Next Gen GitHub Tag Action

.github/pull_request_template.md

@@ -1,19 +1,42 @@
+### Pull Request Title
+
 <!--- Provide a general summary of your changes in the Title above -->
-<!--- See [CONTRIBUTING.md](CONTRIBUTING.md) and [CODE_OF_CONDUCT.md](CODE_OF_CONDUCT.md). -->
-# Summary of changes
 
-<!--- Describe your changes -->
+### Checklist
+
+- [ ] I have read and followed the [CONTRIBUTING.md](CONTRIBUTING.md) and [CODE_OF_CONDUCT.md](CODE_OF_CONDUCT.md) guidelines.
+
+### Summary of Changes
+
+<!--- Briefly describe your changes -->
+
+- Change 1
+- Change 2
+- ...
+
+### Breaking Changes
+
+<!--- Are there any breaking changes in this PR? If so, describe them. -->
+
+- [ ] Yes
+- [ ] No
+
+### How Changes Have Been Tested
 
-## Breaking Changes
+<!--- Please describe in detail how you tested your changes. Include details of your testing environment, and the tests you ran to see how your change affects other areas of the code, etc. -->
 
-Do any of the included changes break current behaviour or configuration?
+1. Test A
+2. Test B
+3. ...
 
-(**YES** / NO)
+### Known Issues or Limitations
 
-## How changes have been tested
+<!--- List any unknowns, limitations or issues with your changes. -->
 
--
+1. Issue A
+2. Limitation B
+3. ...
 
-## List any unknowns
+### Additional Notes (optional)
 
--
+<!--- Provide any additional context, screenshots, or other relevant information. -->

.github/workflows/lint.yml

@@ -18,34 +18,40 @@ jobs:
     name: Lint Bash scripts
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
-      - uses: reviewdog/action-shellcheck@v1
+      - name: Checkout repository
+        uses: actions/checkout@v3
+      - name: Set up ShellCheck
+        uses: reviewdog/action-shellcheck@v1
         with:
-          github_token: ${{ secrets.github_token }}
+          github_token: ${{ secrets.GITHUB_TOKEN }}
           reporter: github-pr-review
           level: warning
           path: .
-          pattern: '*.sh'
+          pattern: "*.sh"
           fail_on_error: true
 
   lint-dockerfile:
     name: Lint Dockerfiles
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
-      - name: hadolint
+      - name: Checkout repository
+        uses: actions/checkout@v3
+      - name: Set up hadolint
         uses: reviewdog/action-hadolint@v1
         with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
           reporter: github-pr-review
           level: warning
           fail_on_error: true
           hadolint_ignore: DL3016 DL3018 # Ignore pinning apk and npm packages to specific version with @
 
   lint-actions:
+    name: Lint GitHub Actions
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
-      - name: Lint Github Actions
+      - name: Checkout repository
+        uses: actions/checkout@v3
+      - name: Set up actionlint
         uses: reviewdog/action-actionlint@v1
         env:
           REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/main.yml

@@ -7,47 +7,45 @@ on:
     branches:
       - master
     paths:
-      - 'entrypoint.sh'
-      - 'action.yml'
-      - 'Dockerfile'
+      - "entrypoint.sh"
+      - "action.yml"
+      - "Dockerfile"
 
 jobs:
   bump-version:
     if: github.event_name == 'pull_request' && github.event.action == 'closed' && github.event.pull_request.merged == true
     runs-on: ubuntu-22.04
     steps:
-      - uses: actions/checkout@v3
+      - name: Checkout repository
+        uses: actions/checkout@v3
         with:
-          fetch-depth: '0'
+          fetch-depth: "0"
 
-      - name: version-tag
+      - name: Bump version tag
         id: tag
-        uses: anothrNick/github-tag-action@master # if we use 1 there is a too-be-fixed bug https://github.com/anothrNick/github-tag-action/actions/runs/3139501775/jobs/5099976842#step:1:35 as alternative we could use v1
+        uses: anothrNick/github-tag-action@master
         env:
           VERBOSE: true
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
-      # auto releases is not working atm and is deleting releases due branch tags
-      - name: automatic-draft-release
+      - name: Create automatic draft release
         uses: marvinpinto/[email protected]
         with:
           draft: true
           repo_token: ${{ secrets.GITHUB_TOKEN }}
           title: "${{ steps.tag.outputs.tag }}: [title-edit-me] by:${{ github.actor }}"
           automatic_release_tag: ${{ steps.tag.outputs.new_tag }}
 
-      - name: version-tag-major
+      - name: Update major version tag
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           git fetch --tags
           tagFmt="^v?[0-9]+\.[0-9]+\.[0-9]+$"
           tag="$(git for-each-ref --sort=-v:refname --format '%(refname:lstrip=2)' | grep -E "$tagFmt" | head -n 1)"
-          [[ "$tag" =~ ^([0-9]+) ]] # use ^(v[0-9]+) for vX
+          [[ "$tag" =~ ^([0-9]+) ]]
           major=${BASH_REMATCH[1]}
-          # update major tag
           git tag -f "$major"
           git push -f origin "$major"
-          # add vX as 1 is linked to short sha bug https://github.com/anothrNick/github-tag-action/actions/runs/3139501775/jobs/5099976842#step:1:35
           git tag -f "v$major"
           git push -f origin "v$major"

.github/workflows/publish.yml

@@ -0,0 +1,58 @@
+name: Create and publish a Container Image
+on:
+  schedule:
+    - cron: "41 15 * * *"
+  push:
+    branches: ["master", "main"]
+    # Publish semver tags as releases.
+    tags: ["v*.*.*"]
+  pull_request:
+    branches: ["master", "main"]
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+      - name: Install cosign
+        if: github.event_name != 'pull_request'
+        uses: sigstore/[email protected]
+        with:
+          cosign-release: "v2.0.0"
+      - name: Setup Docker buildx
+        uses: docker/setup-buildx-action@v2
+      - name: Log into registry ${{ env.REGISTRY }}
+        if: github.event_name != 'pull_request'
+        uses: docker/[email protected]
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Extract Docker metadata
+        id: meta
+        uses: docker/[email protected]
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+      - name: Build and push Docker image
+        id: build-and-push
+        uses: docker/[email protected]
+        with:
+          platforms: linux/amd64
+          context: .
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }},
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+      - name: Sign the published Docker image
+        if: ${{ github.event_name != 'pull_request' }}
+        env:
+          COSIGN_EXPERIMENTAL: "true"
+        run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign -y {}@${{ steps.build-and-push.outputs.digest }}

.github/workflows/scripts/tag_check.sh

@@ -0,0 +1,45 @@
+#!/bin/bash
+
+set -euo pipefail
+
+MAIN_OUTPUT_TAG=$1
+MAIN_OUTPUT_NEWTAG=$2
+MAIN_OUTPUT_PART=$3
+PRE_OUTPUT_TAG=$4
+PRE_OUTPUT_NEWTAG=$5
+PRE_OUTPUT_PART=$6
+
+echo "Outputs from running the action:" >>"$GITHUB_STEP_SUMMARY"
+echo "MAIN Tag: $MAIN_OUTPUT_TAG" >>"$GITHUB_STEP_SUMMARY"
+echo "MAIN New tag: $MAIN_OUTPUT_NEWTAG" >>"$GITHUB_STEP_SUMMARY"
+echo "MAIN Part: $MAIN_OUTPUT_PART" >>"$GITHUB_STEP_SUMMARY"
+echo "PRE Tag: $PRE_OUTPUT_TAG" >>"$GITHUB_STEP_SUMMARY"
+echo "PRE New tag: $PRE_OUTPUT_NEWTAG" >>"$GITHUB_STEP_SUMMARY"
+echo "PRE Part: $PRE_OUTPUT_PART" >>"$GITHUB_STEP_SUMMARY"
+
+verlte() {
+	[ "$1" = "$(echo -e "$1\n$2" | sort -V | head -n1)" ]
+}
+verlt() {
+	[ "$1" = "$2" ] && return 1 || verlte "$1" "$2"
+}
+
+main="$(verlt "$MAIN_OUTPUT_TAG" "$MAIN_OUTPUT_NEWTAG" && true || false)"
+pre="$(verlt "$PRE_OUTPUT_TAG" "$PRE_OUTPUT_NEWTAG" && true || false)"
+
+if $main && $pre; then
+	echo "The tags were created correctly" >>"$GITHUB_STEP_SUMMARY"
+else
+	echo "Tags not created correctly" >>"$GITHUB_STEP_SUMMARY"
+	exit 1
+fi
+
+# Test for #none bump
+if [[ $MAIN_OUTPUT_PART == "none" ]]; then
+	if [[ $MAIN_OUTPUT_TAG == "$MAIN_OUTPUT_NEWTAG" ]]; then
+		echo "None bump test passed" >>"$GITHUB_STEP_SUMMARY"
+	else
+		echo "None bump test failed" >>"$GITHUB_STEP_SUMMARY"
+		exit 1
+	fi
+fi

.github/workflows/test.yml

@@ -22,9 +22,8 @@ jobs:
         uses: actions/checkout@v3
         with:
           ref: ${{ github.event.pull_request.head.sha }}
-          fetch-depth: '0'
+          fetch-depth: "0"
 
-      # Use the action to generate a tag for itself
       - name: Test action main
         id: test_main
         uses: ./
@@ -34,7 +33,6 @@ jobs:
           VERBOSE: true
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
-      # Use the action to generate a tag for itself
       - name: Test action pre-release
         id: test_pre
         uses: ./
@@ -46,44 +44,8 @@ jobs:
           VERBOSE: true
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
-      # Check if the action created the expected output
       - name: Check if the tag would have been created
         shell: bash
         run: |
-          set -x
-          MAIN_OUTPUT_TAG=${{ steps.test_main.outputs.old_tag }}
-          MAIN_OUTPUT_NEWTAG=${{ steps.test_main.outputs.new_tag }}
-          MAIN_OUTPUT_PART=${{ steps.test_main.outputs.part }}
-          PRE_OUTPUT_TAG=${{ steps.test_pre.outputs.old_tag }}
-          PRE_OUTPUT_NEWTAG=${{ steps.test_pre.outputs.new_tag }}
-          PRE_OUTPUT_PART=${{ steps.test_pre.outputs.part }}
-
-          echo "Outputs from running the action:" >> $GITHUB_STEP_SUMMARY
-          echo "MAIN Tag: $MAIN_OUTPUT_TAG" >> $GITHUB_STEP_SUMMARY
-          echo "MAIN New tag: $MAIN_OUTPUT_NEWTAG" >> $GITHUB_STEP_SUMMARY
-          echo "MAIN Part: $MAIN_OUTPUT_PART" >> $GITHUB_STEP_SUMMARY
-          echo "PRE Tag: $PRE_OUTPUT_TAG" >> $GITHUB_STEP_SUMMARY
-          echo "PRE New tag: $PRE_OUTPUT_NEWTAG" >> $GITHUB_STEP_SUMMARY
-          echo "PRE Part: $PRE_OUTPUT_PART" >> $GITHUB_STEP_SUMMARY
-
-          # check that the original tag got bumped either major, minor, patch
-          verlte() {
-            [  "$1" = "`echo -e "$1\n$2" | sort -V | head -n1`" ]
-          }
-          verlt() {
-            [ "$1" = "$2" ] && return 1 || verlte $1 $2
-          }
-
-          main="$(verlt $MAIN_OUTPUT_TAG $MAIN_OUTPUT_NEWTAG && true || false)"
-          pre="$(verlt $PRE_OUTPUT_TAG $PRE_OUTPUT_NEWTAG && true || false)"
-
-          if $main && $pre
-          then
-            echo "The tags were created correctly" >> $GITHUB_STEP_SUMMARY
-          else
-            echo "Tags not created correctly" >> $GITHUB_STEP_SUMMARY
-            exit 1
-          fi
-
-          # todo add test for #none bump
-
+          chmod +x .github/workflows/scripts/tag_check.sh
+          ./.github/workflows/scripts/tag_check.sh "${{ steps.test_main.outputs.old_tag }}" "${{ steps.test_main.outputs.new_tag }}" "${{ steps.test_main.outputs.part }}" "${{ steps.test_pre.outputs.old_tag }}" "${{ steps.test_pre.outputs.new_tag }}" "${{ steps.test_pre.outputs.part }}"