Merge pull request #157 from k3rnelpan1c-dev/fix/release-workflow

refactor: split of publish workflow

Author: nscuro

.github/workflows/_meta-build.yaml

@@ -16,6 +16,11 @@ on:
         required: false
         default: "snapshot"
         description: "Set the version that should be set/used as tag for the container image"
+      publish-container:
+        type: boolean
+        required: false
+        default: false
+        description: "Set if the container image gets publish and scan once its build"
     secrets:
       registry-0-usr:
         required: true
@@ -81,7 +86,7 @@ jobs:
 
       - name: Login to Docker.io
         uses: docker/[email protected]
-        if: ${{ github.ref == 'refs/heads/master' }}
+        if: ${{ inputs.publish-container }}
         with:
           registry: docker.io
           username: ${{ secrets.registry-0-usr }}
@@ -105,12 +110,12 @@ jobs:
             APP_VERSION=${{ inputs.app-version }}
             COMMIT_SHA=${{ github.sha }}
           platforms: linux/amd64,linux/arm64
-          push: ${{ github.ref == 'refs/heads/master' }}
+          push: ${{ inputs.publish-container }}
           context: .
           file: docker/Dockerfile.alpine
 
       - name: Run Trivy Vulnerability Scanner
-        if: ${{ github.ref == 'refs/heads/master' }}
+        if: ${{ inputs.publish-container }}
         uses: aquasecurity/[email protected]
         with:
           image-ref: docker.io/dependencytrack/frontend:${{ inputs.app-version }}
@@ -120,7 +125,7 @@ jobs:
           vuln-type: 'os'
 
       - name: Upload Trivy Scan Results to GitHub Security Tab
-        if: ${{ github.ref == 'refs/heads/master' }}
+        if: ${{ inputs.publish-container }}
         uses: github/codeql-action/upload-sarif@v2
         with:
           sarif_file: 'trivy-results.sarif'

.github/workflows/ci-build.yaml

@@ -16,6 +16,7 @@ jobs:
       node-versions: '["14", "16"]'
       node-version-package: '16'
       app-version: 'snapshot'
+      publish-container: ${{ github.ref == 'refs/heads/master' }}
     secrets:
       registry-0-usr: ${{ secrets.HUB_USERNAME }}
       registry-0-psw: ${{ secrets.HUB_ACCESS_TOKEN }}

.github/workflows/ci-publish.yaml

@@ -0,0 +1,85 @@
+name: Publish CI
+
+on:
+  release:
+    types:
+      - released
+  workflow_dispatch:
+
+jobs:
+  read-version:
+    runs-on: ubuntu-latest
+    outputs:
+      version: ${{ steps.parse.outputs.version }}
+    steps:
+      - name: Assert ref type
+        run: |-
+          if [[ "$GITHUB_REF_TYPE" != "tag" ]]; then
+            echo "::error::Publishing is only supported for tags!"
+            exit 1
+          fi
+
+      - name: Checkout Repository
+        uses: actions/[email protected]
+
+      - name: Parse Version from package.json
+        id: parse
+        run: |-
+          VERSION=`jq -r '.version' package.json`
+          echo "::set-output name=version::${VERSION}"
+
+  call-build:
+    needs:
+      - read-version
+    uses: ./.github/workflows/_meta-build.yaml
+    with:
+      app-version: ${{ needs.read-version.outputs.version }}
+      publish-container: true
+    secrets:
+      registry-0-usr: ${{ secrets.HUB_USERNAME }}
+      registry-0-psw: ${{ secrets.HUB_ACCESS_TOKEN }}
+
+  update-github-release:
+    runs-on: ubuntu-latest
+    needs:
+      - read-version
+      - call-build
+    steps:
+      - name: Checkout Repository
+        uses: actions/[email protected]
+
+      - name: Download Artifacts
+        uses: actions/[email protected]
+        with:
+          name: assembled-frontend-node16
+
+      - name: Create Checksums
+        run: |-
+          zip -qr frontend-dist.zip dist/*
+
+          echo "# SHA1" >> checksums.txt
+          sha1sum frontend-dist.zip >> checksums.txt
+          echo "# SHA256" >> checksums.txt
+          sha256sum frontend-dist.zip >> checksums.txt
+          echo "# SHA512" >> checksums.txt
+          sha512sum frontend-dist.zip >> checksums.txt
+
+      - name: Update Release
+        env:
+          # or change it to a custom PAT that should be credited for the release
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |-
+          cat << EOF >> .github/default-release-notes.md
+          \`\`\`text
+          $(cat checksums.txt)
+          \`\`\`
+          EOF
+
+          gh release edit ${{ needs.read-version.outputs.version }} \
+            --notes-file ".github/default-release-notes.md"
+
+          gh release upload ${{ needs.read-version.outputs.version }} \
+            --clobber \
+            frontend-dist.zip \
+            checksums.txt \
+            bom.xml bom.json

.github/workflows/ci-release.yaml

@@ -19,8 +19,6 @@ on:
 jobs:
   prepare-release:
     runs-on: ubuntu-latest
-    outputs:
-      version: ${{ steps.variables.outputs.version }}
     steps:
       - name: Checkout Repository
         uses: actions/[email protected]
@@ -31,82 +29,29 @@ jobs:
           node-version: '16'
           cache: 'npm'
 
-      - name: Setup Environment
-        id: variables
+      - name: Bump version and tag via NodeJS
+        # if you use a bot-user to create the release in the next step
+        # then it might be a solid idea to change the git config values below to the bot-user's name + email
         run: |-
           git config user.name "github-actions[bot]"
           git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
 
           npm version ${{ github.event.inputs.version-to-bump }} -m "prepare-release: set version to %s"
 
-          git push --tags origin "HEAD:refs/heads/master"
-          APP_VERSION=`jq -r '.version' package.json`
-          echo "::set-output name=version::${APP_VERSION}"
-
-  call-build:
-    needs:
-      - prepare-release
-    uses: ./.github/workflows/_meta-build.yaml
-    with:
-      app-version: ${{ needs.prepare-release.outputs.version }}
-    secrets:
-      registry-0-usr: ${{ secrets.HUB_USERNAME }}
-      registry-0-psw: ${{ secrets.HUB_ACCESS_TOKEN }}
-
-  create-release:
-    runs-on: ubuntu-latest
-    needs:
-      - prepare-release
-      - call-build
-
-    env:
-      VERSION: ${{ needs.prepare-release.outputs.version }}
-
-    steps:
-      - name: Checkout Repository
-        uses: actions/[email protected]
-
-      - name: Set up NodeJs
-        uses: actions/[email protected]
-        with:
-          node-version: '16'
-          cache: 'npm'
-
-      - name: Download Artifacts
-        uses: actions/[email protected]
-        with:
-          name: assembled-frontend-node16
-
-      - name: Create Checksums
-        run: |-
-          zip -qr frontend-dist.zip dist/*
-
-          echo "# SHA1" >> checksums.txt
-          sha1sum frontend-dist.zip >> checksums.txt
-          echo "# SHA256" >> checksums.txt
-          sha256sum frontend-dist.zip >> checksums.txt
-          echo "# SHA512" >> checksums.txt
-          sha512sum frontend-dist.zip >> checksums.txt
+          git push origin "HEAD:refs/heads/master"
 
       - name: Create GitHub Release
         env:
+          # or change it to a custom PAT that should be credited for the release
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           GH_OPTS: ""
         run: |-
-          cat << EOF >> .github/default-release-notes.md
-          \`\`\`text
-          $(cat checksums.txt)
-          \`\`\`
-          EOF
+          VERSION=`jq -r '.version' package.json`
 
           if [[ "${{ contains(github.event.inputs.version-to-bump, 'pre') }}" == "true" ]]; then
-            GH_OPTS="--prerelease "
+            GH_OPTS="--prerelease"
           fi
 
-          gh release create "${{ needs.prepare-release.outputs.version }}" \
-            --title "${{ needs.prepare-release.outputs.version }}" \
-            --notes-file ".github/default-release-notes.md" \
-            --generate-notes ${GH_OPTS}\
-            frontend-dist.zip \
-            checksums.txt \
-            bom.xml bom.json
+          gh release create "${VERSION}" ${GH_OPTS} \
+            --title "${VERSION}" \
+            --notes-file ".github/default-release-notes.md"

docker/Dockerfile.alpine

@@ -1,4 +1,4 @@
-FROM nginxinc/nginx-unprivileged:1.21.6-alpine@sha256:c754b5ff17e6cd39e786855ee31d4eeac21276d26119bf37385cbb3dcc3a9d29
+FROM nginxinc/nginx-unprivileged:1.22.0-alpine@sha256:a7f1327503df0b1a4181f84ec1cb93438d701719b3f6e4a9d882494ccae9e8a8
 
 # Arguments that can be passed at build time
 ARG COMMIT_SHA=unknown