chore: update BCR publishing to use workflow (#177)

The GH App is legacy and being deprecated.

Author: alexeagle

.bazelrc

@@ -18,7 +18,7 @@ build --java_runtime_version=remotejdk_11
 
 # Newer versions jdk creates collisions on /tmp
 # See: https://github.com/bazelbuild/bazel/issues/3236
-# https://github.com/GoogleContainerTools/rules_distroless/actions/runs/7118944984/job/19382981899?pr=9#step:8:51
+# https://github.com/bazel-contrib/rules_distroless/actions/runs/7118944984/job/19382981899?pr=9#step:8:51
 common:linux --sandbox_tmpfs_path=/tmp
 
 

.bcr/config.yml

@@ -1,5 +1,5 @@
 {
-  "homepage": "https://github.com/GoogleContainerTools/rules_distroless",
+  "homepage": "https://github.com/bazel-contrib/rules_distroless",
   "maintainers": [
     {
       "email": "[email protected]",
@@ -12,7 +12,7 @@
       "name": "Şahin Yort"
     }
   ],
-  "repository": ["github:GoogleContainerTools/rules_distroless"],
+  "repository": ["github:bazel-contrib/rules_distroless"],
   "versions": [],
   "yanked_versions": {}
 }

.bcr/metadata.template.json

@@ -0,0 +1,36 @@
+# Publish new releases to Bazel Central Registry.
+name: Publish to BCR
+on:
+  # Run the publish workflow after a successful release
+  # Will be triggered from the release.yaml workflow
+  workflow_call:
+    inputs:
+      tag_name:
+        required: true
+        type: string
+    secrets:
+      BCR_PUBLISH_TOKEN:
+        required: true
+  # In case of problems, let release engineers retry by manually dispatching
+  # the workflow from the GitHub UI
+  workflow_dispatch:
+    inputs:
+      tag_name:
+        description: git tag being released
+        required: true
+        type: string
+jobs:
+  publish:
+    uses: bazel-contrib/publish-to-bcr/.github/workflows/[email protected]
+    with:
+      tag_name: ${{ inputs.tag_name }}
+      # GitHub repository which is a fork of the upstream where the Pull Request will be opened.
+      registry_fork: bazel-contrib/bazel-central-registry
+      draft: false
+    permissions:
+      attestations: write
+      contents: write
+      id-token: write
+    secrets:
+      # Necessary to push to the BCR fork, and to open a pull request against a registry
+      publish_token: ${{ secrets.BCR_PUBLISH_TOKEN }}

.github/workflows/publish.yaml

@@ -0,0 +1,34 @@
+# Cut a release whenever a new tag is pushed to the repo.
+name: Release
+on:
+  # Can be triggered from the tag.yaml workflow
+  workflow_call:
+    inputs:
+      tag_name:
+        required: true
+        type: string
+    secrets:
+      BCR_PUBLISH_TOKEN:
+        required: true
+  # Or, developers can manually push a tag from their clone
+  push:
+    tags:
+      - "v*.*.*"
+permissions:
+  id-token: write
+  attestations: write
+  contents: write
+jobs:
+  release:
+    uses: bazel-contrib/.github/.github/workflows/[email protected]
+    with:
+      release_files: rules_distroless-*.tar.gz
+      prerelease: false
+      tag_name: ${{ inputs.tag_name || github.ref_name }}
+  publish:
+    needs: release
+    uses: ./.github/workflows/publish.yaml
+    with:
+      tag_name: ${{ inputs.tag_name || github.ref_name }}
+    secrets:
+      BCR_PUBLISH_TOKEN: ${{ secrets.BCR_PUBLISH_TOKEN }}

.github/workflows/release.yaml

@@ -0,0 +1,45 @@
+# Tag a new release using https://github.com/marketplace/actions/conventional-commits-versioner-action
+#
+# This is easier than having to run manual `git` operations on a local clone.
+# It also runs on a schedule so we don't leave commits unreleased indefinitely
+# (avoiding users having to ping "hey could someone cut a release").
+
+name: Tag a Release
+on:
+  # Allow devs to tag manually through the GitHub UI.
+  # For example after landing a fix that customers are waiting for.
+  workflow_dispatch:
+  # Run twice a month, on the 2nd and 16th at 3PM UTC (8AM PST)
+  # This is a trade-off between making too many releases,
+  # which overwhelms BCR maintainers and over-notifies users,
+  # and releasing too infrequently which delays delivery of bugfixes and features.
+  schedule:
+    - cron: "0 15 2,16 * *"
+jobs:
+  tag:
+    permissions:
+      contents: write # allow create tag
+    runs-on: ubuntu-latest
+    outputs:
+      new-tag: ${{ steps.ccv.outputs.new-tag }}
+      new-tag-version: ${{steps.ccv.outputs.new-tag-version}}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          # Need enough history to find the prior release tag
+          fetch-depth: 0
+      - name: Bump tag if necessary
+        id: ccv
+        uses: smlx/ccv@7318e2f25a52dcd550e75384b84983973251a1f8 # v0.10.0
+  release:
+    needs: tag
+    uses: ./.github/workflows/release.yaml
+    with:
+      tag_name: ${{ needs.tag.outputs.new-tag-version }}
+    secrets:
+      BCR_PUBLISH_TOKEN: ${{ secrets.BCR_PUBLISH_TOKEN }}
+    if: needs.tag.outputs.new-tag == 'true' && needs.tag.outputs.new-tag-version-type != 'major'
+    permissions:
+      id-token: write
+      attestations: write
+      contents: write

.github/workflows/release.yml

@@ -54,7 +54,7 @@ bazel_dep(name = "rules_distroless", version = "0.5.1")
 
 git_override(
     module_name = "rules_distroless",
-    remote = "https://github.com/GoogleContainerTools/rules_distroless.git",
+    remote = "https://github.com/bazel-contrib/rules_distroless.git",
     commit = "a69bc1949d5daf2d1b0906890667d69b0897688b",
 )
 ```
@@ -117,7 +117,7 @@ check the following docs:
 [`archive_override`]: https://bazel.build/versions/6.0.0/rules/lib/globals#archive_override
 [`local_path_override`]: https://bazel.build/versions/6.0.0/rules/lib/globals#local_path_override
 [Bzlmod migration guide]: https://bazel.build/external/migration
-[`rules_distroless` Github releases page]: https://github.com/GoogleContainerTools/rules_distroless/releases
+[`rules_distroless` Github releases page]: https://github.com/bazel-contrib/rules_distroless/releases
 [Update on the future stability of source code archives and hashes]: https://github.blog/2023-02-21-update-on-the-future-stability-of-source-code-archives-and-hashes
-[Google's `distroless` container images]: https://github.com/GoogleContainerTools/distroless
+[Google's `distroless` container images]: https://github.com/bazel-contrib/distroless
 [Arize AI]: https://www.arize.com

.github/workflows/tag.yaml

@@ -2,7 +2,7 @@
 
 ## Reporting a Vulnerability
 
-If it is not security critical, please open an [issue](https://github.com/GoogleContainerTools/rules_distroless/issues)
+If it is not security critical, please open an [issue](https://github.com/bazel-contrib/rules_distroless/issues)
 
 If it could be potentially exploited, or you are unsure if it can,
 please report privately via github [(instructions)](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability)

README.md

@@ -58,7 +58,7 @@ def _resolve_package(state, name, version, arch):
 
                 # Since versions are ordered by hight to low, the first satisfied version will be
                 # the highest version and rules_distroless ignores Priority field so it's safe.
-                # TODO: rethink this `break` with https://github.com/GoogleContainerTools/rules_distroless/issues/34
+                # TODO: rethink this `break` with https://github.com/bazel-contrib/rules_distroless/issues/34
                 break
     elif len(versions) > 0:
         # First element in the versions list is the latest version.