jetstack
diff --git a/‎.github/workflows/build-test.yaml‎
Lines changed: 50 additions & 8 deletions b/‎.github/workflows/build-test.yaml‎
Lines changed: 50 additions & 8 deletions
diff --git a/‎.github/workflows/coverage-badge.yaml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/coverage-badge.yaml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/helm-docs.yaml‎
Lines changed: 2 additions & 2 deletions b/‎.github/workflows/helm-docs.yaml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎.github/workflows/helm-test.yaml‎
Lines changed: 19 additions & 9 deletions b/‎.github/workflows/helm-test.yaml‎
Lines changed: 19 additions & 9 deletions
diff --git a/‎.github/workflows/release-tagger.yaml‎
Lines changed: 23 additions & 0 deletions b/‎.github/workflows/release-tagger.yaml‎
Lines changed: 23 additions & 0 deletions
@@ -19,21 +19,50 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
       - name: Setup Golang
         uses: actions/setup-go@v5
         with:
           go-version-file: go.mod
+
       - name: Run golangci-lint
-        uses: golangci/golangci-lint-action@2226d7cb06a077cd73e56eedd38eecad18e5d837 # v6.5.0
+        uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8.0.0
         with:
-          version: v1.54
-          args: --timeout 10m --exclude SA5011 --verbose --issues-exit-code=0
+          version: v2.1.0
+          args: --timeout 10m --verbose --issues-exit-code=0
           only-new-issues: true
 
+  code-scan:
+    name: Code Scan
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Run Trivy vulnerability scanner in repo mode
+        uses: aquasecurity/[email protected]
+        continue-on-error: true
+        with:
+          scan-type: "fs"
+          ignore-unfixed: true
+          exit-code: "1"
+          format: "sarif"
+          output: "trivy-results.sarif"
+          severity: "CRITICAL,HIGH,MEDIUM"
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: "trivy-results.sarif"
+
   govulncheck:
     runs-on: ubuntu-latest
     name: Run govulncheck
     steps:
+      # We only need to checkout as govuln does the go setup...
+      - name: Checkout code
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
       - id: govulncheck
         uses: golang/govulncheck-action@v1
         with:
@@ -45,8 +74,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4 # v3.5.3
-      - name: Setup Go
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+      - name: Setup Golang
         uses: actions/setup-go@v5
         with:
           go-version-file: go.mod
@@ -88,31 +118,43 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
         with:
           platforms: ${{ matrix.platform }}
+          driver: docker-container
+          use: true
 
       - name: Build Images
         uses: docker/build-push-action@v6
         with:
           context: .
           platforms: ${{ matrix.platform }}
-          load: true
           push: false
           tags: quay.io/jetstack/version-checker:${{github.sha}}
           cache-from: type=gha
           cache-to: type=gha,mode=max
+          # https://github.com/docker/buildx/issues/1714
+          # Whilst trivy says it supports .tar etc, it wouldn't work in gha or locally on my machine.
+          outputs: |-
+            type=oci,tar=false,compression=uncompressed,dest=./.oci-image
+          attests: |-
+            type=sbom
+            type=provenance,mode=max
 
       - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@0.29.0
+        uses: aquasecurity/trivy-action@0.31.0
         with:
-          image-ref: "quay.io/jetstack/version-checker:${{github.sha}}"
+          input: ./.oci-image
           format: "table"
           exit-code: "1"
           ignore-unfixed: true
           vuln-type: "os,library"
           severity: "CRITICAL,HIGH"
+
+      - name: "Cleanup OCI Image from FS"
+        run: rm -rf ./.oci-image
@@ -29,7 +29,7 @@ jobs:
           go tool cover -func=coverage.out -o=coverage.out
 
       - name: Go Coverage Badge  # Pass the `coverage.out` output to this action
-        uses: tj-actions/coverage-badge-go@v2
+        uses: tj-actions/coverage-badge-go@v3
         with:
           filename: coverage.out
 
 
@@ -4,8 +4,8 @@ on:
   workflow_call:
   push:
     paths:
-      - '!*.md'
-      - 'deploy/charts/version-checker/**'
+      - "!*.md"
+      - "deploy/charts/version-checker/**"
     branches:
       - main
 
 
@@ -2,10 +2,10 @@ name: Test Helm Chart
 on:
   pull_request:
     paths:
-      - '!*.md'
-      - 'deploy/charts/version-checker/**'
+      - "!*.md"
+      - "deploy/charts/version-checker/**"
     branches:
-      - 'main'
+      - "main"
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -14,14 +14,19 @@ concurrency:
 jobs:
   lint:
     permissions:
-      contents: read  # for actions/checkout to fetch code
-      pull-requests: read  # for golangci/golangci-lint-action to fetch pull requests
+      contents: read # for actions/checkout to fetch code
+      pull-requests: read # for golangci/golangci-lint-action to fetch pull requests
     name: Lint Helm Chart
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
+      - name: Setup Golang
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+
       - uses: azure/setup-helm@v4
 
       - run: helm lint deploy/charts/version-checker
@@ -33,9 +38,12 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
-      - uses: azure/setup-helm@v4
+      - name: Setup Golang
+        uses: actions/setup-go@v5
         with:
-          token: ${{ github.token }}
+          go-version-file: go.mod
+
+      - uses: azure/setup-helm@v4
 
       - name: Install helm Plugins
         run: |
@@ -57,7 +65,9 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
       - name: Install Kyverno CLI
         uses: kyverno/[email protected]
-      - uses: azure/setup-helm@v4
-      - run: kyverno apply -p https://github.com/kyverno/policies/pod-security/restricted --git-branch main --resource <(helm template deploy/charts/version-checker/)
+
+      - run: |-
+          kyverno apply -p https://github.com/kyverno/policies/pod-security/restricted --git-branch main --resource <(helm template deploy/charts/version-checker/)
@@ -0,0 +1,23 @@
+name: Tag Release
+on:
+  pull_request:
+    types: [closed]
+
+jobs:
+  TagRelease:
+    permissions:
+      contents: write
+    name: Create Release Tag
+    runs-on: ubuntu-22.04
+    if: github.event.pull_request.merged == true && startsWith( github.event.pull_request.head.ref, 'release-' )
+    steps:
+      - uses: bhowell2/[email protected]
+        id: release_number
+        with:
+          value: ${{ github.event.pull_request.head.ref }}
+          index_of_str: "release-"
+      - name: Create Tag
+        uses: tvdias/[email protected]
+        with:
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+          tag: ${{ steps.release_number.outputs.substring }}