From c8395d9e41b6328216b131a9a663e2afe81efbaf Mon Sep 17 00:00:00 2001 From: borislavr Date: Thu, 19 Mar 2026 11:47:40 +0300 Subject: [PATCH 1/4] chore(deps): update workflow templates to use latest action versions --- workflow-templates/check-license.yaml | 2 +- workflow-templates/dev-mvn-docker-build.yml | 2 +- workflow-templates/helm-charts-release.yaml | 10 +- workflow-templates/maven-release-v2.yaml | 2 +- .../maven-release.properties.json | 12 - workflow-templates/maven-release.yaml | 220 ------------------ workflow-templates/maven-snapshot-deploy.yaml | 2 +- workflow-templates/npm-publish.yaml | 2 +- workflow-templates/npm-release.yaml | 38 ++- workflow-templates/python-release.yaml | 6 +- workflow-templates/security-scan-apihub.yml | 4 +- .../security-scan-with-config.yml | 16 +- workflow-templates/security-scan.yml | 14 +- 13 files changed, 48 insertions(+), 282 deletions(-) delete mode 100644 workflow-templates/maven-release.properties.json delete mode 100644 workflow-templates/maven-release.yaml diff --git a/workflow-templates/check-license.yaml b/workflow-templates/check-license.yaml index 94173c21..a942ec69 100644 --- a/workflow-templates/check-license.yaml +++ b/workflow-templates/check-license.yaml @@ -18,4 +18,4 @@ permissions: jobs: check-license: name: "Check Go Modules Licenses" - uses: netcracker/qubership-workflow-hub/.github/workflows/go-check-license.yaml@v2.0.10 + uses: netcracker/qubership-workflow-hub/.github/workflows/go-check-license.yaml@5a557213e92e3d22d0292330c4817c82af6704d2 #v2.1.2 diff --git a/workflow-templates/dev-mvn-docker-build.yml b/workflow-templates/dev-mvn-docker-build.yml index 356c4967..f74110c9 100644 --- a/workflow-templates/dev-mvn-docker-build.yml +++ b/workflow-templates/dev-mvn-docker-build.yml 
@@ -74,7 +74,7 @@ jobs: java-version: ${{ github.event.inputs.java-version || '21' }} - name: "Generate metadata" - uses: netcracker/qubership-workflow-hub/actions/metadata-action@main + uses: netcracker/qubership-workflow-hub/actions/metadata-action@m5a557213e92e3d22d0292330c4817c82af6704d2 #v2.1.2 id: metadata - name: "Prepare tags" diff --git a/workflow-templates/helm-charts-release.yaml b/workflow-templates/helm-charts-release.yaml index 608cf95a..8627fa02 100644 --- a/workflow-templates/helm-charts-release.yaml +++ b/workflow-templates/helm-charts-release.yaml @@ -40,7 +40,7 @@ jobs: steps: - name: Check if tag exists id: check_tag - uses: netcracker/qubership-workflow-hub/actions/tag-action@8d542a426ce561c7dce745f6b9cee068d1d7e101 # v2.0.10 + uses: netcracker/qubership-workflow-hub/actions/tag-action@5a557213e92e3d22d0292330c4817c82af6704d2 #v2.1.2 with: tag-name: '${{ inputs.release }}' ref: ${{ github.ref }} @@ -100,7 +100,7 @@ jobs: run: | echo "IMAGE=${{ matrix.component.name }}" >> $GITHUB_ENV - name: Docker build - uses: netcracker/qubership-workflow-hub/actions/docker-action@8d542a426ce561c7dce745f6b9cee068d1d7e101 # v2.0.10 + uses: netcracker/qubership-workflow-hub/actions/docker-action@5a557213e92e3d22d0292330c4817c82af6704d2 #v2.1.2 with: ref: ${{ github.ref }} download-artifact: false @@ -135,7 +135,7 @@ jobs: - name: "Chart release" id: update-versions - uses: netcracker/qubership-workflow-hub/actions/charts-values-update-action@8d542a426ce561c7dce745f6b9cee068d1d7e101 # v2.0.10 + uses: netcracker/qubership-workflow-hub/actions/charts-values-update-action@5a557213e92e3d22d0292330c4817c82af6704d2 #v2.1.2 with: release-version: ${{ inputs.release }} config-file: .qubership/helm-charts-release-config.yaml 
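Review bot: The new `uses:` ref for metadata-action in dev-mvn-docker-build.yml reads `@m5a557213e92e3d22d0292330c4817c82af6704d2` — a stray `m` in front of the SHA — so it is neither the commit every other hunk in this patch pins (`5a557213e92e3d22d0292330c4817c82af6704d2`) nor a valid branch, and the workflow will fail to resolve the action when the run starts. The line should be `uses: netcracker/qubership-workflow-hub/actions/metadata-action@5a557213e92e3d22d0292330c4817c82af6704d2 # v2.1.2`. Moving this step off `@main` onto an immutable SHA is the right direction, since a floating branch ref lets any later push to the hub repository change what runs in this build; once corrected, keeping the `# v2.1.2` note beside the SHA accurate is what makes the pin auditable later.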
@@ -170,7 +170,7 @@ jobs: echo "IMAGE_VERSION=${IMAGE_VER}" >> $GITHUB_ENV - name: Docker build - uses: netcracker/qubership-workflow-hub/actions/docker-action@8d542a426ce561c7dce745f6b9cee068d1d7e101 # v2.0.10 + uses: netcracker/qubership-workflow-hub/actions/docker-action@5a557213e92e3d22d0292330c4817c82af6704d2 #v2.1.2 with: ref: release-${{ inputs.release }} download-artifact: false @@ -213,7 +213,7 @@ jobs: with: artifact-ids: ${{ needs.chart-release.outputs.charts-artifact }} - name: "Upload Assets" - uses: netcracker/qubership-workflow-hub/actions/assets-action@8d542a426ce561c7dce745f6b9cee068d1d7e101 # v2.0.10 + uses: netcracker/qubership-workflow-hub/actions/assets-action@5a557213e92e3d22d0292330c4817c82af6704d2 #v2.1.2 with: tag: ${{ inputs.release }} item-path: "./*.tgz" diff --git a/workflow-templates/maven-release-v2.yaml b/workflow-templates/maven-release-v2.yaml index 899f5e83..d8d8f54e 100644 --- a/workflow-templates/maven-release-v2.yaml +++ b/workflow-templates/maven-release-v2.yaml @@ -191,7 +191,7 @@ jobs: permissions: contents: write if: ${{ needs.deploy.result == 'success' }} - uses: netcracker/qubership-workflow-hub/.github/workflows/release-drafter.yml@8d542a426ce561c7dce745f6b9cee068d1d7e101 #v2.0.10 + uses: netcracker/qubership-workflow-hub/.github/workflows/release-drafter.yml@5a557213e92e3d22d0292330c4817c82af6704d2 #v2.1.2 with: version: ${{ needs.deploy.outputs.release-version }} publish: true diff --git a/workflow-templates/maven-release.properties.json b/workflow-templates/maven-release.properties.json deleted file mode 100644 index d10bca4e..00000000 --- a/workflow-templates/maven-release.properties.json +++ /dev/null 
@@ -1,12 +0,0 @@ -{ - "name": "Qubership Release And Upload to Maven Central", - "description": "Release And Upload to Maven Central workflow template. It can be used to create GitHub release and upload artifacts to Maven Central.", - "categories": [ - "Java", - "Automation", - "Maven" - ], - "filePatterns": [ - "^pom.xml" - ] -} diff --git a/workflow-templates/maven-release.yaml b/workflow-templates/maven-release.yaml deleted file mode 100644 index dfd5d873..00000000 --- a/workflow-templates/maven-release.yaml +++ /dev/null 
@@ -1,220 +0,0 @@ ---- - -# This GitHub Actions workflow is designed to be triggered when a release is marked as a full release. -# The workflow performs the following tasks: -# 1. Checks if the tag already exists. -# 2. Updates the version in the pom.xml file. -# 3. Commits the changes to the repository. -# 4. Builds the project using Maven. -# 5. Runs tests. -# 6. Tags the commit with the release version. -# 7. Deploys the artifact to the Maven repository. -# 8. Builds and publishes a Docker image. -# 9. Creates a GitHub release. - -# To make it work for your project, you need to adjust the pom.xml and add configuration file for GitHub release. -# Please find detailed instructions: -# https://github.com/netcracker/qubership-workflow-hub?tab=readme-ov-file#maven-project-release-workflow - -name: Release And Deploy Maven Artifact - -on: - workflow_dispatch: - inputs: - version: - required: true - default: '1.0.0' - type: string - description: 'Release version (e.g., 1.0.0)' - java-version: - required: false - type: string - default: "21" - description: 'Java version (e.g., 21)' - build-docker: - required: false - type: boolean - default: true - description: 'Release docker image if there is Docker file' - profile: - type: choice - default: 'central' - description: 'Release mode (github or central)' - required: true - options: - - github - - central - dry-run: - required: false - type: boolean - default: false - description: 'Dry run' - -permissions: - contents: read - -jobs: - check-tag: - name: "Check If Tag Exists" - runs-on: ubuntu-latest - steps: - - name: "Input parameters" - run: | - echo "Version: ${{ github.event.inputs.version }}" >> $GITHUB_STEP_SUMMARY - echo "Java version: ${{ github.event.inputs.java-version }}" >> $GITHUB_STEP_SUMMARY - - - name: "Checkout code" - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - with: - persist-credentials: false - - - name: "Check if tag exists" - id: check_tag - uses: 
netcracker/qubership-workflow-hub/actions/tag-checker@v2.1.2 - with: - tag: 'v${{ github.event.inputs.version }}' - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - - name: "Output result" - run: | - echo "Tag exists: ${{ steps.check_tag.outputs.exists }}" - echo "Tag name: v${{ github.event.inputs.version }}" - - - name: "Fail if tag exists" - if: steps.check_tag.outputs.exists == 'true' - run: | - echo "Tag already exists: v${{ github.event.inputs.version }}" >> $GITHUB_STEP_SUMMARY - echo "Tag already exists: v${{ github.event.inputs.version }}" - exit 1 - - update-pom-version: - name: "Update pom.xml Version" - permissions: - contents: write - needs: [check-tag] - runs-on: ubuntu-latest - outputs: - artifact_id: ${{ steps.config.outputs.artifact_id }} - steps: - - name: "Checkout code" - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - with: - fetch-depth: 0 - persist-credentials: false - - - name: "Update pom.xml version" - id: config - uses: netcracker/qubership-workflow-hub/actions/pom-updater@5a557213e92e3d22d0292330c4817c82af6704d2 #v2.1.2 - with: - new_value: ${{ github.event.inputs.version }} - - - name: "Commit Changes" - uses: netcracker/qubership-workflow-hub/actions/commit-and-push@5a557213e92e3d22d0292330c4817c82af6704d2 #v2.1.2 - with: - commit_message: "Update pom.xml version to ${{ github.event.inputs.version }}" - - mvn-package: - name: "Maven Package Build" - needs: [update-pom-version] - uses: netcracker/qubership-workflow-hub/.github/workflows/maven-publish.yml@396774180000abdb825cbf150b56cc59c6913db8 #v2.0.5 - with: - maven-command: "--batch-mode package" - java-version: ${{ github.event.inputs.java-version }} - upload-artifact: true - artifact-id: ${{ needs.update-pom-version.outputs.artifact_id }} - ref: ${{ github.ref }} - secrets: - maven-username: ${{ secrets.MAVEN_USER }} - maven-token: ${{ secrets.MAVEN_PASSWORD }} - gpg-passphrase: ${{ secrets.MAVEN_GPG_PASSPHRASE }} - gpg-private-key: ${{ 
secrets.MAVEN_GPG_PRIVATE_KEY }} - - tests: - name: "Run Tests" - needs: [mvn-package] - runs-on: ubuntu-latest - steps: - - name: Checkout code - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - with: - persist-credentials: false - - - name: Run tests - run: echo "Running tests here" - - tag: - name: "Create Tag" - permissions: - contents: write - needs: [tests] - uses: netcracker/qubership-workflow-hub/.github/workflows/tag-creator.yml@396774180000abdb825cbf150b56cc59c6913db8 #v2.0.5 - with: - tag-name: "v${{ github.event.inputs.version }}" - - mvn-deploy: - name: "Maven Deploy" - needs: [update-pom-version, tag] - permissions: - contents: write - packages: write - uses: netcracker/qubership-workflow-hub/.github/workflows/maven-publish.yml@396774180000abdb825cbf150b56cc59c6913db8 #v2.0.5 - with: - maven-command: ${{ (github.event.inputs.dry-run == 'true' && '--batch-mode package') || github.event.inputs.profile == 'github' && '--batch-mode deploy -P github' || '--batch-mode deploy -P central' }} - java-version: ${{ github.event.inputs.java-version }} - upload-artifact: false - artifact-id: ${{ needs.update-pom-version.outputs.artifact_id }} - server-id: ${{ inputs.profile }} - ref: ${{ github.ref }} - secrets: - maven-username: ${{ secrets.MAVEN_USER }} - maven-token: ${{ secrets.MAVEN_PASSWORD }} - gpg-passphrase: ${{ secrets.MAVEN_GPG_PASSPHRASE }} - gpg-private-key: ${{ secrets.MAVEN_GPG_PRIVATE_KEY }} - - check-dockerfile: - name: "Check Dockerfile Existence" - runs-on: ubuntu-latest - needs: [update-pom-version, tag] - outputs: - dockerfile_exists: ${{ steps.check_dockerfile.outputs.df_exists }} - steps: - - name: "Checkout code" - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - with: - persist-credentials: false - - name: "Check Dockerfile existence" - id: check_dockerfile - shell: bash - run: | - if [[ -f Dockerfile ]]; then - echo "df_exists=exists" >> "$GITHUB_OUTPUT" - else - echo "Dockerfile does not 
exist. Docker build stage will be skipped" - echo "df_exists=notexists" >> "$GITHUB_OUTPUT" - fi - echo "GITHUB_OUTPUT:" - cat "$GITHUB_OUTPUT" - - docker-build-publish: - name: "Docker Build and Publish" - permissions: - contents: read - packages: write - needs: [update-pom-version, tag, check-dockerfile] - if: ${{ github.event.inputs.build-docker == 'true' && needs.check-dockerfile.outputs.dockerfile_exists == 'exists' }} - uses: netcracker/qubership-workflow-hub/.github/workflows/docker-publish.yml@6b356d28e46b2d4683cccb1d91f92643d7f0c513 #v2.0.11 - with: - ref: "v${{ github.event.inputs.version }}" - artifact-id: ${{ needs.update-pom-version.outputs.artifact_id }} - dry-run: ${{ inputs.dry-run }} - - github-release: - name: "Create GitHub Release" - permissions: - contents: write - needs: [tag] - uses: netcracker/qubership-workflow-hub/.github/workflows/release-drafter.yml@8d542a426ce561c7dce745f6b9cee068d1d7e101 #v2.0.10 - with: - version: ${{ github.event.inputs.version }} - publish: false diff --git a/workflow-templates/maven-snapshot-deploy.yaml b/workflow-templates/maven-snapshot-deploy.yaml index 005570c8..4a82aa7b 100644 --- a/workflow-templates/maven-snapshot-deploy.yaml +++ b/workflow-templates/maven-snapshot-deploy.yaml @@ -34,7 +34,7 @@ jobs: persist-credentials: false - name: "Deploy Maven Snapshot Artifact" - uses: netcracker/qubership-workflow-hub/actions/maven-snapshot-deploy@v2.1.2 + uses: netcracker/qubership-workflow-hub/actions/maven-snapshot-deploy@5a557213e92e3d22d0292330c4817c82af6704d2 #v2.1.2 with: java-version: '21' # Specify the Java version to use for the build target-store: 'github' # or 'central' for Maven Central repository diff --git a/workflow-templates/npm-publish.yaml b/workflow-templates/npm-publish.yaml index c70fef66..0d745f37 100644 --- a/workflow-templates/npm-publish.yaml +++ b/workflow-templates/npm-publish.yaml 
@@ -47,7 +47,7 @@ permissions: jobs: npm-publish: name: "NPM Package Publish" - uses: Netcracker/qubership-workflow-hub/.github/workflows/re-npm-publish.yml@v2.1.1 + uses: Netcracker/qubership-workflow-hub/.github/workflows/re-npm-publish.yml@5a557213e92e3d22d0292330c4817c82af6704d2 #v2.1.2 with: version: ${{ github.event_name == 'workflow_dispatch' && inputs.version || '' }} scope: ${{ github.event_name == 'workflow_dispatch' && inputs.scope || '@netcracker' }} diff --git a/workflow-templates/npm-release.yaml b/workflow-templates/npm-release.yaml index cd24e300..80376e45 100644 --- a/workflow-templates/npm-release.yaml +++ b/workflow-templates/npm-release.yaml @@ -90,29 +90,20 @@ jobs: - name: "Check if tag exists" id: check_tag - uses: netcracker/qubership-workflow-hub/actions/tag-checker@v2.1.2 + uses: netcracker/qubership-workflow-hub/actions/tag-action@5a557213e92e3d22d0292330c4817c82af6704d2 #v2.1.2 with: - tag: 'v${{ github.event.inputs.version }}' + tag-name: 'v${{ github.event.inputs.version }}' + ref: ${{ github.ref }} + create-tag: false + check-tag: true env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - name: "Output result" - run: | - echo "Tag exists: ${{ steps.check_tag.outputs.exists }}" - echo "Tag name: v${{ github.event.inputs.version }}" - - - name: "Fail if tag exists" - if: steps.check_tag.outputs.exists == 'true' - run: | - echo "Tag already exists: v${{ github.event.inputs.version }}" >> $GITHUB_STEP_SUMMARY - echo "Tag already exists: v${{ github.event.inputs.version }}" - exit 1 - npm-test: name: "NPM Package Test (Dry Run)" needs: [check-tag] if: always() - uses: Netcracker/qubership-workflow-hub/.github/workflows/re-npm-publish.yml@v2.1.1 + uses: Netcracker/qubership-workflow-hub/.github/workflows/re-npm-publish.yml@5a557213e92e3d22d0292330c4817c82af6704d2 #v2.1.2 with: version: '' dry-run: true 
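Review bot: Dropping the `Fail if tag exists` step from npm-release.yaml's `check-tag` job makes the duplicate-release guard depend entirely on `tag-action` with `check-tag: true` failing the job on its own, which this hunk does not show; if the action only reports the result through an output, an existing `v<version>` tag no longer stops the run. The unchanged `if: always()` on `npm-test` (a context line here) also means a failed `check-tag` still lets `npm-test` start, so whether the check ever reaches `npm-publish` depends on how `success()` is evaluated across that chain rather than on anything explicit. I would either restore an explicit failing step on the action's output if it exposes one, or add `needs.check-tag.result == 'success'` to the downstream condition, and in any case put a comment above the step: `# tag-action with check-tag: true is expected to fail this job when the tag already exists; npm-test runs regardless (if: always())`.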
@@ -122,7 +113,7 @@ jobs: name: "NPM Package Publish" if: ${{ !inputs.dry-run }} needs: [npm-test] - uses: Netcracker/qubership-workflow-hub/.github/workflows/re-npm-publish.yml@v2.1.1 + uses: Netcracker/qubership-workflow-hub/.github/workflows/re-npm-publish.yml@5a557213e92e3d22d0292330c4817c82af6704d2 #v2.1.2 with: version: ${{ inputs.version }} scope: ${{ inputs.scope }} @@ -138,15 +129,22 @@ jobs: name: "Create Git Tag" if: ${{ !inputs.dry-run }} needs: [npm-publish] - uses: netcracker/qubership-workflow-hub/.github/workflows/tag-creator.yml@v2.0.5 - with: - tag-name: "v${{ github.event.inputs.version }}" + steps: + - name: Create tag + uses: netcracker/qubership-workflow-hub/actions/tag-action@5a557213e92e3d22d0292330c4817c82af6704d2 #v2.1.2 + with: + tag-name: 'v${{ github.event.inputs.version }}' + ref: ${{ github.ref }} + create-tag: true + check-tag: false + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} github-release: name: "Create GitHub Release" if: ${{ !inputs.dry-run }} needs: [tag] - uses: netcracker/qubership-workflow-hub/.github/workflows/release-drafter.yml@v2.0.10 + uses: netcracker/qubership-workflow-hub/.github/workflows/release-drafter.yml@5a557213e92e3d22d0292330c4817c82af6704d2 #v2.1.2 with: version: ${{ github.event.inputs.version }} publish: false diff --git a/workflow-templates/python-release.yaml b/workflow-templates/python-release.yaml index 0c550517..a131ceb9 100644 --- a/workflow-templates/python-release.yaml +++ b/workflow-templates/python-release.yaml @@ -59,7 +59,7 @@ jobs: - name: Check if tag exists if: ${{ inputs.version != '' }} id: check_tag - uses: netcracker/qubership-workflow-hub/actions/tag-action@v2.1.2 + uses: netcracker/qubership-workflow-hub/actions/tag-action@5a557213e92e3d22d0292330c4817c82af6704d2 #v2.1.2 with: tag-name: 'v${{ inputs.version }}' ref: ${{ github.ref }} 
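Review bot: The `tag` job in npm-release.yaml switches from a reusable-workflow `uses:` to inline `steps:`, but the hunk shows only `name:`, `if:` and `needs:` above `steps:` and no `runs-on:`; unless one sits on the line just above the hunk (the job's opening line is outside it), the workflow fails validation because a job with steps needs a runner. Creating a tag through `tag-action` with `GITHUB_TOKEN` also needs `contents: write`, which the old `tag-creator.yml` call may have carried inside its own job and which is not declared here. I would add `runs-on: ubuntu-latest` and `permissions:` / `contents: write` directly under `needs: [npm-publish]`, scoped to this job only rather than raised at workflow level.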
@@ -94,7 +94,7 @@ jobs: - name: "Publish to PyPI" id: publish - uses: netcracker/qubership-workflow-hub/actions/poetry-publisher@v2.1.2 + uses: netcracker/qubership-workflow-hub/actions/poetry-publisher@5a557213e92e3d22d0292330c4817c82af6704d2 #v2.1.2 with: package_version: ${{ inputs.version }} poetry_version_bump: ${{ inputs.poetry-version-options }} @@ -118,7 +118,7 @@ jobs: contents: write pull-requests: write needs: [publish] - uses: netcracker/qubership-workflow-hub/.github/workflows/release-drafter.yml@v2.0.10 + uses: netcracker/qubership-workflow-hub/.github/workflows/release-drafter.yml@5a557213e92e3d22d0292330c4817c82af6704d2 #v2.1.2 with: version: ${{ needs.publish.outputs.published-version }} publish: true diff --git a/workflow-templates/security-scan-apihub.yml b/workflow-templates/security-scan-apihub.yml index 9e2ef52c..626d8aa1 100644 --- a/workflow-templates/security-scan-apihub.yml +++ b/workflow-templates/security-scan-apihub.yml @@ -86,7 +86,7 @@ jobs: package: ${{ fromJson(needs.debug-packages.outputs.packages) }} name: "Run Security Scan (matrix)" - uses: netcracker/qubership-workflow-hub/.github/workflows/re-security-scan.yml@6b356d28e46b2d4683cccb1d91f92643d7f0c513 #v2.0.11 + uses: netcracker/qubership-workflow-hub/.github/workflows/re-security-scan.yml@5a557213e92e3d22d0292330c4817c82af6704d2 #v2.1.2 with: target: ${{ inputs.target || 'docker' }} image: ${{ format('{0}:{1}', matrix.package.path, inputs.tag || 'dev') }} @@ -95,7 +95,7 @@ jobs: needs: debug-packages if: ${{ inputs.image != '' && inputs.image != null }} name: "Run Security Scan (single image)" - uses: netcracker/qubership-workflow-hub/.github/workflows/re-security-scan.yml@6b356d28e46b2d4683cccb1d91f92643d7f0c513 #v2.0.11 + uses: netcracker/qubership-workflow-hub/.github/workflows/re-security-scan.yml@5a557213e92e3d22d0292330c4817c82af6704d2 #v2.1.2 with: target: ${{ inputs.target || 'docker' }} image: ${{ inputs.image }} 
diff --git a/workflow-templates/security-scan-with-config.yml b/workflow-templates/security-scan-with-config.yml index c3cb9f5e..d25cf79d 100644 --- a/workflow-templates/security-scan-with-config.yml +++ b/workflow-templates/security-scan-with-config.yml @@ -105,7 +105,7 @@ jobs: package: ${{ fromJson(needs.load-config.outputs.packages) }} name: "Scan (matrix)" - uses: netcracker/qubership-workflow-hub/.github/workflows/re-security-scan.yml@6b356d28e46b2d4683cccb1d91f92643d7f0c513 #v2.0.11 + uses: netcracker/qubership-workflow-hub/.github/workflows/re-security-scan.yml@5a557213e92e3d22d0292330c4817c82af6704d2 #v2.1.2 with: target: ${{ inputs.target || 'docker' }} image: ${{ format('{0}:{1}', matrix.package.image, inputs.tag || matrix.package.security_tag) }} @@ -127,7 +127,7 @@ jobs: package: ${{ fromJson(needs.load-config.outputs.packages) }} name: "Scan (matrix, manual overrides)" - uses: netcracker/qubership-workflow-hub/.github/workflows/re-security-scan.yml@6b356d28e46b2d4683cccb1d91f92643d7f0c513 #v2.0.11 + uses: netcracker/qubership-workflow-hub/.github/workflows/re-security-scan.yml@5a557213e92e3d22d0292330c4817c82af6704d2 #v2.1.2 with: target: ${{ inputs.target || 'docker' }} image: ${{ format('{0}:{1}', matrix.package.image, inputs.tag || matrix.package.security_tag) }} 
@@ -144,12 +144,12 @@ jobs: packages: read if: ${{ inputs.image != '' && inputs.image != null }} name: "Scan (single image)" - uses: netcracker/qubership-workflow-hub/.github/workflows/re-security-scan.yml@6b356d28e46b2d4683cccb1d91f92643d7f0c513 #v2.0.11 + uses: netcracker/qubership-workflow-hub/.github/workflows/re-security-scan.yml@5a557213e92e3d22d0292330c4817c82af6704d2 #v2.1.2 with: target: ${{ inputs.target || 'docker' }} image: ${{ inputs.image }} - only-high-critical: ${{ inputs.only-high-critical || true }} - trivy-scan: ${{ inputs.trivy-scan || true }} - grype-scan: ${{ inputs.grype-scan || true }} - only-fixed: ${{ inputs.only-fixed || true }} - continue-on-error: ${{ inputs.continue-on-error || true }} + only-high-critical: ${{ inputs.only-high-critical }} + trivy-scan: ${{ inputs.trivy-scan }} + grype-scan: ${{ inputs.grype-scan }} + only-fixed: ${{ inputs.only-fixed }} + continue-on-error: ${{ inputs.continue-on-error }} diff --git a/workflow-templates/security-scan.yml b/workflow-templates/security-scan.yml index 411fbe40..c6f19b86 100644 --- a/workflow-templates/security-scan.yml +++ b/workflow-templates/security-scan.yml @@ -85,7 +85,7 @@ jobs: package: ${{ fromJson(needs.debug-packages.outputs.packages) }} name: "Run Security Scan (matrix)" - uses: netcracker/qubership-workflow-hub/.github/workflows/re-security-scan.yml@6b356d28e46b2d4683cccb1d91f92643d7f0c513 #v2.0.11 + uses: netcracker/qubership-workflow-hub/.github/workflows/re-security-scan.yml@5a557213e92e3d22d0292330c4817c82af6704d2 #v2.1.2 with: target: ${{ inputs.target || 'docker' }} image: ${{ format('{0}:{1}', matrix.package.path, inputs.tag || 'latest') }} 
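Review bot: Removing the `|| true` fallbacks on the five `with:` values of the single-image scan in security-scan-with-config.yml fixes the old inability to pass `false`, but `${{ inputs.only-high-critical }}` and the other four now forward whatever the caller's `inputs` context holds, so a trigger other than `workflow_dispatch`, or an input declared without a default, hands `re-security-scan.yml` an empty value for a presumably boolean input; whether that is accepted or rejected depends on that reusable workflow's input declarations, which the hunk does not show. The effective defaults now live solely in the `on.workflow_dispatch.inputs` block above the hunk, so I would add above the `with:` block `# defaults come from on.workflow_dispatch.inputs; no fallback here so that an explicit false is honoured`. The same change in security-scan.yml at `@@ -94,12 +94,12 @@` carries the same dependency and deserves the same comment.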
@@ -94,12 +94,12 @@ jobs: needs: debug-packages if: ${{ inputs.image != '' && inputs.image != null }} name: "Run Security Scan (single image)" - uses: netcracker/qubership-workflow-hub/.github/workflows/re-security-scan.yml@6b356d28e46b2d4683cccb1d91f92643d7f0c513 #v2.0.11 + uses: netcracker/qubership-workflow-hub/.github/workflows/re-security-scan.yml@5a557213e92e3d22d0292330c4817c82af6704d2 #v2.1.2 with: target: ${{ inputs.target || 'docker' }} image: ${{ inputs.image }} - only-high-critical: ${{ inputs.only-high-critical || true }} - trivy-scan: ${{ inputs.trivy-scan || true }} - grype-scan: ${{ inputs.grype-scan || true }} - only-fixed: ${{ inputs.only-fixed || true }} - continue-on-error: ${{ inputs.continue-on-error || true }} + only-high-critical: ${{ inputs.only-high-critical }} + trivy-scan: ${{ inputs.trivy-scan }} + grype-scan: ${{ inputs.grype-scan }} + only-fixed: ${{ inputs.only-fixed }} + continue-on-error: ${{ inputs.continue-on-error }} From 593dba06039ba6c7ba070d10f80641c55610ace7 Mon Sep 17 00:00:00 2001 From: borislavr Date: Thu, 19 Mar 2026 11:55:59 +0300 Subject: [PATCH 2/4] chore: crlf -> lf --- README.md | 1 - docs/workflows/maven-release.md | 96 --------------------------------- 2 files changed, 97 deletions(-) delete mode 100644 docs/workflows/maven-release.md diff --git a/README.md b/README.md index d653ccc5..b35981ab 100644 --- a/README.md +++ b/README.md 
@@ -43,7 +43,6 @@ In this repository in folder [workflow-templates](./workflow-templates/) you can | [**Lint and Test Charts**](./docs/workflows/lint-test-chart.md) | Lint and test Helm Charts | Manual trigger (workflow_dispatch), Pull request (pull_request) | [lint-test-chart.yaml](./workflow-templates/lint-test-chart.yaml) | | [**Lint Codebase**](./docs/workflows/super-linter.md) | Lint codebase using GitHub Super-Linter. Runs multiple linters on changed files for supported languages. See [.github/super-linter.env](.github/super-linter.env) and [.github/linters/](.github/linters/) for configuration. | On push, pull request, manual trigger | [super-linter.yaml](./workflow-templates/super-linter.yaml) | | [**Maven Release v2**](./docs/workflows/maven-release-v2.md) | Enhanced Maven release with dry-run, Docker build, and GitHub release support. Requires `pom.xml` [configuration](./docs/maven-publish-pom-preparation_doc.md) and [.github/release-drafter-config.yml](./config/examples/release-drafter-config.yml) config file. 
| Manual trigger (workflow_dispatch) | [maven-release-v2.yaml](./workflow-templates/maven-release-v2.yaml) | -| [**Maven Release**](./docs/workflows/maven-release.md) | Release and upload Java artifacts to Maven Central or GitHub Packages, create GitHub release | Manual trigger (workflow_dispatch) | [maven-release.yaml](./workflow-templates/maven-release.yaml) | | [**Maven Snapshot Deploy**](./docs/workflows/maven-snapshot-deploy.md) | Deploy Maven snapshot artifacts to GitHub Packages or Maven Central | On push to non-main/non-release branches | [maven-snapshot-deploy.yaml](./workflow-templates/maven-snapshot-deploy.yaml) | | [**PR Assigner**](./docs/workflows/pr-assigner.md) | Automatically assign reviewers to PRs based on config or CODEOWNERS | On PR events | [pr-assigner.yml](./workflow-templates/pr-assigner.yml) | | [**PR Conventional Commits**](./docs/workflows/pr-conventional-commits.md) | Check if PR commits follow conventional commit messages | On PR events | [pr-conventional-commits.yaml](./workflow-templates/pr-conventional-commits.yaml) | diff --git a/docs/workflows/maven-release.md b/docs/workflows/maven-release.md deleted file mode 100644 index 063fbeac..00000000 --- a/docs/workflows/maven-release.md +++ /dev/null 
@@ -1,96 +0,0 @@ -# Maven Release - -## Overview - -The Maven Release workflow is designed to be triggered when a release is marked as a full release. It performs a comprehensive release process including version management, building, testing, tagging, and deployment to Maven repositories. - -## Trigger - -This workflow is triggered manually via `workflow_dispatch` with configurable input parameters. - -## Workflow Details - -### Jobs - -#### `check-tag` -- **Runner**: `ubuntu-latest` -- **Purpose**: Validates input parameters and checks if the release tag already exists -- **Uses**: `netcracker/qubership-workflow-hub/actions/tag-checker@v1.0.4` - -#### `update-pom-version` -- **Runner**: `ubuntu-latest` -- **Purpose**: Updates the version in pom.xml and commits changes -- **Dependencies**: Requires `check-tag` job completion -- **Outputs**: `artifact_id` from configuration - -### Steps - -#### check-tag Job -1. **Input parameters** - - Displays version and Java version in workflow summary - -2. **Checkout code** - - Uses `actions/checkout@v4` - - Checks out the repository code - -3. **Check if tag exists** - - Validates if the release tag already exists - - Prevents duplicate releases - -4. **Output result** - - Logs tag existence status and tag name - -5. **Fail if tag exists** - - Terminates workflow if tag already exists - -#### update-pom-version Job -1. **Checkout code** - - Uses `actions/checkout@v4` - - Fetches complete repository history - -2. 
**Update pom.xml** - - Updates version information in pom.xml file - -## Configuration - -### Required Input Parameters -- `version` (string, required): Release version (e.g., 1.0.0) - -### Optional Input Parameters -- `java-version` (string, optional): Java version to use (default: "21") -- `build-docker` (boolean, optional): Release docker image if Dockerfile exists (default: true) -- `profile` (choice, required): Release mode - 'github' or 'central' (default: 'central') -- `dry-run` (boolean, optional): Enable dry-run mode (default: false) - -### Permissions -- `contents: write` - For updating pom.xml and creating releases -- `packages: write` - For publishing Maven artifacts - -## Usage - -This workflow is particularly useful for: -- Automating Maven project releases -- Publishing artifacts to Maven Central or GitHub Packages -- Creating GitHub releases with proper versioning -- Building and publishing Docker images alongside Maven artifacts -- Ensuring release quality through comprehensive testing - -## Features - -- **Version management**: Automatically updates pom.xml with release version -- **Tag validation**: Prevents duplicate releases -- **Multiple deployment targets**: Supports Maven Central and GitHub Packages -- **Docker integration**: Optionally builds and publishes Docker images -- **Dry-run support**: Test releases without actual deployment -- **Comprehensive testing**: Runs tests before deployment - -## Categories -- Java -- Automation -- Maven - -## Labels -- maven -- release -- java -- central From f9cb1173159b474ab831747281a4cd6a01f4187d Mon Sep 17 00:00:00 2001 
From: borislavr Date: Thu, 19 Mar 2026 13:00:18 +0300 Subject: [PATCH 3/4] chore: remove obsolete workflow documentation for CDXGen and 3rd-party security scan. Added missing documentation. --- README.md | 2 + docs/workflows/bump-test-workflows-version.md | 67 +++++++ docs/workflows/cdxgen.md | 83 -------- docs/workflows/docker-release.md | 63 +++++++ workflow-templates/3rd-party-sec-scan.yaml | 178 ------------------ 5 files changed, 132 insertions(+), 261 deletions(-) create mode 100644 docs/workflows/bump-test-workflows-version.md delete mode 100644 docs/workflows/cdxgen.md create mode 100644 docs/workflows/docker-release.md delete mode 100644 workflow-templates/3rd-party-sec-scan.yaml diff --git a/README.md b/README.md index b35981ab..117f8ff8 100644 --- a/README.md +++ b/README.md 
@@ -29,6 +29,7 @@ In this repository in folder [workflow-templates](./workflow-templates/) you can | ------------- | ----------- | -------------------------- | ------------- | | [**Add License Headers**](./docs/workflows/license-header.md) | Checks or adds license header into source code files. Requires a [`.licenserc.yaml`](./config/examples/.licenserc.yaml) config file in the root folder. | On `push` and `workflow_dispatch` events | [license-header.yml](./workflow-templates/license-header.yml) | | [**Automatic PR Labeler**](./docs/workflows/automatic-pr-labeler.md) | Automatically label PRs based on conventional commit messages. Requires a [auto-labeler-config.yaml](./config/examples/auto-labeler-config.yaml) config file in the `.github` folder | On PR events | [automatic-pr-labeler.yaml](./workflow-templates/automatic-pr-labeler.yaml) | +| [**Bump qubership-test-pipelines version**](./docs/workflows/bump-test-workflows-version.md) | This workflow automatically bumps references to `netcracker/qubership-test-pipelines` in all `.github/workflows/*.yaml` workflow files to the latest release commit SHA, and updates `pipeline_branch` to the same SHA value. | Manual trigger (workflow_dispatch) | [bump-test-workflows-version.yaml](./workflow-templates/bump-test-workflows-version.yaml) | | [**Check Go Modules Licenses**](./docs/workflows/check-license.md) | Check the licenses of Go modules in the repository using a configurable allowlist. Fails if any module has a disallowed or missing license. Requires a [.wwhrd.yml](./config/examples/.wwhrd.yml) config file in the repository root. 
| On push | [check-license.yaml](./workflow-templates/check-license.yaml) | | [**CLA Assistant**](./docs/workflows/cla.md) | Check if PR authors have signed the Contributor License Agreement | On PR events | [cla.yaml](./workflow-templates/cla.yaml) | | [**Cleanup Old Docker**](./docs/workflows/cleanup-old-docker-container.md) | Clean up old Docker container versions in GitHub Packages | Scheduled (cron), manual trigger | [cleanup-old-docker-container.yaml](./workflow-templates/cleanup-old-docker-container.yaml) | 
@@ -37,6 +38,7 @@ In this repository in folder [workflow-templates](./workflow-templates/) you can
 | [**CI: Dev Docker Build Multiple Images**](./docs/workflows/dev-docker-build-multiple-images.md) | Workflow to build and publish multiple Docker images based on configuration file (.qubership/docker.cfg) | Manual trigger (workflow_dispatch), Pull request, Push | [dev-docker-build-multiple-images.yml](./workflow-templates/dev-docker-build-multiple-images.yml) |
 | [**CI: Dev Docker Build Selective**](./docs/workflows/dev-docker-build-selective.md) | Workflow to build and publish multiple Docker images based on configuration file (.qubership/docker.cfg) It builds only changed images based on the changeset detected. | Manual trigger (workflow_dispatch), Pull request, Push | [dev-docker-build-single-image.yml](./workflow-templates/dev-docker-build-selective.yml) |
 | [**Dev Maven Docker Build**](./docs/workflows/dev-mvn-docker-build.md) | Development build for Maven projects, with Docker image build and artifact publishing | Manual trigger (workflow_dispatch) | [dev-mvn-docker-build.yml](./workflow-templates/dev-mvn-docker-build.yml) |
+| [**Docker Images Release**](./docs/workflows/docker-release.md) | Releases Docker images and creates a GitHub release tag using configuration in `.qubership/docker-build-config.cfg`. | Manual trigger (workflow_dispatch) | [docker-release.yaml](./workflow-templates/docker-release.yaml) |
 | [**Go Build**](./docs/workflows/go-build.md) | Build and test Go projects, upload coverage to SonarCloud | On push to main, on pull request | [go-build.yaml](./workflow-templates/go-build.yaml) |
 | [**Helm Charts Release**](./docs/workflows/helm-charts-release.md) | Release Helm charts and Docker images, create GitHub release. Requires a lot of configuration. Please read workflow file comments. 
Configuration examples: [.github/helm-charts-release-config.yaml](./config/examples/helm-charts-release-config.yaml) [.github/docker.cfg](./config/examples/docker.cfg) [.github/release-drafter-config.yml](./config/examples/release-drafter-config.yml) | Manual trigger (workflow_dispatch) | [helm-charts-release.yaml](./workflow-templates/helm-charts-release.yaml) |
 | [**Link Checker**](./docs/workflows/link-checker.md) | Check Markdown files for broken links using lychee | On push, manual trigger | [link-checker.yaml](./workflow-templates/link-checker.yaml) |
diff --git a/docs/workflows/bump-test-workflows-version.md b/docs/workflows/bump-test-workflows-version.md
new file mode 100644
index 00000000..4964263b
--- /dev/null
+++ b/docs/workflows/bump-test-workflows-version.md
@@ -0,0 +1,67 @@
+# Bump qubership-test-pipelines version
+
+## Purpose
+
+This workflow automatically bumps references to `netcracker/qubership-test-pipelines` in all `.github/workflows/*.yaml` workflow files to the latest release commit SHA, and updates `pipeline_branch` to the same SHA value.
+
+It is useful to keep downstream workflow definitions aligned with the latest test-pipeline version and avoid manual PR churn.
+
+## Trigger
+
+- `on: workflow_dispatch` (manual run)
+
+## Required permissions
+
+In `jobs.bump.permissions`:
+
+- `contents: write`
+- `pull-requests: write`
+
+The run also requires a PAT in repository secrets with:
+
+- `GH_ACCESS_TOKEN` containing `contents: write` and `workflows: write`.
+
+## Job: `bump`
+
+Runs on:
+- `ubuntu-latest`
+
+### Steps
+
+1. **Get latest release tag SHA**
+ - `curl` latest release from:
+ - `https://api.github.com/repos/netcracker/qubership-test-pipelines/releases/latest`
+ - resolves tag name and tag object SHA into:
+ - `latest_release_tag`
+ - `latest_release_tag_sha`
+ - stores in `GITHUB_ENV`
+
+2. **Checkout**
+ - `uses: actions/checkout@v6`
+ - `ref: main`
+ - `persist-credentials: true`
+ - `token: ${{ secrets.GH_ACCESS_TOKEN }}`
+
+3. **Update version**
+ - env `GH_TOKEN: ${{ github.token }}`
+ - config git user:
+ - `github-actions[bot]@qubership.com`
+ - `Git Hub Actions [Bot]`
+ - For each workflow file under `./.github/workflows` containing `uses: netcracker/qubership-test-pipelines`:
+ - update `uses: ... @` plus comment `# `
+ - update `pipeline_branch: ''`
+ - If `git status` shows changes:
+ - branch `feature/bump-test-pipelines-version-`
+ - commit message:
+ - `chore: bump netcracker/qubership-test-pipelines version to '' []`
+ - push branch
+ - create PR:
+ - via `gh pr create --base main --head --title ... --body ...`
+ - Else:
+ - prints `No changes.`
+
+## Notes
+
+- The workflow uses the release tag's Git object SHA, not the tag name, as version pin. 
+- It ensures both `uses: ...` and `pipeline_branch:` are updated in sync.
+- Requires `gh` CLI auth context in runner.
diff --git a/docs/workflows/cdxgen.md b/docs/workflows/cdxgen.md
deleted file mode 100644
index 49b8cd06..00000000
--- a/docs/workflows/cdxgen.md
+++ /dev/null
@@ -1,83 +0,0 @@
-# CDXGen
-
-## Overview
-
-The CDXGen workflow generates SBOM (Software Bill of Materials) files for the repository and vulnerability scan reports using CycloneDX. The workflow runs on push to the main branch and can also be triggered manually.
-
-## Trigger
-
-This workflow is triggered when:
-- Code is pushed to the `main` branch
-- Manually via `workflow_dispatch` with optional input parameters
-
-## Workflow Details
-
-### Jobs
-
-#### `cdxgen`
-- **Runner**: `ubuntu-latest`
-- **Purpose**: Generates CycloneDX SBOM and vulnerability reports
-
-#### `deploy-pages` (Conditional)
-- **Runner**: `ubuntu-latest`
-- **Purpose**: Deploys the generated report to GitHub Pages
-- **Condition**: Only runs when `generate_cdx_report` input is true
-
-### Steps
-
-#### cdxgen Job
-1. **cdxgen**
- - Uses `netcracker/qubership-workflow-hub/actions/cdxgen@v1.0.4`
- - Generates SBOM and vulnerability reports
- - Accepts `generate_cdx_report` input parameter
-
-#### deploy-pages Job
-1. **Deploy to GitHub Pages**
- - Uses `actions/deploy-pages@v4`
- - Deploys the generated report to GitHub Pages
- - Requires `id-token: write` and `pages: write` permissions
-
-2. 
**Summary**
- - Outputs the GitHub Pages URL for the CycloneDX report
-
-## Configuration
-
-### Input Parameters (Manual Trigger)
-- `generate_cdx_report` (boolean, optional): Whether to generate CycloneDX report and deploy to GitHub Pages
-
-### Permissions
-- `contents: read` - For reading repository contents
-- `id-token: write` - For GitHub Pages deployment (conditional)
-- `pages: write` - For GitHub Pages deployment (conditional)
-
-### Environment
-- `github-pages` - For GitHub Pages deployment
-
-## Supported File Patterns
-- `*/**/go.mod` - Go modules
-- `*/**/pom.xml` - Maven projects
-- `*/**/requirements.txt` - Python requirements
-- `*/**/Dockerfile` - Docker containers
-- `*/**/pyproject.toml` - Python projects
-
-## Usage
-
-This workflow is particularly useful for:
-- Generating SBOM files for compliance and security audits
-- Identifying vulnerabilities in dependencies
-- Maintaining an up-to-date inventory of software components
-- Deploying vulnerability reports to GitHub Pages for easy access
-
-## Categories
-- Go
-- Maven
-- Python
-- Docker
-- Automation
-- Utilities
-
-## Labels
-- sbom
-- security
-- vulnerability-scan
-- cyclonedx
diff --git a/docs/workflows/docker-release.md b/docs/workflows/docker-release.md
new file mode 100644
index 00000000..6c161b16
--- /dev/null
+++ b/docs/workflows/docker-release.md
@@ -0,0 +1,63 @@
+# Docker Images Release
+
+## Purpose
+
+Releases Docker images and creates a GitHub release tag using configuration in `.qubership/docker-build-config.cfg`.
+
+The workflow validates a `release` tag, builds/publishes images via `qubership-workflow-hub` actions, and runs Release Drafter.
+
+## Trigger
+
+- `workflow_dispatch` with input:
+ - `release` (string, required)
+
+## Permissions
+
+- `contents: read` (top-level)
+
+Job-specific permissions:
+- `create-tag` job: `contents: write`
+- `docker-build` job: `contents: read`, `packages: write`
+- `github-release` job: `contents: write`, `packages: write`
+
+## Concurrency
+
+- group: `${{ github.workflow }}-${{ github.ref }}`
+- cancel-in-progress: `true`
+
+## Jobs
+
+### `check-tag`
+
+- `netcracker/qubership-workflow-hub/actions/tag-action@...` to ensure `v${{ inputs.release }}` does not already exist
+
+### `load-docker-build-components`
+
+- Checkout code
+- Read `.qubership/docker-build-config.cfg`
+- Validate format: `components` array and `platforms` string
+- Output `components` and `platforms` for matrix build
+
+### `create-tag`
+
+- Create git tag `v${{ inputs.release }}` (write permission)
+
+### `docker-build`
+
+- Matrix over components from config
+- For each component:
+ - set `IMAGE_VERSION=${{ inputs.release }}`
+ - use `netcracker/qubership-workflow-hub/actions/docker-action@...` to build and publish
+
+### `github-release`
+
+- Checkout tag `v${{ inputs.release }}`
+- Run `netcracker/release-drafter@...` with:
+ - `config-name: release-drafter-config.yml`
+ - `publish: true`
+ - `name/tag/version: ${{ inputs.release }}`
+
+## Configuration files
+
+- `.qubership/docker-build-config.cfg` (example: `config/examples/docker.cfg`)
+- `.github/release-drafter-config.yml` (example: `config/examples/release-drafter-config.yml`)
diff --git a/workflow-templates/3rd-party-sec-scan.yaml b/workflow-templates/3rd-party-sec-scan.yaml
deleted file mode 100644
index cebeb8c3..00000000
--- a/workflow-templates/3rd-party-sec-scan.yaml
+++ /dev/null
@@ -1,178 +0,0 @@ ---- - -# Workflow to scan Docker images vulnerabilities by Grape and Trivy -# To make it work create a configuration file .qubership/3rd-party-sec-scan-config.yaml -# Example configuration file can be found there: config/examples/3rd-party-sec-scan-config.yaml -name: Security Scan Docker images -run-name: > - Security Scan -on: - workflow_dispatch: - inputs: - only-high-critical: - description: "Scope only HIGH + CRITICAL" - required: false - default: true - type: boolean - trivy-scan: - description: "Trivy scan" - required: false - default: true - type: boolean - grype-scan: - description: "Grype scan" - required: false - default: true - type: boolean - continue-on-error: - description: "Continue on error" - required: false - default: true - type: boolean - only-fixed: - description: "Ignore unfixed vulnerabilities" - required: false - default: true - type: boolean - schedule: - - cron: "0 3 * * 0" # every Sunday at 03:00 UTC -permissions: - contents: read - -env: - CONFIG_FILE: .qubership/3rd-party-sec-scan-config.yaml - REPORT_BRANCH: reports -jobs: - load-config: - runs-on: ubuntu-latest - outputs: - packages: ${{ steps.config.outputs.packages }} - steps: - - name: Checkout - uses: actions/checkout@v5 - - name: Read config - id: config - run: | - echo "only-high-critical: ${{ inputs.only-high-critical }}" - echo "trivy-scan: ${{ inputs.trivy-scan }}" - echo "grype-scan: ${{ inputs.grype-scan }}" - echo "continue-on-error: ${{ inputs.continue-on-error }}" - echo "only-fixed: ${{ inputs.only-fixed }}" - echo "1. ===================================================================================" - yq -oj '.' $CONFIG_FILE - echo "2. ===================================================================================" - yq -oj '.' $CONFIG_FILE | jq -c 'to_entries | map({repo: .key, image: .value[]}) | {packages: .}' - echo "3. ===================================================================================" - - packages=$(yq -oj '.' 
$CONFIG_FILE | jq -c 'to_entries | map({repo: .key, image: .value[]})') - echo "packages=$packages" >> $GITHUB_OUTPUT - - security-scan-matrix: - needs: load-config - permissions: - security-events: write - contents: read - packages: read - strategy: - fail-fast: false - matrix: - package: "${{ fromJson(needs.load-config.outputs.packages) }}" - name: "${{ matrix.package.image }}" - uses: netcracker/qubership-workflow-hub/.github/workflows/re-security-scan.yml@v2.0.11 - with: - target: 'docker' - image: ${{ matrix.package.image }} - only-high-critical: ${{ (github.event_name == 'schedule' && true) || inputs.only-high-critical }} - trivy-scan: ${{ (github.event_name == 'schedule' && true) || inputs.trivy-scan }} - grype-scan: ${{ (github.event_name == 'schedule' && true) || inputs.grype-scan }} - continue-on-error: ${{ (github.event_name == 'schedule' && true) || inputs.continue-on-error }} - only-fixed: ${{ (github.event_name == 'schedule' && true) || inputs.only-fixed }} - upload-sarif-to-security: false - - create-report: - needs: [security-scan-matrix] - if: always() - runs-on: ubuntu-latest - permissions: - contents: write - steps: - - name: Checkout - uses: actions/checkout@v5 - with: - path: repo - persist-credentials: true - fetch-depth: 0 - - - name: Ensure branch exists - working-directory: repo - run: | - cp ${CONFIG_FILE} ${GITHUB_WORKSPACE}/ - if git ls-remote --exit-code --heads origin "${{ env.REPORT_BRANCH }}" >/dev/null 2>&1; then - git fetch origin "${{ env.REPORT_BRANCH }}" - git checkout "${{ env.REPORT_BRANCH }}" - else - git checkout -b "${{ env.REPORT_BRANCH }}" - git push -u origin "${{ env.REPORT_BRANCH }}" - fi - - - name: Download artifacts - uses: actions/download-artifact@v7 - with: - pattern: '*.sarif' - path: ./sarif - merge-multiple: true - - - name: Generate report - env: - ACTOR: ${{ github.actor }} - run: | - ### Generating CSV report - mkdir -p repo - cur_date=$(date +%Y-%m-%d) - cur_time=$(date +%H-%M-%S) - 
cur_date_time=${cur_date}_${cur_time} - report_file_name=report-${cur_date_time}.csv - report_dir=repo/reports/${cur_date} - mkdir -p $report_dir - report_file_path=${report_dir}/${report_file_name} - echo "Report file path: ${report_file_path}" - for component in $(yq 'keys | .[]' ${CONFIG_FILE//*\//} | paste -sd ' ' -); do - echo "[INFO]: Processing $component's images..." - images=$(yq -r '.["'${component}'"] | join(" ")' ${CONFIG_FILE//*\//}) - for image in $images; do - echo "Image: $image" - SHORT_NAME=${image##*/} - SAFE_NAME=${SHORT_NAME//:/_} - SAFE_NAME=${SAFE_NAME//\//_} - SAFE_NAME=${SAFE_NAME//-/_} - echo "Safe name: $SAFE_NAME" - echo "[DEBUG]: find ./sarif -name grype-${SAFE_NAME}*.csv -o -name trivy-${SAFE_NAME}*.csv" - - for f in $(find ./sarif -name grype-${SAFE_NAME}*.csv -o -name trivy-${SAFE_NAME}*.csv); do - echo "File: $f" - echo "\"Component\",$(head -n 1 "$f")" > "${f}__new" - tail -n +2 "$f" | sed "s/^/\"${component}\",/" >> "${f}__new" - done - done - done - :> ${report_file_path} - i=0 - for f in $(find ./sarif -name *.csv__new | sort); do - if [ $i -eq 0 ]; then - cat $f >> ${report_file_path} - else - tail -n +2 $f >> ${report_file_path} - fi - i=$((i + 1)) - done - - - name: Commit and Push Report - env: - ACTOR: ${{ github.actor }} - run: | - cd repo - git config --global user.name "$ACTOR" - git config --global user.email "$ACTOR@users.noreply.github.com" - git add . - git commit -m "CSV report ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" || echo "No changes" - git push origin "${REPORT_BRANCH}" From 06c49ef78e4bcce6c7f31b3ef4a9daa3405fc59f Mon Sep 17 00:00:00 2001 From: borislavr Date: Thu, 19 Mar 2026 13:13:40 +0300 Subject: [PATCH 4/4] chore: correct capitalization in workflow documentation for bump-test-workflows and docker-release --- docs/workflows/bump-test-workflows-version.md | 2 +- docs/workflows/docker-release.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/docs/workflows/bump-test-workflows-version.md b/docs/workflows/bump-test-workflows-version.md
index 4964263b..ad4d9c43 100644
--- a/docs/workflows/bump-test-workflows-version.md
+++ b/docs/workflows/bump-test-workflows-version.md
@@ -44,7 +44,7 @@ Runs on:
 3. **Update version**
 - env `GH_TOKEN: ${{ github.token }}`
- - config git user:
+ - config Git user:
 - `github-actions[bot]@qubership.com`
 - `Git Hub Actions [Bot]`
 - For each workflow file under `./.github/workflows` containing `uses: netcracker/qubership-test-pipelines`:
diff --git a/docs/workflows/docker-release.md b/docs/workflows/docker-release.md
index 6c161b16..15e95385 100644
--- a/docs/workflows/docker-release.md
+++ b/docs/workflows/docker-release.md
@@ -40,7 +40,7 @@ Job-specific permissions:
 ### `create-tag`
-- Create git tag `v${{ inputs.release }}` (write permission)
+- Create Git tag `v${{ inputs.release }}` (write permission)
 ### `docker-build`