workflow:feat - Automating the release notes

.github/CODEOWNERS

@@ -1,4 +1,4 @@
 # GitHub code owners
 # See https://github.com/blog/2392-introducing-code-owners
-* @wiliansilvazup @matheusalcantarazup @lucasbrunozup @nathanmartinszup @iancardosozup
+* @wiliansilvazup @lucasbrunozup @nathanmartinszup @iancardosozup @matheusalcantarazup @oliveirafelipezup
 

.github/workflows/release-alpha.yml

@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-name: ReleaseAlpha
+name: release-alpha
 
 on:
   push:
@@ -25,6 +25,7 @@ jobs:
     permissions:
       contents: write
       packages: write
+      issues:   write
     runs-on: ubuntu-latest
     env:
       COSIGN_KEY_LOCATION: "/tmp/cosign.key"

.github/workflows/release-beta.yml

@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-name: ReleaseBeta
+name: release-beta
 
 on:
   workflow_dispatch:
@@ -27,11 +27,12 @@ jobs:
     permissions:
       contents: write
       packages: write
+      issues:   write
     runs-on: ubuntu-latest
     env:
       COSIGN_KEY_LOCATION: "/tmp/cosign.key" #private key used to sing the artefacts and images location.
       COSIGN_PWD: ${{ secrets.COSIGN_PWD }}
-
+    if: contains('["wiliansilvazup","matheusalcantarazup","lucasbrunozup","nathanmartinszup","iancardosozup","oliveirafelipezup"]', github.actor)
     steps:
       - name: Checkout
         uses: actions/checkout@v3
@@ -66,7 +67,7 @@ jobs:
         uses: crazy-max/ghaction-import-gpg@v4
         with:
           gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
-          passphrase: ${{ secrets.GPG_PASSPHRASE }}
+          passphrase: ${{ secrets.GPG_PASSWORD }}
           git_user_signingkey: true
           git_commit_gpgsign: true
 
@@ -93,9 +94,9 @@ jobs:
       - name: Checkout Release Branch
         run: mage CheckoutReleaseBranch ${{ steps.updated-version.outputs.nextReleaseBranchName }}
 
-      # Creates a tag with the next version created during the last step, but still don't publish it.
-      - name: Create tag
-        run: mage CreateLocalTag ${{ steps.updated-version.outputs.nextBetaVersion }}
+      # Creates a tag with the next version created during the last step
+      - name: Create and push tag
+        run: mage -v createAndPushTag ${{ steps.updated-version.outputs.nextBetaVersion }}
 
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v2
@@ -105,8 +106,15 @@ jobs:
           args: release --rm-dist
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          COSIGN_PWD: ${{ secrets.COSIGN_PWD }}
           GORELEASER_CURRENT_TAG: ${{ steps.updated-version.outputs.nextBetaVersion }}
+          GORELEASER_PREVIOUS_TAG: ${{ steps.updated-version.outputs.actualBetaVersion }}
 
       # Publish the release and tag using mage
       - name: Push All
-        run: mage GitPushAll
+        if: ${{ success() }}
+        run: mage -v gitPushAll
+
+      - name: Remove updates
+        if: ${{ !success() }}
+        run: mage -v removeTag ${{ steps.updated-version.outputs.nextBetaVersion }}

.github/workflows/release.yml → .github/workflows/release-final.yml

@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-name: Release
+name: release-final
 
 on:
   workflow_dispatch:
@@ -26,15 +26,16 @@ on:
 
 permissions: read-all
 jobs:
-  Release:
+  ReleaseFinal:
     permissions:
       contents: write
       packages: write
+      issues:   write
     runs-on: ubuntu-latest
     env:
       COSIGN_KEY_LOCATION: "/tmp/cosign.key" #private key used to sing the artefacts and images location.
       COSIGN_PWD: ${{ secrets.COSIGN_PWD }}
-
+    if: contains('["wiliansilvazup","matheusalcantarazup","lucasbrunozup","nathanmartinszup","iancardosozup","oliveirafelipezup"]', github.actor)
     steps:
       - name: Checkout
         uses: actions/checkout@v3
@@ -69,7 +70,7 @@ jobs:
         uses: crazy-max/ghaction-import-gpg@v4
         with:
           gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
-          passphrase: ${{ secrets.GPG_PASSPHRASE }}
+          passphrase: ${{ secrets.GPG_PASSWORD }}
           git_user_signingkey: true
           git_commit_gpgsign: true
 
@@ -96,9 +97,9 @@ jobs:
       - name: Checkout Release Branch
         run: mage CheckoutReleaseBranch ${{ steps.updated-version.outputs.nextReleaseBranchName }}
 
-      # Creates a tag with the next version created during the last step, but still don't publish it.
-      - name: Create tag
-        run: mage CreateLocalTag ${{ steps.updated-version.outputs.nextReleaseVersion }}
+      # Creates a tag with the next version created during the last step
+      - name: Create and push tag
+        run: mage -v createAndPushTag ${{ steps.updated-version.outputs.nextReleaseVersion }}
 
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v2
@@ -108,11 +109,14 @@ jobs:
           args: release --rm-dist
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          COSIGN_PWD: ${{ secrets.COSIGN_PWD }}
           GORELEASER_CURRENT_TAG: ${{ steps.updated-version.outputs.nextReleaseVersion }}
+          GORELEASER_PREVIOUS_TAG: ${{ steps.updated-version.outputs.actualReleaseVersion }}
 
       # This step updates the defaults.json to the platform version passed in the workflow input for all microservices.
       # The README.md and kustomization.yaml also are updated to match the new operator version that ir being released.
       - name: Update versioning files
+        if: ${{ success() }}
         run: mage UpdateVersioningFiles
         env:
           HORUSEC_PLATFORM_VERSION: ${{ github.event.inputs.horusecPlatformVersion }}
@@ -122,6 +126,7 @@ jobs:
       # The changes made in the last step are committed to the branch that the workflow was triggered, this commit is not
       # going to trigger any workflow cause the skip ci in the commit message.
       - name: Commit changes
+        if: ${{ success() }}
         uses: EndBug/add-and-commit@v8.0.2
         with:
           push: true
@@ -137,17 +142,23 @@ jobs:
       # workflow is started from a branch that isn't the main branch, for example a release branch.
       # When the workflow it's triggered to run on main, the commit it's going to be made directly to the main branch.
       - name: Cherry pick
+        if: ${{ success() }}
         id: cherry-pick
         run: mage CherryPick
 
       # This step utilizes an action to create a pull request with the branch that was cherry picked on the last step
       # into the main branch. As the last commit, this also needs to run only when the release workflow is started from a
       # branch that isn't the main branch. Others workflows should be skipped cause of the skip ci in the pull request title.
       - name: Create Pull Request
+        if: ${{ success() }}
         uses: repo-sync/pull-request@v2
         with:
           source_branch: "${{ steps.cherry-pick.outputs.cherryPickBranchName }}"
           destination_branch: "main"
           pr_title: "versioning:release - [skip ci] automatic pull request updating versioning files"
           pr_body: "This is a automatic pull request that contains changes to files that need to be updated with the new release version. Where the commit ${{ steps.cherry-pick.outputs.commitShaToPick }} was cherry picked from the release branch, which already contains all the necessary changes."
           github_token: ${{ secrets.HORUSEC_PUSH_TOKEN }}
+
+      - name: Remove updates
+        if: ${{ !success() }}
+        run: mage -v removeTag ${{ steps.updated-version.outputs.nextReleaseVersion }}

.github/workflows/release-rc.yml

@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-name: ReleaseRC
+name: release-rc
 
 on:
   workflow_dispatch:
@@ -27,11 +27,12 @@ jobs:
     permissions:
       contents: write
       packages: write
+      issues:   write
     runs-on: ubuntu-latest
     env:
       COSIGN_KEY_LOCATION: "/tmp/cosign.key" #private key used to sing the artefacts and images location.
       COSIGN_PWD: ${{ secrets.COSIGN_PWD }}
-
+    if: contains('["wiliansilvazup","matheusalcantarazup","lucasbrunozup","nathanmartinszup","iancardosozup","oliveirafelipezup"]', github.actor)
     steps:
       - name: Checkout
         uses: actions/checkout@v3
@@ -66,7 +67,7 @@ jobs:
         uses: crazy-max/ghaction-import-gpg@v4
         with:
           gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
-          passphrase: ${{ secrets.GPG_PASSPHRASE }}
+          passphrase: ${{ secrets.GPG_PASSWORD }}
           git_user_signingkey: true
           git_commit_gpgsign: true
 
@@ -93,9 +94,9 @@ jobs:
       - name: Checkout Release Branch
         run: mage CheckoutReleaseBranch ${{ steps.updated-version.outputs.nextReleaseBranchName }}
 
-      # Creates a tag with the next version created during the last step, but still don't publish it.
-      - name: Create tag
-        run: mage CreateLocalTag ${{ steps.updated-version.outputs.nextRCVersion }}
+      # Creates a tag with the next version created during the last step
+      - name: Create and push tag
+        run: mage -v createAndPushTag ${{ steps.updated-version.outputs.nextRCVersion }}
 
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v2
@@ -105,8 +106,15 @@ jobs:
           args: release --rm-dist
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          COSIGN_PWD: ${{ secrets.COSIGN_PWD }}
           GORELEASER_CURRENT_TAG: ${{ steps.updated-version.outputs.nextRCVersion }}
+          GORELEASER_PREVIOUS_TAG: ${{ steps.updated-version.outputs.actualRCVersion }}
 
       # Publish the release and tag using mage
       - name: Push All
-        run: mage GitPushAll
+        if: ${{ success() }}
+        run: mage -v gitPushAll
+
+      - name: Remove updates
+        if: ${{ !success() }}
+        run: mage -v removeTag ${{ steps.updated-version.outputs.nextRCVersion }}

.goreleaser.yml

@@ -28,18 +28,49 @@ builds:
     goarch:
       - amd64
     binary: horusec-operator
+
 changelog:
-  skip: true
+  skip: false
+  use: github
+  groups:
+  - title: 'Features'
+    regexp: "^.*:(feature|feat)\\s-.*$"
+    order: 0
+  - title: 'Bug fixes'
+    regexp: "^.*:(bugfix|fix)\\s-.*$"
+    order: 1
+  - title: 'Hotfixes'
+    regexp: "^.*:hotfix\\s-.*$"
+    order: 2
+  - title: 'Chores'
+    regexp: "^.*:chore\\s-.*$"
+    order: 3
+  - title: Others
+    order: 999
+  filters:
+    exclude:
+      - '^deps:chore.*$'
+      - '^Commit\sfrom\sGitHub\sActions.*$'
+      - '^build(deps):.*$'
+      - '^Update\sdependency.*$'
+      - '^versioning:release.*$'
+
 snapshot:
   name_template: "{{ incpatch .Version }}-next"
 archives:
   - format: binary
 release:
-  draft: true
+  prerelease: auto
+  draft: false
+  mode: append
   extra_files:
     - glob: ./deployments/cosign.pub
-  ids:
-    -
+  footer: |
+    ## Docker images
+    - `docker pull horuszup/horusec-operator:{{ .Tag }}`
+
+    **Full Changelog**: https://github.com/ZupIT/horusec-operator/compare/{{ .PreviousTag }}...{{ .Tag }}
+
 signs:
   - cmd: cosign
     stdin: '{{ .Env.COSIGN_PWD }}'
@@ -58,7 +89,7 @@ dockers:
       - horusec-operator
   - image_templates:
       - "horuszup/horusec-operator:{{ .Tag }}"
-    skip_push: false
+    skip_push: "false"
     dockerfile: ./deployments/dockerfiles/Dockerfile.gorelease
   - image_templates:
       - "horuszup/horusec-operator:latest"

config/samples/sample_install_dependencies.sh

@@ -34,7 +34,6 @@ export POSTGRES_PASSWORD=$(kubectl get secret postgresql -o jsonpath="{.data.pos
 export RABBITMQ_USERNAME="user"
 export RABBITMQ_PASSWORD=$(kubectl get secret rabbitmq -o jsonpath="{.data.rabbitmq-password}" | base64 --decode)
 export JWT_SECRET="4ff42f67-5929-fc52-65f1-3afc77ad86d5"
-export CONFIDENTIAL_CLIENT_SECRET="4ff42f67-5929-fc52-65f1-3afc77ad86d5"
 
 # waits for postgres to be ready
 kubectl wait --for=condition=ready pod postgresql-0 --timeout 300s
@@ -48,5 +47,3 @@ kubectl create secret generic horusec-analytic-database --from-literal="username
 kubectl create secret generic horusec-broker --from-literal="username=$RABBITMQ_USERNAME" --from-literal="password=$RABBITMQ_PASSWORD"
 
 kubectl create secret generic horusec-jwt --from-literal=jwt-token=$JWT_SECRET
-
-kubectl create secret generic horusec-keycloak-client --from-literal="client-secret=$CONFIDENTIAL_CLIENT_SECRET"