From f95bc8243b9d4c7c0b7258c2a73a58a3b4518309 Mon Sep 17 00:00:00 2001
From: github-actions
Date: Mon, 2 Dec 2024 14:29:37 +0000
Subject: [PATCH 1/3] ci: sync workflows from central-workflows
Signed-off-by: Scott
---
.github/workflows/codacy.yml | 66 ++++++++++
.github/workflows/codeql.yml | 82 ++++++++++++
.github/workflows/conventional-commits.yml | 36 ++++++
.github/workflows/dco-check.yml | 57 +++++++++
.github/workflows/dependency-review.yml | 26 ++++
.github/workflows/dockerfile-linter.yml | 52 ++++++++
.github/workflows/dockerhub-image-build.yml | 80 ++++++++++++
.github/workflows/gpg-verify.yml | 43 +++++++
.github/workflows/milestone.yml | 41 +++---
.github/workflows/njsscan.yml | 47 +++++++
.github/workflows/release.yml | 134 ++++++++++++++------
.github/workflows/sbom.yml | 44 +++++++
12 files changed, 654 insertions(+), 54 deletions(-)
create mode 100644 .github/workflows/codacy.yml
create mode 100644 .github/workflows/codeql.yml
create mode 100644 .github/workflows/conventional-commits.yml
create mode 100644 .github/workflows/dco-check.yml
create mode 100644 .github/workflows/dependency-review.yml
create mode 100644 .github/workflows/dockerfile-linter.yml
create mode 100644 .github/workflows/dockerhub-image-build.yml
create mode 100644 .github/workflows/gpg-verify.yml
create mode 100644 .github/workflows/njsscan.yml
create mode 100644 .github/workflows/sbom.yml
diff --git a/.github/workflows/codacy.yml b/.github/workflows/codacy.yml
new file mode 100644
index 0000000..273f607
--- /dev/null
+++ b/.github/workflows/codacy.yml
@@ -0,0 +1,66 @@
+# SPDX-License-Identifier: Apache-2.0
+
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow checks out code, performs a Codacy security scan
+# and integrates the results with the
+# GitHub Advanced Security code scanning feature. For more information on
+# the Codacy security scan action usage and parameters, see
+# https://github.com/codacy/codacy-analysis-cli-action.
+# For more information on Codacy Analysis CLI in general, see
+# https://github.com/codacy/codacy-analysis-cli.
+
+# Please do not attempt to edit this flow without the direct consent from the DevOps team. This file is managed centrally.
+
+name: Codacy Security Scan
+
+on:
+ push:
+ branches: [ "dev", "main" ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ "dev", "main" ]
+ schedule:
+ - cron: '17 0 * * 4'
+
+permissions:
+ contents: read
+
+jobs:
+ codacy-security-scan:
+ if: github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]'
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+ name: Codacy Security Scan
+ runs-on: ubuntu-latest
+ steps:
+ # Checkout the repository to the GitHub Actions runner
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ # Execute Codacy Analysis CLI and generate a SARIF output with the security issues identified during the analysis
+ - name: Run Codacy Analysis CLI
+ uses: codacy/codacy-analysis-cli-action@3ff8e64eb4b714c4bee91b7b4eea31c6fc2c4f93
+ with:
+ # Check https://github.com/codacy/codacy-analysis-cli#project-token to get your project token from your Codacy repository
+ # You can
also omit the token and run the tools that support default configurations
+ project-token: ${{ secrets.CODACY_PROJECT_TOKEN }}
+ verbose: true
+ output: results.sarif
+ format: sarif
+ # Adjust severity of non-security issues
+ gh-code-scanning-compat: true
+ # Force 0 exit code to allow SARIF file generation
+ # This will handover control about PR rejection to the GitHub side
+ max-allowed-issues: 2147483647
+
+ # Upload the SARIF file generated in the previous step
+ - name: Upload SARIF results file
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: results.sarif
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 0000000..6212b29
--- /dev/null
+++ b/.github/workflows/codeql.yml
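Review bot: Action pinning is mixed in this hunk: `codacy/codacy-analysis-cli-action` is pinned to a commit SHA, but `actions/checkout@v4` and `github/codeql-action/upload-sarif@v3` follow mutable tags, so the supply-chain guarantee the file header asks for covers only one of the three steps. Because `max-allowed-issues: 2147483647` forces a zero exit, nothing in this job blocks a PR on its own; that only happens if code scanning is a required status check, which is worth saying above that key, e.g. `# Enforcement happens through the code-scanning branch-protection rule, not this job`. If pull requests from forks are accepted, `secrets.CODACY_PROJECT_TOKEN` is empty on those runs and the scan falls back to the token-less mode the comment describes, so results for fork PRs may differ from those for branch PRs.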
@@ -0,0 +1,82 @@ +# SPDX-License-Identifier: Apache-2.0 + +# For most projects, this workflow file will not need changing; you simply need +# to commit it to your repository. +# +# You may wish to alter this file to override the set of languages analyzed, +# or to provide custom queries or build logic. +# +# ******** NOTE ******** +# We have attempted to detect the languages in your repository. Please check +# the `language` matrix defined below to confirm you have the correct set of +# supported CodeQL languages. +# + +# Please do not attempt to edit this flow without the direct consent from the DevOps team. This file is managed centrally. + +name: "CodeQL" + +on: + push: + branches: [ "dev", "main" ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ "dev", "main" ] + schedule: + - cron: '34 0 * * 4' + +jobs: + analyze: + if: github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]' + name: Analyze + runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} + permissions: + actions: read + contents: read + security-events: write + + strategy: + fail-fast: false + matrix: + language: [ 'javascript' ] + # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ] + # Use only 'java' to analyze code written in Java, Kotlin or both + # Use only 'javascript' to analyze code written in JavaScript, TypeScript or both + # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@v3 + with: + languages: ${{ matrix.language }} + # If you wish to specify custom queries, you can do so here or in a config file. + # By default, queries listed here will override any specified in a config file. 
+ # Prefix the list here with "+" to use these queries and those in the config file. + + # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs + # queries: security-extended,security-and-quality + + + # Autobuild attempts to build any compiled languages (C/C++, C#, Go, or Java). + # If this step fails, then you should remove it and run the build manually (see below) + - name: Autobuild + uses: github/codeql-action/autobuild@v3 + + # โ„น๏ธ Command-line programs to run using the OS shell. + # ๐Ÿ“š See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun + + # If the Autobuild fails above, remove it and uncomment the following three lines. + # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. + + # - run: | + # echo "Run, Build Application using script" + # ./location_of_script_within_repo/buildscript.sh + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v3 + with: + category: "/language:${{matrix.language}}" diff --git a/.github/workflows/conventional-commits.yml b/.github/workflows/conventional-commits.yml new file mode 100644 index 0000000..6aee786 --- /dev/null +++ b/.github/workflows/conventional-commits.yml 
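Review bot: Unlike the codacy, hadolint and njsscan workflows added in the same commit, this file declares no top-level `permissions:` block, so any job added later inherits the repository's default `GITHUB_TOKEN` grant; add `permissions:` / `  contents: read` at the top and keep the job-level grant as it is. The `runs-on` expression that switches to `macos-latest` for `swift` and the `Autobuild` step both only matter for compiled languages, while the matrix is `[ 'javascript' ]`, so they are dead weight here unless more languages are planned. The supported-language list in the comment also omits `swift` even though the `runs-on` line in this hunk references it, which will confuse the next person adjusting the matrix.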
@@ -0,0 +1,36 @@
+# SPDX-License-Identifier: Apache-2.0
+
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This GitHub Actions workflow validates the title of pull requests (PRs) to ensure they follow conventional commit standards.
+
+# Please do not attempt to edit this flow without the direct consent from the DevOps team. This file is managed centrally.
+
+name: PR Conventional Commit Validation
+
+on:
+ # Trigger this workflow on specific events related to pull requests
+ pull_request:
+ types: [opened, synchronize, reopened, edited]
+
+jobs:
+ validate-pr-title:
+ if: github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]'
+ runs-on: ubuntu-latest # Use the latest Ubuntu runner for the job
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4 # Checkout the repository code using the actions/checkout action
+
+ - name: PR Conventional Commit Validation
+ uses: ytanikin/PRConventionalCommits@1.1.0 # Use the PRConventionalCommits action to validate PR titles
+ with:
+ # Define the task types that are valid for conventional commits
+ task_types: '["build","ci","docs","feat","fix","perf","refactor","style","test","feat!"]'
+ # Map the conventional commit types to corresponding GitHub labels
+ custom_labels: '{"build": "build", "ci": "CI/CD", "docs": "documentation", "feat": "enhancement", "fix": "bug", "perf": "performance", "refactor": "refactor", "style": "style", "test": "test", "feat!": "enhancement breaking change"}'
+ # Use a personal access token (GITHUB_TOKEN) stored in GitHub secrets for authentication
+ token: ${{ secrets.GITHUB_TOKEN }}
+ add_label: 'true'
diff --git a/.github/workflows/dco-check.yml b/.github/workflows/dco-check.yml
new file mode 100644
index 0000000..861c0ea
--- /dev/null
+++ b/.github/workflows/dco-check.yml
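Review bot: No `permissions:` block is declared, so the job runs with the repository's default `GITHUB_TOKEN` grant even though `add_label: 'true'` presumably needs only `pull-requests: write`; add `permissions:` / `  pull-requests: write` / `  contents: read` at job level to keep this least-privilege like the other workflows in this commit. `ytanikin/PRConventionalCommits@1.1.0` is the only third-party action in the set pinned to a tag rather than a commit SHA, which the dockerhub-image-build header in the same commit explicitly warns against. The `actions/checkout` step is not needed to validate a PR title and can be dropped. The comment `# Use a personal access token (GITHUB_TOKEN)` is misleading, since `secrets.GITHUB_TOKEN` is the workflow's installation token, not a PAT.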
@@ -0,0 +1,57 @@
+# SPDX-License-Identifier: Apache-2.0
+
+# This GitHub Actions workflow checks that all commits in a pull request (PR) have a "Signed-off-by" line to ensure Developer Certificate of Origin (DCO) compliance.
+
+# Please do not attempt to edit this flow without the direct consent from the DevOps team. This file is managed centrally.
+
+name: DCO
+
+# Trigger the workflow on pull request events
+on: [pull_request]
+
+jobs:
+ dco:
+ if: github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]'
+ # Define the runner environment
+ runs-on: ubuntu-latest
+
+ steps:
+ # Step to check out the repository
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 0 # Fetch all history for all branches to ensure complete commit history is available
+
+ - name: Set up environment variables
+ run: |
+ echo "BASE_BRANCH=${{ github.event.pull_request.base.ref }}" >> $GITHUB_ENV
+ echo "HEAD_BRANCH=${{ github.event.pull_request.head.ref }}" >> $GITHUB_ENV
+
+ # Step to check each commit in the pull request for a Signed-off-by line
+ - name: Check for DCO Sign-off
+ run: |
+ # Get the base branch and head branch of the pull request
+ base_branch=$BASE_BRANCH
+ head_branch=$HEAD_BRANCH
+
+ # Get the list of commit hashes between the head branch and base branch
+ commits=$(git log --pretty=format:%H origin/${head_branch}..origin/${base_branch})
+ non_compliant_commits=""
+
+ # Loop through each commit and check for the Signed-off-by line
+ for commit in $commits; do
+ # Check if the commit message contains the Signed-off-by line
+ if !
git show --quiet --format=%B $commit | grep -q "^Signed-off-by: "; then
+ # If not, add the commit hash to the list of non-compliant commits
+ non_compliant_commits="$non_compliant_commits $commit"
+ fi
+ done
+
+ # If there are any non-compliant commits, output their hashes and fail the job
+ if [ -n "$non_compliant_commits" ]; then
+ echo "The following commits do not have a Signed-off-by line:"
+ for commit in $non_compliant_commits; do
+ echo "- $commit"
+ done
+ exit 1
+ fi
+ shell: bash
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
new file mode 100644
index 0000000..577adb6
--- /dev/null
+++ b/.github/workflows/dependency-review.yml
@@ -0,0 +1,26 @@
+# SPDX-License-Identifier: Apache-2.0
+
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a Pull Request, surfacing known-vulnerable versions of the packages declared or updated in the PR. Once installed, if the workflow run is marked as required, PRs introducing known-vulnerable packages will be blocked from merging.
+#
+# Source repository: https://github.com/actions/dependency-review-action
+# Public documentation: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement
+
+
+# Please do not attempt to edit this flow without the direct consent from the DevOps team. This file is managed centrally.
+
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+ contents: read
+
+jobs:
+ dependency-review:
+ runs-on: ubuntu-latest
+ steps:
+ - name: 'Checkout Repository'
+ uses: actions/checkout@v4
+ - name: 'Dependency Review'
+ uses: actions/dependency-review-action@v4
diff --git a/.github/workflows/dockerfile-linter.yml b/.github/workflows/dockerfile-linter.yml
new file mode 100644
index 0000000..f2959a7
--- /dev/null
+++ b/.github/workflows/dockerfile-linter.yml
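Review bot: The commit range in `Check for DCO Sign-off` is reversed: `origin/${head_branch}..origin/${base_branch}` selects commits that are on the base branch and not on the PR head, so the PR's own commits are never inspected and the job passes vacuously; the intended range is `origin/${base_branch}..origin/${head_branch}`, or better `${{ github.event.pull_request.base.sha }}..${{ github.event.pull_request.head.sha }}`, since `origin/<head>` does not exist in the checkout for a pull request from a fork. The branch names are also expanded with `${{ }}` directly inside a `run:` script; a ref name is user-supplied text, so it should reach the shell through the step's `env:` block (`env:` / `  HEAD_BRANCH: ${{ github.event.pull_request.head.ref }}`) and be read as `$HEAD_BRANCH`, which makes the `Set up environment variables` step unnecessary. The gpg-verify.yml hunk in this commit has both of the same issues. An empty `$commits` list currently passes silently; reporting it would make the vacuous case visible.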
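Review bot: `actions/dependency-review-action@v4` runs with its defaults here, so there is no `fail-on-severity`, `allow-licenses`/`deny-licenses` or `comment-summary-in-pr` configuration and the job's only effect is its pass/fail status; since the header says blocking only happens when the check is marked required, a one-line comment on the step stating the intended threshold (or an explicit `with:` / `  fail-on-severity: <chosen-level>`) would make the policy visible. The `actions/checkout` step is required by this action and is fine as written.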
@@ -0,0 +1,52 @@
+# SPDX-License-Identifier: Apache-2.0
+
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+# hadoint is a Dockerfile linter written in Haskell
+# that helps you build best practice Docker images.
+# More details at https://github.com/hadolint/hadolint
+
+# Please do not attempt to edit this flow without the direct consent from the DevOps team. This file is managed centrally.
+
+name: Hadolint
+
+on:
+ push:
+ branches: [ "dev", "main" ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ "dev" ]
+ schedule:
+ - cron: '17 13 * * 0'
+
+permissions:
+ contents: read
+
+jobs:
+ hadolint:
+ if: github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]'
+ name: Run hadolint scanning
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Run hadolint
+ uses: hadolint/hadolint-action@f988afea3da57ee48710a9795b6bb677cc901183
+ with:
+ dockerfile: ./Dockerfile
+ format: sarif
+ output-file: hadolint-results.sarif
+ no-fail: true
+
+ - name: Upload analysis results to GitHub
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: hadolint-results.sarif
+ wait-for-processing: true
\ No newline at end of file
diff --git a/.github/workflows/dockerhub-image-build.yml b/.github/workflows/dockerhub-image-build.yml
new file mode 100644
index 0000000..4ea0d8e
--- /dev/null
+++ b/.github/workflows/dockerhub-image-build.yml
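Review bot: The `pull_request` trigger lists only `branches: [ "dev" ]` while `push` covers `dev` and `main`, so a PR opened directly against `main` is never linted before merge, unlike the codacy, codeql and njsscan workflows in this commit that list both; if the asymmetry is intended it deserves a comment, otherwise use `branches: [ "dev", "main" ]`. With `no-fail: true` the step never fails on findings, so enforcement again depends on code scanning being a required check. The file also lacks a trailing newline (`\ No newline at end of file`), which the patch-2 fix to release.yml shows the authors care about elsewhere.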
@@ -0,0 +1,80 @@ +# SPDX-License-Identifier: Apache-2.0 + +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# GitHub recommends pinning actions to a commit SHA. +# To get a newer version, you will need to update the SHA. +# You can also reference a tag or branch, but the action may change without warning. + +# Please do not attempt to edit this flow without the direct consent from the DevOps team. This file is managed centrally. + +name: Publish Docker image + +on: + push: + branches: [ "main" ] + release: + types: [published] + +jobs: + push_to_registry: + if: github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]' + name: Push Docker image to Docker Hub + runs-on: ubuntu-latest + permissions: + packages: write + contents: read + attestations: write + id-token: write + steps: + - name: Check out the repo + uses: actions/checkout@v4 + + - name: Log in to Docker Hub + uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a + with: + username: ${{ secrets.DOCKER_USERNAME }} + password: ${{ secrets.DOCKER_PASSWORD }} + + - name: Set ENV variables + run: | + echo "REPO_NAME=${GITHUB_REPOSITORY#$GITHUB_REPOSITORY_OWNER/}" >> $GITHUB_ENV + + - name: Use the custom ENV variable + run: | + echo $REPO_NAME + + - name: Extract metadata (tags, labels) for Docker + id: meta + uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7 + with: + images: tazamaorg/${{ env.REPO_NAME }} + tags: | + type=raw,value=2.1.0 + + - name: Build and push Docker image + id: push + uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671 + with: + context: . 
+ file: ./Dockerfile + push: true + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + build-args: GH_TOKEN=${{ secrets.GH_TOKEN }} + + - name: Generate artifact attestation + uses: actions/attest-build-provenance@v1 + with: + subject-name: docker.io/tazamaorg/${{ env.REPO_NAME }} + subject-digest: ${{ steps.push.outputs.digest }} + push-to-registry: true + + - name: Send Slack Notification + env: + SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} + run: | + curl -X POST -H 'Content-type: application/json' --data '{"blocks": [{"type": "header","text": {"type": "plain_text","text": "New Dockerhub Image published :ship::ship:","emoji": true}},{"type": "section","fields": [{"type": "mrkdwn","text": "*Service:*\n${{ env.REPO_NAME }} "},{"type": "mrkdwn","text": "*Tazama Dockerhub:*\n"}]}]}' $SLACK_WEBHOOK_URL diff --git a/.github/workflows/gpg-verify.yml b/.github/workflows/gpg-verify.yml new file mode 100644 index 0000000..56b6f3c --- /dev/null +++ b/.github/workflows/gpg-verify.yml 
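Review bot: `build-args: GH_TOKEN=${{ secrets.GH_TOKEN }}` bakes the token into the image: build arguments are recorded in the layer history of the resulting image, so anyone who can pull `tazamaorg/<repo>` can read it from the image metadata. Pass it as a BuildKit secret instead (`secrets: GH_TOKEN=${{ secrets.GH_TOKEN }}` on the build-push step, consumed in the Dockerfile with `--mount=type=secret,id=GH_TOKEN`), which never lands in a layer. The job also grants `packages: write` although it pushes to Docker Hub rather than GHCR, so that permission can be dropped; `contents: read`, `id-token: write` and `attestations: write` are what the checkout and provenance steps need. Finally `type=raw,value=2.1.0` re-publishes the same mutable tag on every push to `main`, so the tag says nothing about which commit produced it; deriving it from the commit (`type=sha`) or a git tag (`type=semver`) would make `subject-name`/`subject-digest` in the attestation meaningful to consumers.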
@@ -0,0 +1,43 @@
+# SPDX-License-Identifier: Apache-2.0
+
+# This GitHub Actions workflow checks that all commits in a pull request (PR) have been verified with GPG signatures.
+
+# Please do not attempt to edit this flow without the direct consent from the DevOps team. This file is managed centrally.
+
+name: GPG Verify
+
+on: [pull_request] # Trigger this workflow on pull request events
+
+jobs:
+ gpg-verify:
+ if: github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]'
+ runs-on: ubuntu-latest # Use the latest Ubuntu runner for the job
+ steps:
+ - uses: actions/checkout@v4 # Checkout the repository code using the actions/checkout action
+ with:
+ fetch-depth: 0 # Fetch all history for all branches to ensure we have the full commit history
+
+ - name: Set up environment variables
+ run: |
+ echo "PR_HEAD_REF=${{ github.event.pull_request.head.ref }}" >> $GITHUB_ENV
+ echo "PR_BASE_REF=${{ github.event.pull_request.base.ref }}" >> $GITHUB_ENV
+ echo "GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}" >> $GITHUB_ENV
+ echo "GITHUB_REPOSITORY=${{ github.repository }}" >> $GITHUB_ENV
+
+ - name: Check GPG verification status # Step to check each commit for GPG signature verification
+ run: |
+ # Get the list of commits in the pull request
+ commits=$(git log --pretty=format:%H origin/${PR_HEAD_REF}..origin/${PR_BASE_REF})
+
+ # Check the GPG verification status of each commit
+ for commit in $commits; do
+ status=$(curl -s -H "Authorization: token $GITHUB_TOKEN" \
+ https://api.github.com/repos/$GITHUB_REPOSITORY/commits/$commit/check-runs \
+ | jq -r '.check_runs[] | select(.name == "GPG verify") | .conclusion')
+
+ # If the GPG verification status is not successful, list the commit and exit with a non-zero status
+ if [[ "$status" != "success" ]]; then
+ echo "GPG signature verification failed for commit $commit."
+ exit 1
+ fi
+ done
diff --git a/.github/workflows/milestone.yml b/.github/workflows/milestone.yml
index 7e53bce..8b5bb6a 100644
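Review bot: `echo "GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}" >> $GITHUB_ENV` places the token in the job-wide environment for every later step, which is more exposure than the one API call needs; set it on the step that uses it (`env:` / `  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}`) and drop it from the `Set up environment variables` step, which is also redundant with the `GITHUB_REPOSITORY` default variable. The check then looks for a check run named `"GPG verify"` on each commit, which does not obviously correspond to anything GitHub itself produces for signature verification; GitHub reports signature status on the commit object (`verification.verified` in the `GET /repos/{owner}/{repo}/commits/{sha}` response), which is presumably what was intended — please confirm against a real run, because a `jq` selection that matches nothing yields an empty `status` and fails every commit. The reversed `git log` range and the `${{ }}` interpolation of the head ref into `run:` are the same issues raised on the dco-check.yml hunk. When `$commits` is empty the loop never executes and the job passes, which combined with the reversed range means it currently cannot fail for the right reason.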
--- a/.github/workflows/milestone.yml +++ b/.github/workflows/milestone.yml @@ -1,7 +1,12 @@ # SPDX-License-Identifier: Apache-2.0 +# This GitHub Actions workflow is designed to close a milestone and trigger a release workflow. + +# Please do not attempt to edit this flow without the direct consent from the DevOps team. This file is managed centrally. + name: Milestone Workflow +# This workflow can be manually triggered with a specified milestone ID. on: workflow_dispatch: inputs: 
@@ -12,37 +17,39 @@ on: jobs: close_milestone: + if: github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]' runs-on: ubuntu-latest steps: + # Step to check out the repository code. - name: Checkout Repository uses: actions/checkout@v2 - - name: Setup Node.js (.npmrc) - uses: actions/setup-node@v3 - with: - node-version: 16.x - registry-url: https://npm.pkg.github.com/ - # Defaults to the user or organization that owns the workflow file - scope: '@tazama-lf' - - - name: Install dependencies - run: npm ci - env: - GH_TOKEN: '${{ secrets.GITHUB_TOKEN }}' - + # Step to set up environment variables required for the script. + - name: Set up environment variables + run: | + # Set the GitHub token for authentication. + echo "ACCESS_TOKEN=${{ secrets.GITHUB_TOKEN }}" >> $GITHUB_ENV + # Set the milestone number based on the workflow input. + echo "MILESTONE_NUMBER=${{ github.event.inputs.milestoneId }}" >> $GITHUB_ENV + # Set the base API URL for GitHub. + echo "API_URL=https://api.github.com" >> $GITHUB_ENV + + # Step to close the specified milestone using GitHub API. - name: Close Milestone run: | - ACCESS_TOKEN="${{ secrets.GITHUB_TOKEN }}" - MILESTONE_NUMBER=${{ github.event.inputs.milestoneId }} - API_URL="https://api.github.com" - + # Use the environment variables set up earlier to make the API call. curl -X PATCH \ -H "Accept: application/vnd.github.v3+json" \ -H "Authorization: Bearer $ACCESS_TOKEN" \ -d '{"state": "closed"}' \ $API_URL/repos/${{ github.repository }}/milestones/$MILESTONE_NUMBER + env: + ACCESS_TOKEN: ${{ secrets.GITHUB_TOKEN }} + MILESTONE_NUMBER: ${{ github.event.inputs.milestoneId }} + API_URL: "https://api.github.com" + # Step to trigger another workflow for releasing, passing the milestone number. - name: Trigger Release Workflow uses: peter-evans/repository-dispatch@v1 with: diff --git a/.github/workflows/njsscan.yml b/.github/workflows/njsscan.yml new file mode 100644 index 0000000..d1bddf2 --- /dev/null 
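Review bot: The new `Set up environment variables` step exports `ACCESS_TOKEN`, `MILESTONE_NUMBER` and `API_URL` through `$GITHUB_ENV`, and the `Close Milestone` step then declares the very same three values in its own `env:` block, so the first step is redundant and only serves to expose `secrets.GITHUB_TOKEN` to every subsequent step, including the third-party `peter-evans/repository-dispatch@v1`; drop the `$GITHUB_ENV` step and keep the step-scoped `env:`. `actions/checkout@v2` is kept here (and in release.yml) while every new workflow in this commit uses `actions/checkout@v4`, and a job that only calls the REST API does not need a checkout at all. `${{ github.repository }}` in the curl URL can likewise come from the `GITHUB_REPOSITORY` default variable so the script contains no expression expansions. The `Trigger Release Workflow` step continues outside the hunk.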
+++ b/.github/workflows/njsscan.yml
@@ -0,0 +1,47 @@
+# SPDX-License-Identifier: Apache-2.0
+
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow integrates njsscan with GitHub's Code Scanning feature
+# nodejsscan is a static security code scanner that finds insecure code patterns in your Node.js applications
+
+# Please do not attempt to edit this flow without the direct consent from the DevOps team. This file is managed centrally.
+
+name: njsscan sarif
+
+on:
+ push:
+ branches: [ "dev", "main" ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ "dev", "main" ]
+ schedule:
+ - cron: '17 17 * * 1'
+
+permissions:
+ contents: read
+
+jobs:
+ njsscan:
+ if: github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]'
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+ runs-on: ubuntu-latest
+ name: njsscan code scanning
+ steps:
+ - name: Checkout the code
+ uses: actions/checkout@v4
+ - name: nodejsscan scan
+ id: njsscan
+ uses: ajinabraham/njsscan-action@d58d8b2f26322cd35a9efb8003baac517f226d81
+ with:
+ args: '. --sarif --output results.sarif || true'
+ - name: Upload njsscan report
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: results.sarif
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index e2113d9..c54ed3c 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
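Review bot: `args: '. --sarif --output results.sarif || true'` relies on the action passing its input through a shell for the `|| true` to act as a fallback, which this file does not establish; if the scanner exits non-zero for a reason other than findings and writes no `results.sarif`, the failure surfaces as an unrelated error from `upload-sarif` instead. A comment on the `args` line stating why the exit code is suppressed (`# njsscan exits non-zero on findings; code scanning decides pass/fail`) would document the intent, and a guard such as `if: hashFiles('results.sarif') != ''` on the upload step would make the missing-report case explicit.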
@@ -1,5 +1,7 @@ # SPDX-License-Identifier: Apache-2.0 +# Please do not attempt to edit this flow without the direct consent from the DevOps team. This file is managed centrally. + name: Release Workflow on: @@ -8,16 +10,19 @@ on: properties: milestone_number: type: string + jobs: release: + if: github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]' runs-on: ubuntu-latest steps: + # Checkout the main branch with all history - name: Checkout Repository uses: actions/checkout@v2 with: ref: main fetch-depth: 0 # Fetch all tags - + # Fetch merged pull request and determine release labels - uses: actions-ecosystem/action-get-merged-pull-request@v1 id: get-merged-pull-request 
@@ -29,41 +34,22 @@ jobs: if: ${{ steps.get-merged-pull-request.outputs.title != null }} with: github_token: ${{ secrets.GITHUB_TOKEN }} - #labels: ${{ steps.get-merged-pull-request.outputs.labels }} - # Get the latest tag in the repositorys + # Get the latest tag in the repository - uses: actions-ecosystem/action-get-latest-tag@v1 id: get-latest-tag if: ${{ steps.release-label.outputs.level != null }} with: semver_only: true - - - name: Setup Node.js (.npmrc) - uses: actions/setup-node@v3 - with: - node-version: 16.x - registry-url: https://npm.pkg.github.com/ - # Defaults to the user or organization that owns the workflow file - scope: '@tazama-lf' - - - name: Install dependencies - run: npm ci - env: - GH_TOKEN: '${{ secrets.GITHUB_TOKEN }}' - - - name: Run Tests - run: npm test - env: - STARTUP_TYPE: 'nats' # Determine the release type (major, minor, patch) based on commit messages - name: Determine Release Type id: determine_release run: | - export PREV_VERSION=$(git describe --abbrev=0 --tags) + PREV_VERSION=$(git describe --abbrev=0 --tags) echo "Previous Version: $PREV_VERSION" - export COMMIT_MESSAGES=$(git log $PREV_VERSION^..HEAD --format=%B) + COMMIT_MESSAGES=$(git log $PREV_VERSION^..HEAD --format=%B) echo "Commit Messages: $COMMIT_MESSAGES" # Determine release type based on commit messages and labels 
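Review bot: This hunk removes the `Run Tests` step from the release job without adding any replacement gate, so a release can now be tagged and published from `main` with no test execution between the merge and the tag; if tests are expected to run in a pull-request workflow instead, a comment saying so (`# Tests are expected to pass in the PR checks; this job assumes main is green`) would record that assumption. `git describe --abbrev=0 --tags` exits non-zero in a repository with no tags, which under the default `bash -e` step shell aborts the step without saying why; an explicit `|| { echo "no release tag found"; exit 1; }` would make the first run on a new repository understandable. The unanchored `grep -q -e "feat:"` matching in `Determine Release Type` is raised on the next hunk. `Determine Release Type` continues past the end of this hunk.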
@@ -71,14 +57,16 @@ jobs: if echo "$COMMIT_MESSAGES" | grep -q -e "BREAKING CHANGE:"; then RELEASE_TYPE="major" + elif echo "$COMMIT_MESSAGES" | grep -q -e "feat!:"; then + RELEASE_TYPE="major" elif echo "$COMMIT_MESSAGES" | grep -q -e "feat:"; then RELEASE_TYPE="minor" elif echo "$COMMIT_MESSAGES" | grep -q -e "feat:" && (echo "$COMMIT_MESSAGES" | grep -q -e "fix:" || echo "$COMMIT_MESSAGES" | grep -q -e "enhancement:" || echo "$COMMIT_MESSAGES" | grep -q -e "docs:" || echo "$COMMIT_MESSAGES" | grep -q -e "refactor:" || echo "$COMMIT_MESSAGES" | grep -q -e "chore:"); then RELEASE_TYPE="minor" - elif echo "$COMMIT_MESSAGES" | grep -q -e "fix:" -e "enhancement:" -e "docs:" -e "refactor:" -e "chore:"; then + elif echo "$COMMIT_MESSAGES" | grep -q -e "fix:" -e "enhancement:" -e "docs:" -e "refactor:" -e "chore:" -e "build:" -e "ci:" -e "perf:" -e "style:" -e "test:" -e "chore(deps):" -e "chore(deps-dev):"; then RELEASE_TYPE="patch" fi - + echo "Release Type: $RELEASE_TYPE" echo "::set-output name=release_type::$RELEASE_TYPE" 
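Review bot: Every branch in this chain tests the concatenated `COMMIT_MESSAGES` text with an unanchored substring match (`grep -q -e "feat!:"`, `-e "feat:"`, the extended `-e "fix:" ... -e "chore(deps-dev):"` list), so a `fix:` commit whose body happens to contain "feat:" bumps minor, and scoped subjects such as `feat(api): ...` match none of the patterns and leave `RELEASE_TYPE` unset; the changelog code later in this file anchors its patterns with `^`, and these should do the same while allowing an optional scope, e.g. `grep -qE '^feat(\([^)]*\))?!:'` for breaking features and `grep -qE '^feat(\([^)]*\))?:'` for features. The pre-existing third `elif` (`feat:` combined with `fix:` etc.) is unreachable because the `feat:` branch above it already matched. What happens when nothing matches is raised on the `Bump Version` hunk that follows.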
@@ -86,32 +74,32 @@ jobs: - name: Bump Version id: bump_version run: | - export PREV_VERSION=$(git describe --abbrev=0 --tags) + PREV_VERSION=$(git describe --abbrev=0 --tags) echo "Previous Version: $PREV_VERSION" - export RELEASE_TYPE=${{ steps.determine_release.outputs.release_type }} + RELEASE_TYPE=${{ steps.determine_release.outputs.release_type }} echo "Release Type: $RELEASE_TYPE" - export VERSION_PARTS=($(echo $PREV_VERSION | tr '.' '\n')) - MAJOR=${VERSION_PARTS[0]} - MINOR=${VERSION_PARTS[1]} - PATCH=${VERSION_PARTS[2]} + # Strip the 'v' from the version if it exists + PREV_VERSION=${PREV_VERSION#v} + + IFS='.' read -r MAJOR MINOR PATCH <<< "$PREV_VERSION" if [[ $RELEASE_TYPE == "major" ]]; then MAJOR=$((MAJOR + 1)) MINOR=0 PATCH=0 elif [[ $RELEASE_TYPE == "minor" ]]; then - MINOR=$((MINOR + 1)) - PATCH=0 + MINOR=$((MINOR + 1)) + PATCH=0 else PATCH=$((PATCH + 1)) fi - NEW_VERSION="$MAJOR.$MINOR.$PATCH" + NEW_VERSION="v$MAJOR.$MINOR.$PATCH" echo "New Version: $NEW_VERSION" echo "::set-output name=new_version::$NEW_VERSION" - + # Get the milestone details - name: Get Milestone Details id: get_milestone @@ -139,9 +127,18 @@ jobs: LABEL_DOCS="docs:" LABEL_REFACTOR="refactor:" LABEL_CHORE="chore:" + LABEL_BUILD="build:" + LABEL_CI="ci:" + LABEL_PERFORMANCE="perf:" + LABEL_STYLE="style:" + LABEL_TEST="test:" LABEL_BREAKING_CHANGE="BREAKING CHANGE:" + LABEL_FEAT_BREAKING="feat!:" + LABEL_DEPS="chore(deps):" + LABEL_DEPS_DEV="chore(deps-dev):" # Get the last release tag LAST_RELEASE_TAG=$(git describe --abbrev=0 --tags) + echo "Last Release Tag: $LAST_RELEASE_TAG" # Get the milestone details from the output of the previous step MILESTONE_TITLE="${{ steps.get_milestone.outputs.milestone_title }}" MILESTONE_DESCRIPTION="${{ steps.get_milestone.outputs.milestone_description }}" 
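Review bot: `IFS='.' read -r MAJOR MINOR PATCH <<< "$PREV_VERSION"` assumes the latest tag is exactly `[v]MAJOR.MINOR.PATCH`; a pre-release or build suffix such as `v1.2.3-rc1` leaves `PATCH=3-rc1` and `$((PATCH + 1))` aborts the step with an arithmetic error, so either strip the suffix first (`PREV_VERSION=${PREV_VERSION%%[-+]*}`) or validate with a regex before splitting. `RELEASE_TYPE=${{ steps.determine_release.outputs.release_type }}` is unquoted, so when the previous step found no matching commit the line degrades to `RELEASE_TYPE=` and the `else` branch silently cuts a patch release; quote it and fail explicitly when it is empty. `NEW_VERSION` now always carries a `v` prefix, so a repository whose existing tags are bare `1.2.3` gets a mixed tag series from here on, which is worth stating in the comment above the strip line. The second hunk on this line only adds label constants and needs nothing.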
@@ -157,12 +154,14 @@ jobs: local section_label="$2" local section_icon="$3" # Get the commit messages with the specified label between the last release and the current release - local commit_messages=$(git log --pretty=format:"- %s (Milestone: %b, Linked Issues: %C(yellow)%H%Creset)" "$LAST_RELEASE_TAG..HEAD" --grep="$section_label" --no-merges --decorate --decorate-refs=refs/issues) + local commit_messages=$(git log --pretty=format:"- %s (Linked Issues: %C(yellow)%H%Creset)" "$LAST_RELEASE_TAG..HEAD" --grep="$section_label" --no-merges --decorate --decorate-refs=refs/issues) # If there are commit messages, append the section to the changelog file if [ -n "$commit_messages" ]; then + # Remove duplicate commit messages + local unique_commit_messages=$(echo "$commit_messages" | awk '!seen[$0]++') echo "### $section_icon $section_title" >> "$CHANGELOG_FILE" echo "" >> "$CHANGELOG_FILE" - echo "$commit_messages" >> "$CHANGELOG_FILE" + echo "$unique_commit_messages" >> "$CHANGELOG_FILE" echo "" >> "$CHANGELOG_FILE" fi } 
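Review bot: `append_section` passes `$section_label` to `git log --grep` as an unanchored pattern while the new `append_non_labeled_commits` in the next hunk anchors its patterns with `^`, so a commit whose body merely mentions `fix:` is listed under Bug Fixes and, because only the subject is anchored there, may also land under Other Changes; anchoring here too (`--grep="^$section_label"`) keeps the two classifications consistent. The `%C(yellow)%H%Creset` placeholders presumably emit no escape sequences when stdout is not a terminal, but they make the format string misleading for a markdown file, and `--decorate --decorate-refs=refs/issues` does nothing unless such refs exist; `--pretty=format:"- %s (%h)"` says what is actually produced. The `awk '!seen[$0]++'` dedupe is fine. The function's opening line is outside the hunk.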
@@ -173,7 +172,33 @@ jobs: append_section "Documentation" "$LABEL_DOCS" "๐Ÿ“š" append_section "Refactorings" "$LABEL_REFACTOR" "๐Ÿ”จ" append_section "Chores" "$LABEL_CHORE" "โš™๏ธ" + append_section "Build" "$LABEL_BUILD" "๐Ÿ—๏ธ" + append_section "CI" "$LABEL_CI" "โš™๏ธ" + append_section "Performance" "$LABEL_PERFORMANCE" "๐Ÿš€" + append_section "Style" "$LABEL_STYLE" "๐Ÿ’…" + append_section "Tests" "$LABEL_TEST" "๐Ÿงช" append_section "Breaking Changes" "$LABEL_BREAKING_CHANGE" "๐Ÿ’ฅ" + append_section "Feature Breaking Changes" "$LABEL_FEAT_BREAKING" "๐Ÿ’ฅ" + append_section "Dependencies" "$LABEL_DEPS" "๐Ÿ“ฆ" + append_section "Dev Dependencies" "$LABEL_DEPS_DEV" "๐Ÿ”ง" + + # Function to append non-labeled commits to the changelog file + append_non_labeled_commits() { + # Get the commit messages that do not match any conventional commit labels between the last release and the current release + local non_labeled_commit_messages=$(git log --pretty=format:"- %s (Linked Issues: %C(yellow)%H%Creset)" "$LAST_RELEASE_TAG..HEAD" --invert-grep --grep="^fix:\|^feat:\|^enhancement:\|^docs:\|^refactor:\|^chore:\|^build:\|^ci:\|^perf:\|^style:\|^test:\|^BREAKING CHANGE:\|^feat!:\|^chore(deps):\|^chore(deps-dev):") + # If there are non-labeled commit messages, append the section to the changelog file + if [ -n "$non_labeled_commit_messages" ]; then + # Remove duplicate commit messages + local unique_commit_messages=$(echo "$non_labeled_commit_messages" | awk '!seen[$0]++') + echo "### ๐Ÿ“ Other Changes" >> "$CHANGELOG_FILE" + echo "" >> "$CHANGELOG_FILE" + echo "$unique_commit_messages" >> "$CHANGELOG_FILE" + echo "" >> "$CHANGELOG_FILE" + fi + } + # Append non-labeled commits to the changelog file + append_non_labeled_commits + echo "::set-output name=changelog_file::$CHANGELOG_FILE" # Read changelog contents into a variable 
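Review bot: The exclusion list in `append_non_labeled_commits` allows no scope, so scoped conventional subjects such as `fix(auth): ...` or `feat(api): ...` are not excluded and end up under Other Changes, and since the `append_section` calls above match `fix:` as a literal substring they are missing from their proper sections too; accept an optional `(scope)` after each type, e.g. `--extended-regexp --grep='^(fix|feat|enhancement|docs|refactor|chore|build|ci|perf|style|test)(\([^)]*\))?!?:'`, and drop the `chore(deps)` alternatives that the scope group then covers. `^BREAKING CHANGE:` as a subject prefix is unusual — conventional commits put it in the footer — so that alternative will rarely match anything and the equivalent `append_section` call above probably produces an empty section. The enclosing `run:` script continues outside the hunk.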
@@ -205,3 +230,38 @@ jobs: body_path: /home/runner/work/changelog.txt draft: false prerelease: false + + - name: Get Latest Release + run: | + echo "LATEST_RELEASE=$(gh release list --limit 1 | awk '{print $1}')" >> $GITHUB_ENV + echo "The latest release tag is $LATEST_RELEASE" + + - name: Send Slack Notification + env: + SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} + run: | + curl -X POST -H 'Content-type: application/json' --data '{ + "blocks": [ + { + "type": "header", + "text": { + "type": "plain_text", + "text": "New Release Alert :tazama:", + "emoji": true + } + }, + { + "type": "section", + "fields": [ + { + "type": "mrkdwn", + "text": "*Github Repository:*\nhttps://github.com/${{ github.repository }}" + }, + { + "type": "mrkdwn", + "text": "*Release:*\n" + } + ] + } + ] + }' ${{ secrets.SLACK_WEBHOOK_URL }} \ No newline at end of file diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml new file mode 100644 index 0000000..1abab3f --- /dev/null +++ b/.github/workflows/sbom.yml 
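Review bot: `Get Latest Release` calls `gh release list` without a `GH_TOKEN` in the step's `env:`, so the CLI presumably runs unauthenticated and fails, and because that failure happens inside a command substitution on an `echo` the step still succeeds with an empty `LATEST_RELEASE`; `awk '{print $1}'` also selects the first word of the title column rather than the tag column, so `gh release list --limit 1 --json tagName --jq '.[0].tagName'` under `env:` / `  GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}` is the unambiguous form. The second `echo` in the same step reads `$LATEST_RELEASE` before the `$GITHUB_ENV` write takes effect (values written there are visible only to later steps), so it always prints an empty tag, and the Slack payload's `*Release:*\n` field never uses the value either — reference `${{ env.LATEST_RELEASE }}` or the `new_version` output already computed. The Slack step exposes the webhook as `$SLACK_WEBHOOK_URL` via `env:` but then interpolates `${{ secrets.SLACK_WEBHOOK_URL }}` into the script anyway; use the variable, as the dockerhub-image-build workflow in this commit does.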
@@ -0,0 +1,44 @@ +# SPDX-License-Identifier: Apache-2.0 + +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow checks out code, builds an image, performs a container image +# scan with Anchore's Syft tool, and uploads the results to the GitHub Dependency +# submission API. + +# For more information on the Anchore sbom-action usage +# and parameters, see https://github.com/anchore/sbom-action. For more +# information about the Anchore SBOM tool, Syft, see +# https://github.com/anchore/syft + +# Please do not attempt to edit this flow without the direct consent from the DevOps team. This file is managed centrally. + +name: Anchore Syft SBOM scan + +on: + push: + branches: [ "main" ] + +permissions: + contents: write + +jobs: + Anchore-Build-Scan: + if: github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]' + permissions: + contents: write # required to upload to the Dependency submission API + runs-on: ubuntu-latest + steps: + - name: Checkout the code + uses: actions/checkout@v4 + - name: Build the Docker image + run: docker build . --file Dockerfile --tag localbuild/testimage:latest + - name: Scan the image and upload dependency results + uses: anchore/sbom-action@bb716408e75840bbb01e839347cd213767269d4a + with: + image: "localbuild/testimage:latest" + artifact-name: image.spdx.json + dependency-snapshot: true From ae95e9ceb00f4c02a107781749cbd9fa1e24fa0d Mon Sep 17 00:00:00 2001 From: github-actions Date: Mon, 2 Dec 2024 15:26:36 +0000 Subject: [PATCH 2/3] ci: sync workflows from central-workflows Signed-off-by: Scott --- .github/workflows/dockerhub-image-build.yml | 2 +- .github/workflows/release.yml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) 
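Review bot: `actions/checkout@v4` is pinned to a mutable tag while `anchore/sbom-action` in the same job is pinned to a full commit SHA; for a workflow that writes to the Dependency submission API, pin both the same way (`actions/checkout@<commit-sha>  # v4`, with the SHA taken from the release you intend to use). The workflow-level `permissions: contents: write` duplicates the job-level grant; since the job block already carries the write permission with its justification, the top-level block can be `contents: read` so any job added later starts with least privilege. A one-line comment on the `docker build` step noting that `localbuild/testimage:latest` is built only for scanning and never pushed would help readers compare this file with `dockerhub-image-build.yml`.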
diff --git a/.github/workflows/dockerhub-image-build.yml b/.github/workflows/dockerhub-image-build.yml index 4ea0d8e..8e226f1 100644 --- a/.github/workflows/dockerhub-image-build.yml +++ b/.github/workflows/dockerhub-image-build.yml @@ -71,7 +71,7 @@ jobs: with: subject-name: docker.io/tazamaorg/${{ env.REPO_NAME }} subject-digest: ${{ steps.push.outputs.digest }} - push-to-registry: true + push-to-registry: false - name: Send Slack Notification env: diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index c54ed3c..3058564 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -213,7 +213,7 @@ jobs: # Attach changelog as an artifact - name: Attach Changelog to Release - uses: actions/upload-artifact@v2 + uses: actions/upload-artifact@v4 with: name: Changelog path: /home/runner/work/changelog.txt @@ -264,4 +264,4 @@ jobs: ] } ] - }' ${{ secrets.SLACK_WEBHOOK_URL }} \ No newline at end of file + }' ${{ secrets.SLACK_WEBHOOK_URL }} From 2a8ce07f59504ea1770add59f9b4acde7ea16b74 Mon Sep 17 00:00:00 2001 From: github-actions Date: Mon, 2 Dec 2024 20:56:52 +0000 Subject: [PATCH 3/3] ci: sync workflows from central-workflows Signed-off-by: Scott --- .github/workflows/dockerhub-image-build.yml | 2 -- .github/workflows/release.yml | 38 ++++++++++----------- 2 files changed, 19 insertions(+), 21 deletions(-) diff --git a/.github/workflows/dockerhub-image-build.yml b/.github/workflows/dockerhub-image-build.yml index 8e226f1..0195ce5 100644 --- a/.github/workflows/dockerhub-image-build.yml +++ b/.github/workflows/dockerhub-image-build.yml @@ -16,8 +16,6 @@ name: Publish Docker image on: push: branches: [ "main" ] - release: - types: [published] jobs: push_to_registry: diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 3058564..05c0a4c 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
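Review bot: Setting `push-to-registry: false` means the build-provenance attestation is no longer attached to the image under `docker.io/tazamaorg/…`, so registry-side verification against the pushed digest stops working and the attestation is retrievable only through GitHub; the hunk gives no reason for the change. If the registry's handling of attached attestations is the motivation, record it next to the line, e.g. `# attestation kept on GitHub only; not attached to the registry image`, so the next central sync does not flip it back. If the reason is something else, the comment should say which verification path image consumers are expected to use instead. The attest step's `uses:` line and the enclosing job are outside the hunk.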
@@ -10,6 +10,7 @@ on: properties: milestone_number: type: string + workflow_dispatch: jobs: release: 
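Review bot: The added `workflow_dispatch:` declares no `inputs`, so on a manual run the `milestone_number` described by the surrounding `properties:` schema is absent; if the release job reads it (the job body is outside the hunk), mirror it as a block `workflow_dispatch:` / `inputs:` / `milestone_number:` with `type: string` and read whichever source is populated. Enabling manual dispatch also lets any account with write access on the repository start a release, so any branch or environment guards the job already has should be checked to cover this trigger as well.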
@@ -41,33 +42,32 @@ jobs: if: ${{ steps.release-label.outputs.level != null }} with: semver_only: true + + - name: Get Last Merged PR + id: get_merged_pr + uses: actions-ecosystem/action-get-merged-pull-request@v1 + with: + github_token: ${{ secrets.GITHUB_TOKEN }} - # Determine the release type (major, minor, patch) based on commit messages - - name: Determine Release Type + # Determine the release type (major, minor, patch) based on Last Merged PR Title + - name: Determine Release Type from PR Title id: determine_release run: | - PREV_VERSION=$(git describe --abbrev=0 --tags) - echo "Previous Version: $PREV_VERSION" - - COMMIT_MESSAGES=$(git log $PREV_VERSION^..HEAD --format=%B) - echo "Commit Messages: $COMMIT_MESSAGES" - - # Determine release type based on commit messages and labels - RELEASE_TYPE="patch" # Default to patch - - if echo "$COMMIT_MESSAGES" | grep -q -e "BREAKING CHANGE:"; then + PR_TITLE="${{ steps.get_merged_pr.outputs.title }}" + echo "PR Title: $PR_TITLE" + + RELEASE_TYPE="patch" # Default release type + if echo "$PR_TITLE" | grep -q "^BREAKING CHANGE:"; then RELEASE_TYPE="major" - elif echo "$COMMIT_MESSAGES" | grep -q -e "feat!:"; then + elif echo "$PR_TITLE" | grep -q "^feat!:"; then RELEASE_TYPE="major" - elif echo "$COMMIT_MESSAGES" | grep -q -e "feat:"; then + elif echo "$PR_TITLE" | grep -q "^feat:"; then RELEASE_TYPE="minor" - elif echo "$COMMIT_MESSAGES" | grep -q -e "feat:" && (echo "$COMMIT_MESSAGES" | grep -q -e "fix:" || echo "$COMMIT_MESSAGES" | grep -q -e "enhancement:" || echo "$COMMIT_MESSAGES" | grep -q -e "docs:" || echo "$COMMIT_MESSAGES" | grep -q -e "refactor:" || echo "$COMMIT_MESSAGES" | grep -q -e "chore:"); then - RELEASE_TYPE="minor" - elif echo "$COMMIT_MESSAGES" | grep -q -e "fix:" -e "enhancement:" -e "docs:" -e "refactor:" -e "chore:" -e "build:" -e "ci:" -e "perf:" -e "style:" -e "test:" -e "chore(deps):" -e "chore(deps-dev):"; then + else RELEASE_TYPE="patch" fi - - echo "Release Type: $RELEASE_TYPE" + + echo 
"Determined Release Type: $RELEASE_TYPE" echo "::set-output name=release_type::$RELEASE_TYPE" # Bump the version based on the determined release type