justinthelaw · justinthelaw · Feb 29, 2024 · Feb 29, 2024 · Feb 29, 2024 · Feb 29, 2024
@@ -12,10 +12,8 @@
 name: CodeQL Scans
 
 on:
-  push:
-    branches: [ "main" ]
   pull_request:
-    branches: [ "main" ]
+    branches: [main]
   schedule:
     - cron: '28 15 * * 6'
 

@@ -1,9 +1,8 @@
 name: Lint Manifests
 
 on:
-  push:
   pull_request:
-      branches: ['main']
+      branches: [main]
 
 jobs:
   lint-helm:

@@ -1,9 +1,8 @@
 name: Node Lint and Format
 
 on:
-    push:
     pull_request:
-        branches: ['main']
+        branches: [main]
 
 jobs:
   eslint:

@@ -12,7 +12,7 @@ on:
   schedule:
     - cron: '32 21 * * 2'
   push:
-    branches: [ "main" ]
+    branches: [main]
 
 # Declare default permissions as read only.
 permissions: read-all

@@ -1,9 +1,8 @@
 name: Playwright Tests
 
 on:
-    push:
-    pull_request:
-        branches: ['main']
+  pull_request:
+      branches: [main]
 
 jobs:
   playwright:

@@ -1,6 +1,8 @@
 name: Python Lint and Format
 
-on: [pull_request, push]
+on:
+  pull_request:
+      branches: [main]
 
 jobs:
   ruff:

@@ -1,7 +1,8 @@
 name: Python Test
 
-on: [pull_request, push]
-
+on:
+  pull_request:
+      branches: [main]
 jobs:
     pytest:
         runs-on: ubuntu-latest

@@ -1,31 +1,53 @@
-name: Build and Publish
+name: Release Please and Publish
 
 on:
   push:
-    tags:
-      - "v*.*.*"
-      - dev
+    branches:
+      - main
 
 env:
   REGISTRY_IMAGE: justinthelaw/repository-template
   REGISTRY: ghcr.io
 
 jobs:
+  release-please:
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: write
+      pull-requests: write
+
+    outputs:
+      release_created: ${{ steps.release-flag.outputs.release_created }}
+
+    steps:
+      - name: Create Release Tag
+        id: tag # generates a new tag PR
+        uses: google-github-actions/release-please-action@cc61a07e2da466bebbc19b3a7dd01d6aecb20d1e # v4
+        with:
+          command: manifest # use configs in release-please-config.json
+
+      - name: Create Publish Flag
+        id: release-flag # only triggers when a release tag is actually pushed
+        run: echo "release_created=${{ steps.tag.outputs.release_created || false }}" >> $GITHUB_OUTPUT
+
   docker-build:
     runs-on: ubuntu-latest
+    needs: release-please # only triggers if new release tag is pushed
+    if: ${{ needs.release-please.outputs.release_created == 'true'}}
     strategy:
       fail-fast: false
       matrix:
         platform:
           - linux/amd64
           - linux/arm64
     steps:
-      - name: Checkout Repository
-        uses: actions/checkout@v4
+      - name: Checkout Repo
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Docker Metadata
         id: meta
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
         with:
           images: ${{ env.REGISTRY_IMAGE }}
           tags: |
@@ -38,21 +60,21 @@ jobs:
             type=sha
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@0d103c3126aa41d772a8362f6aa67afac040f80c # v3.1.0
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Build and Push Digest
         id: build
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v4.1.0
         with:
           context: .
           platforms: ${{ matrix.platform }}
@@ -67,7 +89,7 @@ jobs:
           touch "/tmp/digests/${digest#sha256:}"
 
       - name: Upload Digest
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
         with:
           name: digests
           path: /tmp/digests/*
@@ -76,28 +98,27 @@ jobs:
 
   docker-merge:
     runs-on: ubuntu-latest
-    needs:
-      - docker-build
+    needs: docker-build
     steps:
       - name: Download Digests
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@87c55149d96e628cc2ef7e6fc2aab372015aec85 # v4.1.3
         with:
           name: digests
           path: /tmp/digests
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@0d103c3126aa41d772a8362f6aa67afac040f80c # v3.1.0
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Docker Metadata
         id: meta
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
         with:
           images: ${{ env.REGISTRY }}/${{ env.REGISTRY_IMAGE }}
           tags: |
@@ -121,9 +142,11 @@ jobs:
 
   zarf-publish:
     runs-on: ubuntu-latest
-    needs:
-      - docker-merge
+    needs: docker-merge
     steps:
+    - name: Checkout Repo
+      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
     - name: Install Zarf
       uses: defenseunicorns/setup-zarf@f95763914e20e493bb5d45d63e30e17138f981d6 # v1.0.0
 

@@ -1,4 +1,5 @@
 name: Validate Labels
+
 on:
   pull_request:
     types: [labeled, unlabeled, opened, edited, synchronize]