From e6de43c3f143409941debcd61a52abbc8138d47d Mon Sep 17 00:00:00 2001 From: Nikita Ruban Date: Tue, 13 May 2025 07:59:23 +0000 Subject: [PATCH 1/4] chore: update version and enhance Docker CI workflow - Changed package version from 1.0.0 to 0.1.0 to reflect initial development stage. - Modified Docker CI workflow to trigger on release events instead of pushes to main, improving deployment strategy. - Enhanced image tagging logic to support versioning based on release tags and added conditional scanning for both release and pull request images. - Introduced a new workflow for automated release management using release-please action, streamlining the release process. --- .github/workflows/docker-image.yml | 50 +++++++++++++++------------- .github/workflows/release-please.yml | 21 ++++++++++++ package.json | 2 +- 3 files changed, 48 insertions(+), 25 deletions(-) create mode 100644 .github/workflows/release-please.yml diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml index 086f536..a633664 100644 --- a/.github/workflows/docker-image.yml +++ b/.github/workflows/docker-image.yml @@ -1,13 +1,13 @@ name: Docker Image CI on: - push: - branches: ['main'] + release: + types: [created] pull_request: branches: ['main'] jobs: - build-and-scan: + build-scan-publish: runs-on: ubuntu-latest permissions: @@ -17,10 +17,10 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + fetch-depth: 0 - name: Login to GitHub Container Registry - # Only run this step if we're pushing to main - if: github.event_name == 'push' uses: docker/login-action@v3 with: registry: ghcr.io 
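Review bot: `types: [created]` on the new `release:` trigger will not fire for a release that is first saved as a draft and published later, because GitHub does not emit `created` for draft releases and publishing the draft later only emits `published`/`released`; `types: [published]` covers both paths and is the usual choice for a publish pipeline. The trigger also only fires when the release is created with something other than the workflow's own `GITHUB_TOKEN`, which matters for the release-please workflow added in this same commit and is raised there. The job keeps a `permissions:` block whose body ends outside this hunk, so whether it grants `packages: write` for the release push cannot be checked here.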
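Review bot: Dropping the `if: github.event_name == 'push'` guard makes the GHCR login run on pull_request events too, although the build step only pushes on release; narrow the guard instead of removing it, `if: github.event_name == 'release'`, so PR runs (including fork PRs, where the token is read-only if the password is `GITHUB_TOKEN`, which is outside this hunk) never hold registry credentials. The added `fetch-depth: 0` has no consumer visible in this hunk; if a later step needs full history, say so, `# full history required for <step that needs it>`, otherwise drop it to keep checkouts cheap. The login step's `with:` block continues past the end of the hunk.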
@@ -33,43 +33,45 @@ jobs: with: images: ghcr.io/${{ github.repository_owner }}/quicksilver tags: | - type=raw,value=latest,enable=${{ github.event_name == 'push' }} - type=sha,prefix=sha- - type=ref,event=branch - type=ref,event=pr + type=raw,value=latest,enable=${{ github.event_name == 'release' }} + type=raw,value=${{ github.event.release.tag_name }},enable=${{ github.event_name == 'release' }} + type=sha,prefix=sha-,enable=${{ github.event_name == 'pull_request' }} + type=ref,event=pr,enable=${{ github.event_name == 'pull_request' }} - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - - name: Build and Scan + - name: Build and conditionally Push/Load + id: build uses: docker/build-push-action@v5 with: context: . - push: false - load: true + # Push only on release events, load for PRs + push: ${{ github.event_name == 'release' }} + load: ${{ github.event_name == 'pull_request' }} tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} cache-from: type=gha cache-to: type=gha,mode=max - - name: Run Trivy vulnerability scanner + - name: Run Trivy vulnerability scanner on Release Image + if: github.event_name == 'release' uses: aquasecurity/trivy-action@master with: - image-ref: ghcr.io/${{ github.repository_owner }}/quicksilver:latest + image-ref: ghcr.io/${{ github.repository_owner }}/quicksilver:${{ github.event.release.tag_name }} format: 'table' exit-code: '0' ignore-unfixed: true vuln-type: 'os,library' severity: 'CRITICAL,HIGH' - # Only push if this is a push to main (not a PR) - - name: Push Docker Image - if: github.event_name == 'push' - uses: docker/build-push-action@v5 + - name: Run Trivy vulnerability scanner on PR Image + if: github.event_name == 'pull_request' + uses: aquasecurity/trivy-action@master with: - context: . 
- push: true - tags: ${{ steps.meta.outputs.tags }} - labels: ${{ steps.meta.outputs.labels }} - cache-from: type=gha - cache-to: type=gha,mode=max + image-ref: ghcr.io/${{ github.repository_owner }}/quicksilver:sha-${{ github.sha }} + format: 'table' + exit-code: '0' + ignore-unfixed: true + vuln-type: 'os,library' + severity: 'CRITICAL,HIGH' diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml new file mode 100644 index 0000000..22a6edc --- /dev/null +++ b/.github/workflows/release-please.yml @@ -0,0 +1,21 @@ +name: release-please + +on: + push: + branches: + - main + +permissions: + contents: write + pull-requests: write + +jobs: + release-please: + runs-on: ubuntu-latest + steps: + - name: Run Release Please + uses: google-github-actions/release-please-action@v4 + with: + token: ${{ secrets.GITHUB_TOKEN }} + release-type: node + changelog-notes-type: github diff --git a/package.json b/package.json index 0c7ae2c..6dd46fc 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "quicksilver", - "version": "1.0.0", + "version": "0.1.0", "description": "", "main": "index.js", "type": "module", From 9d11b7c722110fb527503cbfea701c1efd8f0120 Mon Sep 17 00:00:00 2001 From: Nikita Ruban Date: Tue, 13 May 2025 08:05:19 +0000 Subject: [PATCH 2/4] chore: enhance Docker image tagging for pull requests - Updated Docker CI workflow to use full SHA and PR number for tagging images in pull request events, improving traceability and consistency in image management. --- .github/workflows/docker-image.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml index a633664..b46794d 100644 --- a/.github/workflows/docker-image.yml +++ b/.github/workflows/docker-image.yml 
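Review bot: On release events the build step now pushes the image to GHCR before the Trivy step looks at it, and `exit-code: '0'` means findings never fail the job, so the scan no longer gates publication — the removed flow built with `push: false`/`load: true`, scanned, then pushed. Restore that order: build with `push: false` and `load: true` on every event, scan the release image with `exit-code: '1'` so CRITICAL/HIGH findings stop the job, and push in a separate release-gated step (below; the PR scan step is unchanged). The newly added `uses: aquasecurity/trivy-action@master` is a second unpinned mutable reference; pin both to a release tag or commit SHA. The metadata step's `with:` block at the top of the hunk starts outside it.
```yaml
      - name: Build image (load only; nothing is published yet)
        id: build
        uses: docker/build-push-action@v5
        with:
          # Always build into the local daemon so the scan below sees the exact image before any push
          push: false
          load: true
          # … unchanged: context, tags, labels, cache-from/cache-to …

      - name: Run Trivy vulnerability scanner on Release Image
        if: github.event_name == 'release'
        uses: aquasecurity/trivy-action@master
        with:
          # … unchanged: image-ref, format …
          # Non-zero so CRITICAL/HIGH findings block the push step below
          exit-code: '1'
          # … unchanged: ignore-unfixed, vuln-type, severity …

      # … unchanged: Trivy scan of the PR image …

      - name: Push Docker Image
        if: github.event_name == 'release'
        uses: docker/build-push-action@v5
        with:
          context: .
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
```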
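Review bot: Releases created with `secrets.GITHUB_TOKEN` do not trigger other workflows, so the `on: release` trigger that docker-image.yml switches to in this same commit will never fire for a release cut by this workflow; PATCH 3 in this series works around that with a PAT and PATCH 4 reverts it, which reopens the gap. Two options that avoid a long-lived user credential: keep `GITHUB_TOKEN` and run the image build from this workflow, gating on the action's `release_created` output (`id: release` on this step, then a second job with `needs: release-please` and `if: ${{ needs.release-please.outputs.release_created }}`), or mint a short-lived GitHub App installation token scoped to this repository. Whichever is chosen, record the reason in a comment next to `token:` so the next maintainer does not swap it back. `google-github-actions/release-please-action@v4` is a mutable tag; pinning to a commit SHA protects against tag moves.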
@@ -35,7 +35,8 @@ jobs: tags: | type=raw,value=latest,enable=${{ github.event_name == 'release' }} type=raw,value=${{ github.event.release.tag_name }},enable=${{ github.event_name == 'release' }} - type=sha,prefix=sha-,enable=${{ github.event_name == 'pull_request' }} + # For pull requests, use full SHA and PR number + type=raw,value=sha-${{ github.sha }},enable=${{ github.event_name == 'pull_request' }} type=ref,event=pr,enable=${{ github.event_name == 'pull_request' }} - name: Set up Docker Buildx From a160a98ca6a1ba20080d460c2d0b318b551fc9b7 Mon Sep 17 00:00:00 2001 From: Nikita Ruban Date: Tue, 13 May 2025 08:21:38 +0000 Subject: [PATCH 3/4] chore: update release-please action token for improved security - Changed the token used in the release-please GitHub Action from GITHUB_TOKEN to RELEASE_PLEASE_PAT, enhancing security by utilizing a more specific personal access token for release management. --- .github/workflows/release-please.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml index 22a6edc..2083fa3 100644 --- a/.github/workflows/release-please.yml +++ b/.github/workflows/release-please.yml @@ -16,6 +16,6 @@ jobs: - name: Run Release Please uses: google-github-actions/release-please-action@v4 with: - token: ${{ secrets.GITHUB_TOKEN }} + token: ${{ secrets.RELEASE_PLEASE_PAT }} release-type: node changelog-notes-type: github From 7a6f81c8971bc179093e8b37a70a2c568b130c1b Mon Sep 17 00:00:00 2001 From: Nikita Ruban Date: Tue, 13 May 2025 08:53:43 +0000 Subject: [PATCH 4/4] chore: update release-please action token - Changed the token used in the release-please GitHub Action from RELEASE_PLEASE_PAT back to GITHUB_TOKEN --- .github/workflows/release-please.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml index 2083fa3..22a6edc 100644 
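Review bot: The added `# For pull requests, use full SHA and PR number` line sits inside the `tags: |` literal block scalar, so it is part of the value handed to docker/metadata-action rather than a YAML comment; whether the action strips `#` lines depends on its version, and the `uses:` line is outside this hunk. Move the comment above the `tags:` key in the enclosing `with:` block, e.g. `# Pull requests: tag with the full commit SHA (sha-<sha>); pr-<number> comes from the type=ref line`, which documents the same intent without relying on the consumer's parsing. The `with:` mapping this hunk edits begins outside the hunk.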
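Review bot: `secrets.RELEASE_PLEASE_PAT` is a long-lived user credential whose scope the hunk does not show; if it is a classic PAT it grants far more than this job's `contents: write` and `pull-requests: write`. Prefer a fine-grained PAT restricted to this repository with only those two write permissions, or a GitHub App installation token minted per run, and document why `GITHUB_TOKEN` was insufficient, `# GITHUB_TOKEN cannot be used: releases it creates do not trigger the on: release workflow`, so the change is not reverted for looking like a downgrade — as PATCH 4 in this series then does.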
--- a/.github/workflows/release-please.yml +++ b/.github/workflows/release-please.yml @@ -16,6 +16,6 @@ jobs: - name: Run Release Please uses: google-github-actions/release-please-action@v4 with: - token: ${{ secrets.RELEASE_PLEASE_PAT }} + token: ${{ secrets.GITHUB_TOKEN }} release-type: node changelog-notes-type: github