diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 9e37389..20eef74 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -12,10 +12,8 @@
 name: CodeQL Scans
 on:
-  push:
-    branches: [ "main" ]
   pull_request:
-    branches: [ "main" ]
+    branches: [main]
   schedule:
     - cron: '28 15 * * 6'
diff --git a/.github/workflows/manifest-lint.yaml b/.github/workflows/manifest-lint.yaml
index 7d5b003..83fc766 100644
--- a/.github/workflows/manifest-lint.yaml
+++ b/.github/workflows/manifest-lint.yaml
@@ -1,9 +1,8 @@
 name: Lint Manifests
 on:
-  push:
   pull_request:
-    branches: ['main']
+    branches: [main]
 jobs:
   lint-helm:
diff --git a/.github/workflows/node-lint.yaml b/.github/workflows/node-lint.yaml
index 774408e..150ff6c 100644
--- a/.github/workflows/node-lint.yaml
+++ b/.github/workflows/node-lint.yaml
@@ -1,9 +1,8 @@
 name: Node Lint and Format
 on:
-  push:
   pull_request:
-    branches: ['main']
+    branches: [main]
 jobs:
   eslint:
diff --git a/.github/workflows/openssf.yaml b/.github/workflows/openssf.yaml
index 0e46b57..bb4c56b 100644
--- a/.github/workflows/openssf.yaml
+++ b/.github/workflows/openssf.yaml
@@ -12,7 +12,7 @@ on:
   schedule:
     - cron: '32 21 * * 2'
   push:
-    branches: [ "main" ]
+    branches: [main]
 # Declare default permissions as read only.
 permissions: read-all
diff --git a/.github/workflows/playwright-tests.yaml b/.github/workflows/playwright-tests.yaml
index 5b3aa6d..4ea8a24 100644
--- a/.github/workflows/playwright-tests.yaml
+++ b/.github/workflows/playwright-tests.yaml
@@ -1,9 +1,8 @@
 name: Playwright Tests
 on:
-  push:
-  pull_request:
-    branches: ['main']
+  pull_request:
+    branches: [main]
 jobs:
   playwright:
diff --git a/.github/workflows/python-lint.yaml b/.github/workflows/python-lint.yaml
index 1541e65..8afb1d6 100644
--- a/.github/workflows/python-lint.yaml
+++ b/.github/workflows/python-lint.yaml
@@ -1,6 +1,8 @@
 name: Python Lint and Format
-on: [pull_request, push]
+on:
+  pull_request:
+    branches: [main]
 jobs:
   ruff:
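Review bot: Removing the `push:` trigger in the codeql.yml hunk means CodeQL no longer analyzes `main` when a pull request merges; the only default-branch analysis left is the weekly `schedule`, so the alerts reported for `main` can lag a week behind what was merged, and anything that reaches `main` without a pull request is never scanned. The manifest-lint, node-lint, playwright-tests, python-lint and python-test hunks in this commit drop `push` the same way, while the openssf.yaml hunk keeps `push: branches: [main]`, so the commit is inconsistent about what still runs on the default branch. If pull-request gating is the goal, keep a default-branch run here so code scanning has a current baseline, i.e. retain `push:` with `branches: [main]` alongside `pull_request:`. The trigger blocks are complete within each hunk, but the `jobs:` sections they feed start outside them.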
diff --git a/.github/workflows/python-test.yaml b/.github/workflows/python-test.yaml
index e074762..3dc98c2 100644
--- a/.github/workflows/python-test.yaml
+++ b/.github/workflows/python-test.yaml
@@ -1,7 +1,8 @@
 name: Python Test
-on: [pull_request, push]
-
+on:
+  pull_request:
+    branches: [main]
 jobs:
   pytest:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/publish-artifacts.yaml b/.github/workflows/release-please-publish.yaml
similarity index 60%
rename from .github/workflows/publish-artifacts.yaml
rename to .github/workflows/release-please-publish.yaml
index 0e21be6..fac16de 100644
--- a/.github/workflows/publish-artifacts.yaml
+++ b/.github/workflows/release-please-publish.yaml
@@ -1,18 +1,40 @@
-name: Build and Publish
+name: Release Please and Publish
 on:
   push:
-    tags:
-      - "v*.*.*"
-      - dev
+    branches:
+      - main
 env:
   REGISTRY_IMAGE: justinthelaw/repository-template
   REGISTRY: ghcr.io
 jobs:
+  release-please:
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: write
+      pull-requests: write
+
+    outputs:
+      release_created: ${{ steps.release-flag.outputs.release_created }}
+
+    steps:
+      - name: Create Release Tag
+        id: tag # generates a new tag PR
+        uses: google-github-actions/release-please-action@cc61a07e2da466bebbc19b3a7dd01d6aecb20d1e # v4
+        with:
+          command: manifest # use configs in release-please-config.json
+
+      - name: Create Publish Flag
+        id: release-flag # only triggers when a release tag is actually pushed
+        run: echo "release_created=${{ steps.tag.outputs.release_created || false }}" >> $GITHUB_OUTPUT
+
   docker-build:
     runs-on: ubuntu-latest
+    needs: release-please # only triggers if new release tag is pushed
+    if: ${{ needs.release-please.outputs.release_created == 'true'}}
     strategy:
       fail-fast: false
       matrix:
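Review bot: In the release-please-publish.yaml hunk, `docker-build` now runs on the `push` to `main` instead of on the tag push, so `github.ref` is `refs/heads/main` and the release tag is not part of the event; if the metadata-action `tags:` block (cut off at the end of the next hunk) relies on `type=semver`, those image tags will come out empty for every release build. release-please-action already exposes the tag it created, so publish it next to the flag, `tag_name: ${{ steps.tag.outputs.tag_name }}`, and pass it explicitly, e.g. `type=semver,pattern={{version}},value=${{ needs.release-please.outputs.tag_name }}`. The `Create Publish Flag` step is also unnecessary: `release_created: ${{ steps.tag.outputs.release_created }}` works directly, because an unset output never equals `'true'` in the job-level `if:`. Separately, since the lint and test workflows in this commit no longer run on `main`, nothing in this pipeline gates the publish on a passing test run; the `docker-build` job continues past the end of the hunk.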
@@ -20,12 +42,12 @@ jobs:
         - linux/amd64
         - linux/arm64
     steps:
-      - name: Checkout Repository
-        uses: actions/checkout@v4
+      - name: Checkout Repo
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Docker Metadata
         id: meta
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
         with:
           images: ${{ env.REGISTRY_IMAGE }}
           tags: |
@@ -38,13 +60,13 @@ jobs:
             type=sha
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@0d103c3126aa41d772a8362f6aa67afac040f80c # v3.1.0
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.repository_owner }}
@@ -52,7 +74,7 @@ jobs:
       - name: Build and Push Digest
         id: build
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v4.1.0
         with:
           context: .
           platforms: ${{ matrix.platform }}
@@ -67,7 +89,7 @@ jobs:
           touch "/tmp/digests/${digest#sha256:}"
       - name: Upload Digest
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
         with:
           name: digests
           path: /tmp/digests/*
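Review bot: The `# v4.1.0` annotation on the new `docker/build-push-action` pin disagrees with the `@v5` it replaces, so either the commit silently downgrades the action a major version or the comment is wrong; verify which release `4a13e500e55cf31b7a5d59a38ab2040ab0f42f56` actually resolves to and make the comment match. A SHA pin is only reviewable when its version annotation is accurate, and pin-update tooling keys off that annotation, so a stale one hides the real upgrade path. If it really is a v4 pin, the `with:` block (which continues past the end of the hunk) should be checked against the v4 input set before merging.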
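Review bot: Moving `actions/upload-artifact` to v4 while keeping `name: digests` will fail this matrix job: v4 artifacts are immutable and a given name can be uploaded only once per workflow run, so the second of the two platforms listed in the first hunk (`linux/amd64`, `linux/arm64`) gets an artifact-name conflict instead of appending to the shared artifact as v3 did. Use a per-platform artifact name derived from `matrix.platform` (the slash must be replaced first), and have the `docker-merge` download in the next hunk fetch them with `pattern:` plus `merge-multiple: true`, since a v4 `download-artifact` with `name:` retrieves exactly one artifact. Setting `if-no-files-found: error` on the upload also turns an empty digest directory into a visible failure rather than a later merge error. The `docker-build` job body starts before this hunk.
```yaml
      # … unchanged: checkout, metadata, qemu, buildx, login, build steps …
      - name: Prepare Artifact Name
        env:
          PLATFORM: ${{ matrix.platform }}
        run: echo "PLATFORM_PAIR=${PLATFORM//\//-}" >> "$GITHUB_ENV"

      - name: Upload Digest
        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
        with:
          name: digests-${{ env.PLATFORM_PAIR }}
          path: /tmp/digests/*
          if-no-files-found: error

      # … docker-merge job, Download Digests step …
      - name: Download Digests
        uses: actions/download-artifact@87c55149d96e628cc2ef7e6fc2aab372015aec85 # v4.1.3
        with:
          path: /tmp/digests
          pattern: digests-*
          merge-multiple: true
```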
@@ -76,20 +98,19 @@ jobs:
   docker-merge:
     runs-on: ubuntu-latest
-    needs:
-      - docker-build
+    needs: docker-build
     steps:
       - name: Download Digests
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@87c55149d96e628cc2ef7e6fc2aab372015aec85 # v4.1.3
         with:
           name: digests
           path: /tmp/digests
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@0d103c3126aa41d772a8362f6aa67afac040f80c # v3.1.0
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.repository_owner }}
@@ -97,7 +118,7 @@ jobs:
       - name: Docker Metadata
         id: meta
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
         with:
           images: ${{ env.REGISTRY }}/${{ env.REGISTRY_IMAGE }}
           tags: |
@@ -121,9 +142,11 @@ jobs:
   zarf-publish:
     runs-on: ubuntu-latest
-    needs:
-      - docker-merge
+    needs: docker-merge
     steps:
+      - name: Checkout Repo
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
       - name: Install Zarf
         uses: defenseunicorns/setup-zarf@f95763914e20e493bb5d45d63e30e17138f981d6 # v1.0.0
diff --git a/.github/workflows/release-please.yaml b/.github/workflows/release-please.yaml
deleted file mode 100644
index 1a20938..0000000
--- a/.github/workflows/release-please.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-name: Release Please
-
-on:
-  push:
-    branches:
-      - main
-
-jobs:
-  release-please:
-    runs-on: ubuntu-latest
-    permissions:
-      contents: write
-      pull-requests: write
-    steps:
-      - name: Create release tag
-        id: tag
-        uses: google-github-actions/release-please-action@cc61a07e2da466bebbc19b3a7dd01d6aecb20d1e # v4
-        with:
-          command: manifest # use configs in release-please-config.json
diff --git a/.github/workflows/scan-labels.yaml b/.github/workflows/scan-labels.yaml
index 4dfcac8..956cc1a 100644
--- a/.github/workflows/scan-labels.yaml
+++ b/.github/workflows/scan-labels.yaml
@@ -1,4 +1,5 @@
 name: Validate Labels
+
 on:
   pull_request:
     types: [labeled, unlabeled, opened, edited, synchronize]