n3iwf/.github/workflows/push.yml at main · omec-project/n3iwf · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
# SPDX-License-Identifier: Apache-2.0
# Copyright 2024 Intel Corporation
name: Release Pipeline

on:
  push:
    branches:
      - main
    paths:
      - "VERSION"

permissions:
  contents: read

jobs:
  tag-github:
    permissions:
      contents: write
      actions: read
      id-token: write
    uses: omec-project/.github/.github/workflows/tag-github.yml@ead90c247b15898cf138fa31300ee71de83905bd # v0.0.21
    secrets: inherit

  release-image:
    needs: tag-github
    permissions:
      contents: read
      packages: write
      actions: read
      id-token: write
      attestations: write
    uses: omec-project/.github/.github/workflows/release-image.yml@ead90c247b15898cf138fa31300ee71de83905bd # v0.0.21
    with:
      changed: ${{ needs.tag-github.outputs.changed }}
      version: ${{ needs.tag-github.outputs.version }}
    secrets: inherit

  update-version:
    needs: tag-github
    permissions:
      contents: write
      pull-requests: write
      actions: read
      id-token: write
    uses: omec-project/.github/.github/workflows/update-version.yml@ead90c247b15898cf138fa31300ee71de83905bd # v0.0.21
    with:
      changed: ${{ needs.tag-github.outputs.changed }}
      version: ${{ needs.tag-github.outputs.version }}
    secrets: inherit

  branch-release:
    needs: tag-github
    permissions:
      contents: write
      actions: read
      id-token: write
    uses: omec-project/.github/.github/workflows/branch-release.yml@ead90c247b15898cf138fa31300ee71de83905bd # v0.0.21
    with:
      release_branch: ${{ needs.tag-github.outputs.release_branch }}
      version_branch: ${{ needs.tag-github.outputs.version_branch }}
    secrets: inherit

  sbom-source:
    needs: tag-github
    permissions:
      contents: read
      actions: read
    uses: omec-project/.github/.github/workflows/sbom-source.yml@ead90c247b15898cf138fa31300ee71de83905bd # v0.0.21
    with:
      changed: ${{ needs.tag-github.outputs.changed }}
      branch_name: ${{ github.ref }}
      artifact_name: ${{ github.event.repository.name }}-${{ needs.tag-github.outputs.version }}.spdx.json
      sbom_format: spdx-json
      path: .

  grype-scan:
    needs: [tag-github, sbom-source]
    permissions:
      contents: read
      actions: read
      security-events: write # Required for SARIF upload to Code Scanning
    uses: omec-project/.github/.github/workflows/grype-scan.yml@ead90c247b15898cf138fa31300ee71de83905bd # v0.0.21
    with:
      changed: ${{ needs.tag-github.outputs.changed }}
      artifact_name: ${{ github.event.repository.name }}-${{ needs.tag-github.outputs.version }}.spdx.json