Skip to content

Commit b60cc89

Browse files
authored
refactor release pipeline: TAG_TOKEN, skip-checks gate, go-make bump, dependabot/zizmor/gci cleanup (#53)
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
1 parent b1334ec commit b60cc89

6 files changed

Lines changed: 35 additions & 42 deletions

File tree

.github/dependabot.yml

Lines changed: 0 additions & 25 deletions
Original file line numberDiff line numberDiff line change
@@ -1,13 +1,4 @@
11
# Dependabot configuration
2-
#
3-
# Grouping behavior (see inline comments for details):
4-
# - Minor + patch updates: grouped into a single PR per ecosystem
5-
# - Major version bumps: individual PR per dependency
6-
# - Security updates: individual PR per dependency
7-
#
8-
# Note: "patch" refers to semver version bumps (1.2.3 -> 1.2.4), not security fixes.
9-
# Security updates are identified separately via GitHub's Advisory Database and
10-
# can be any version bump (patch, minor, or major) that fixes a known CVE.
112

123
version: 2
134

@@ -25,14 +16,6 @@ updates:
2516
open-pull-requests-limit: 10
2617
labels:
2718
- "dependencies"
28-
groups:
29-
go-minor-patch:
30-
applies-to: version-updates # security updates get individual PRs
31-
patterns:
32-
- "*"
33-
update-types: # major omitted, gets individual PRs
34-
- "minor"
35-
- "patch"
3619

3720
- package-ecosystem: "github-actions"
3821
directories:
@@ -46,11 +29,3 @@ updates:
4629
open-pull-requests-limit: 10
4730
labels:
4831
- "dependencies"
49-
groups:
50-
actions-minor-patch:
51-
applies-to: version-updates # security updates get individual PRs
52-
patterns:
53-
- "*"
54-
update-types: # major omitted, gets individual PRs
55-
- "minor"
56-
- "patch"

.github/workflows/release.yaml

Lines changed: 17 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -13,6 +13,11 @@ on:
1313
version:
1414
description: tag the latest commit on main with the given version (prefixed with v)
1515
required: true
16+
skip-checks:
17+
description: skip the check-gate (release even if checks haven't passed on main)
18+
type: boolean
19+
default: false
20+
required: false
1621

1722
jobs:
1823
version-available:
@@ -23,7 +28,9 @@ jobs:
2328
version: ${{ github.event.inputs.version }}
2429

2530
check-gate:
31+
if: ${{ !inputs.skip-checks }}
2632
permissions:
33+
contents: read # required for the reusable workflow to check out the repo
2734
checks: read # required for getting the status of specific check names
2835
uses: anchore/workflows/.github/workflows/check-gate.yaml@b0c30a80409130d329aaa356fd64a34d8c0b3375 # v0.7.2
2936
with:
@@ -34,6 +41,14 @@ jobs:
3441

3542
release:
3643
needs: [check-gate, version-available]
44+
# run even when check-gate is skipped, but never when version-available
45+
# failed/was skipped, nor when check-gate failed or was cancelled. note:
46+
# always() disables the implicit success() gate on ALL needs, so the
47+
# version-available requirement must be re-asserted explicitly here.
48+
if: >-
49+
${{ always()
50+
&& needs.version-available.result == 'success'
51+
&& !contains(fromJSON('["failure", "cancelled"]'), needs.check-gate.result) }}
3752
environment: release # contains secrets needed for release
3853
runs-on: ubuntu-24.04
3954
permissions:
@@ -50,6 +65,7 @@ jobs:
5065
- name: Create release
5166
env:
5267
GITHUB_TOKEN: ${{ github.token }}
53-
DEPLOY_KEY: ${{ secrets.DEPLOY_KEY }}
68+
# for pushing tags (does not inherit workflow permissions)
69+
TAG_TOKEN: ${{ secrets.TAG_TOKEN }}
5470
RELEASE_VERSION: ${{ github.event.inputs.version }}
5571
run: make ci-release

.github/zizmor.yml

Lines changed: 1 addition & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1 @@
1-
rules:
2-
unpinned-uses:
3-
ignore:
4-
# Allow unpinned uses of trusted internal anchore/workflows actions
5-
- oss-project-board-add.yaml
6-
- remove-awaiting-response-label.yaml
1+
rules: {}

.golangci.yaml

Lines changed: 8 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -90,8 +90,15 @@ issues:
9090

9191
formatters:
9292
enable:
93+
- gci
9394
- gofmt
94-
- goimports
95+
settings:
96+
gci:
97+
# See https://golangci-lint.run/docs/formatters/configuration/#gci
98+
sections:
99+
- standard # Standard section: captures all standard packages.
100+
- default # Default section: contains all imports that could not be matched to another section type.
101+
- prefix(github.com/anchore)
95102
exclusions:
96103
generated: lax
97104
paths:

.make/go.mod

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -2,11 +2,11 @@ module local
22

33
go 1.25.0
44

5-
require github.com/anchore/go-make v0.4.0
5+
require github.com/anchore/go-make v0.7.0
66

77
require (
88
github.com/bmatcuk/doublestar/v4 v4.10.0 // indirect
99
github.com/goccy/go-yaml v1.19.2 // indirect
10-
golang.org/x/mod v0.35.0 // indirect
11-
golang.org/x/sys v0.44.0 // indirect
10+
golang.org/x/mod v0.37.0 // indirect
11+
golang.org/x/sys v0.46.0 // indirect
1212
)

.make/go.sum

Lines changed: 6 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -1,10 +1,10 @@
1-
github.com/anchore/go-make v0.4.0 h1:poFE4PXcHwvix2E8AhdM7YHZ15bMhZb+W02i3+qrP8M=
2-
github.com/anchore/go-make v0.4.0/go.mod h1:Nc/tkwQHW1d1Vi8+0rtS/vSrH6pxieaUQXLdrctn+8g=
1+
github.com/anchore/go-make v0.7.0 h1:qosSwNWV/SsLFc1pI0DlrCZ2BUSDcGDcSKM6HdlnT6c=
2+
github.com/anchore/go-make v0.7.0/go.mod h1:4M6TnArb5w693VyWsgr5dCWrk2BLNu/ed4JUcsrzS34=
33
github.com/bmatcuk/doublestar/v4 v4.10.0 h1:zU9WiOla1YA122oLM6i4EXvGW62DvKZVxIe6TYWexEs=
44
github.com/bmatcuk/doublestar/v4 v4.10.0/go.mod h1:xBQ8jztBU6kakFMg+8WGxn0c6z1fTSPVIjEY1Wr7jzc=
55
github.com/goccy/go-yaml v1.19.2 h1:PmFC1S6h8ljIz6gMRBopkjP1TVT7xuwrButHID66PoM=
66
github.com/goccy/go-yaml v1.19.2/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA=
7-
golang.org/x/mod v0.35.0 h1:Ww1D637e6Pg+Zb2KrWfHQUnH2dQRLBQyAtpr/haaJeM=
8-
golang.org/x/mod v0.35.0/go.mod h1:+GwiRhIInF8wPm+4AoT6L0FA1QWAad3OMdTRx4tFYlU=
9-
golang.org/x/sys v0.44.0 h1:ildZl3J4uzeKP07r2F++Op7E9B29JRUy+a27EibtBTQ=
10-
golang.org/x/sys v0.44.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
7+
golang.org/x/mod v0.37.0 h1:vF1DjpVEshcIqoEaauuHebaLk1O1forxjxBaVn884JQ=
8+
golang.org/x/mod v0.37.0/go.mod h1:m8S8VeM9r4dzDwjrKO0a1sZP3YjeMamRRlD+fmR2Q/0=
9+
golang.org/x/sys v0.46.0 h1:noSf2Fq6F8DBgS+LysIkx7rIExoNHJsxOAtPp4rthXw=
10+
golang.org/x/sys v0.46.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=

0 commit comments

Comments
 (0)