diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 8629263bc..709123c2a 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,4 +1,6 @@
-version: 2
+'daily'
+
+: 2
 updates:
 - package-ecosystem: 'npm'
 directory: '/'
@@ -16,3 +18,5 @@ updates:
 rebase-strategy: 'disabled'
 schedule:
 interval: 'daily'
+- name: Run Gemini CLI
+ uses: google-github-actions/run-gemini-cli@v0.1.18
diff --git a/.github/workflows/blank.yml b/.github/workflows/blank.yml
new file mode 100644
index 000000000..f8ba191c8
--- /dev/null
+++ b/.github/workflows/blank.yml
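Review bot: `version: 2` is removed and replaced by `'daily'`, an empty line and `: 2`, which leaves .github/dependabot.yml without its mandatory `version` key and, given the bare `: 2` line, very likely unparseable, so Dependabot would stop running for this repository. This reads as a stray paste rather than an intended change; restore the original first line `version: 2` and drop the three added lines. The same stray content continues in the second hunk of this file.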
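Review bot: `- name: Run Gemini CLI` / `uses: google-github-actions/run-gemini-cli@v0.1.18` is a workflow step, not a Dependabot update entry, so it does not belong in the `updates` list of dependabot.yml and will fail Dependabot's schema validation; the step belongs in a workflow file, and the new .github/workflows/blank.yml in this same commit already calls that action. Remove it here. Wherever it is kept, pin it to a full commit SHA with a version comment, as the repository's other actions are.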
@@ -0,0 +1,166 @@
+# Copyright The Conforma Contributors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+---
+name: Release
+
+on:
+ workflow_dispatch:
+ schedule:
+ - cron: '0 9 * * 3' # every Wednesday
+
+permissions:
+ contents: read
+
+env:
+ TRACKED_PATHS: "acceptance/ policy/"
+
+jobs:
+
+ get_info:
+
+ runs-on: ubuntu-latest
+ outputs:
+ latest_tag: ${{ steps.get_info.outputs.latest_tag }}
+ latest_tag_sha: ${{ steps.get_info.outputs.latest_tag_sha }}
+ changed: ${{ steps.get_info.outputs.changed }}
+ next_version: ${{ steps.get_info.outputs.next_version }}
+
+ steps:
+
+ - name: Harden Runner
+ uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+ with:
+ egress-policy: audit
+ disable-telemetry: true
+
+ - name: Checkout code
+ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ with:
+ fetch-depth: 0
+
+ - name: Get info
+ id: get_info
+ run: |
+ set -e
+ git fetch --tags
+ source hack/derive-version.sh $TRACKED_PATHS
+
+ echo latest_tag=$LATEST_TAG | tee -a "$GITHUB_OUTPUT"
+ echo latest_tag_sha=$LATEST_TAG_SHA | tee -a "$GITHUB_OUTPUT"
+ echo changed=$HAVE_CHANGED | tee -a "$GITHUB_OUTPUT"
+ echo next_version=$NEXT_VERSION | tee -a "$GITHUB_OUTPUT"
+
+ generate_release_notes:
+
+ needs: get_info
+ if: needs.get_info.outputs.changed == 'true'
+ timeout-minutes: 15
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ steps:
+
+ - name: Harden Runner
+ uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+ with:
+ egress-policy: audit
+ disable-telemetry: true
+
+ - name: Checkout
+ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ with:
+ fetch-depth: 0
+
+ - name: Fetch tags
+ id: fetch_tags
+ run: |
+ git fetch --tags
+
+ - name: Generate release notes
+ uses: google-github-actions/run-gemini-cli@v0
+ with:
+ gemini_api_key: ${{ secrets.GEMINI_API_KEY }}
+ settings: |-
+ {
+ "sandbox": true,
+ "autoAccept": true
+ }
+ prompt: |
+ Make a release notes based on all notable changes since the tag
+ ${{needs.get_info.outputs.latest_tag}}.
+ Categorize it nicely with emojis, output as Markdown.
+ For each change that you mention in the release notes:
+ - Summarize the change in one line
+ - Put jira link in the beginning of the line, if the change has a
+ jira link in the commit message
+ Include all changes that have jira link in the commit message.
+ Don't create a title for the release.
+ Preface the release notes with a brief summary of the release.
+ The summary should also refer to changes in policies and policy rules.
+ Also save the release notes in a file named "release-notes.md".
+
+ - name: Upload artifact
+ uses: actions/upload-artifact@v4
+ with:
+ name: release-notes
+ path: release-notes.md
+ if-no-files-found: error
+
+
+ create_release:
+ needs: [get_info, generate_release_notes]
+ if: ${{ needs.get_info.outputs.changed == 'true' && needs.generate_release_notes.result == 'success'}}
+ permissions:
+ contents: write
+ runs-on: ubuntu-latest
+
+ steps:
+
+ - name: Harden Runner
+ uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+ with:
+ egress-policy: audit
+ disable-telemetry: true
+
+ - name: Checkout
+ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ with:
+ fetch-depth: 0
+
+ - name: Tag
+ run: |
+ set -e
+ git fetch --tags
+ git config --local user.email "action@github.com"
+ git config --local user.name "GitHub Action"
+
+ source hack/add-auto-tag.sh
+ git push -f --tags
+
+ - name: Download artifact
+ uses: actions/download-artifact@v5
+ with:
+ name: release-notes
+
+ - name: Create a release
+ uses: softprops/action-gh-release@72f2c25fcb47643c292f7107632f7a47c1df5cd8 # v2.3.2
+ with:
+ name: ${{ needs.get_info.outputs.next_version }}
+ tag_name: ${{ needs.get_info.outputs.next_version }}
+ body_path: "release-notes.md"
+ make_latest: false
+ generate_release_notes: false
diff --git a/.gitignore b/.gitignore
index a17027bd8..4fd98f951 100644
--- a/.gitignore
+++ b/.gitignore
@@ -68,3 +68,8 @@ gha-creds-*.json
 # Ignore local secrets file for act
 .secrets
+# gemini-cli settings
+.gemini/
+
+# GitHub App credentials
+gha-creds-*.json
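Review bot: `uses: google-github-actions/run-gemini-cli@v0` (and likewise `actions/upload-artifact@v4` and `actions/download-artifact@v5`) are pinned to mutable tags while every other step in this workflow is pinned to a full commit SHA with a version comment; pin these the same way, e.g. `uses: google-github-actions/run-gemini-cli@<full-commit-sha-placeholder> # vX.Y.Z`, substituting the SHA of the release you intend. The `settings` block sets `"autoAccept": true`, so the agent acts unattended on a prompt that reads commit messages since the last tag, which is contributor-controlled text; keep `"sandbox": true`, consider dropping `autoAccept`, and gate `create_release` (which publishes release-notes.md with `contents: write`) behind a GitHub environment with required reviewers so a human reads the generated body before it is released. `git push -f --tags` in the Tag step silently overwrites any existing tag that `hack/add-auto-tag.sh` (not visible here) happens to recreate; a plain `git push --tags` fails loudly on a collision, which is the safer default for a release job. Finally, the file is named `blank.yml` but declares `name: Release`; renaming it to `release.yml` would make the scheduled job discoverable.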
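Review bot: `gha-creds-*.json` appears to be ignored twice after this change: the hunk header's context line (`@@ -68,3 +68,8 @@ gha-creds-*.json`) suggests the pattern is already present just above the hunk, and the new lines add it again under `# GitHub App credentials`. If that is so, drop the duplicate and keep only the `.gemini/` addition.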