Skip to content

Commit b78eee5

Browse files
committed
add release workflow and port common patterns
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
1 parent 3f368c4 commit b78eee5

13 files changed

Lines changed: 241 additions & 104 deletions

File tree

.binny.yaml

Lines changed: 9 additions & 43 deletions
Original file line numberDiff line numberDiff line change
@@ -1,64 +1,30 @@
1+
# only pull in version updates that were released more than a week ago (low-pass filter for quickly-retracted releases)
2+
cooldown: 7d
3+
4+
# other binary versions inherited from .binny.yaml file in the anchore/go-make repo (version pinned in .make).
5+
# If you need to override a tool version, please do so by adding an entry here and go-make will
6+
# account for the local definition over the go-make shared definitions.
17
tools:
28
# we want to use a pinned version of binny to manage the toolchain (so binny manages itself!)
39
- name: binny
410
version:
5-
want: v0.10.0
11+
want: v0.13.0
612
method: github-release
713
with:
814
repo: anchore/binny
915

1016
# used to produce SBOMs during release
1117
- name: syft
1218
version:
13-
want: latest
19+
want: v1.42.3
1420
method: github-release
1521
with:
1622
repo: anchore/syft
1723

18-
# used for linting
19-
- name: golangci-lint
20-
version:
21-
want: v2.5.0
22-
method: github-release
23-
with:
24-
repo: golangci/golangci-lint
25-
26-
# used for showing the changelog at release
27-
- name: glow
28-
version:
29-
want: v2.1.1
30-
method: github-release
31-
with:
32-
repo: charmbracelet/glow
33-
34-
# used for organizing imports during static analysis
35-
- name: gosimports
36-
version:
37-
want: v0.3.8
38-
method: github-release
39-
with:
40-
repo: rinchsan/gosimports
41-
4224
# used at release to generate the changelog
4325
- name: chronicle
4426
version:
45-
want: v0.8.0
27+
want: v0.8.3
4628
method: github-release
4729
with:
4830
repo: anchore/chronicle
49-
50-
# used during static analysis for license compliance
51-
- name: bouncer
52-
version:
53-
want: v0.4.0
54-
method: github-release
55-
with:
56-
repo: wagoodman/go-bouncer
57-
58-
# used for triggering a release
59-
- name: gh
60-
version:
61-
want: v2.82.0
62-
method: github-release
63-
with:
64-
repo: cli/cli

.chronicle.yaml

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,5 @@
1+
# no matter the change, stay v0 for now
2+
enforce-v0: true
3+
4+
# since github release pages already have titles that are the tag, we don't need to repeat that in the changelog
5+
title: ""

.github/dependabot.yml

Lines changed: 37 additions & 15 deletions
Original file line numberDiff line numberDiff line change
@@ -1,33 +1,55 @@
1+
# Dependabot configuration
2+
#
3+
# Grouping behavior (see inline comments for details):
4+
# - Minor + patch updates: grouped into a single PR per ecosystem
5+
# - Major version bumps: individual PR per dependency
6+
# - Security updates: individual PR per dependency
7+
#
8+
# Note: "patch" refers to semver version bumps (1.2.3 -> 1.2.4), not security fixes.
9+
# Security updates are identified separately via GitHub's Advisory Database and
10+
# can be any version bump (patch, minor, or major) that fixes a known CVE.
11+
112
version: 2
213

314
updates:
415

516
- package-ecosystem: gomod
6-
directory: "/"
7-
schedule:
8-
interval: "daily"
17+
directories:
18+
- "/"
19+
- "/.make"
920
cooldown:
1021
default-days: 7
11-
open-pull-requests-limit: 10
12-
labels:
13-
- "dependencies"
14-
15-
- package-ecosystem: "github-actions"
16-
directory: "/"
1722
schedule:
18-
interval: "daily"
19-
cooldown:
20-
default-days: 7
23+
interval: "weekly"
24+
day: "friday"
2125
open-pull-requests-limit: 10
2226
labels:
2327
- "dependencies"
28+
groups:
29+
go-minor-patch:
30+
applies-to: version-updates # security updates get individual PRs
31+
patterns:
32+
- "*"
33+
update-types: # major omitted, gets individual PRs
34+
- "minor"
35+
- "patch"
2436

2537
- package-ecosystem: "github-actions"
26-
directory: "/.github/actions/boostrap"
27-
schedule:
28-
interval: "daily"
38+
directories:
39+
- "/"
2940
cooldown:
3041
default-days: 7
42+
schedule:
43+
interval: "weekly"
44+
day: "friday"
3145
open-pull-requests-limit: 10
3246
labels:
3347
- "dependencies"
48+
groups:
49+
actions-minor-patch:
50+
applies-to: version-updates # security updates get individual PRs
51+
patterns:
52+
- "*"
53+
update-types: # major omitted, gets individual PRs
54+
- "minor"
55+
- "patch"

.github/workflows/codeql.yaml

Lines changed: 57 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,57 @@
1+
name: "CodeQL"
2+
3+
on:
4+
push:
5+
branches: [ "main" ]
6+
pull_request:
7+
branches: [ "main" ]
8+
schedule:
9+
- cron: '38 11 * * 3'
10+
11+
jobs:
12+
analyze:
13+
name: Analyze (${{ matrix.language }})
14+
runs-on: ubuntu-latest
15+
permissions:
16+
security-events: write
17+
packages: read
18+
actions: read
19+
contents: read
20+
21+
strategy:
22+
fail-fast: false
23+
matrix:
24+
include:
25+
- language: actions
26+
build-mode: none
27+
28+
- language: go
29+
build-mode: manual
30+
31+
steps:
32+
- name: Checkout repository
33+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
34+
with:
35+
persist-credentials: false
36+
37+
- name: Setup Go
38+
if: matrix.language == 'go'
39+
uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
40+
with:
41+
go-version-file: go.mod
42+
43+
- name: Initialize CodeQL
44+
uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
45+
with:
46+
languages: ${{ matrix.language }}
47+
build-mode: ${{ matrix.build-mode }}
48+
49+
- name: Build (Go)
50+
if: matrix.build-mode == 'manual'
51+
shell: bash
52+
run: go build ./...
53+
54+
- name: Perform CodeQL Analysis
55+
uses: github/codeql-action/analyze@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
56+
with:
57+
category: "/language:${{matrix.language}}"

.github/workflows/release.yaml

Lines changed: 55 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,55 @@
1+
name: "Release"
2+
3+
permissions:
4+
contents: read
5+
6+
# there should never be two releases in progress at the same time
7+
concurrency:
8+
group: release
9+
cancel-in-progress: false
10+
11+
on:
12+
workflow_dispatch:
13+
inputs:
14+
version:
15+
description: tag the latest commit on main with the given version (prefixed with v)
16+
required: true
17+
18+
jobs:
19+
20+
version-available:
21+
uses: anchore/workflows/.github/workflows/check-version-available.yaml@4f25313f96311410cad4173f74617654a3e46d48 # v0.3.0
22+
with:
23+
version: ${{ github.event.inputs.version }}
24+
25+
check-gate:
26+
permissions:
27+
checks: read # required for getting the status of specific check names
28+
uses: anchore/workflows/.github/workflows/check-gate.yaml@4f25313f96311410cad4173f74617654a3e46d48 # v0.3.0
29+
with:
30+
# these are checks that should be run on pull-request and merges to main.
31+
# we do NOT want to kick off a release if these have not been verified on main.
32+
# Please see the validations.yaml workflow for the names that should be used here.
33+
checks: '["Static analysis", "Unit tests"]'
34+
35+
release:
36+
needs: [check-gate, version-available]
37+
environment: release # contains secrets needed for release
38+
runs-on: ubuntu-24.04
39+
permissions:
40+
contents: write # needed for creating github release objects
41+
steps:
42+
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
43+
with:
44+
fetch-depth: 0 # we need the full history to reason about changelogs and tags
45+
persist-credentials: true # needed for pushing a tag
46+
47+
# setup checkout, go, go-make, binny, and cache go modules
48+
- uses: anchore/go-make/.github/actions/setup@383ef7852b8ae43a30f424896b52479186d2ea4d # v0.1.0
49+
50+
- name: Create release
51+
env:
52+
GITHUB_TOKEN: ${{ github.token }}
53+
DEPLOY_KEY: ${{ secrets.DEPLOY_KEY }}
54+
RELEASE_VERSION: ${{ github.event.inputs.version }}
55+
run: make ci-release

.github/workflows/validations.yaml

Lines changed: 11 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,6 @@
11
name: "Validations"
22
on:
3+
workflow_dispatch:
34
push:
45
branches:
56
- main
@@ -11,21 +12,23 @@ permissions:
1112
jobs:
1213

1314
Static-Analysis:
15+
# Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline
1416
name: "Static analysis"
15-
runs-on: ubuntu-22.04
17+
runs-on: ubuntu-24.04
1618
steps:
17-
- name: Bootstrap environment
18-
uses: anchore/go-make/.github/actions/bootstrap@latest
19+
# setup checkout, go, go-make, binny, and cache go modules
20+
- uses: anchore/go-make/.github/actions/setup@383ef7852b8ae43a30f424896b52479186d2ea4d # v0.1.0
1921

20-
- name: Run static analysis
21-
run: make static-analysis
22+
- name: Run static analysis
23+
run: make static-analysis
2224

2325
Unit-Test:
26+
# Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline
2427
name: "Unit tests"
25-
runs-on: ubuntu-22.04
28+
runs-on: ubuntu-24.04
2629
steps:
27-
- name: Bootstrap environment
28-
uses: anchore/go-make/.github/actions/bootstrap@latest
30+
# setup checkout, go, go-make, binny, and cache go modules
31+
- uses: anchore/go-make/.github/actions/setup@383ef7852b8ae43a30f424896b52479186d2ea4d # v0.1.0
2932

3033
- name: Run unit tests
3134
run: make unit

.github/zizmor.yml

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
rules:
22
unpinned-uses:
3-
config:
4-
policies:
5-
# anchore actions are internal; using @main is acceptable
6-
anchore/*: any
3+
ignore:
4+
# Allow unpinned uses of trusted internal anchore/workflows actions
5+
- oss-project-board-add.yaml
6+
- remove-awaiting-response-label.yaml

.gitignore

Lines changed: 37 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -1,15 +1,41 @@
1-
/test/results/
1+
# local development
2+
go.work
3+
go.work.sum
4+
mise.toml
5+
/specs/
6+
7+
# IDEs
8+
.idea/
29
.vscode/
10+
.history/
11+
12+
# tools and aux data
13+
.tool
14+
.tmp
15+
.task
16+
17+
# release info
18+
/CHANGELOG.md
19+
/VERSION
20+
21+
# archives and fixtures
22+
/test/results
23+
/dist
24+
/snapshot
25+
.server/
26+
*.fingerprint
327
*.tar
4-
.idea/
28+
*.jar
29+
*.war
30+
*.ear
31+
*.jpi
32+
*.hpi
33+
*.zip
534
*.log
635
.images
736
.tmp/
8-
*.DS_Store
937
coverage.txt
10-
**/test-fixtures/cache/
11-
**/*.fingerprint
12-
snapshot/
38+
bin/
1339

1440
# Binaries for programs and plugins
1541
*.exe
@@ -23,6 +49,8 @@ snapshot/
2349

2450
# Output of the go coverage tool, specifically when used with LiteIDE
2551
*.out
26-
/.tool/.binny.state.json
27-
/.tool/binny
28-
/.tool/golangci-lint
52+
53+
# macOS Finder metadata
54+
.DS_STORE
55+
56+
*.profile

0 commit comments

Comments
 (0)