refactor release pipeline: TAG_TOKEN, skip-checks gate, dependabot/zizmor cleanup (#5003)

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
This commit is contained in:
Alex Goodman 2026-06-22 14:04:48 -04:00 committed by GitHub
parent 1f4f9332c5
commit 506ad5d6a7
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 16 additions and 34 deletions

View File

@ -1,13 +1,4 @@
# Dependabot configuration # Dependabot configuration
#
# Grouping behavior (see inline comments for details):
# - Minor + patch updates: grouped into a single PR per ecosystem
# - Major version bumps: individual PR per dependency
# - Security updates: individual PR per dependency
#
# Note: "patch" refers to semver version bumps (1.2.3 -> 1.2.4), not security fixes.
# Security updates are identified separately via GitHub's Advisory Database and
# can be any version bump (patch, minor, or major) that fixes a known CVE.
version: 2 version: 2
@ -30,14 +21,6 @@ updates:
- dependency-name: "github.com/aquasecurity/go-version" - dependency-name: "github.com/aquasecurity/go-version"
- dependency-name: "github.com/knqyf263/go-apk-version" - dependency-name: "github.com/knqyf263/go-apk-version"
- dependency-name: "github.com/knqyf263/go-deb-version" - dependency-name: "github.com/knqyf263/go-deb-version"
groups:
go-minor-patch:
applies-to: version-updates # security updates get individual PRs
patterns:
- "*"
update-types: # major omitted, gets individual PRs
- "minor"
- "patch"
- package-ecosystem: "github-actions" - package-ecosystem: "github-actions"
directories: directories:
@ -51,11 +34,3 @@ updates:
open-pull-requests-limit: 10 open-pull-requests-limit: 10
labels: labels:
- "dependencies" - "dependencies"
groups:
actions-minor-patch:
applies-to: version-updates # security updates get individual PRs
patterns:
- "*"
update-types: # major omitted, gets individual PRs
- "minor"
- "patch"

View File

@ -21,6 +21,11 @@ on:
options: options:
- "all" - "all"
- "install-script-only" - "install-script-only"
skip-checks:
description: skip the check-gate (release even if checks haven't passed on main)
type: boolean
default: false
required: false
jobs: jobs:
version-available: version-available:
@ -32,7 +37,7 @@ jobs:
version: ${{ github.event.inputs.version }} version: ${{ github.event.inputs.version }}
check-gate: check-gate:
if: ${{ github.event.inputs.phase == 'all' }} if: ${{ github.event.inputs.phase == 'all' && !inputs.skip-checks }}
permissions: permissions:
contents: read contents: read
checks: read # required for getting the status of specific check names checks: read # required for getting the status of specific check names
@ -45,7 +50,14 @@ jobs:
release: release:
needs: [check-gate, version-available] needs: [check-gate, version-available]
if: ${{ github.event.inputs.phase == 'all' }} # run even when check-gate is skipped, but never when version-available
# failed/was skipped, nor when check-gate failed or was cancelled. note:
# always() disables the implicit success() gate on ALL needs, so the
# version-available requirement must be re-asserted explicitly here.
if: >-
${{ always()
&& needs.version-available.result == 'success'
&& !contains(fromJSON('["failure", "cancelled"]'), needs.check-gate.result) }}
environment: release environment: release
# runs-on.com: compute instances for parallel builds # runs-on.com: compute instances for parallel builds
# spot disabled: reliability for build workflows (used for releases too) # spot disabled: reliability for build workflows (used for releases too)
@ -82,8 +94,8 @@ jobs:
- name: Build & publish release artifacts - name: Build & publish release artifacts
run: make ci-release run: make ci-release
env: env:
# used for pushing tags # for pushing tags (does not inherit workflow permissions)
DEPLOY_KEY: ${{ secrets.DEPLOY_KEY }} TAG_TOKEN: ${{ secrets.TAG_TOKEN }}
RELEASE_VERSION: ${{ github.event.inputs.version }} RELEASE_VERSION: ${{ github.event.inputs.version }}
# for mac signing and notarization... # for mac signing and notarization...
QUILL_SIGN_P12: ${{ secrets.ANCHORE_APPLE_DEVELOPER_ID_CERT_CHAIN }} QUILL_SIGN_P12: ${{ secrets.ANCHORE_APPLE_DEVELOPER_ID_CERT_CHAIN }}

5
.github/zizmor.yml vendored
View File

@ -1,9 +1,4 @@
rules: rules:
unpinned-uses:
config:
policies:
# anchore/workflows is an internal repository; using @main is acceptable
anchore/*: any
dangerous-triggers: dangerous-triggers:
ignore: ignore:
# Safe use of pull_request_target - only runs trusted scripts from base repo, # Safe use of pull_request_target - only runs trusted scripts from base repo,