Add simple 'checks' workflow for PR and Merge events

This workflow automates the following tasks: 1. On pull requests to the 'main' branch, it runs a basic CI check. 2. On pushes or merges to the 'main' branch, it runs the CI check. If successful, it triggers the 'release' job, which performs the following actions: - Determines the current version (e.g., v1.0.1) and increments it to create a new version (e.g., v1.0.2). - Creates a new version release with the updated tag (e.g., v1.0.2). resolves: HACBS-2725 Signed-off-by: Sean Conroy sconroy@redhat.com
enterprise-contract · Oct 11, 2023 · c76a600 · c76a600
1 parent 8e39760
commit c76a600
Show file tree

Hide file tree

Showing 2 changed files with 61 additions and 4 deletions.
diff --git a/.github/workflows/checks.yaml b/.github/workflows/checks.yaml
@@ -0,0 +1,57 @@
+name: Checks
+on:
+  pull_request:
+    branches:
+      - main
+  push:
+    branches:
+      - main
+  workflow_dispatch:
+
+jobs:
+  ci: 
+    runs-on: ubuntu-latest
+    outputs:
+      status: ${{ job.status }}
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v2
+
+    - name : Run EC Validate (keyless)
+      uses: ./
+      with:
+        image: ghcr.io/enterprise-contract/golden-container:latest
+        identity: https:\/\/github\.com\/(slsa-framework\/slsa-github-generator|enterprise-contract\/golden-container)\/
+        issuer: https://token.actions.githubusercontent.com
+
+    #FIXME Commented out because the golden-image on quay.io is failing due to a violation in the image. 
+    # - name : Run EC Validate (Long_Lived)
+    #   uses: ./
+    #   with:
+    #     image: quay.io/redhat-appstudio/ec-golden-image:latest
+    #     key: ${{ vars.PUBLIC_KEY }}
+    #     policy: github.com/enterprise-contract/config//slsa3
+    #     extra-params: --ignore-rekor
+
+  release:
+    runs-on: ubuntu-latest
+    needs: ci 
+    if: needs.ci.outputs.status == 'success' && github.ref == 'refs/heads/main' && github.event_name != 'pull_request'
+    steps:
+    - name: Get Latest Version Tag and Increment 
+      run: |
+        # Find the version tag and then increment new version with v prefix eg. v1.0.1 -> v1.0.2
+        latestVTag=$(gh api -H 'Accept: application/vnd.github.v3+json' /repos/${{ github.repository }}/releases/latest -q '.tag_name')
+        echo "newVersion=v$(echo ${latestVTag#v} | awk -F. '{$NF = $NF + 1;} 1' OFS=.)" >> $GITHUB_ENV
+      env:
+        GH_TOKEN: ${{ github.token }}
+
+    - name: Create New Version Release
+      uses: softprops/action-gh-release@v1
+      with:
+        name: ${{ env.newVersion }} Release
+        body: ""
+        tag_name: ${{ env.newVersion }}
+        generate_release_notes: true
+        draft: false
+        prerelease: false
diff --git a/README.md b/README.md
@@ -83,11 +83,11 @@ jobs:
 
     steps:
     - name: Run EC Validator
-      uses: enterprise-contract/action-validate-image@v1.1
+      uses: enterprise-contract/action-validate-image@latest
       with:
-        image: "quay.io/redhat-appstudio/ec-golden-image:latest"
+        image: quay.io/redhat-appstudio/ec-golden-image:latest
         key: ${{ vars.PUBLIC_KEY }}
-        policy: "github.com/enterprise-contract/config//default"
+        policy: github.com/enterprise-contract/config//slsa3
         extra-params: --ignore-rekor
 ```
 
@@ -109,7 +109,7 @@ jobs:
 
     steps:
     - name: Run EC Validator
-      uses: enterprise-contract/action-validate-image@v1.1
+      uses: enterprise-contract/action-validate-image@latest
       with:
         image: quay.io/lucarval/festoji:latest
         identity: https:\/\/github\.com\/(slsa-framework\/slsa-github-generator|lcarva\/festoji)\/