build(deps): bump k8s.io/apimachinery from 0.34.0-alpha.0 to 0.34.0-alpha.1 #25
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Release | |
| on: | |
| pull_request: | |
| types: [ closed ] | |
| branches: | |
| - main | |
| jobs: | |
| release-tag: | |
| if: ${{ (github.event.pull_request.merged == true) && (contains(github.event.pull_request.labels.*.name, 'release')) }} | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - name: Generate token from GitHub App | |
| id: generate-token | |
| uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0 | |
| with: | |
| app_id: ${{ secrets.APP_PUSH_TAG_ID }} | |
| private_key: ${{ secrets.APP_PUSH_TAG_PRIVATE_KEY }} | |
| - name: Checkout code | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| with: | |
| token: ${{ steps.generate-token.outputs.token }} | |
| fetch-tags: true | |
| fetch-depth: 0 | |
| submodules: recursive | |
| - name: Import GPG key | |
| env: | |
| GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }} | |
| run: | | |
| echo "$GPG_PRIVATE_KEY" | gpg --batch --import | |
| echo "use-agent" >> ~/.gnupg/gpg.conf | |
| echo "pinentry-mode loopback" >> ~/.gnupg/gpg.conf | |
| echo "allow-loopback-pinentry" >> ~/.gnupg/gpg-agent.conf | |
| echo RELOADAGENT | gpg-connect-agent | |
| git config --global user.name "GitHub CI Bot" | |
| git config --global user.email "github-ci[bot]@users.noreply.github.com" | |
| git config --global user.signingkey "${{ secrets.GPG_KEY_ID }}" | |
| git config --global commit.gpgsign true | |
| git config --global tag.gpgSign true | |
| git config --global gpg.program gpg | |
| - name: Ensure initial tag exists | |
| run: | | |
| if [ -z "$(git tag)" ]; then | |
| echo "No tags found. Creating v0.0.0 from main." | |
| git fetch origin main --tags | |
| git tag -a v0.0.0 origin/main -m "Initial tag" --local-user "$(git config user.signingkey)" | |
| git push origin "refs/tags/v0.0.0" | |
| else | |
| echo "Tags already exist. Skipping initial tag creation." | |
| fi | |
| - name: Checkout build (taskfiles) repo | |
| run: | | |
| git clone https://github.com/openkcm/build.git ./hack/common | |
| - name: Install Task | |
| uses: arduino/setup-task@b91d5d2c96a56797b48ac1e0e89220bf64044611 #v2.0.0 | |
| with: | |
| version: 3.x | |
| - name: Set up environment | |
| run: | | |
| echo "repo_name=$(basename "$GITHUB_REPOSITORY")" >> $GITHUB_ENV | |
| echo "version=$(task next-release-version)" >> $GITHUB_ENV | |
| - name: Generate Build Version | |
| uses: hashicorp/actions-generate-metadata@f6f1ca9cededa05d841a58d171064faf3de8ec74 #main | |
| with: | |
| repositoryOwner: ${{ github.repository_owner }} | |
| repository: ${{ github.repository }} | |
| version: ${{ env.version }} | |
| product: ${{ env.repo_name }} | |
| metadataFileName: ${{ github.workspace }}/build_version.json | |
| - name: Print Build Version | |
| run: cat ${{ github.workspace }}/build_version.json | |
| - name: Generate SBOM | |
| run: | | |
| task cyclonedxgomod:app --verbose | |
| - name: Run Trivy sbom vulnerability scanner | |
| uses: aquasecurity/trivy-action@76071ef0d7ec797419534a183b498b4d6366cf37 #v0.31.0 | |
| with: | |
| scan-type: 'sbom' | |
| scan-ref: "${{ env.repo_name }}-sbom.json" | |
| format: 'json' | |
| output: 'trivy-sbom-vuln.json' | |
| - name: Run trivy repository security scanner | |
| uses: aquasecurity/trivy-action@76071ef0d7ec797419534a183b498b4d6366cf37 #v0.31.0 | |
| with: | |
| token-setup-trivy: ${{ steps.generate-token.outputs.token }} | |
| scan-type: repository | |
| format: json | |
| output: trivy-repository-vuln.json | |
| severity: CRITICAL,HIGH,MEDIUM | |
| - name: Run tfsec security scanner | |
| uses: aquasecurity/tfsec-action@b466648d6e39e7c75324f25d83891162a721f2d6 #v1.0.3 | |
| with: | |
| github_token: ${{ steps.generate-token.outputs.token }} | |
| format: json | |
| - name: Build Changelog | |
| id: github_release | |
| uses: mikepenz/release-changelog-builder-action@5fb6e51e44d4aea73f66549f425aa3ed5008109e # v5 | |
| with: | |
| mode: "release" | |
| configurationJson: | | |
| { | |
| "template": "#{{CHANGELOG}}", | |
| "pr_template": "- #{{TITLE}}: ##{{NUMBER}}", | |
| "categories": [ | |
| { | |
| "title": "## Feature", | |
| "labels": ["feat", "feature"] | |
| }, | |
| { | |
| "title": "## Fix", | |
| "labels": ["fix", "bug"] | |
| }, | |
| { | |
| "title": "## Other", | |
| "labels": [] | |
| } | |
| ], | |
| "label_extractor": [ | |
| { | |
| "pattern": "^(build|chore|ci|docs|feat|fix|perf|refactor|revert|style|test){1}(\\([\\w\\-\\.]+\\))?(!)?: ([\\w ])+([\\s\\S]*)", | |
| "on_property": "title", | |
| "target": "$1" | |
| } | |
| ], | |
| "exclude": { | |
| "pattern": "^chore:\s*release", | |
| "labels": "release" | |
| } | |
| } | |
| - name: Create signed tag from main | |
| run: | | |
| git fetch origin main --tags | |
| git tag -a "${{ env.version }}" origin/main -m "Release ${{ env.version }}" --local-user "$(git config user.signingkey)" | |
| git push origin "refs/tags/${{ env.version }}" | |
| env: | |
| GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }} | |
| - name: Create GitHub release | |
| uses: softprops/action-gh-release@72f2c25fcb47643c292f7107632f7a47c1df5cd8 # v2.3.2 | |
| with: | |
| tag_name: ${{ env.version }} | |
| name: Release ${{ env.version }} | |
| body: ${{steps.github_release.outputs.changelog}} | |
| files: | | |
| *sbom.json | |
| *vuln.json | |
| draft: true | |
| prerelease: false | |
| env: | |
| GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }} |