From 506ad5d6a726028536c7b07f0c344106aedfd77a Mon Sep 17 00:00:00 2001
From: Alex Goodman
Date: Mon, 22 Jun 2026 14:04:48 -0400
Subject: [PATCH] refactor release pipeline: TAG_TOKEN, skip-checks gate, dependabot/zizmor cleanup (#5003)
Signed-off-by: Alex Goodman
---
 .github/dependabot.yml | 25 -------------------------
 .github/workflows/release.yaml | 20 ++++++++++++++++----
 .github/zizmor.yml | 5 -----
 3 files changed, 16 insertions(+), 34 deletions(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index c7097b2b8..d52390045 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,13 +1,4 @@
 # Dependabot configuration
-#
-# Grouping behavior (see inline comments for details):
-# - Minor + patch updates: grouped into a single PR per ecosystem
-# - Major version bumps: individual PR per dependency
-# - Security updates: individual PR per dependency
-#
-# Note: "patch" refers to semver version bumps (1.2.3 -> 1.2.4), not security fixes.
-# Security updates are identified separately via GitHub's Advisory Database and
-# can be any version bump (patch, minor, or major) that fixes a known CVE.
 
 version: 2
 
@@ -30,14 +21,6 @@ updates:
 - dependency-name: "github.com/aquasecurity/go-version"
 - dependency-name: "github.com/knqyf263/go-apk-version"
 - dependency-name: "github.com/knqyf263/go-deb-version"
- groups:
- go-minor-patch:
- applies-to: version-updates # security updates get individual PRs
- patterns:
- - "*"
- update-types: # major omitted, gets individual PRs
- - "minor"
- - "patch"
 
 - package-ecosystem: "github-actions"
 directories:
@@ -51,11 +34,3 @@ updates:
 open-pull-requests-limit: 10
 labels:
 - "dependencies"
- groups:
- actions-minor-patch:
- applies-to: version-updates # security updates get individual PRs
- patterns:
- - "*"
- update-types: # major omitted, gets individual PRs
- - "minor"
- - "patch"
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index f3387ce97..b282397d4 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -21,6 +21,11 @@ on:
 options:
 - "all"
 - "install-script-only"
+ skip-checks:
+ description: skip the check-gate (release even if checks haven't passed on main)
+ type: boolean
+ default: false
+ required: false
 
 jobs:
 version-available:
@@ -32,7 +37,7 @@ jobs:
 version: ${{ github.event.inputs.version }}
 
 check-gate:
- if: ${{ github.event.inputs.phase == 'all' }}
+ if: ${{ github.event.inputs.phase == 'all' && !inputs.skip-checks }}
 permissions:
 contents: read
 checks: read # required for getting the status of specific check names
@@ -45,7 +50,14 @@ jobs:
 
 release:
 needs: [check-gate, version-available]
- if: ${{ github.event.inputs.phase == 'all' }}
+ # run even when check-gate is skipped, but never when version-available
+ # failed/was skipped, nor when check-gate failed or was cancelled. note:
+ # always() disables the implicit success() gate on ALL needs, so the
+ # version-available requirement must be re-asserted explicitly here.
+ if: >-
+ ${{ always()
+ && needs.version-available.result == 'success'
+ && !contains(fromJSON('["failure", "cancelled"]'), needs.check-gate.result) }}
 environment: release
 # runs-on.com: compute instances for parallel builds
 # spot disabled: reliability for build workflows (used for releases too)
@@ -82,8 +94,8 @@ jobs:
 - name: Build & publish release artifacts
 run: make ci-release
 env:
- # used for pushing tags
- DEPLOY_KEY: ${{ secrets.DEPLOY_KEY }}
+ # for pushing tags (does not inherit workflow permissions)
+ TAG_TOKEN: ${{ secrets.TAG_TOKEN }}
 RELEASE_VERSION: ${{ github.event.inputs.version }}
 # for mac signing and notarization...
 QUILL_SIGN_P12: ${{ secrets.ANCHORE_APPLE_DEVELOPER_ID_CERT_CHAIN }}
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
index 9002617dd..ee5ca02ba 100644
--- a/.github/zizmor.yml
+++ b/.github/zizmor.yml
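Review bot: The new `skip-checks` input gives any user who can dispatch this workflow a one-click bypass of the check gate, and nothing in the hunk documents what still stands between that bypass and a published release. The release job later in this file runs under `environment: release`, but whether that environment enforces required reviewers or deployment branches is not visible here, so the input should say so rather than leave it implicit. I would add above `skip-checks:` the comment `# NOTE: bypasses the check-gate entirely; the 'release' environment's protection rules are then the only approval step, and the bypass is recorded only in this run's inputs`. The `on:` block this input belongs to starts before the hunk.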
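Review bot: The new `check-gate` condition mixes two contexts on one line: `github.event.inputs.phase` and `inputs.skip-checks`. That happens to be correct here, because `github.event.inputs.*` is always string-typed and `!github.event.inputs.skip-checks` would treat the string 'false' as truthy, whereas the `inputs` context preserves the declared boolean, but the next edit is likely to copy the wrong form. I would use the typed context for both and leave a warning: `# use the typed 'inputs' context, not github.event.inputs (strings only; 'false' is truthy)` followed by `if: ${{ inputs.phase == 'all' && !inputs.skip-checks }}`.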
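Review bot: The rewritten `release` condition uses `always()`, which makes the job evaluate even when the whole run has been cancelled; the explicit `needs.version-available.result == 'success'` clause is what actually prevents a release in that case, so the guard is carrying more weight than the comment above it states. GitHub's documented replacement for `always()` in an `if:` is `!cancelled()`, which expresses the intent directly and keeps the cancellation behaviour independent of the other clauses. I would change the first expression line to `${{ !cancelled()` and adjust the comment to `# !cancelled() (not always()) drops the implicit success() gate on needs without running after a run cancellation`, keeping the `contains(fromJSON(...))` clause as written. The rest of the `release` job continues outside the hunk.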
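Review bot: The comment on the new `TAG_TOKEN` env line, "does not inherit workflow permissions", says what the credential is not but not what it should be, and that is the property a reviewer needs when the SSH deploy key is swapped for a token. Because `TAG_TOKEN` is read from `secrets` inside a job that runs under `environment: release`, it should be stored as an environment secret so it is only exposed to runs that pass that environment's rules, and scoped to `contents: write` on this repository alone; whether either is true is not visible in this diff. One caveat worth recording: unlike pushes made with `GITHUB_TOKEN`, a tag pushed with a personal or app token will trigger any workflows listening on tag pushes, so `make ci-release` (defined outside this hunk) should push the tag only after the artifacts it depends on are built. I would replace the comment with `# PAT/app token used by ci-release to push the release tag; store as a 'release' environment secret scoped to contents:write on this repo only — GITHUB_TOKEN permissions do not apply to it, and its tag push WILL trigger downstream workflows`.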
@@ -1,9 +1,4 @@
 rules:
- unpinned-uses:
- config:
- policies:
- # anchore/workflows is an internal repository; using @main is acceptable
- anchore/*: any
 dangerous-triggers:
 ignore:
 # Safe use of pull_request_target - only runs trusted scripts from base repo,
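Review bot: Dropping the `anchore/*: any` policy from `unpinned-uses` means zizmor will now flag every `uses: anchore/...@main` reference in the workflows, which is the right direction, since a mutable branch ref on a cross-repository action is a supply-chain trust boundary regardless of who owns the repository, but this hunk does not show those references being pinned. Unless the corresponding `uses:` lines were changed to commit SHAs in the same change (not visible here), the zizmor run will start failing rather than getting safer. I would leave a one-line record of the decision under `rules:` so the exemption is not quietly re-added: `# unpinned-uses: no exemptions — every action, including anchore/*, must be pinned to a full commit SHA`.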