Add simple 'checks' workflow for PR and Merge events

This workflow automates the following tasks: 1. On pull requests to the 'main' branch, it runs a basic CI check. 2. On pushes or merges to the 'main' branch, it runs the CI check. If successful, it triggers the 'release' job, which performs the following actions: - Determines the current version (e.g., v1.0.1) and increments it to create a new version (e.g., v1.0.2). - Creates a new version release with the updated tag (e.g., v1.0.2). resolves: HACBS-2725 Signed-off-by: Sean Conroy [email protected]
enterprise-contract · Oct 10, 2023 · de49e09 · de49e09
1 parent 1a052b6
commit de49e09
Showing 1 changed file with 58 additions and 0 deletions.
diff --git a/.github/workflows/checks.yaml b/.github/workflows/checks.yaml
@@ -0,0 +1,58 @@
+name: Checks
+on:
+  pull_request:
+    branches:
+      - main
+  push:
+    branches:
+      - main
+  workflow_dispatch:
+
+jobs:
+  ci: 
+    runs-on: ubuntu-latest
+    outputs:
+      status: ${{ job.status }}
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v2
+
+    - name : Run EC Validate (keyless)
+      uses: ./
+      with:
+        image: ghcr.io/enterprise-contract/golden-container:latest
+        identity: https:\/\/github\.com\/(slsa-framework\/slsa-github-generator|enterprise-contract\/golden-container)\/
+        issuer: https://token.actions.githubusercontent.com
+
+    # - name : Run EC Validate (Long_Lived)
+    #   uses: ./
+    #   with:
+    #     image: quay.io/redhat-appstudio/ec-golden-image:latest
+    #     key: ${{ vars.PUBLIC_KEY }}
+    #     policy: github.com/enterprise-contract/config//slsa3 #FIXME Commented out because the golden-image on quay.io is failing due to a violation in the image. 
+    #     extra-params: --ignore-rekor
+
+  release:
+    runs-on: ubuntu-latest
+    needs: ci 
+    permissions:
+      contents: write
+    if: needs.ci.outputs.status == 'success' && github.ref == 'refs/heads/main' && github.event_name != 'pull_request'
+    steps:
+    - name: Setup GitHub Auth for gh cli
+      run: echo ${{ secrets.GHTOKEN }} | gh auth login --with-token
+    - name: Get Latest Version Tag and Increment 
+      run: |
+        # Find the version tag and then increment new version with v prefix eg. v1.0.1 -> v1.0.2
+        latestVTag=$(gh api -H 'Accept: application/vnd.github.v3+json' /repos/${{ github.repository }}/releases/latest -q '.tag_name')
+        echo "newVersion=v$(echo ${latestVTag#v} | awk -F. '{$NF = $NF + 1;} 1' OFS=.)" >> $GITHUB_ENV
+    
+    - name: Create New Version Release
+      uses: softprops/action-gh-release@v1
+      with:
+        name: ${{ env.newVersion }} Release
+        body: ""
+        tag_name: ${{ env.newVersion }}
+        generate_release_notes: true
+        draft: false
+        prerelease: false