/git-status#_options + # status_options: '--untracked-files=no' + + # Optional. Options used by `git-add`. + # See https://git-scm.com/docs/git-add#_options + # add_options: '-u' + + # Optional. Options used by `git-push`. + # See https://git-scm.com/docs/git-push#_options + # push_options: '--force' + + # Optional. Disable dirty check and always try to create a commit and push + skip_dirty_check: true + + # Optional. Skip internal call to `git fetch` + skip_fetch: true + + # Optional. Skip internal call to `git checkout` + skip_checkout: true + + # Optional. Prevents the shell from expanding filenames. + # Details: https://www.gnu.org/software/bash/manual/html_node/Filename-Expansion.html + disable_globbing: true + + # Optional. Create given branch name in local and remote repository. 
+ # create_branch: true + + + + # - name: Update Changelog + # if: ${{ github.ref_name != 'master' }} + # shell: bash + # run: | + # git tag ${{ steps.get_next_version.outputs.nextStrict }} + + # - name: Update Changelog + # if: ${{ github.ref_name != 'master' }} + # shell: bash + # run: | + # git push --tags + + + + release: + needs: + - bump + name: Release + if: ${{ needs.bump.outputs.version-new }} + runs-on: ubuntu-latest + steps: + + - name: Download Release Changelog + # if: ${{ steps.get_next_version.outputs.nextStrict }} + uses: actions/download-artifact@v4 + with: + name: changelog-release + # path: changelog-release.md + + + - name: Create GH Release + # if: ${{ github.ref_type == 'tag' }} + id: release + uses: softprops/action-gh-release@v2 + with: + name: ${{ needs.bump.outputs.version-new }} + tag_name: ${{ needs.bump.outputs.version-new }} + body_path: changelog-release.md + make_latest: true + + + release-label: + needs: + - bump + - release + if: ${{ needs.bump.outputs.version-new }} + name: Create Release Label + permissions: + contents: read + issues: write + runs-on: ubuntu-latest + steps: + + - run: | + mkdir -p .github; + echo " + labels: + v${{ needs.bump.outputs.version-new }}: + color: "EEE600" + description: Version Affected. + + " > .github/labels.yml; + + cat .github/labels.yml; + + + - uses: oliversalzburg/action-label-manager@v0.0.9 + with: + repo_token: ${{ secrets.GITHUB_TOKEN }} + + From 62e1a913f09a6a8c955a2c9063d3c9541d4d1ee7 Mon Sep 17 00:00:00 2001 From: Jon Date: Fri, 9 Aug 2024 01:09:03 +0930 Subject: [PATCH 08/21] feat: release draft --- .github/workflows/bump.yaml | 3 ++- .github/workflows/docker.yaml | 17 +++++++++++++++++ 2 files changed, 19 insertions(+), 1 deletion(-) diff --git a/.github/workflows/bump.yaml b/.github/workflows/bump.yaml index 6223aaf..6d586c5 100644 --- a/.github/workflows/bump.yaml +++ b/.github/workflows/bump.yaml 
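Review bot: In the `Increment version with .cz.yaml` step, `inputs.CZ_PRE_RELEASE` and `inputs.CZ_INCREMENT` are expanded directly into the bash script (`if [ "${{ inputs.CZ_PRE_RELEASE }}" != 'none' ]` and `export pre_release="--prerelease ${{ inputs.CZ_PRE_RELEASE }}"`), so whatever text the calling workflow passes is spliced into the shell source before it runs. Passing both through `env:` and checking them against the sets the input descriptions already promise, `{alpha,beta,rc,none}` and `{MAJOR,MINOR,PATCH,none}`, turns an unexpected value into a clean failure; the second debug line also says "Pre-Release detected" for the increment, a copy-paste slip. `WORKFLOW_TOKEN` is used for the checkout and the push, presumably a PAT so that the pushed tag triggers other workflows; its scope should be limited to contents on this repository, though the token's configuration is not visible here. The `release-label` job repeats the `echo "..."` with inner double quotes from release.yaml, so the quotes around `EEE600` are dropped from the generated labels.yml.
```yaml
      - name: Increment version with .cz.yaml
        shell: bash
        env:
          CZ_PRE_RELEASE: ${{ inputs.CZ_PRE_RELEASE }}
          CZ_INCREMENT: ${{ inputs.CZ_INCREMENT }}
        run: |
          case "${CZ_PRE_RELEASE}" in
            alpha|beta|rc|none) ;;
            *) echo "unsupported CZ_PRE_RELEASE: ${CZ_PRE_RELEASE}"; exit 1 ;;
          esac
          case "${CZ_INCREMENT}" in
            MAJOR|MINOR|PATCH|none) ;;
            *) echo "unsupported CZ_INCREMENT: ${CZ_INCREMENT}"; exit 1 ;;
          esac
          if [ "${CZ_PRE_RELEASE}" != 'none' ]; then
            echo "[debug] Pre-Release detected: ${CZ_PRE_RELEASE}";
            pre_release="--prerelease ${CZ_PRE_RELEASE}";
          fi;
          if [ "${CZ_INCREMENT}" != 'none' ]; then
            echo "[debug] Increment detected: ${CZ_INCREMENT}";
            increment="--increment ${CZ_INCREMENT}";
          fi;
          # … unchanged: cz bump invocation …
```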
@@ -476,7 +476,7 @@ jobs: # path: changelog-release.md - - name: Create GH Release + - name: Create Draft GH Release # if: ${{ github.ref_type == 'tag' }} id: release uses: softprops/action-gh-release@v2 @@ -485,6 +485,7 @@ jobs: tag_name: ${{ needs.bump.outputs.version-new }} body_path: changelog-release.md make_latest: true + draft: true release-label: diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml index 1a5da3f..6de3ac6 100644 --- a/.github/workflows/docker.yaml +++ b/.github/workflows/docker.yaml @@ -891,3 +891,20 @@ jobs: # files: # release: ${{ github.ref_name }} # tag: ${{ github.ref_name }} + + + docker-release: + name: Mark Release as not draft + runs-on: ubuntu-latest + steps: + + - name: Mark GH Release as not a draft + # if: ${{ github.ref_type == 'tag' }} + id: release + uses: softprops/action-gh-release@v2 + with: + # name: ${{ needs.bump.outputs.version-new }} + tag_name: ${{ needs.bump.outputs.version-new }} + # body_path: changelog-release.md + make_latest: true + draft: false \ No newline at end of file From aa5e38f95e9c66f038958b44dd4bb46486fd85f6 Mon Sep 17 00:00:00 2001 From: Jon Date: Fri, 9 Aug 2024 01:10:11 +0930 Subject: [PATCH 09/21] fix: only on tag release --- .github/workflows/docker.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml index 6de3ac6..65f268c 100644 --- a/.github/workflows/docker.yaml +++ b/.github/workflows/docker.yaml @@ -894,6 +894,7 @@ jobs: docker-release: + if: ${{ github.ref_type == 'tag' }} name: Mark Release as not draft runs-on: ubuntu-latest steps: From 7bca33e95f0abaa748308a771e1b275040cf7fda Mon Sep 17 00:00:00 2001 From: Jon Date: Fri, 9 Aug 2024 01:21:25 +0930 Subject: [PATCH 10/21] feat: try dif rel style --- .github/workflows/docker.yaml | 141 +++++++++++++++++++++++----------- 1 file changed, 96 insertions(+), 45 deletions(-) 
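Review bot: The new `docker-release` job in docker.yaml (`@@ -891,3 +891,20 @@`) sets `tag_name: ${{ needs.bump.outputs.version-new }}`, but the job declares no `needs:` and no `bump` job is visible in this file, so the expression resolves to an empty string and `softprops/action-gh-release` is invoked without a tag. With no `needs:` the job is also free to run before the jobs that attach the scan and SBOM assets finish, flipping the release out of draft while it is still incomplete; it should `needs:` those jobs and take the tag from `github.ref_name`, which is what the job is keyed on anyway. As with the other release steps, declaring `permissions: contents: write` on this job keeps the token scope explicit.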
diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml index 65f268c..da7e083 100644 --- a/.github/workflows/docker.yaml +++ b/.github/workflows/docker.yaml @@ -278,14 +278,27 @@ jobs: ignore-unfixed: true - - name: Upload Trivy Vulnerability Scan as a release asset + # - name: Upload Trivy Vulnerability Scan as a release asset + # if: ${{ github.ref_type == 'tag' }} + # uses: mkatanski/release-files-action@v1.1.3 + # with: + # token: ${{ secrets.GITHUB_TOKEN }} + # release-tag: ${{ github.ref_name }} + # name: "trivy-vulnerability-scan.sarif" + # file-path: trivy-results.sarif + + - name: Create Draft GH Release if: ${{ github.ref_type == 'tag' }} - uses: mkatanski/release-files-action@v1.1.3 + # id: release + uses: softprops/action-gh-release@v2 with: - token: ${{ secrets.GITHUB_TOKEN }} - release-tag: ${{ github.ref_name }} - name: "trivy-vulnerability-scan.sarif" - file-path: trivy-results.sarif + name: ${{ github.ref_name }} + tag_name: ${{ github.ref_name }} + # body_path: changelog-release.md + # make_latest: true + # draft: true + files: | + trivy-results.sarif - name: Upload Trivy scan results to GitHub Security tab 
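Review bot: `Create Draft GH Release` here and in the hunks at `@@ -489`, `@@ -817` and `@@ -864` each call `softprops/action-gh-release@v2` for the same `tag_name: ${{ github.ref_name }}` from separate jobs with `# draft: true` commented out; if those jobs run concurrently each may find no release yet and try to create it, and because `draft` is unset the first successful call publishes the release immediately, leaving the separate `docker-release` job nothing to mark live. Creating the draft once in a single job with `draft: true`, and having the asset-upload jobs `needs:` it and only pass `files:`, keeps the release hidden until the final job. Each of these jobs also needs `permissions: contents: write` for the upload, which none of the hunks declares. The replaced `mkatanski/release-files-action` steps are left as commented-out blocks above the new step in every hunk and should simply be deleted.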
@@ -489,15 +502,27 @@ jobs: path: '${{ github.workspace }}/dependency-results.sbom.json' - - name: Upload Trivy SBOM as a release asset + # - name: Upload Trivy SBOM as a release asset + # if: ${{ github.ref_type == 'tag' }} + # uses: mkatanski/release-files-action@v1.1.3 + # with: + # token: ${{ secrets.GITHUB_TOKEN }} + # release-tag: ${{ github.ref_name }} + # name: "dependency-scan.sbom.json" + # file-path: dependency-results.sbom.json + + - name: Create Draft GH Release if: ${{ github.ref_type == 'tag' }} - uses: mkatanski/release-files-action@v1.1.3 + # id: release + uses: softprops/action-gh-release@v2 with: - token: ${{ secrets.GITHUB_TOKEN }} - release-tag: ${{ github.ref_name }} - name: "dependency-scan.sbom.json" - file-path: dependency-results.sbom.json - + name: ${{ github.ref_name }} + tag_name: ${{ github.ref_name }} + # body_path: changelog-release.md + # make_latest: true + # draft: true + files: | + dependency-results.sbom.json - name: Log into registry ${{ inputs.DOCKER_BUILD_REGISTRY }} if: ${{ 
@@ -817,25 +842,38 @@ jobs: - - name: Upload created artifact to release assets - ${{ inputs.DOCKER_PUBLISH_REGISTRY }} - if: ${{ inputs.DOCKER_PUBLISH_REGISTRY != inputs.DOCKER_BUILD_REGISTRY }} - uses: mkatanski/release-files-action@v1.1.3 - with: - token: ${{ secrets.GITHUB_TOKEN }} - release-tag: ${{ github.ref_name }} - name: "${{ inputs.DOCKER_PUBLISH_REGISTRY }}-attestation-image.jsonl" - file-path: ${{ inputs.DOCKER_PUBLISH_REGISTRY }}-attestation-image.jsonl + # - name: Upload created artifact to release assets - ${{ inputs.DOCKER_PUBLISH_REGISTRY }} + # if: ${{ inputs.DOCKER_PUBLISH_REGISTRY != inputs.DOCKER_BUILD_REGISTRY }} + # uses: mkatanski/release-files-action@v1.1.3 + # with: + # token: ${{ secrets.GITHUB_TOKEN }} + # release-tag: ${{ github.ref_name }} + # name: "${{ inputs.DOCKER_PUBLISH_REGISTRY }}-attestation-image.jsonl" + # file-path: ${{ inputs.DOCKER_PUBLISH_REGISTRY }}-attestation-image.jsonl + - name: Create Draft GH Release + if: ${{ github.ref_type == 'tag' }} + # id: release + uses: softprops/action-gh-release@v2 + with: + name: ${{ github.ref_name }} + tag_name: ${{ github.ref_name }} + # body_path: changelog-release.md + # make_latest: true + # draft: true + files: | + ${{ inputs.DOCKER_PUBLISH_REGISTRY }}-attestation-image.jsonl + ${{ inputs.DOCKER_PUBLISH_REGISTRY }}-attestation-sbom.jsonl - - name: Upload created artifact to release assets - ${{ inputs.DOCKER_BUILD_REGISTRY }} - if: ${{ inputs.DOCKER_PUBLISH_REGISTRY != inputs.DOCKER_BUILD_REGISTRY }} - uses: mkatanski/release-files-action@v1.1.3 - with: - token: ${{ secrets.GITHUB_TOKEN }} - release-tag: ${{ github.ref_name }} - name: "${{ inputs.DOCKER_PUBLISH_REGISTRY }}-attestation-image-sbom.jsonl" - file-path: ${{ inputs.DOCKER_PUBLISH_REGISTRY }}-attestation-sbom.jsonl + # - name: Upload created artifact to release assets - ${{ inputs.DOCKER_BUILD_REGISTRY }} + # if: ${{ inputs.DOCKER_PUBLISH_REGISTRY != inputs.DOCKER_BUILD_REGISTRY }} + # uses: 
mkatanski/release-files-action@v1.1.3 + # with: + # token: ${{ secrets.GITHUB_TOKEN }} + # release-tag: ${{ github.ref_name }} + # name: "${{ inputs.DOCKER_PUBLISH_REGISTRY }}-attestation-image-sbom.jsonl" + # file-path: ${{ inputs.DOCKER_PUBLISH_REGISTRY }}-attestation-sbom.jsonl - name: Fetch Image Attestation Artifact - ${{ inputs.DOCKER_BUILD_REGISTRY }} 
@@ -864,23 +902,36 @@ jobs: ls -la; - - name: Upload created artifact to release assets - ${{ inputs.DOCKER_BUILD_REGISTRY }} - uses: mkatanski/release-files-action@v1.1.3 - with: - token: ${{ secrets.GITHUB_TOKEN }} - release-tag: ${{ github.ref_name }} - name: "${{ inputs.DOCKER_BUILD_REGISTRY }}-attestation-image.jsonl" - file-path: ${{ inputs.DOCKER_BUILD_REGISTRY }}-attestation-image.jsonl + # - name: Upload created artifact to release assets - ${{ inputs.DOCKER_BUILD_REGISTRY }} + # uses: mkatanski/release-files-action@v1.1.3 + # with: + # token: ${{ secrets.GITHUB_TOKEN }} + # release-tag: ${{ github.ref_name }} + # name: "${{ inputs.DOCKER_BUILD_REGISTRY }}-attestation-image.jsonl" + # file-path: ${{ inputs.DOCKER_BUILD_REGISTRY }}-attestation-image.jsonl + - name: Create Draft GH Release + if: ${{ github.ref_type == 'tag' }} + # id: release + uses: softprops/action-gh-release@v2 + with: + name: ${{ github.ref_name }} + tag_name: ${{ github.ref_name }} + # body_path: changelog-release.md + # make_latest: true + # draft: true + files: | + ${{ inputs.DOCKER_BUILD_REGISTRY }}-attestation-image.jsonl + ${{ inputs.DOCKER_BUILD_REGISTRY }}-attestation-sbom.jsonl - - name: Upload created artifact to release assets - ${{ inputs.DOCKER_BUILD_REGISTRY }} - uses: mkatanski/release-files-action@v1.1.3 - with: - token: ${{ secrets.GITHUB_TOKEN }} - release-tag: ${{ github.ref_name }} - name: "${{ inputs.DOCKER_BUILD_REGISTRY }}-attestation-image-sbom.jsonl" - file-path: ${{ inputs.DOCKER_BUILD_REGISTRY }}-attestation-sbom.jsonl + # - name: Upload created artifact to release assets - ${{ inputs.DOCKER_BUILD_REGISTRY }} + # uses: mkatanski/release-files-action@v1.1.3 + # with: + # token: ${{ secrets.GITHUB_TOKEN }} + # release-tag: ${{ github.ref_name }} + # name: "${{ inputs.DOCKER_BUILD_REGISTRY }}-attestation-image-sbom.jsonl" + # file-path: ${{ inputs.DOCKER_BUILD_REGISTRY }}-attestation-sbom.jsonl # - name: Update Release 
@@ -895,7 +946,7 @@ jobs:
 docker-release:
 if: ${{ github.ref_type == 'tag' }}
- name: Mark Release as not draft
+ name: Mark Release Live
 runs-on: ubuntu-latest
 steps:
@@ -905,7 +956,7 @@ jobs:
 uses: softprops/action-gh-release@v2
 with:
 # name: ${{ needs.bump.outputs.version-new }}
- tag_name: ${{ needs.bump.outputs.version-new }}
+ tag_name: ${{ github.ref_name }}
 # body_path: changelog-release.md
 make_latest: true
 draft: false
\ No newline at end of file
From c335cf0d198355a802943bc3411341ecbbac50d1 Mon Sep 17 00:00:00 2001
From: Jon
Date: Fri, 9 Aug 2024 01:33:36 +0930
Subject: [PATCH 11/21] fix: randomz
---
 .github/workflows/bump.yaml | 21 +++++++++++++++++----
 .github/workflows/docker.yaml | 8 ++++----
 2 files changed, 21 insertions(+), 8 deletions(-)
diff --git a/.github/workflows/bump.yaml b/.github/workflows/bump.yaml
index 6d586c5..273ce3e 100644
--- a/.github/workflows/bump.yaml
+++ b/.github/workflows/bump.yaml
@@ -319,7 +319,7 @@ jobs:
 with:
 # Optional. Commit message for the created commit.
 # Defaults to "Apply automatic changes"
- commit_message: 'build: bump version ${{ steps.get_next_version.outputs.current }} -> ${{ steps.version-new.outputs.value-out }}'
+ commit_message: 'build: bump version ${{ steps.version-current.outputs.value-out }} -> ${{ steps.version-new.outputs.value-out }}'
 # Optional. Local and remote branch name where commit is going to be pushed
 # to. Defaults to the current branch.
@@ -385,7 +385,7 @@ jobs:
 with:
 # Optional. Commit message for the created commit.
 # Defaults to "Apply automatic changes"
- commit_message: 'build: bump version ${{ steps.get_next_version.outputs.current }} -> ${{ steps.version-new.outputs.value-out }}'
+ commit_message: 'build: bump version ${{ steps.version-current.outputs.value-out }} -> ${{ steps.version-new.outputs.value-out }}'
 # Optional. Local and remote branch name where commit is going to be pushed
 # to. Defaults to the current branch.
@@ -477,8 +477,8 @@ jobs:
 - name: Create Draft GH Release
- # if: ${{ github.ref_type == 'tag' }}
- id: release
+ if: ${{ inputs.CZ_PRE_RELEASE == 'none' }}
+ # id: release
 uses: softprops/action-gh-release@v2
 with:
 name: ${{ needs.bump.outputs.version-new }}
@@ -488,6 +488,19 @@ jobs:
 draft: true
+ - name: Create Draft GH Release
+ if: ${{ inputs.CZ_PRE_RELEASE != 'none' }}
+ # id: release
+ uses: softprops/action-gh-release@v2
+ with:
+ name: ${{ needs.bump.outputs.version-new }}
+ tag_name: ${{ needs.bump.outputs.version-new }}
+ body_path: changelog-release.md
+ make_latest: true
+ draft: true
+ prerelease: true
+
+
 release-label:
 needs:
 - bump
diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml
index da7e083..fc0d790 100644
--- a/.github/workflows/docker.yaml
+++ b/.github/workflows/docker.yaml
@@ -296,7 +296,7 @@ jobs:
 tag_name: ${{ github.ref_name }}
 # body_path: changelog-release.md
 # make_latest: true
- # draft: true
+ draft: true
 files: |
 trivy-results.sarif
@@ -520,7 +520,7 @@ jobs:
 tag_name: ${{ github.ref_name }}
 # body_path: changelog-release.md
 # make_latest: true
- # draft: true
+ draft: true
 files: |
 dependency-results.sbom.json
@@ -860,7 +860,7 @@ jobs:
 tag_name: ${{ github.ref_name }}
 # body_path: changelog-release.md
 # make_latest: true
- # draft: true
+ draft: true
 files: |
 ${{ inputs.DOCKER_PUBLISH_REGISTRY }}-attestation-image.jsonl
 ${{ inputs.DOCKER_PUBLISH_REGISTRY }}-attestation-sbom.jsonl
@@ -919,7 +919,7 @@ jobs:
 tag_name: ${{ github.ref_name }}
 # body_path: changelog-release.md
 # make_latest: true
- # draft: true
+ draft: true
 files: |
 ${{ inputs.DOCKER_BUILD_REGISTRY }}-attestation-image.jsonl
 ${{ inputs.DOCKER_BUILD_REGISTRY }}-attestation-sbom.jsonl
From eb14d63cdebc8e9b304f9a6f2686818574e2627e Mon Sep 17 00:00:00 2001
From: Jon
Date: Fri, 9 Aug 2024 01:39:07 +0930
Subject: [PATCH 12/21] fix: needs
---
 .github/workflows/docker.yaml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
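Review bot: In the second hunk (`@@ -488,6 +488,19 @@`) the added step fires on `inputs.CZ_PRE_RELEASE != 'none'`, which an empty value also satisfies, so a caller that leaves the input blank gets a release created with `prerelease: true` and `make_latest: true`; a later commit in this series makes the shell treat the input as unset when `"0${{ inputs.CZ_PRE_RELEASE }}" = '0'`, and the step condition should agree, e.g. `if: ${{ inputs.CZ_PRE_RELEASE != 'none' && inputs.CZ_PRE_RELEASE != '' }}`. Both steps also carry the same name `Create Draft GH Release` and neither has an `id`, which makes the run log and any `steps.<id>` reference ambiguous. Whether the input has a non-empty default is not visible in these hunks.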
diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml
index fc0d790..fa5a6bd 100644
--- a/.github/workflows/docker.yaml
+++ b/.github/workflows/docker.yaml
@@ -946,6 +946,8 @@ jobs:
 docker-release:
 if: ${{ github.ref_type == 'tag' }}
+ needs:
+ - docker-release-files
 name: Mark Release Live
 runs-on: ubuntu-latest
 steps:
@@ -955,7 +957,7 @@ jobs:
 id: release
 uses: softprops/action-gh-release@v2
 with:
- # name: ${{ needs.bump.outputs.version-new }}
+ name: ${{ github.ref_name }}
 tag_name: ${{ github.ref_name }}
 # body_path: changelog-release.md
 make_latest: true
From 76559239cd03e0d85a39c1e3bf5cfce0154746e7 Mon Sep 17 00:00:00 2001
From: Jon
Date: Fri, 9 Aug 2024 01:40:11 +0930
Subject: [PATCH 13/21] fix: again
---
 .github/workflows/docker.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml
index fa5a6bd..b2a8a7d 100644
--- a/.github/workflows/docker.yaml
+++ b/.github/workflows/docker.yaml
@@ -786,6 +786,7 @@ jobs:
 uses: softprops/action-gh-release@v2
 with:
 append_body: true
+ draft: true
 body: |
 ### Images part of this release
From 0bfc3cddc19dafc9c58652cc7b062f5f91bb7de0 Mon Sep 17 00:00:00 2001
From: Jon
Date: Fri, 9 Aug 2024 01:54:56 +0930
Subject: [PATCH 14/21] feat: use publish release
---
 .github/workflows/docker.yaml | 22 ++++++++++++++--------
 1 file changed, 14 insertions(+), 8 deletions(-)
diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml
index b2a8a7d..6fcdc67 100644
--- a/.github/workflows/docker.yaml
+++ b/.github/workflows/docker.yaml
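Review bot: `docker-release` (`@@ -946,6 +946,8 @@`) now waits only on `docker-release-files`, yet other steps in this file attach `trivy-results.sarif`, `dependency-results.sbom.json` and the image list in the release body (the `@@ -296`, `@@ -520` and `@@ -786` hunks of the neighbouring commits); if those steps live in jobs that are not already upstream of `docker-release-files`, the release can be marked live before the scan results and SBOM are on it. Listing every job that touches the release under `needs:` makes the ordering explicit rather than incidental. Which jobs hold those steps is not visible in these hunks.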
@@ -953,13 +953,19 @@ jobs:
 runs-on: ubuntu-latest
 steps:
- - name: Mark GH Release as not a draft
- # if: ${{ github.ref_type == 'tag' }}
- id: release
- uses: softprops/action-gh-release@v2
+ # - name: Mark GH Release as not a draft
+ # # if: ${{ github.ref_type == 'tag' }}
+ # id: release
+ # uses: softprops/action-gh-release@v2
+ # with:
+ # name: ${{ github.ref_name }}
+ # tag_name: ${{ github.ref_name }}
+ # # body_path: changelog-release.md
+ # make_latest: true
+ # draft: false
+
+ - name: Publish Release
+ uses: grzegorzkrukowski/action-publish-github-release@v1
 with:
- name: ${{ github.ref_name }}
 tag_name: ${{ github.ref_name }}
- # body_path: changelog-release.md
- make_latest: true
- draft: false
\ No newline at end of file
+ token: ${{ secrets.GITHUB_TOKEN }}
\ No newline at end of file
From 03da66ae4bf7108dc691416fa8a62557a0592a9d Mon Sep 17 00:00:00 2001
From: Jon
Date: Fri, 9 Aug 2024 02:12:05 +0930
Subject: [PATCH 15/21] fix: dont make pre latest
---
 .github/workflows/bump.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/bump.yaml b/.github/workflows/bump.yaml
index 273ce3e..ae839c9 100644
--- a/.github/workflows/bump.yaml
+++ b/.github/workflows/bump.yaml
@@ -496,7 +496,7 @@ jobs:
 name: ${{ needs.bump.outputs.version-new }}
 tag_name: ${{ needs.bump.outputs.version-new }}
 body_path: changelog-release.md
- make_latest: true
+ # make_latest: true
 draft: true
 prerelease: true
From 3b12376eb4ee55aa8322e9a198e661c86db77cba Mon Sep 17 00:00:00 2001
From: Jon
Date: Fri, 9 Aug 2024 02:24:17 +0930
Subject: [PATCH 16/21] feat: merge on master
---
 .github/workflows/bump.yaml | 23 ++++++++++++++++++-----
 1 file changed, 18 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/bump.yaml b/.github/workflows/bump.yaml
index ae839c9..eb26fa6 100644
--- a/.github/workflows/bump.yaml
+++ b/.github/workflows/bump.yaml
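Review bot: `grzegorzkrukowski/action-publish-github-release@v1` is a floating tag for a third-party action that is handed `secrets.GITHUB_TOKEN` and is the final step that turns the draft into a public release; pin it to a full commit SHA, as `gregsdennis/dependencies-action` is pinned in the last commit of this series, and review the pinned revision before trusting it with that token. If the `docker-release` job has no `permissions:` block (its header is outside this hunk), the token carries the repository default scope; a job-level `permissions: contents: write` limits it to what publishing a release needs. The old `softprops` step survives as a ten-line commented block that git history already preserves and can be dropped.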
@@ -452,11 +452,24 @@ jobs:
 # run: |
 # git tag ${{ steps.get_next_version.outputs.nextStrict }}
- # - name: Update Changelog
- # if: ${{ github.ref_name != 'master' }}
- # shell: bash
- # run: |
- # git push --tags
+ - name: Checkout master
+ if: ${{ github.ref_name == 'master' }}
+ shell: bash
+ run: |
+ git checkout master;
+
+ - name: Merge changes to master
+ if: ${{ github.ref_name == 'master' }}
+ shell: bash
+ run: |
+ git merge --no-ff development;
+
+
+ - name: Push changes
+ if: ${{ github.ref_name == 'master' }}
+ shell: bash
+ run: |
+ git push origin master;
From 661a7cf0d5e1e9d520b96a43e14c84d00256741d Mon Sep 17 00:00:00 2001
From: Jon
Date: Fri, 9 Aug 2024 02:29:39 +0930
Subject: [PATCH 17/21] fix: ensure not empty
---
 .github/workflows/bump.yaml | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/bump.yaml b/.github/workflows/bump.yaml
index eb26fa6..40cced1 100644
--- a/.github/workflows/bump.yaml
+++ b/.github/workflows/bump.yaml
@@ -128,17 +128,25 @@ jobs:
 run: |
 if [ "${{ inputs.CZ_PRE_RELEASE }}" != 'none' ]; then
- echo "[debug] Pre-Release detected: ${{ inputs.CZ_PRE_RELEASE }}";
+ if [ "0${{ inputs.CZ_PRE_RELEASE }}" != '0' ]; then
- export pre_release="--prerelease ${{ inputs.CZ_PRE_RELEASE }}";
+ echo "[debug] Pre-Release detected: ${{ inputs.CZ_PRE_RELEASE }}";
+
+ export pre_release="--prerelease ${{ inputs.CZ_PRE_RELEASE }}";
+
+ fi;
 fi;
 if [ "${{ inputs.CZ_INCREMENT }}" != 'none' ]; then
- echo "[debug] Pre-Release detected: ${{ inputs.CZ_INCREMENT }}";
+ if [ "0${{ inputs.CZ_PRE_RELEASE }}" != '0' ]; then
+
+ echo "[debug] Pre-Release detected: ${{ inputs.CZ_INCREMENT }}";
+
+ export increment="--increment ${{ inputs.CZ_INCREMENT }}";
- export increment="--increment ${{ inputs.CZ_INCREMENT }}";
+ fi;
 fi;
From f9832ca5943897e079dc1088ef5031642e57187b Mon Sep 17 00:00:00 2001
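Review bot: `git merge --no-ff development;` needs the `development` branch to be present in the runner's clone, and a default `actions/checkout` fetches only the triggering ref at depth 1, so the step fails with an unknown-revision error unless the checkout step (outside this hunk) fetches all branches; `git fetch origin development:development;` before the merge, or `fetch-depth: 0` on the checkout, makes that dependency explicit. `git push origin master;` writes the default branch from a job that is itself triggered by a push to master, so whether this re-triggers the workflow depends on the token the checkout step uses, which is not visible here. The three steps also run with whatever git identity the runner has until the `Configure git` step added two commits later.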
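Review bot: The guard added inside the `CZ_INCREMENT` branch (`@@ -128,17 +128,25 @@`) tests the wrong input: `if [ "0${{ inputs.CZ_PRE_RELEASE }}" != '0' ]; then` should read `if [ "0${{ inputs.CZ_INCREMENT }}" != '0' ]; then`, otherwise `--increment` is only exported when a pre-release value happens to be set and an empty increment still passes the outer `!= 'none'` check. The debug line in that branch also reports `Pre-Release detected` for an increment. Since both inputs are expanded with `${{ }}` straight into the script, passing them through `env:` and reading `"$CZ_INCREMENT"` / `"$CZ_PRE_RELEASE"` keeps quotes or metacharacters in a caller-supplied value from being interpreted by bash. The step that owns this `run:` block starts outside the hunk.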
From: Jon
Date: Fri, 9 Aug 2024 02:31:31 +0930
Subject: [PATCH 18/21] fix: configure git
---
 .github/workflows/bump.yaml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/.github/workflows/bump.yaml b/.github/workflows/bump.yaml
index 40cced1..ffd0f13 100644
--- a/.github/workflows/bump.yaml
+++ b/.github/workflows/bump.yaml
@@ -460,6 +460,12 @@ jobs:
 # run: |
 # git tag ${{ steps.get_next_version.outputs.nextStrict }}
+ - name: Configure git
+ shell: bash
+ run: |
+ git config --global user.email "helpdesk@nofusscomputing.com";
+ git config --global user.name "nfc_bot";
+
 - name: Checkout master
 if: ${{ github.ref_name == 'master' }}
 shell: bash
From 66358d9cb039277f27cf884f04a677a585f956f9 Mon Sep 17 00:00:00 2001
From: Jon
Date: Fri, 9 Aug 2024 02:41:51 +0930
Subject: [PATCH 19/21] fix: dont run bump on bot commits
---
 .github/workflows/bump.yaml | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/bump.yaml b/.github/workflows/bump.yaml
index ffd0f13..c03c1e4 100644
--- a/.github/workflows/bump.yaml
+++ b/.github/workflows/bump.yaml
@@ -42,6 +42,7 @@ jobs:
 bump:
 name: 'Bump Version'
+ if: github.event.commits[0].author.name != 'nfc-bot'
 runs-on: ubuntu-latest
 outputs:
 # nextStrict: ${{ steps.get_next_version.outputs.nextStrict }}
@@ -356,7 +357,7 @@ jobs:
 # Optional. Tag name being created in the local repository and
 # pushed to remote repository and defined branch.
- # tagging_message: ${{ steps.get_next_version.outputs.nextStrict }}
+ tagging_message: ${{ steps.version-new.outputs.value-out }}
 # Optional. Option used by `git-status` to determine if the repository is
 # dirty. See https://git-scm.com/docs/git-status#_options
@@ -464,7 +465,7 @@ jobs:
 shell: bash
 run: |
 git config --global user.email "helpdesk@nofusscomputing.com";
- git config --global user.name "nfc_bot";
+ git config --global user.name "nfc-bot";
 - name: Checkout master
 if: ${{ github.ref_name == 'master' }}
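Review bot: `github.event.commits[0].author.name != 'nfc-bot'` (`@@ -42,6 +42,7 @@`) inspects the first commit in the push payload, which is the oldest one, not the commit the workflow is running against, so a push containing a human commit followed by the bot's bump commit passes the guard; `github.event.head_commit.author.name` is the commit at the pushed ref. The same expression is repeated in the `@@ -491` and `@@ -532` hunks of this commit, so whichever field is chosen should be used in all three. An author name is self-reported, so this guard only stops the workflow from re-running on its own commits and is not an authorization check. If the bump commit is pushed with the default `GITHUB_TOKEN`, that push does not start a new workflow run anyway, which may make the guard redundant; that depends on the token used by the commit step, which is outside these hunks.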
@@ -491,7 +492,7 @@ jobs:
 needs:
 - bump
 name: Release
- if: ${{ needs.bump.outputs.version-new }}
+ if: ${{ needs.bump.outputs.version-new && github.event.commits[0].author.name != 'nfc-bot' }}
 runs-on: ubuntu-latest
 steps:
@@ -532,7 +533,7 @@ jobs:
 needs:
 - bump
 - release
- if: ${{ needs.bump.outputs.version-new }}
+ if: ${{ needs.bump.outputs.version-new && github.event.commits[0].author.name != 'nfc-bot'}}
 name: Create Release Label
 permissions:
 contents: read
From cec683ad8e616d99e1cbe1d8f1dcdf613117dcf6 Mon Sep 17 00:00:00 2001
From: Jon
Date: Fri, 9 Aug 2024 02:59:34 +0930
Subject: [PATCH 20/21] fix: dont create pre release on master
---
 .github/workflows/bump.yaml | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/bump.yaml b/.github/workflows/bump.yaml
index c03c1e4..a147d37 100644
--- a/.github/workflows/bump.yaml
+++ b/.github/workflows/bump.yaml
@@ -504,8 +504,8 @@ jobs:
 # path: changelog-release.md
- - name: Create Draft GH Release
- if: ${{ inputs.CZ_PRE_RELEASE == 'none' }}
+ - name: Create Draft GH Release - master Branch
+ if: ${{ inputs.CZ_PRE_RELEASE == 'none' || github.ref_name == 'master' }}
 # id: release
 uses: softprops/action-gh-release@v2
 with:
@@ -513,11 +513,12 @@ jobs:
 tag_name: ${{ needs.bump.outputs.version-new }}
 body_path: changelog-release.md
 make_latest: true
+ prerelease: false
 draft: true
- - name: Create Draft GH Release
- if: ${{ inputs.CZ_PRE_RELEASE != 'none' }}
+ - name: Create Draft GH Release - Other Branches
+ if: ${{ inputs.CZ_PRE_RELEASE != 'none' && github.ref_name != 'master' }}
 # id: release
 uses: softprops/action-gh-release@v2
 with:
From 91fd7d09ceb0fbd103472bf5d214b4c0a86b731b Mon Sep 17 00:00:00 2001
From: Jon
Date: Fri, 9 Aug 2024 18:44:03 +0930
Subject: [PATCH 21/21] feat: pr dependency check
---
 .github/workflows/pull-requests.yaml | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/.github/workflows/pull-requests.yaml b/.github/workflows/pull-requests.yaml
index cb0bedd..cd124f5 100644
--- a/.github/workflows/pull-requests.yaml
+++ b/.github/workflows/pull-requests.yaml
@@ -35,3 +35,13 @@ jobs:
 skip_revert: true
 types: "build|chore|ci|docs|feat|fix|perf|refactor|revert|style|test"
+
+ pr_dependencies:
+ runs-on: ubuntu-latest
+ name: Dependency Check
+ steps:
+ - uses: gregsdennis/dependencies-action@4fc2a4879387b43f784920699cb9303dd0524ac4
+ with:
+ custom-domains: my-custom-domain.io another.domain.com
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
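Review bot: `custom-domains: my-custom-domain.io another.domain.com` reads like example values copied from the action's documentation rather than hosts this repository uses; if no custom domains are needed the `with:` block can be dropped, otherwise they should be replaced with the real ones. The new `pr_dependencies` job has no `permissions:` block, so the `GITHUB_TOKEN` it hands to the action carries the repository default scope; a job-level `permissions:` limited to what the action documents keeps the token minimal, in line with the `permissions:` block the `Create Release Label` job in bump.yaml already declares. The action is pinned to a full commit SHA, which is the right choice; a trailing `# <tag the SHA corresponds to>` comment on that line makes future bumps reviewable.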