chore(ci): run commitlint on main branch as well (#104)

.github/workflows/ci.yml

@@ -1,4 +1,4 @@
-name: ci
+name: CI
 
 on:
   pull_request:
@@ -12,60 +12,8 @@ permissions:
   pull-requests: read
 
 jobs:
-  files-changed:
+  setup-and-lint:
     runs-on: ubuntu-latest
-    outputs:
-      packages: ${{ steps.filter.outputs.changes }}
-    steps:
-      - uses: actions/checkout@v4
-      - uses: dorny/paths-filter@v3
-        id: filter
-        with:
-          predicate-quantifier: 'every'
-          filters: |
-            scan-docker-image: 
-              - 'security-actions/scan-docker-image/**'
-              - '!**/*.md'
-            sca: 
-              - 'security-actions/sca/**'
-              - '!**/*.md'
-            scan-rust: 
-              - 'security-actions/scan-rust/**'
-              - '!**/*.md'
-            semgrep: 
-              - 'security-actions/semgrep/**'
-              - '!**/*.md'
-            sign-docker-image: 
-              - 'security-actions/sign-docker-image/**'
-              - '!**/*.md'
-            code-build-actions: 
-              - 'code-build-actions/build-js-sdk/**'
-              - '!**/*.md'
-            lua-lint: 
-              - 'code-check-actions/lua-lint/**'
-              - '!**/*.md'
-            rust-lint: 
-              - 'code-check-actions/rust-lint/**'
-              - '!**/*.md'
-            slack-actions: 
-              - 'slack-actions/workflow-notification/**'
-              - '!**/*.md'
-            cleanup: 
-              - 'pr-previews/cleanup/**'
-              - '!**/*.md'
-            up-to-date: 
-              - 'pr-previews/up-to-date/**'
-              - '!**/*.md'
-            validate: 
-              - 'pr-previews/validate/**'
-              - '!**/*.md'
-
-  setup-dependencies:
-    needs: files-changed
-    runs-on: ubuntu-latest
-    if: ${{ needs.files-changed.outputs.packages != '[]' }}
-    outputs:
-      nodeVersion: ${{ steps.node-version.outputs.nodeVersion }}
     steps:
       - uses: actions/checkout@v4
         with:
@@ -88,71 +36,34 @@ jobs:
           pnpm install --frozen-lockfile
 
       - name: Commit lint
-        if: github.event_name == 'pull_request'
         uses: wagoid/commitlint-github-action@v5
         with:
           failOnWarnings: true
-
-  build:
-    needs: [ files-changed, setup-dependencies ]
-    if: ${{ needs.files-changed.outputs.packages != '[]' }}
-    runs-on: ubuntu-latest
-    strategy:
-      fail-fast: false
-      matrix:
-        package: ${{ fromJSON(needs.files-changed.outputs.packages) }}
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - uses: pnpm/action-setup@v4
-        with:
-          version: 9
-      - uses: actions/setup-node@v4
-        with:
-          node-version: 20
-          cache: 'pnpm'
-
-      - name: Restore Dependencies
-        run: |
-          pnpm install --frozen-lockfile
-
-      - name: Run Tests
-        run: |
-          pnpm lint
-
-
-  no-file-change:
-    needs: [ files-changed ]
-    if: ${{ needs.files-changed.outputs.packages == '[]' }}
-    runs-on: ubuntu-latest
-    steps:
-      - name: No Changes Detected
-        run: echo "No changes detected in the monitored packages. Skipping build and tests."
-
+
+      - name: Run ESLint
+        run: pnpm lint
 
   slack_notification:
     name: Slack Notification
     runs-on: ubuntu-latest
-    needs: build
+    needs: setup-and-lint
     if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
 
       # Success Notification
-      - name: Send Success Notification
-        if: ${{ needs.build.result == 'success' }}
+      - name: Send Success Slack Notification
+        if: ${{ needs.setup-and-lint.result == 'success' }}
         uses: ./slack-actions/workflow-notification
         with:
           slack-webhook-url: ${{ secrets.SLACK_WEBHOOK_URL_NOTIFY_PUBLIC_SHARED_ACTIONS }}
           status: success
           success-message: ":white_check_mark: ${{ github.workflow }} workflow successfully ran within ${{ github.repository }}"
 
       # Failure Notification
-      - name: Send Failure Notification
-        if: ${{ needs.build.result == 'failure' }}
+      - name: Send Failure Slack alert
+        if: ${{ needs.setup-and-lint.result == 'failure' }}
         uses: ./slack-actions/workflow-notification
         with:
           slack-webhook-url: ${{ secrets.SLACK_WEBHOOK_URL_ALERT_PUBLIC_SHARED_ACTIONS }}

.github/workflows/release.yml

@@ -14,7 +14,6 @@ permissions:
 jobs:
   release:
     name: Release
-    if: ${{ github.event_name == 'workflow_run' && github.event.workflow_run.conclusion == 'success' }}
     runs-on: ubuntu-latest
     permissions:
       contents: write
@@ -37,68 +36,37 @@ jobs:
         with:
           node-version: 20
           cache: 'pnpm'
-
+
+      # This is needed since we only cache ~/.pnpm_store instead of entire node_modules    
       - name: Install dependencies
         run: pnpm install
 
       - name: Setup Git Config
         shell: bash
         run: |
           git checkout ${{ github.head_ref }}
-          git config --local user.name "${{ vars.GH_APP__KONG__BOT_USERNAME }}"
-          git config --local user.email "${{ vars.GH_APP__KONG__BOT_EMAIL }}"
+          git config --local user.name "kong-security-bot"
+          git config --local user.email "[email protected]"
 
       # This step will create a tag and also release
       - name: Provision tags and make a release
-        if: ${{ github.event_name == 'workflow_run' && github.ref == 'refs/heads/main' }}
+        if: ${{ (github.event_name == 'workflow_run' && github.event.workflow_run.conclusion == 'success') || (github.event_name == 'workflow_dispatch' && github.ref == 'refs/heads/main') }}
         env:
           GH_TOKEN: ${{ secrets.SECURITY_BOT_PSA_PAT }}
         shell: bash
         run: |
           pnpm version:ci
-
-
-  dry-run:
-    name: Dry Run
-    runs-on: ubuntu-latest
-    if: ${{ github.event_name == 'workflow_dispatch' }}
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-        with:
-          token: ${{ secrets.SECURITY_BOT_PSA_PAT }}
-
-      - uses: pnpm/action-setup@v4
-        name: Install pnpm
-        with:
-          version: 9
-          run_install: false
-
-      - name: Install Node.js
-        uses: actions/setup-node@v4
-        with:
-          node-version: 20
-          cache: 'pnpm'
-
-      - name: Install dependencies
-        run: pnpm install
-
-      - name: Setup Git Config
-        shell: bash
-        run: |
-          git checkout ${{ github.head_ref }}
-          git config --local user.name "${{ vars.GH_APP__KONG__BOT_USERNAME }}"
-          git config --local user.email "${{ vars.GH_APP__KONG__BOT_EMAIL }}"
-
+      
       - name: Dry-run for tagging and releases
+        if: ${{ github.ref != 'refs/heads/main' }}
         shell: bash
         run: pnpm version:dry-run
 
   slack_notification:
     name: Slack Notification
     runs-on: ubuntu-latest
     needs: release
-    if: ${{ github.event_name == 'workflow_run' && github.ref == 'refs/heads/main' }}
+    if: ${{ (github.event_name == 'workflow_dispatch' && github.ref == 'refs/heads/main') || github.event_name == 'workflow_run' }}
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4

code-build-actions/build-js-sdk/CHANGELOG.md

@@ -0,0 +1,36 @@
+# Change Log
+
+All notable changes to this project will be documented in this file.
+See [Conventional Commits](https://conventionalcommits.org) for commit guidelines.
+
+# 4.0.0 (2025-01-03)
+
+
+### ✨ Features
+
+* **release:** independent releases for Public Shared Actions ([c945314](https://github.com/Kong/public-shared-actions/commit/c945314f424d1d8e53a1f7618266362630f03704))
+
+
+### 🐛 Bug Fixes
+
+* **build-js-sdk:** hardcode src as the output directory ([#49](https://github.com/Kong/public-shared-actions/issues/49)) ([4517bad](https://github.com/Kong/public-shared-actions/commit/4517bad0f9414091f830ddc739cfc3df214d903a))
+* use input string instead of boolean ([#50](https://github.com/Kong/public-shared-actions/issues/50)) ([3d93b96](https://github.com/Kong/public-shared-actions/commit/3d93b96af46a4f38d62cb65ab0c221aa3531522c))
+
+
+### ♻️ Chores
+
+* move build-js-sdk to public ([#34](https://github.com/Kong/public-shared-actions/issues/34)) ([7119dd2](https://github.com/Kong/public-shared-actions/commit/7119dd21a38e4fc6e879f9c9fff2e593966c43a5))
+
+
+### Breaking changes
+
+* **release:** - Each project within Public Shared Action is now treated as an independent package.
+- Each package will have its own versioned release.
+- Releases tag example "@security-actions/scan-docker-image@1.1.0".
+- Markdown (.md) files will be ignored when determining changes for releases.
+
+* feat(semgrep): update semgrep image name
+
+* fix(ci): update filter file change step to exclude .md README .jpeg
+
+* chore(deps): update dependencies and release workflow

code-build-actions/build-js-sdk/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@code-build-actions/build-js-sdk",
-  "version": "3.0.0",
+  "version": "4.0.0",
   "description": "This action builds a JavaScript SDK and updates an existing PR with the generated files",
   "main": "index.js",
   "repository": {

code-check-actions/lua-lint/CHANGELOG.md

@@ -0,0 +1,42 @@
+# Change Log
+
+All notable changes to this project will be documented in this file.
+See [Conventional Commits](https://conventionalcommits.org) for commit guidelines.
+
+# 4.0.0 (2025-01-03)
+
+
+### ✨ Features
+
+* **lua-lint:** add an option to make the action fail if the linting fails ([#121](https://github.com/Kong/public-shared-actions/issues/121)) ([a98be01](https://github.com/Kong/public-shared-actions/commit/a98be0184f832cb24a9dd233f99074e8ba17b488))
+* **release:** independent releases for Public Shared Actions ([c945314](https://github.com/Kong/public-shared-actions/commit/c945314f424d1d8e53a1f7618266362630f03704))
+
+
+### 🐛 Bug Fixes
+
+* **lint:** does not specify global standard in luacheck command line arguments ([#57](https://github.com/Kong/public-shared-actions/issues/57)) ([2804623](https://github.com/Kong/public-shared-actions/commit/28046231055b99899d55d32eda2a5f4a6075db36))
+
+
+### 📦 Code Refactoring
+
+* **sca:** Separate linters and sca for rust ([#46](https://github.com/Kong/public-shared-actions/issues/46)) ([b037b99](https://github.com/Kong/public-shared-actions/commit/b037b9950d987b47b5caf3d418fa09ffc046e6ca))
+
+
+### ♻️ Chores
+
+* **ci:** configurable failure mode for semgrep ([#55](https://github.com/Kong/public-shared-actions/issues/55)) ([bc77fa6](https://github.com/Kong/public-shared-actions/commit/bc77fa65f43dfb6b3ef0b9d258c02faf5892aab1))
+* **readme:** Add vulnerability migration and breakglass strategy for SCA and CVE action ([#107](https://github.com/Kong/public-shared-actions/issues/107)) ([ad89a25](https://github.com/Kong/public-shared-actions/commit/ad89a255ff44a03377215b8bccbfdc17c8c7fb46))
+
+
+### Breaking changes
+
+* **release:** - Each project within Public Shared Action is now treated as an independent package.
+- Each package will have its own versioned release.
+- Releases tag example "@security-actions/scan-docker-image@1.1.0".
+- Markdown (.md) files will be ignored when determining changes for releases.
+
+* feat(semgrep): update semgrep image name
+
+* fix(ci): update filter file change step to exclude .md README .jpeg
+
+* chore(deps): update dependencies and release workflow

code-check-actions/lua-lint/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@code-check-actions/lua-lint",
-  "version": "3.0.0",
+  "version": "4.0.0",
   "description": "This action analyzes all changed lua files using [lunarmodules/luacheck](https://github.com/lunarmodules/luacheck)",
   "main": "index.js",
   "repository": {

code-check-actions/rust-lint/CHANGELOG.md

@@ -0,0 +1,36 @@
+# Change Log
+
+All notable changes to this project will be documented in this file.
+See [Conventional Commits](https://conventionalcommits.org) for commit guidelines.
+
+# 4.0.0 (2025-01-03)
+
+
+### ✨ Features
+
+* **release:** independent releases for Public Shared Actions ([c945314](https://github.com/Kong/public-shared-actions/commit/c945314f424d1d8e53a1f7618266362630f03704))
+
+
+### 📦 Code Refactoring
+
+* **sca:** Separate linters and sca for rust ([#46](https://github.com/Kong/public-shared-actions/issues/46)) ([b037b99](https://github.com/Kong/public-shared-actions/commit/b037b9950d987b47b5caf3d418fa09ffc046e6ca))
+
+
+### ♻️ Chores
+
+* **ci:** configurable failure mode for semgrep ([#55](https://github.com/Kong/public-shared-actions/issues/55)) ([bc77fa6](https://github.com/Kong/public-shared-actions/commit/bc77fa65f43dfb6b3ef0b9d258c02faf5892aab1))
+* **readme:** Add vulnerability migration and breakglass strategy for SCA and CVE action ([#107](https://github.com/Kong/public-shared-actions/issues/107)) ([ad89a25](https://github.com/Kong/public-shared-actions/commit/ad89a255ff44a03377215b8bccbfdc17c8c7fb46))
+
+
+### Breaking changes
+
+* **release:** - Each project within Public Shared Action is now treated as an independent package.
+- Each package will have its own versioned release.
+- Releases tag example "@security-actions/scan-docker-image@1.1.0".
+- Markdown (.md) files will be ignored when determining changes for releases.
+
+* feat(semgrep): update semgrep image name
+
+* fix(ci): update filter file change step to exclude .md README .jpeg
+
+* chore(deps): update dependencies and release workflow

code-check-actions/rust-lint/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@code-check-actions/rust-lint",
-  "version": "3.0.0",
+  "version": "4.0.0",
   "description": "This action uses Rust Clippy for code quality checks",
   "main": "index.js",
   "repository": {

package.json

@@ -17,7 +17,8 @@
     "version": "pnpm i --no-frozen-lockfile && git add .",
     "version:ci": "lerna version --yes --create-release github",
     "version:dry-run": "pnpm run version:ci --no-push",
-    "lint": "eslint '**/*.{js,jsx,ts,tsx,vue}' --ignore-path '.eslintignore'"
+    "lint": "eslint '**/*.{js,jsx,ts,tsx,vue}' --ignore-path '.eslintignore'",
+    "prepare": "lefthook run pre-commit"
   },
   "keywords": [],
   "devDependencies": {
@@ -32,6 +33,7 @@
     "conventional-changelog-metahub": "^4.0.1",
     "cz-conventional-changelog": "^3.3.0",
     "eslint": "^8.33.0",
+    "lefthook": "^1.10.1",
     "lerna": "^7.1.4"
   },
   "config": {