diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml index 354eab6..1373233 100644 --- a/.github/workflows/pull_request.yml +++ b/.github/workflows/pull_request.yml @@ -14,10 +14,15 @@ jobs: secrets: AUTOMERGE_APP_ID: ${{ secrets.AUTOMERGE_APP_ID }} AUTOMERGE_PEM: ${{ secrets.AUTOMERGE_PEM }} + pr_title_format_check: uses: ./.github/workflows/pr_title_check.yml + get_config_values: uses: ./.github/workflows/get-repo-config.yml + with: + verify_published_from_main_image: false + quality_checks: uses: ./.github/workflows/quality-checks-devcontainer.yml needs: [get_config_values] @@ -25,6 +30,7 @@ jobs: pinned_image: ${{ needs.get_config_values.outputs.pinned_image }} secrets: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + tag_release: needs: get_config_values uses: ./.github/workflows/tag-release-devcontainer.yml @@ -37,5 +43,4 @@ jobs: pinned_image: ${{ needs.get_config_values.outputs.pinned_image }} branch_name: ${{ github.event.pull_request.head.ref }} tag_format: ${{ needs.get_config_values.outputs.tag_format }} - verify_published_from_main_image: false secrets: inherit diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 66172a2..b6a7975 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -25,5 +25,4 @@ jobs: pinned_image: ${{ needs.get_config_values.outputs.pinned_image }} branch_name: main tag_format: ${{ needs.get_config_values.outputs.tag_format }} - verify_published_from_main_image: true secrets: inherit diff --git a/.github/workflows/tag-release-devcontainer.yml b/.github/workflows/tag-release-devcontainer.yml index 7647e7b..ec6a8ad 100644 --- a/.github/workflows/tag-release-devcontainer.yml +++ b/.github/workflows/tag-release-devcontainer.yml @@ -45,9 +45,6 @@ on: description: "An repository for the extra artifact" required: false type: string - verify_published_from_main_image: - required: true - type: boolean outputs: version_tag: value: ${{ jobs.tag_release.outputs.version_tag }} diff --git a/README.md b/README.md index 3413b65..7a62df5 100644 --- a/README.md +++ b/README.md @@ -9,9 +9,9 @@ The workflows that are available to use are - [Combine Dependabot PRs](#combine-dependabot-prs) - [Dependabot Auto Approve and Merge](#dependabot-auto-approve-and-merge) - [PR Title Check](#pr-title-check) +- [Get Repo Config](#get-repo-config) - [Quality Checks](#quality-checks) - [Quality Checks - Dev Container Version](#quality-checks---dev-container-version) -- [Verify Image Digest and Attestation](#verify-image-digest-and-attestation) - [Tag Release](#tag-release) - [Tag Release - Devcontainer Version](#tag-release---devcontainer-version) @@ -127,6 +127,41 @@ jobs: uses: NHSDigital/eps-common-workflows/.github/workflows/pr_title_check.yml@f5c8313a10855d0cc911db6a9cd666494c00045a ``` +## Get Repo Config + +This workflow extracts common config values, including the devcontainer image and version. This image then has its attestations verified, and provides a pinned image reference that can be used in downstream workflows. + +#### Inputs + +- `registry`: Container registry host. Default: `ghcr.io` +- `namespace`: Image namespace/repository prefix. Default: `nhsdigital/eps-devcontainers` +- `owner`: GitHub owner used by `gh attestation verify --owner`. Default: `NHSDigital` +- `verify_published_from_main_image`: If true, verifies attestations published from `refs/heads/main`. Default: `true` +- `predicate_type`: Attestation predicate type. Default: `https://slsa.dev/provenance/v1` + +#### Outputs + +- `tag_format`: The tag format to use for releases. +- `devcontainer_image`: The devcontainer image name as defined in `.devcontainer/devcontainer.json`. +- `devcontainer_version`: The version of the devcontainer image. +- `pinned_image`: The fully-qualified digest-pinned image reference. +- `resolved_digest`: The resolved digest for the devcontainer image. + +#### Example + +To use this workflow in your repository, call it from another workflow file: + +```yaml +name: Release + +on: + workflow_dispatch: + +jobs: + get_config_values: + uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@f5c8313a10855d0cc911db6a9cd666494c00045a +``` + ## Quality Checks This workflow runs common quality checks. To use this, you must have the following Makefile targets defined @@ -182,7 +217,7 @@ To use this, you must have overridden any common makefile targets described in h - `run_sonar`: Whether to run Sonar checks or not. - `run_docker_scan`: whether to run a scan of Docker images - `docker_images`: csv list of Docker images to scan. These must match images produced by make docker-build -- `runtime_docker_image`: the Docker image to run everything on. This should just be the image name and tag pushed to https://github.com/NHSDigital/eps-devcontainers +- `pinned_image`: A pinned, verified image version upon which to run the container. #### Secret Inputs - `SONAR_TOKEN`: Token used to authenticate to Sonar @@ -201,73 +236,41 @@ on: workflow_dispatch: jobs: + get_config_values: + uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@f5c8313a10855d0cc911db6a9cd666494c00045a + quality_checks: - uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks.yml@f5c8313a10855d0cc911db6a9cd666494c00045a + uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@f5c8313a10855d0cc911db6a9cd666494c00045a needs: [get_config_values] with: - runtime_docker_image: "${{ needs.get_config_values.outputs.devcontainer_image }}:githubactions-${{ needs.get_config_values.outputs.devcontainer_version }}" + pinned_image: ${{ needs.get_config_values.outputs.pinned_image }} run_docker_scan: true docker_images: fhir-facade,validator secrets: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} ``` -## Verify Image Digest and Attestation -This workflow resolves an image reference to a pinned digest and verifies GitHub artifact attestation for that image. - -#### Inputs - -- `runtime_docker_image`: Image reference as `name:tag` (for example `node_24_python_3_12:v1.2.3`) or a fully qualified image reference. -- `registry`: Container registry host. Default: `ghcr.io` -- `namespace`: Image namespace/repository prefix. Default: `nhsdigital/eps-devcontainers` -- `owner`: GitHub owner used by `gh attestation verify --owner`. Default: `NHSDigital` -- `verify_published_from_main_image`: If true, verifies attestations published from `refs/heads/main`. Default: `true` -- `predicate_type`: Attestation predicate type. Default: `https://slsa.dev/provenance/v1` - -#### Outputs - -- `pinned_image`: Fully-qualified digest-pinned image reference. -- `resolved_digest`: Resolved digest for the supplied image reference. - -#### Example - -To use this workflow in your repository, call it from another workflow file: - -```yaml -name: Verify Devcontainer Image - -on: - workflow_dispatch: - -jobs: - verify_attestation: - uses: NHSDigital/eps-common-workflows/.github/workflows/verify-attestation.yml@f5c8313a10855d0cc911db6a9cd666494c00045a - with: - runtime_docker_image: node_24_python_3_12:githubactions-v1.2.3 - registry: ghcr.io - namespace: nhsdigital/eps-devcontainers - owner: NHSDigital - verify_published_from_main_image: true - predicate_type: https://slsa.dev/provenance/v1 -``` - - ## Tag Release This workflow uses the semantic-release npm package to generate a new version tag, changelog, and GitHub release for a repo. #### Inputs - `dry_run`: Whether to run in dry_run mode (do not create tags) or not -- `tagFormat`: Default `v\\${version}`. A template for the version tag. +- `tag_format`: Default `v\\${version}`. A template for the version tag. - `branch_name`: The branch name to base the release on -- `publish_package`: Default false. If true, semantic-release will publish npm package. +- `publish_packages`: comma separated list of package folders to publish to an npm registry - `asdfVersion`: Override the version of asdf to install. - `main_branch`: The branch to use for publishing. Defaults to main +- `extra_artifact_name`: optional param to include an extra artifact in the release +- `extra_artifact_id`: optional param of the extra artifact id to include in the release +- `extra_artifact_run_id`: optional param of the run id to download the extra artifact id to include in the release +- `extra_artifact_repository`: optional param to indicate which repo the run to download the artifact was from #### Outputs - `version_tag`: The version tag created by semantic-release. - `change_set_version`: A timestamped string that can be used for creating changesets. +- `next_version_tag`: The next version tag that will be created. #### Example @@ -282,12 +285,12 @@ on: jobs: tag_release: uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release.yml@f5c8313a10855d0cc911db6a9cd666494c00045a - with: - tagFormat: "v\\${version}-beta" - dry_run: true - asdfVersion: 0.18.0 - branch_name: main - publish_package: false + with: + tag_format: "v\\${version}-beta" + dry_run: true + asdfVersion: 0.18.0 + branch_name: main + publish_packages: "" ``` ## Tag Release - Devcontainer Version @@ -297,20 +300,20 @@ This workflow uses the semantic-release npm package to generate a new version ta - `dry_run`: Whether to run in dry_run mode (do not create tags) or not - `branch_name`: The branch name to base the release on -- `runtime_docker_image`: the Docker image to run everything on. This should just be the image name and tag pushed to https://github.com/NHSDigital/eps-devcontainers +- `pinned_image`: A pinned, verified image version upon which to run the container. - `publish_packages`: comma separated list of package folders to publish to an npm registry -- `tagFormat`: Default `v\\${version}`. A template for the version tag. +- `tag_format`: Default `v\\${version}`. A template for the version tag. - `main_branch`: The branch to use for publishing. Defaults to main - `extra_artifact_name`: optional param to include an extra artifact in the release - `extra_artifact_id`: optional param of the extra artifact id to include in the release - `extra_artifact_run_id`: optional param of the run id to download the extra artifact id to include in the release -- `extra_artifact_repository` optional param to indicate which repo the run to download the artifact was from -- `verify_published_from_main_image` indicates if we should verify the image was published from main branch in eps-devcontainers +- `extra_artifact_repository`: optional param to indicate which repo the run to download the artifact was from #### Outputs - `version_tag`: The version tag created by semantic-release. - `change_set_version`: A timestamped string that can be used for creating changesets. +- `next_version_tag`: The next version tag that will be created. #### Example @@ -323,15 +326,18 @@ on: workflow_dispatch: jobs: + get_config_values: + uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@f5c8313a10855d0cc911db6a9cd666494c00045a + tag_release: uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@f5c8313a10855d0cc911db6a9cd666494c00045a needs: [get_config_values] - with: - tagFormat: "v\\${version}-beta" - dry_run: true - runtime_docker_image: "${{ needs.get_config_values.outputs.devcontainer_image }}:githubactions-${{ needs.get_config_values.outputs.devcontainer_version }}" - branch_name: main - publish_package: false + with: + tag_format: "v\\${version}-beta" + dry_run: true + pinned_image: "${{ needs.get_config_values.outputs.pinned_image }}" + branch_name: main + publish_packages: "" ```