chore(build): integrate semantic-release

Author: meysam81

.github/workflows/ci.yml

@@ -1,9 +1,5 @@
 name: ci
 
-concurrency:
-  group: ${{ github.event_name }}-${{ github.ref_name }}
-  cancel-in-progress: ${{ !startsWith(github.ref, 'refs/tags/') }}
-
 on:
   pull_request:
     branches:
@@ -14,198 +10,57 @@ on:
     tags:
       - "*"
 
-env:
-  IMAGE_REPOSITORY: ${{ github.repository }}
-  IMAGE_REGISTRY: ghcr.io
-
 jobs:
-  build-docker-pr:
-    if: github.event_name == 'pull_request'
-    permissions:
-      contents: read
-      packages: write
-      pull-requests: write
+  build-edge:
+    if: |
+      contains(fromJson('["push","pull_request"]'), github.event_name) &&
+      github.ref == 'refs/heads/main'
     runs-on: ubuntu-latest
     steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-      - name: Login to Docker Container Registry
-        uses: docker/login-action@v3
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_PASSWORD }}
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@v3
-        with:
-          password: ${{ secrets.GITHUB_TOKEN }}
-          registry: ghcr.io
-          username: ${{ github.actor }}
-      - id: meta
-        name: Docker metadata
-        uses: docker/metadata-action@v5
-        with:
-          images: ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_REPOSITORY }}
-      - name: Build and push
-        uses: docker/build-push-action@v6
-        with:
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
-          labels: ${{ steps.meta.outputs.labels }}
-          platforms: linux/amd64,linux/arm64
-          push: true
-          tags: |
-            ${{ steps.meta.outputs.tags }}
-            ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_REPOSITORY }}:${{ github.run_id }}
-      - if: contains(github.event.pull_request.labels.*.name, 'check-cves')
-        name: Docker Scout - cves
-        uses: docker/scout-action@v1
-        with:
-          command: cves
-          ignore-unchanged: true
-          image: ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_REPOSITORY }}:${{ github.run_id }}
-          only-fixed: true
-          only-severities: medium,high,critical
-          sarif-file: sarif.output.json
-          summary: true
-      - if: contains(github.event.pull_request.labels.*.name, 'check-cves')
-        name: Upload artifact
-        uses: actions/upload-artifact@v4
-        with:
-          if-no-files-found: warn
-          name: scout-results
-          path: sarif.output.json
+      - name: Build docker
+        uses: meysam81/build-docker@main
+        with:
+          cosign: true
+          image-extra-tags: |
+            ghcr.io/${{ github.repository }}:${{ github.run_id }}
+            ghcr.io/${{ github.repository }}:latest
+          image-name: ghcr.io/${{ github.repository }}
+          kubescape: true
+          kubescape-upload-sarif: true
 
-  build-docker-edge:
+  semantic-release:
     if: github.event_name == 'push' && github.ref == 'refs/heads/main'
-    permissions:
-      contents: read
-      packages: write
-      security-events: write
     runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-      - name: Login to Docker Container Registry
-        uses: docker/login-action@v3
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_PASSWORD }}
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@v3
-        with:
-          password: ${{ secrets.GITHUB_TOKEN }}
-          registry: ghcr.io
-          username: ${{ github.actor }}
-      - id: meta
-        name: Docker metadata
-        uses: docker/metadata-action@v5
-        with:
-          images: ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_REPOSITORY }}
-      - name: Build and push
-        uses: docker/build-push-action@v6
-        with:
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
-          labels: ${{ steps.meta.outputs.labels }}
-          platforms: linux/amd64,linux/arm64
-          push: true
-          tags: |
-            ${{ steps.meta.outputs.tags }}
-            ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_REPOSITORY }}:${{ github.run_id }}
-            ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_REPOSITORY }}:latest
-      - name: Docker Scout - cves
-        uses: docker/scout-action@v1
-        with:
-          command: cves
-          ignore-unchanged: true
-          image: ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_REPOSITORY }}:${{ github.run_id }}
-          only-fixed: true
-          only-severities: medium,high,critical
-          sarif-file: sarif.output.json
-          summary: true
-      - name: Upload artifact
-        uses: actions/upload-artifact@v4
-        with:
-          if-no-files-found: warn
-          name: scout-results
-          path: sarif.output.json
-
-  build-docker-stable:
-    if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
     permissions:
-      contents: read
+      contents: write
       packages: write
-    runs-on: ubuntu-latest
+      issues: write
+      pull-requests: write
+      id-token: write
     steps:
       - name: Checkout
         uses: actions/checkout@v4
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-      - name: Login to Docker Container Registry
-        uses: docker/login-action@v3
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_PASSWORD }}
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@v3
-        with:
-          password: ${{ secrets.GITHUB_TOKEN }}
-          registry: ghcr.io
-          username: ${{ github.actor }}
-      - id: meta
-        name: Docker metadata
-        uses: docker/metadata-action@v5
         with:
-          images: ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_REPOSITORY }}
-      - name: Build and push
-        uses: docker/build-push-action@v6
+          fetch-depth: 0
+      - name: Setup bun
+        uses: oven-sh/setup-bun@v2
         with:
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
-          labels: ${{ steps.meta.outputs.labels }}
-          platforms: linux/amd64,linux/arm64
-          push: true
-          tags: |
-            ${{ steps.meta.outputs.tags }}
-            ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_REPOSITORY }}:${{ github.ref_name }}
-      - name: Docker Scout - cves
-        uses: docker/scout-action@v1
-        with:
-          command: cves
-          ignore-unchanged: true
-          image: ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_REPOSITORY }}:${{ github.ref_name }}
-          only-fixed: true
-          only-severities: medium,high,critical
-          sarif-file: sarif.output.json
-          summary: true
-      - name: Upload artifact
-        uses: actions/upload-artifact@v4
-        with:
-          if-no-files-found: warn
-          name: scout-results
-          path: sarif.output.json
-
-  github-release:
-    if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
-    permissions:
-      contents: write
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-      - continue-on-error: true
+          bun-version: latest
+      - name: Install bun deps
+        run: bun install
+      - id: semantic-release
+        name: Release
         env:
-          GH_TOKEN: ${{ github.token }}
-        name: Create release
-        run: |
-          gh release create ${{ github.ref_name }} -t ${{ github.ref_name }} --generate-notes
+          GITHUB_TOKEN: ${{ github.token }}
+        run: bunx semantic-release@v24
+      - if: steps.semantic-release.outputs.version != ''
+        name: Build docker
+        uses: meysam81/build-docker@main
+        with:
+          cosign: true
+          image-extra-tags: |
+            ghcr.io/${{ github.repository }}:${{ steps.semantic-release.outputs.version }}
+          image-name: ghcr.io/${{ github.repository }}
+          kubescape: true
+          kubescape-upload-sarif: true
+          ref: ${{ steps.semantic-release.outputs.version }}

.gitignore

@@ -1 +1,2 @@
 .secrets
+node_modules/

.pre-commit-config.yaml

@@ -1,3 +1,16 @@
+ci:
+  autofix_commit_msg: |
+    [pre-commit.ci] auto fixes from pre-commit.com hooks
+
+    [skip ci]
+  autofix_prs: true
+  autoupdate_commit_msg: |
+    [pre-commit.ci] pre-commit autoupdate
+
+    [skip ci]
+  autoupdate_schedule: weekly
+  submodules: false
+
 repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
     rev: v5.0.0
@@ -59,3 +72,7 @@ repos:
       - id: ruff
         args: [ --fix ]
       - id: ruff-format
+  - repo: https://github.com/rhysd/actionlint
+    rev: v1.7.7
+    hooks:
+      - id: actionlint

.releaserc

@@ -0,0 +1,14 @@
+---
+branches:
+  - main
+plugins:
+  - - "@semantic-release/commit-analyzer"
+    - preset: angular
+      releaseRules:
+        - type: chore
+          release: patch
+  - "@semantic-release/release-notes-generator"
+  - "@semantic-release/git"
+  - "@semantic-release/github"
+  - - "@semantic-release/exec"
+    - successCmd: echo version=v${nextRelease.version} >> $GITHUB_OUTPUT