don't run an interactive terminal

Author: pdabelf5

.github/workflows/release.yml

@@ -0,0 +1,199 @@
+name: Release NGINX Prometheus Exporter
+
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: 'Release version (e.g. 1.0.0)'
+        required: true
+      dry_run:
+        description: 'Dry run'
+        required: false
+        default: false
+        type: boolean
+
+env:
+  DOCKER_PLATFORMS: "linux/arm/v5,linux/arm/v6,linux/arm/v7,linux/arm64,linux/amd64,linux/ppc64le,linux/s390x,linux/mips64le,linux/386,linux/riscv64"
+
+concurrency:
+  group: ${{ github.ref_name }}-release
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+jobs:
+  variables:
+    name: Setup variables
+    runs-on: ubuntu-24.04
+    outputs:
+      tag: ${{ steps.vars.outputs.tag }}
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+      - name: Set up Go
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+        with:
+          go-version: stable
+
+      - name: Get version
+        id: vars
+        run: echo "tag=${{ github.event.inputs.version }}" >> $GITHUB_OUTPUT
+
+  build-docker:
+    name: Build Docker Image
+    runs-on: ubuntu-24.04-amd64
+    permissions:
+      contents: write # for lucacome/draft-release to create/update release draft
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      id-token: write # for OIDC login to AWS ECR and goreleaser/goreleaser-action to sign artifacts
+      packages: write # for docker/build-push-action to push to GHCR
+      issues: write # for goreleaser/goreleaser-action to close milestones
+    services:
+      registry:
+        image: registry:3
+        ports:
+          - 5000:5000
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          fetch-depth: 0
+
+      - name: Setup Golang Environment
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+        with:
+          go-version: stable
+
+      - name: Setup QEMU
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
+
+      - name: Docker Buildx
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+        with:
+          version: latest
+          driver-opts: network=host
+
+      - name: DockerHub Login
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8 # v5.1.0
+        with:
+          aws-region: us-east-1
+          role-to-assume: ${{ secrets.AWS_ROLE_PUBLIC_ECR }}
+
+      - name: Login to Public ECR
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        with:
+          registry: public.ecr.aws
+
+      - name: Login to Quay.io
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        with:
+          registry: quay.io
+          username: ${{ secrets.QUAY_USERNAME }}
+          password: ${{ secrets.QUAY_ROBOT_TOKEN }}
+
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
+        with:
+          images: |
+            name=nginx/nginx-prometheus-exporter,enable=true
+            name=ghcr.io/nginx/nginx-prometheus-exporter,enable=true
+            name=public.ecr.aws/nginx/nginx-prometheus-exporter,enable=true
+            name=quay.io/nginx/nginx-prometheus-exporter,enable=true
+            name=localhost:5000/nginx/nginx-prometheus-exporter
+          tags: |
+            type=raw,value=${{ github.event.inputs.version }}
+          labels: |
+            org.opencontainers.image.vendor=NGINX Inc <[email protected]>
+        env:
+          DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index
+
+      - name: Create/Update Draft
+        uses: lucacome/draft-release@fd099feb33710d1fa27b915a08a7acd6a1fb7fd2 # v2.0.0
+        with:
+          minor-label: "enhancement"
+          major-label: "change"
+          publish: ${{ !github.event.inputs.dry_run }}
+          collapse-after: 30
+          notes-footer: |
+            ## Upgrade
+
+            - Use the {{version}} image from our [DockerHub](https://hub.docker.com/r/nginx/nginx-prometheus-exporter/tags?page=1&ordering=last_updated&name={{version-number}}), [GitHub Container](https://github.com/nginx/nginx-prometheus-exporter/pkgs/container/nginx-prometheus-exporter), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-prometheus-exporter) or [Quay.io](https://quay.io/repository/nginx/nginx-prometheus-exporter/tag/{{version-number}}?tab=tags).
+            - Download the latest binaries from the [GitHub releases page](https://github.com/nginx/nginx-prometheus-exporter/releases/tag/{{version}}).
+            - Update to the latest version with `brew upgrade nginx-prometheus-exporter` or `scoop update nginx-prometheus-exporter`.
+
+            ## Compatibility
+
+            - NGINX 0.1.18 or newer.
+            - NGINX Plus R19 or newer.
+
+      - name: Download Syft
+        uses: anchore/sbom-action/download-syft@f8bdd1d8ac5e901a77a92f111440fdb1b593736b # v0.20.6
+
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3.10.0
+
+      - name: Install Nix
+        uses: cachix/install-nix-action@9280e7aca88deada44c930f1e2c78e21c3ae3edd # v31
+        with:
+          github_access_token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
+        with:
+          version: v2.12.5 # renovate: datasource=github-tags depName=goreleaser/goreleaser
+          args: ${{ github.event.inputs.dry_run && 'build --snapshot' || 'release' }} --clean
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          NGINX_GITHUB_TOKEN: ${{ secrets.NGINX_PAT }}
+
+      - name: Print NGINX Prometheus Exporter info
+        run: ./dist/nginx-prometheus-exporter_linux_amd64_v1/nginx-prometheus-exporter --version
+        continue-on-error: false
+
+      - name: Build and Push Docker Image
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        with:
+          file: build/Dockerfile
+          context: "."
+          target: goreleaser
+          platforms: ${{ env.DOCKER_PLATFORMS }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          annotations: ${{ steps.meta.outputs.annotations }}
+          push: ${{ !github.event.inputs.dry_run }}
+          cache-from: type=gha,scope=exporter
+          cache-to: type=gha,scope=exporter,mode=max
+          no-cache: true
+          provenance: mode=max
+          sbom: true
+
+      - name: Scan image
+        uses: anchore/scan-action@1638637db639e0ade3258b51db49a9a137574c3e # v6.5.1
+        id: scan
+        continue-on-error: true
+        with:
+          image: localhost:5000/nginx/nginx-prometheus-exporter:${{ steps.meta.outputs.version }}
+          only-fixed: true
+          add-cpes-if-none: true
+
+      - name: Upload scan result to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@64d10c13136e1c5bce3e5fbde8d4906eeaafc885 # v3.30.6
+        continue-on-error: true
+        with:
+          sarif_file: ${{ steps.scan.outputs.sarif }}