A collection of GitHub Actions for integrating with ReARM - Release Automation and Release Management platform.

This repository contains composable actions that work together to manage the complete release lifecycle:

| Action | Description |
|---|---|
| setup-cli | Install the ReARM CLI on GitHub Actions runners |
| initialize | Initialize ReARM release flow - checks for changes, creates pending releases, syncs branches |
| sbom-sign-scan | Generate SBOMs, perform signing, and run CodeQL analysis |
| finalize | Submit release metadata and finalize the release on ReARM |

```yaml
name: Build and Release

on:
  push:
    branches: [main]

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0  # Required for full git history

      - name: Setup ReARM CLI
        uses: relizaio/rearm-actions/setup-cli@main

      # Step 1: Initialize release
      - name: Initialize ReARM Release
        id: init
        uses: relizaio/rearm-actions/initialize@main
        with:
          rearm_api_key: ${{ secrets.REARM_API_KEY }}
          rearm_api_id: ${{ secrets.REARM_API_ID }}

      # Step 2: Build (only if changes detected)
      - name: Build and Push Docker Image
        if: steps.init.outputs.do_build == 'true'
        id: build
        run: |
          docker build -t myregistry/myimage:${{ steps.init.outputs.short_version }} .
          docker push myregistry/myimage:${{ steps.init.outputs.short_version }}
          echo "IMAGE_DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' myregistry/myimage:${{ steps.init.outputs.short_version }} | cut -d'@' -f2)" >> $GITHUB_OUTPUT

      # Step 3: Generate SBOMs (optional)
      - name: Generate SBOMs
        if: steps.init.outputs.do_build == 'true'
        id: sbom
        uses: relizaio/rearm-actions/sbom-sign-scan@main
        with:
          image_full_name: myregistry/myimage
          image_digest: ${{ steps.build.outputs.IMAGE_DIGEST }}
          rearm_short_version: ${{ steps.init.outputs.short_version }}
          rearm_full_version: ${{ steps.init.outputs.full_version }}
          enable_sbom: 'true'
          source_code_sbom_type: 'npm'
          registry_username: ${{ secrets.DOCKER_USERNAME }}
          registry_password: ${{ secrets.DOCKER_PASSWORD }}

      # Step 4: Finalize release
      - name: Finalize Release
        if: steps.init.outputs.do_build == 'true'
        uses: relizaio/rearm-actions/finalize@main
        with:
          rearm_api_id: ${{ secrets.REARM_API_ID }}
          rearm_api_key: ${{ secrets.REARM_API_KEY }}
          image_full_name: myregistry/myimage
          image_digest: ${{ steps.build.outputs.IMAGE_DIGEST }}
          rearm_build_start: ${{ steps.init.outputs.build_start }}
          rearm_short_version: ${{ steps.init.outputs.short_version }}
          rearm_full_version: ${{ steps.init.outputs.full_version }}
          rearm_build_lifecycle: 'ASSEMBLED'
          commit_list: ${{ steps.init.outputs.commit_list }}
          sce_commit: ${{ steps.init.outputs.sce_commit }}
          sce_commit_message: ${{ steps.init.outputs.sce_commit_message }}
          sce_commit_date: ${{ steps.init.outputs.sce_commit_date }}
          sce_vcs_uri: ${{ steps.init.outputs.sce_vcs_uri }}
          scearts: ${{ steps.sbom.outputs.scearts }}
          odelartsjson: ${{ steps.sbom.outputs.odelartsjson }}
          purl: ${{ steps.sbom.outputs.purl }}
```

```
┌─────────────────┐     ┌─────────────────┐     ┌─────────────────┐
│   Initialize    │────▶│  Build & SBOM   │────▶│    Finalize     │
│                 │     │                 │     │                 │
│ • Check changes │     │ • Build image   │     │ • Add release   │
│ • Get version   │     │ • Generate SBOM │     │ • Finalize      │
│ • Sync branches │     │ • Sign & scan   │     │ • Set status    │
└─────────────────┘     └─────────────────┘     └─────────────────┘
        │                       │                       │
        ▼                       ▼                       ▼
   do_build=true           scearts, purl          Release complete
   full_version            odelartsjson
   short_version
   commit_list
   sce_* outputs
```
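
The Build step in the workflow above takes entry 0 of `RepoDigests` and writes whatever results to `IMAGE_DIGEST`, including an empty value if the lookup fails, and entry 0 need not belong to `myregistry/myimage` when the local image is also known under another repository. The following is an added example, not part of the ReARM actions or the original README: it selects the digest by repository name and fails unless it is a well-formed `sha256` digest. The function name `select_digest` and the sample entries are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the ReARM actions): choose the image digest by
# repository name instead of taking RepoDigests entry 0, and validate it.

# select_digest REPO -- reads RepoDigests entries (repo@sha256:...) on stdin,
# one per line, e.g. from:
#   docker inspect --format='{{range .RepoDigests}}{{println .}}{{end}}' IMAGE
select_digest() {
  local repo="$1" entry digest found=""
  while IFS= read -r entry || [ -n "$entry" ]; do
    # Only entries whose repository part (before '@') is exactly REPO.
    [ "${entry%@*}" = "$repo" ] || continue
    digest="${entry##*@}"
    # Skip anything that is not a well-formed sha256 digest.
    printf '%s' "$digest" | grep -Eq '^sha256:[0-9a-f]{64}$' || continue
    # Two different digests for one repository: refuse to guess.
    if [ -n "$found" ] && [ "$found" != "$digest" ]; then
      echo "ambiguous digests for $repo" >&2
      return 2
    fi
    found="$digest"
  done
  # Fail closed: no matching, valid entry means no output value.
  [ -n "$found" ] || { echo "no valid digest for $repo" >&2; return 1; }
  printf '%s\n' "$found"
}

# Constructed sample: one local image known under two repositories.
D_MIRROR="sha256:$(printf '%064d' 1)"
D_IMAGE="sha256:$(printf '%064d' 2)"
SAMPLE_REPODIGESTS="other.example/mirror@$D_MIRROR
myregistry/myimage@$D_IMAGE"

# Entry 0 belongs to the mirror; selecting by name returns the image's digest.
printf '%s\n' "$SAMPLE_REPODIGESTS" | select_digest myregistry/myimage
```

In a workflow step, a non-zero exit from this function stops the job before an empty or mismatched digest reaches `sbom-sign-scan` or `finalize`.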
- ReARM CLI: Use the `setup-cli` action to install it, or pre-install and make available as `rearm` command
- jq: Required for JSON parsing
- Git history: Use `fetch-depth: 0` in checkout for full history (required for change detection and branch sync)

Installs the ReARM CLI (`rearm`) on GitHub Actions runners.

Key inputs:

- `version` - Version of ReARM CLI to install (default: `25.12.7`)

Detects changes since the last release, creates a pending release if needed, and synchronizes branches with ReARM.

Key outputs:

- `do_build` - Whether a build is needed
- `full_version` / `short_version` - Version strings
- `build_start` - Build start timestamp
- `commit_list`, `sce_commit`, `sce_commit_message`, `sce_commit_date`, `sce_vcs_uri` - SCE data for finalize

Generates SBOMs, performs signing (cosign/SecureSBOM), and runs CodeQL analysis.

Key outputs:

- `scearts` - Source Code Entry artifacts JSON
- `odelartsjson` - Output Deliverable artifacts JSON
- `purl` - Package URL for CONTAINER type

Submits release metadata to ReARM and optionally finalizes the release.

Key inputs:

- SCE data from initialize action
- Artifact JSON from sbom-sign-scan action
- Build lifecycle (`DRAFT`, `ASSEMBLED` or `REJECTED`)

```yaml
- name: Setup ReARM CLI
  uses: relizaio/rearm-actions/setup-cli@main

- name: Initialize
  id: init
  uses: relizaio/rearm-actions/initialize@main
  with:
    rearm_api_key: ${{ secrets.REARM_API_KEY }}
    rearm_api_id: ${{ secrets.REARM_API_ID }}

- name: Build
  if: steps.init.outputs.do_build == 'true'
  run: |
    docker build -t myimage:${{ steps.init.outputs.short_version }} .
    docker push myimage:${{ steps.init.outputs.short_version }}

- name: Finalize
  if: steps.init.outputs.do_build == 'true'
  uses: relizaio/rearm-actions/finalize@main
  with:
    rearm_api_id: ${{ secrets.REARM_API_ID }}
    rearm_api_key: ${{ secrets.REARM_API_KEY }}
    image_full_name: myimage
    rearm_build_start: ${{ steps.init.outputs.build_start }}
    rearm_short_version: ${{ steps.init.outputs.short_version }}
    rearm_full_version: ${{ steps.init.outputs.full_version }}
    rearm_build_lifecycle: 'ASSEMBLED'
    commit_list: ${{ steps.init.outputs.commit_list }}
    sce_commit: ${{ steps.init.outputs.sce_commit }}
```
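
The workflows on this page reference actions by mutable refs (`@main`, `@v4`), so the code that receives `REARM_API_KEY` and the registry credentials can change without any change to the workflow file. As an added example, not part of the original README or the ReARM project, this helper lists `uses:` references in a workflow that are not pinned to a full 40-character commit SHA. The name `unpinned_actions` and the sample workflow text, including its SHA, are constructed here.

```bash
#!/usr/bin/env bash
# Added example (not from the ReARM project): report `uses:` references that
# are not pinned to a full 40-character commit SHA. Workflow YAML on stdin.

unpinned_actions() {
  # Extract the reference after "uses:", dropping indentation, a leading
  # list dash, and any trailing comment.
  sed -n 's/^[[:space:]-]*uses:[[:space:]]*\([^[:space:]#]*\).*/\1/p' |
  while IFS= read -r ref; do
    case "$ref" in
      ./*|docker://*) continue ;;  # local actions / image refs: not covered here
    esac
    # Pinned means the ref ends in @<40 lowercase hex characters>.
    printf '%s' "$ref" | grep -Eq '@[0-9a-f]{40}$' || printf '%s\n' "$ref"
  done
}

# Constructed sample: two refs as used on this page, one SHA-pinned ref with
# a made-up SHA, and one local action.
SAMPLE_WORKFLOW='steps:
  - name: Checkout
    uses: actions/checkout@v4
  - uses: relizaio/rearm-actions/setup-cli@main
  - uses: example-org/example-action@0123456789abcdef0123456789abcdef01234567  # v1.2.3
  - uses: ./.github/actions/local'

# Prints the two mutable refs; the pinned and local entries are not reported.
printf '%s\n' "$SAMPLE_WORKFLOW" | unpinned_actions
```

Run it over each file in `.github/workflows/` and treat any output as a finding to resolve by replacing the ref with the commit SHA of a reviewed release.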