feat: Testing

.github/workflows/oci-build-publish.yml

@@ -0,0 +1,152 @@
+name: OCI Build/Publish
+
+on:
+  workflow_call:
+    inputs:
+      artifact:
+        required: false
+        type: string
+      attest:
+        default: true
+        required: false
+        type: boolean
+      build_args:
+        required: false
+        type: string
+      context:
+        required: true
+        type: string
+      image_description:
+        required: false
+        type: string
+      image_name:
+        required: true
+        type: string
+      image_tag:
+        required: true
+        type: string
+      image_title:
+        required: false
+        type: string
+      is_latest:
+        default: false
+        required: true
+        type: boolean
+      push:
+        default: false
+        required: false
+        type: boolean
+      registry:
+        default: ghcr.io
+        required: false
+        type: string
+
+jobs:
+  build-publish:
+    name: OCI Build ${{ inputs.push && '+ Push' || '' }}
+    permissions:
+      attestations: write
+      contents: read
+      id-token: write
+      packages: write
+      security-events: write
+    runs-on: ubuntu-22.04
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
+
+      - if: ${{ inputs.artifact }}
+        uses: actions/download-artifact@v4
+        with:
+          name: ${{ inputs.artifact }}
+
+      - name: Extract metadata
+        id: meta
+        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
+        with:
+          images: ${{ inputs.registry }}/${{ inputs.image_name }}
+          labels: |
+            org.opencontainers.image.description=${{ inputs.image_description || inputs.image_title || inputs.image_name }}
+            org.opencontainers.image.revision=${{ github.sha }}
+            org.opencontainers.image.source=${{ github.server_url }}/${{ inputs.context }}
+            org.opencontainers.image.title=${{ inputs.image_title || inputs.image_name }}
+            org.opencontainers.image.version=${{ inputs.image_tag }}
+          tags: |
+            type=raw,value=${{ inputs.image_tag }}
+            type=raw,value=latest,enable=${{ inputs.is_latest }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3
+
+      - name: Log in to the registry
+        if: ${{ inputs.push }}
+        uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3
+        with:
+          registry: ${{ inputs.registry }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build ${{ inputs.push && '+ Push' || '' }}
+        uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5
+        id: build
+        env:
+          SOURCE_DATE_EPOCH: 0
+        with:
+          build-args: ${{ inputs.build_args }}
+          cache-from: type=registry,ref=${{ inputs.registry }}/${{ github.repository }}/cache
+          cache-to: type=registry,ref=${{ inputs.registry }}/${{ github.repository }}/cache,mode=max
+          context: ${{ inputs.context }}
+          labels: ${{ steps.meta.outputs.labels }}
+          platforms: linux/amd64
+          # Pushes a provenance attestation to the registry, which can currently confuse
+          # some clients. We skip this process for the time being, and instead attest
+          # our SBOM manually later.
+          provenance: false
+          push: ${{ inputs.push }}
+          tags: ${{ steps.meta.outputs.tags }}
+
+      - name: Generate SBOM
+        if: ${{ inputs.push }}
+        uses: anchore/sbom-action@e8d2a6937ecead383dfe75190d104edd1f9c5751 # v0
+        with:
+          artifact-name: ${{ inputs.image_tag }}.sbom.spdx.json
+          format: spdx-json
+          image: ${{ inputs.registry }}/${{ inputs.image_name }}:${{ inputs.image_tag }}
+          output-file: ${{ inputs.image_tag }}.sbom.spdx.json
+          upload-artifact: true
+          upload-release-assets: false
+
+      - name: Grype scan
+        if: ${{ inputs.push }}
+        uses: anchore/scan-action@3343887d815d7b07465f6fdcd395bd66508d486a # v3
+        id: scan
+        with:
+          add-cpes-if-none: true
+          fail-build: false
+          image: ${{ inputs.registry }}/${{ inputs.image_name }}:${{ inputs.image_tag }}
+          severity-cutoff: critical
+
+      - name: Store SARIF report
+        if: ${{ inputs.push }}
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4
+        with:
+          name: ${{ inputs.image_tag }}.sarif.json
+          path: ${{ steps.scan.outputs.sarif }}
+
+      - name: Upload scan report
+        if: ${{ inputs.push }}
+        uses: github/codeql-action/upload-sarif@9fdb3e49720b44c48891d036bb502feb25684276 # v3
+        with:
+          category: ${{ inputs.image_name }}-${{ inputs.image_tag }}
+          sarif_file: ${{ steps.scan.outputs.sarif }}
+
+      - name: Upload SBOM attestation
+        uses: actions/attest-sbom@aaa2d0a82e0853a3aea99fcf632b9b61cdb534c2 # v1
+        if: ${{ inputs.attest && inputs.push }}
+        id: attest
+        with:
+          subject-name: ${{ inputs.registry }}/${{ inputs.image_name }}
+          subject-digest: ${{ steps.build.outputs.digest }}
+          sbom-path: ${{ inputs.image_tag }}.sbom.spdx.json
+          push-to-registry: true

.github/workflows/pre-release.yml

@@ -1,4 +1,4 @@
-name: Test/Pre-Release
+name: Pre-Release
 
 on:
   push:
@@ -14,23 +14,16 @@ env:
   REGISTRY: ghcr.io
 
 jobs:
-  qa-main:
-    name: Call QA
-    uses: ./.github/workflows/test.yml
+  qa:
+    name: 🔹 QA
+    uses: ./.github/workflows/qa.yml
 
-  pre-release:
-    concurrency: publish
-    if: github.ref == 'refs/heads/main'
-    name: Publish
-    needs: qa-main
+  build:
+    name: Build application
+    needs: qa
     permissions:
-      attestations: write
-      contents: read
-      id-token: write
-      packages: write
-      security-events: write
+      contents: write
     runs-on: ubuntu-22.04
-
     steps:
       - name: Checkout
         uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
@@ -58,86 +51,54 @@ jobs:
       - name: Build
         run: yarn build
 
-      - name: Determine release version
-        run: echo "RELEASE_VERSION=$(node .scripts/release-version.cjs)" >> $GITHUB_ENV
-
-      - name: Extract metadata
-        id: meta
-        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
+      - uses: actions/upload-artifact@v4
         with:
-          images: ${{ env.REGISTRY }}/${{ github.repository }}
-          labels: |
-            org.opencontainers.image.description=Updates CloudFlare DNS with IP addresses of running Docker containers.
-            org.opencontainers.image.revision=${{ github.sha }}
-            org.opencontainers.image.source=${{ github.server_url }}/${{ github.repository }}
-            org.opencontainers.image.title=Docker CloudFlare DNS
-            org.opencontainers.image.version=${{ env.RELEASE_VERSION }}
-          tags: |
-            type=raw,value=${{ env.RELEASE_VERSION }}
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3
-
-      - name: Log in to the registry
-        uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3
-        with:
-          registry: ${{ env.REGISTRY }}
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Build + Push
-        uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5
-        id: build
-        env:
-          SOURCE_DATE_EPOCH: 0
-        with:
-          cache-from: type=registry,ref=${{ env.REGISTRY }}/${{ github.repository }}/cache
-          cache-to: type=registry,ref=${{ env.REGISTRY }}/${{ github.repository }}/cache,mode=max
-          context: .
-          labels: ${{ steps.meta.outputs.labels }}
-          platforms: linux/amd64
-          # Pushes a provenance attestation to the registry, which can currently confuse
-          # some clients. We skip this process for the time being, and instead attest
-          # our SBOM manually later.
-          provenance: false
-          push: true
-          tags: ${{ steps.meta.outputs.tags }}
-
-      - name: Generate SBOM
-        uses: anchore/sbom-action@e8d2a6937ecead383dfe75190d104edd1f9c5751 # v0
-        with:
-          artifact-name: ${{ env.RELEASE_VERSION }}.sbom.spdx.json
-          format: spdx-json
-          image: ${{ env.REGISTRY }}/${{ github.repository }}:${{ env.RELEASE_VERSION }}
-          output-file: ${{ env.RELEASE_VERSION }}.sbom.spdx.json
-          upload-artifact: true
-          upload-release-assets: false
-
-      - name: Grype scan
-        uses: anchore/scan-action@3343887d815d7b07465f6fdcd395bd66508d486a # v3
-        id: scan
-        with:
-          add-cpes-if-none: true
-          fail-build: false
-          image: ${{ env.REGISTRY }}/${{ github.repository }}:${{ env.RELEASE_VERSION }}
-          severity-cutoff: critical
+          name: build-output
+          path: |
+            output/
+            package.json
+          retention-days: 1
+
+  versions:
+    name: Versions
+    outputs:
+      RELEASE_VERSION: ${{ env.RELEASE_VERSION }}
+    permissions:
+      contents: read
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
 
-      - name: Store SARIF report
-        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4
+      - name: Select NodeJS version
+        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4
         with:
-          name: ${{ env.RELEASE_VERSION }}.sarif.json
-          path: ${{ steps.scan.outputs.sarif }}
+          node-version: ${{ env.NODE_VERSION }}
+          registry-url: https://registry.npmjs.org
 
-      - name: Upload scan report
-        uses: github/codeql-action/upload-sarif@f079b8493333aace61c81488f8bd40919487bd9f # v3
-        with:
-          sarif_file: ${{ steps.scan.outputs.sarif }}
+      - name: Determine versions
+        run: echo "RELEASE_VERSION=$(node .scripts/release-version.cjs)" >> $GITHUB_ENV
 
-      - name: Upload SBOM attestation
-        uses: actions/attest-sbom@aaa2d0a82e0853a3aea99fcf632b9b61cdb534c2 # v1
-        id: attest
-        with:
-          subject-name: ${{ env.REGISTRY }}/${{ github.repository }}
-          subject-digest: ${{ steps.build.outputs.digest }}
-          sbom-path: ${{ env.RELEASE_VERSION }}.sbom.spdx.json
-          push-to-registry: true
+  pre-release:
+    concurrency: publish
+    name: 🔹 Publish
+    needs:
+      - build
+      - qa
+      - versions
+    permissions:
+      attestations: write
+      contents: read
+      id-token: write
+      packages: write
+      security-events: write
+    uses: ./.github/workflows/oci-build-publish.yml
+    with:
+      artifact: build-output
+      context: .
+      image_description: Updates CloudFlare DNS with IP addresses of running Docker containers.
+      image_name: ${{ github.repository }}
+      image_tag: ${{ needs.versions.outputs.RELEASE_VERSION }}
+      image_title: docker-cloudflare-dns
+      is_latest: false
+      push: ${{ github.event_name == 'push' && github.ref_name == 'main' }}

.github/workflows/release.yml

@@ -16,7 +16,7 @@ env:
 jobs:
   qa-tag:
     name: Call QA
-    uses: ./.github/workflows/test.yml
+    uses: ./.github/workflows/qa.yml
 
   release:
     concurrency: publish

Dockerfile

@@ -1,4 +1,4 @@
-FROM node:20.14.0-bookworm@sha256:ab71b9da5ba19445dc5bb76bf99c218941db2c4d70ff4de4e0d9ec90920bfe3f
+FROM node:22.2.0
 
 LABEL org.opencontainers.image.description Update Cloudflare DNS with Docker container IP addresses.
 

build.cjs

@@ -6,7 +6,7 @@ esbuild
     outfile: "./output/main.cjs",
     platform: "node",
     sourcemap: true,
-    target: "node20",
+    target: "node22",
     bundle: true,
   })
   .catch(console.error);