Merge pull request #86 from defenseunicorns/update-unicorn-flavor

chore(main): update scorecard
defenseunicorns · Oct 29, 2024 · 2758fc9 · 2758fc9
2 parents 38acd84 + cf3f5bd
commit 2758fc9
Show file tree

Hide file tree

Showing 36 changed files with 883 additions and 644 deletions.
diff --git a/.github/workflows/ci-docs-shim.yaml b/.github/workflows/ci-docs-shim.yaml
@@ -1,3 +1,6 @@
+# Copyright 2024 Defense Unicorns
+# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial
+
 name: CI Docs Shim
 
 on:
@@ -6,15 +9,13 @@ on:
     types: [milestoned, opened, synchronize]
 
 jobs:
-  run-test:
-    name: ${{ matrix.type }} ${{ matrix.flavor }}
-    runs-on: "ubuntu-latest"
-    timeout-minutes: 20
+  validate:
     strategy:
       matrix:
-        flavor: [upstream, registry1, unicorn]
         type: [install, upgrade]
-    steps:
-      - name: Shim for ${{ matrix.type }} ${{ matrix.flavor }}
-        run: |
-          echo "Documentation-only change detected; marking ${{ matrix.type }} ${{ matrix.flavor }} as successful."
+        flavor: [upstream, registry1, unicorn]
+    uses: defenseunicorns/uds-common/.github/workflows/callable-ci-docs-shim.yaml@2a5e66fceb5c506008d5f69f42abcf38ccf86b44 # v1.2.0
+    with:
+      flavor: ${{ matrix.flavor }}
+      type: ${{ matrix.type }}
+    secrets: inherit # Inherits all secrets from the parent workflow.
diff --git a/.github/workflows/commitlint.yaml b/.github/workflows/commitlint.yaml
@@ -1,15 +1,13 @@
+# Copyright 2024 Defense Unicorns
+# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial
+
 name: Metadata
 
 on:
-  # This workflow is triggered on pull requests to the main branch.
   pull_request:
     branches: [main]
     types: [milestoned, opened, edited, synchronize]
 
-  # This allows other repositories to call this workflow in a reusable way
-  workflow_call:
-
 jobs:
   validate:
-    name: Validate
-    uses: defenseunicorns/uds-common/.github/workflows/commitlint.yaml@24c8a2a48eeb33773b76b3587c489cb17496c9e0 # v0.12.0
+    uses: defenseunicorns/uds-common/.github/workflows/callable-commitlint.yaml@2a5e66fceb5c506008d5f69f42abcf38ccf86b44 # v1.2.0
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
@@ -1,35 +1,16 @@
-name: Scan
+# Copyright 2024 Defense Unicorns
+# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial
+
+name: Lint
 
 on:
   # This workflow is triggered on pull requests to the main branch.
   pull_request:
     branches: [main]
-    types: [milestoned, opened, synchronize]
+    # milestoned is added here as a workaround for release-please not triggering PR workflows (PRs should be added to a milestone to trigger the workflow).
+    types: [milestoned, opened, edited, synchronize]
 
 jobs:
-  validate:
-    runs-on: ubuntu-latest
-    name: Lint
-    permissions:
-      contents: read # Allows reading the repo contents
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-        with:
-          fetch-depth: 0
-
-      - name: Environment setup
-        uses: defenseunicorns/uds-common/.github/actions/setup@24c8a2a48eeb33773b76b3587c489cb17496c9e0 # v0.12.0
-        with:
-          registry1Username: ${{ secrets.IRON_BANK_ROBOT_USERNAME }}
-          registry1Password: ${{ secrets.IRON_BANK_ROBOT_PASSWORD }}
-          ghToken: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Install lint deps
-        run: |
-          uds run lint:deps
-
-      - name: Lint the repository
-        run: |
-          uds run lint:yaml
+  run:
+    uses: defenseunicorns/uds-common/.github/workflows/callable-lint.yaml@2a5e66fceb5c506008d5f69f42abcf38ccf86b44 # v1.2.0
+    secrets: inherit
diff --git a/.github/workflows/pull-request-conditionals.yaml b/.github/workflows/pull-request-conditionals.yaml
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -0,0 +1,45 @@
+# Copyright 2024 Defense Unicorns
+# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial
+
+name: Release
+
+on:
+  push:
+    branches:
+      - main
+
+# Permissions for the GITHUB_TOKEN used by the workflow.
+permissions:
+  contents: read # Allows reading the content of the repository.
+  packages: read # Allows reading the content of the repository's packages.
+  id-token: write
+
+jobs:
+  tag-new-version:
+    permissions: write-all
+    runs-on: ubuntu-latest
+    outputs:
+      release_created: ${{ steps.release-flag.outputs.release_created }}
+    steps:
+      - name: Create Release Tag
+        id: tag
+        uses: googleapis/release-please-action@7987652d64b4581673a76e33ad5e98e3dd56832f # v4.1.3
+      - id: release-flag
+        run: echo "release_created=${{ steps.tag.outputs.release_created || false }}" >> "$GITHUB_OUTPUT"
+
+  publish:
+    permissions:
+      contents: read # Allows reading the content of the repository.
+      packages: write # Allows reading the content of the repository's packages.
+      id-token: write
+    needs: tag-new-version
+    if: ${{ needs.tag-new-version.outputs.release_created == 'true' }}
+    strategy:
+      matrix:
+        flavor: [upstream, registry1, unicorn]
+        architecture: [amd64]
+    uses: defenseunicorns/uds-common/.github/workflows/callable-publish.yaml@2a5e66fceb5c506008d5f69f42abcf38ccf86b44 # v1.2.0
+    with:
+      flavor: ${{ matrix.flavor }}
+      runsOn: uds-marketplace-ubuntu-big-boy-8-core
+    secrets: inherit # Inherits all secrets from the parent workflow.
diff --git a/.github/workflows/scorecard.yaml b/.github/workflows/scorecard.yaml
diff --git a/.github/workflows/tag-and-release.yaml b/.github/workflows/tag-and-release.yaml