ci(pipeline.yml): #275 add github release job in GHA

Author: abhisheksr01

.github/workflows/pipeline.yml

@@ -143,6 +143,8 @@ jobs:
       - dependency-vulnerability-analysis
       - sast-snyk
       - sast-iac-trivy-hadolint
+    outputs:
+      is-dryrun-version-bumped: ${{ steps.step1.outputs.is-dryrun-version-bumped }}
     steps:
       - uses: actions/checkout@v4
         with:
@@ -153,7 +155,7 @@ jobs:
       - id: bump-version
         uses: abhisheksr01/github-actions/[email protected]
         with:
-          dry-run: true
+          dry-run: true # Since we are setting dryrun argument the bump-version will always be available until 'current-version' is pushed as release
       - name: check-bump-version-output
         run: |
           echo "previous-version: ${{ steps.bump-version.outputs.previous-version }}"
@@ -170,6 +172,7 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
       - name: Docker meta
+        if: ${{ steps.bump-version.outputs.is-dryrun-version-bumped == 'true' }}
         id: meta
         uses: docker/metadata-action@v5
         with:
@@ -188,10 +191,39 @@ jobs:
             "org.opencontainers.image.revision": ${{ github.sha }},
             "org.opencontainers.image.licenses": "MIT"
       - name: Build and push
+        if: ${{ steps.bump-version.outputs.is-dryrun-version-bumped == 'true' }}
         uses: docker/build-push-action@v6
         with:
           push: ${{ github.event_name != 'pull_request' && steps.bump-version.outputs.is-dryrun-version-bumped == 'true' }} # Only push on main branch & when version is bumped with dryrun. We will create tags and creates separately after proper testing
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
           sbom: true
           provenance: true
+  create-release:
+    if: ${{ needs.docker-build-push.outputs.is-dryrun-version-bumped  == 'true' }}
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write # to be able to publish a GitHub release
+    needs:
+      - docker-build-push
+    environment:
+      name: approve-release # Manual Approval to decide if we are ready to push tags and release
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          fetch-tags: true
+      - uses: abhisheksr01/github-actions/[email protected] # Publishing the tags
+        id: tag-version
+      - name: Generate changelog
+        run: cog changelog --at v${{ steps.bump-version.outputs.current-version }} -t full_hash > CHANGELOG.md
+      - run: |
+          set -euo pipefail
+          echo "Creating release from tag $tag"
+          gh release create "$tag" \
+              --title="$tag" \
+              --repo="$GITHUB_REPOSITORY" \
+              --notes-file CHANGELOG.md
+        env:
+          tag: v${{ needs.tag-version.outputs.current-version }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

config/trivy/trivy.yaml

@@ -5,7 +5,7 @@ misconfiguration:
     - kubernetes
 
 severity:
-#  - UNKNOWN # Tracking the issue here: https://github.com/abhisheksr01/spring-boot-microservice-best-practices/issues/351
+#  - UNKNOWN # TODO: Remove commented severity . Tracking the issue here: https://github.com/abhisheksr01/spring-boot-microservice-best-practices/issues/351
 #  - LOW
 #  - MEDIUM
 #  - HIGH