Add simple 'checks' workflow for PR and Merge events

This workflow automates the following tasks: 1. On pull requests to the 'main' branch, it runs a basic CI check. 2. On pushes or merges to the 'main' branch, it runs the CI check. If successful, it triggers the 'release' job, which performs the following actions: - Deletes the 'latest' release and its associated tag. - Determines the current version (e.g., v1.0.1) and increments it to create a new version (e.g., v1.0.2). - Creates a new version release with the updated tag (e.g., v1.0.2). - Create or updates the 'latest' EC Validate Release resolves: HACBS-2725 Signed-off-by: Sean Conroy [email protected] -- INSERT --
enterprise-contract · Oct 6, 2023 · 7673751 · 7673751
1 parent 8e39760
commit 7673751
Showing 1 changed file with 82 additions and 0 deletions.
diff --git a/.github/workflows/checks.yaml b/.github/workflows/checks.yaml
@@ -0,0 +1,82 @@
+name: Checks
+on:
+  pull_request:
+    branches:
+      - main
+  push:
+    branches:
+      - main
+  workflow_dispatch:
+
+jobs:
+  ci: 
+    runs-on: ubuntu-latest
+    outputs:
+      status: ${{ job.status }}
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v2
+
+    - name : Run EC Validate (keyless)
+      uses: ./
+      with:
+        image: ghcr.io/enterprise-contract/golden-container:latest
+        identity: https:\/\/github\.com\/(slsa-framework\/slsa-github-generator|enterprise-contract\/golden-container)\/
+        issuer: https://token.actions.githubusercontent.com
+
+    - name : Run EC Validate (Long_Lived)
+      uses: ./
+      with:
+        image: quay.io/redhat-appstudio/ec-golden-image:latest
+        key: ${{ vars.PUBLIC_KEY }}
+        policy: "" #TODO Ignore until image is fixed 
+        extra-params: --ignore-rekor
+
+
+  release:
+    runs-on: ubuntu-latest
+    needs: ci
+    if: needs.ci.outputs.status == 'success' && github.ref == 'refs/heads/main' && github.event_name != 'pull_request'
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v3
+      with:
+        fetch-depth: 0
+
+    - name: Setup GitHub Auth for gh cli
+      run: echo ${{ secrets.GHTOKEN }} | gh auth login --with-token
+    - name: Delete latest release and tag
+      run: |
+        latestTag=$(gh api -H 'Accept: application/vnd.github.v3+json' /repos/${{ github.repository }}/releases/latest -q '.tag_name')
+        latestId=$(gh api -H 'Accept: application/vnd.github.v3+json' /repos/${{ github.repository }}/releases/latest -q '.id')
+        
+        # Delete the latest release
+        gh api --method DELETE -H 'Accept: application/vnd.github.v3+json' "/repos/${{ github.repository }}/releases/${latestId}"
+        
+        # Delete the tag associated with the latest release
+        git push --delete origin $latestTag
+
+        # Find the version tag and then increment new version with v prefix eg. v1.0.1 -> v1.0.2
+        latestVTag=$(gh api -H 'Accept: application/vnd.github.v3+json' /repos/${{ github.repository }}/releases/latest -q '.tag_name')
+        echo "newVersion=v$(echo ${latestVTag#v} | awk -F. '{$NF = $NF + 1;} 1' OFS=.)" >> $GITHUB_ENV
+    
+    - name: Create New Version Release
+      uses: softprops/action-gh-release@v1
+      with:
+        name: Latest Version ${{ env.newVersion }} Release
+        body: sha is ${{ github.sha }}
+        tag_name: ${{ env.newVersion }}
+        generate_release_notes: true
+        draft: false
+        prerelease: false
+
+    - name: Create or Update 'latest' EC Validate Release
+      uses: softprops/action-gh-release@v1
+      with:
+        name: Latest Release 
+        body: Latest stable release.
+        tag_name: latest
+        generate_release_notes: true
+        draft: false
+        prerelease: false
+