mirror of
https://github.com/anchore/syft.git
synced 2026-07-05 02:28:25 +02:00
refactor release pipeline: TAG_TOKEN, skip-checks gate, dependabot/zizmor cleanup (#5003)
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
This commit is contained in:
parent
1f4f9332c5
commit
506ad5d6a7
25
.github/dependabot.yml
vendored
25
.github/dependabot.yml
vendored
@ -1,13 +1,4 @@
|
|||||||
# Dependabot configuration
|
# Dependabot configuration
|
||||||
#
|
|
||||||
# Grouping behavior (see inline comments for details):
|
|
||||||
# - Minor + patch updates: grouped into a single PR per ecosystem
|
|
||||||
# - Major version bumps: individual PR per dependency
|
|
||||||
# - Security updates: individual PR per dependency
|
|
||||||
#
|
|
||||||
# Note: "patch" refers to semver version bumps (1.2.3 -> 1.2.4), not security fixes.
|
|
||||||
# Security updates are identified separately via GitHub's Advisory Database and
|
|
||||||
# can be any version bump (patch, minor, or major) that fixes a known CVE.
|
|
||||||
|
|
||||||
version: 2
|
version: 2
|
||||||
|
|
||||||
@ -30,14 +21,6 @@ updates:
|
|||||||
- dependency-name: "github.com/aquasecurity/go-version"
|
- dependency-name: "github.com/aquasecurity/go-version"
|
||||||
- dependency-name: "github.com/knqyf263/go-apk-version"
|
- dependency-name: "github.com/knqyf263/go-apk-version"
|
||||||
- dependency-name: "github.com/knqyf263/go-deb-version"
|
- dependency-name: "github.com/knqyf263/go-deb-version"
|
||||||
groups:
|
|
||||||
go-minor-patch:
|
|
||||||
applies-to: version-updates # security updates get individual PRs
|
|
||||||
patterns:
|
|
||||||
- "*"
|
|
||||||
update-types: # major omitted, gets individual PRs
|
|
||||||
- "minor"
|
|
||||||
- "patch"
|
|
||||||
|
|
||||||
- package-ecosystem: "github-actions"
|
- package-ecosystem: "github-actions"
|
||||||
directories:
|
directories:
|
||||||
@ -51,11 +34,3 @@ updates:
|
|||||||
open-pull-requests-limit: 10
|
open-pull-requests-limit: 10
|
||||||
labels:
|
labels:
|
||||||
- "dependencies"
|
- "dependencies"
|
||||||
groups:
|
|
||||||
actions-minor-patch:
|
|
||||||
applies-to: version-updates # security updates get individual PRs
|
|
||||||
patterns:
|
|
||||||
- "*"
|
|
||||||
update-types: # major omitted, gets individual PRs
|
|
||||||
- "minor"
|
|
||||||
- "patch"
|
|
||||||
|
|||||||
20
.github/workflows/release.yaml
vendored
20
.github/workflows/release.yaml
vendored
@ -21,6 +21,11 @@ on:
|
|||||||
options:
|
options:
|
||||||
- "all"
|
- "all"
|
||||||
- "install-script-only"
|
- "install-script-only"
|
||||||
|
skip-checks:
|
||||||
|
description: skip the check-gate (release even if checks haven't passed on main)
|
||||||
|
type: boolean
|
||||||
|
default: false
|
||||||
|
required: false
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
version-available:
|
version-available:
|
||||||
@ -32,7 +37,7 @@ jobs:
|
|||||||
version: ${{ github.event.inputs.version }}
|
version: ${{ github.event.inputs.version }}
|
||||||
|
|
||||||
check-gate:
|
check-gate:
|
||||||
if: ${{ github.event.inputs.phase == 'all' }}
|
if: ${{ github.event.inputs.phase == 'all' && !inputs.skip-checks }}
|
||||||
permissions:
|
permissions:
|
||||||
contents: read
|
contents: read
|
||||||
checks: read # required for getting the status of specific check names
|
checks: read # required for getting the status of specific check names
|
||||||
@ -45,7 +50,14 @@ jobs:
|
|||||||
|
|
||||||
release:
|
release:
|
||||||
needs: [check-gate, version-available]
|
needs: [check-gate, version-available]
|
||||||
if: ${{ github.event.inputs.phase == 'all' }}
|
# run even when check-gate is skipped, but never when version-available
|
||||||
|
# failed/was skipped, nor when check-gate failed or was cancelled. note:
|
||||||
|
# always() disables the implicit success() gate on ALL needs, so the
|
||||||
|
# version-available requirement must be re-asserted explicitly here.
|
||||||
|
if: >-
|
||||||
|
${{ always()
|
||||||
|
&& needs.version-available.result == 'success'
|
||||||
|
&& !contains(fromJSON('["failure", "cancelled"]'), needs.check-gate.result) }}
|
||||||
environment: release
|
environment: release
|
||||||
# runs-on.com: compute instances for parallel builds
|
# runs-on.com: compute instances for parallel builds
|
||||||
# spot disabled: reliability for build workflows (used for releases too)
|
# spot disabled: reliability for build workflows (used for releases too)
|
||||||
@ -82,8 +94,8 @@ jobs:
|
|||||||
- name: Build & publish release artifacts
|
- name: Build & publish release artifacts
|
||||||
run: make ci-release
|
run: make ci-release
|
||||||
env:
|
env:
|
||||||
# used for pushing tags
|
# for pushing tags (does not inherit workflow permissions)
|
||||||
DEPLOY_KEY: ${{ secrets.DEPLOY_KEY }}
|
TAG_TOKEN: ${{ secrets.TAG_TOKEN }}
|
||||||
RELEASE_VERSION: ${{ github.event.inputs.version }}
|
RELEASE_VERSION: ${{ github.event.inputs.version }}
|
||||||
# for mac signing and notarization...
|
# for mac signing and notarization...
|
||||||
QUILL_SIGN_P12: ${{ secrets.ANCHORE_APPLE_DEVELOPER_ID_CERT_CHAIN }}
|
QUILL_SIGN_P12: ${{ secrets.ANCHORE_APPLE_DEVELOPER_ID_CERT_CHAIN }}
|
||||||
|
|||||||
5
.github/zizmor.yml
vendored
5
.github/zizmor.yml
vendored
@ -1,9 +1,4 @@
|
|||||||
rules:
|
rules:
|
||||||
unpinned-uses:
|
|
||||||
config:
|
|
||||||
policies:
|
|
||||||
# anchore/workflows is an internal repository; using @main is acceptable
|
|
||||||
anchore/*: any
|
|
||||||
dangerous-triggers:
|
dangerous-triggers:
|
||||||
ignore:
|
ignore:
|
||||||
# Safe use of pull_request_target - only runs trusted scripts from base repo,
|
# Safe use of pull_request_target - only runs trusted scripts from base repo,
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user