feat: github-action + github-tags datasource + overhaul cicd (#136)

Co-authored-by: kvanzuijlen <kvanzuijlen@users.noreply.github.com>

Author: kvanzuijlen

.dockerignore

@@ -0,0 +1,18 @@
+.git
+.github/
+.idea/
+.venv/
+.cache/
+dist/
+docs/
+site/
+.golangci.yaml
+.prettierignore
+.goreleaser.yaml
+action.yml
+Dockerfile
+LICENSE
+mkdocs.yaml
+poetry.lock
+pyproject.toml
+README.md

.github/renovate.json5

@@ -1,23 +1,7 @@
 {
   $schema: "https://docs.renovatebot.com/renovate-schema.json",
   extends: ["config:best-practices"],
-  customDatasources: {
-    goreleaser: {
-      defaultRegistryUrlTemplate: "https://goreleaser.com/static/releases.json",
-      transformTemplates: [
-        '{"releases":$.{"version":$.tag_name,"changelogUrl":$join(["https://github.com/goreleaser/goreleaser/releases/tag/",$.tag_name]),"sourceUrl":"https://github.com/goreleaser/goreleaser","homepage":"https://goreleaser.com/"},"sourceUrl":"https://github.com/goreleaser/goreleaser","homepage":"https://goreleaser.com/"}',
-      ],
-    },
-  },
   customManagers: [
-    {
-      currentValueTemplate: "nonroot",
-      customType: "regex",
-      datasourceTemplate: "docker",
-      depNameTemplate: "gcr.io/distroless/static",
-      fileMatch: "^Dockerfile",
-      matchStrings: ['ARG BASE_IMAGE_DIGEST="(?<currentDigest>.*)"'],
-    },
     {
       customType: "regex",
       fileMatch: "(^|\\/)(?:workflow-templates|\\.github\\/(?:workflows|actions))\\/.+\\.ya?ml$",

.github/workflows/build.yaml

@@ -8,18 +8,18 @@ on:
 jobs:
   build:
     name: build
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     steps:
       - name: Checkout code
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
       - name: Setup Go environment
-        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+        uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
         with:
           go-version-file: "go.mod"
       - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@286f3b13b1b49da4ac219696163fb8c1c93e1200 # v6.0.0
+        uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
         with:
-          version: v2.0.1 # renovate: datasource=custom.goreleaser depName=goreleaser packageName=goreleaser/goreleaser
+          version: v2.13.2 # renovate: datasource=github-tags depName=goreleaser packageName=goreleaser/goreleaser
           args: build --single-target --snapshot --clean --output ./version
         env:
           GORELEASER_CURRENT_TAG: ${{ steps.draft_release.outputs.tag_name }}
@@ -37,18 +37,89 @@ jobs:
 
   docker-build:
     name: docker build
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     steps:
       - name: Checkout code
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@aa33708b10e362ff993539393ff100fa93ed6a27 # v3.5.0
-      - name: Build Docker image
-        run: VERSION=$(git rev-parse --short HEAD) make docker-build docker-build-x-platform
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+      - name: Get current date
+        id: date
+        run: echo "date=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_OUTPUT
+      - name: Extract base image info
+        id: base_image
+        run: |
+          BASE_IMAGE_FULL=$(grep -i '^FROM' Dockerfile | tail -n 1 | awk '{print $2}')
+          if [[ "$BASE_IMAGE_FULL" == "scratch" ]]; then
+            echo "name=scratch" >> $GITHUB_OUTPUT
+            echo "digest=" >> $GITHUB_OUTPUT
+          else
+            echo "name=$(echo "$BASE_IMAGE_FULL" | cut -d'@' -f1)" >> $GITHUB_OUTPUT
+            echo "digest=$(echo "$BASE_IMAGE_FULL" | cut -d'@' -f2)" >> $GITHUB_OUTPUT
+          fi
+      - name: Build Docker image (multi-platform)
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        with:
+          context: .
+          platforms: |
+            linux/amd64
+            linux/arm64
+            linux/arm/v8
+            linux/ppc64le
+            linux/arm/v7
+          tags: ghcr.io/version-cli/version:dev
+          labels: |
+            authors=Koen van Zuijlen <8818390+kvanzuijlen@users.noreply.github.com>
+            org.opencontainers.image.created=${{ steps.date.outputs.date }}
+            org.opencontainers.image.authors=Koen van Zuijlen <8818390+kvanzuijlen@users.noreply.github.com>
+            org.opencontainers.image.url=${{ github.event.repository.html_url }}
+            org.opencontainers.image.documentation="https://www.version-cli.app"
+            org.opencontainers.image.source=${{ github.event.repository.html_url }}
+            org.opencontainers.image.version=${{ github.sha }}
+            org.opencontainers.image.revision=${{ github.sha }}
+            org.opencontainers.image.vendor="version-cli"
+            org.opencontainers.image.licenses=# TODO: add license
+            org.opencontainers.image.ref.name=${{ github.sha }}
+            org.opencontainers.image.title=${{ github.event.repository.name }}
+            org.opencontainers.image.description=${{ github.event.repository.description }}
+            org.opencontainers.image.base.digest=${{ steps.base_image.outputs.name }}
+            org.opencontainers.image.base.name=${{ steps.base_image.outputs.digest }}
+          build-args: |
+            VERSION=${{ github.sha }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+      - name: Build Docker image (smoke test)
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        with:
+          context: .
+          platforms: linux/amd64
+          load: true
+          tags: ghcr.io/version-cli/version:dev
+          labels: |
+            authors=Koen van Zuijlen <8818390+kvanzuijlen@users.noreply.github.com>
+            org.opencontainers.image.created=${{ steps.date.outputs.date }}
+            org.opencontainers.image.authors=Koen van Zuijlen <8818390+kvanzuijlen@users.noreply.github.com>
+            org.opencontainers.image.url=${{ github.event.repository.html_url }}
+            org.opencontainers.image.documentation="https://www.version-cli.app"
+            org.opencontainers.image.source=${{ github.event.repository.html_url }}
+            org.opencontainers.image.version=${{ github.sha }}
+            org.opencontainers.image.revision=${{ github.sha }}
+            org.opencontainers.image.vendor="version-cli"
+            org.opencontainers.image.licenses=# TODO: add license
+            org.opencontainers.image.ref.name=${{ github.sha }}
+            org.opencontainers.image.title=${{ github.event.repository.name }}
+            org.opencontainers.image.description=${{ github.event.repository.description }}
+            org.opencontainers.image.base.digest=${{ steps.base_image.outputs.name }}
+            org.opencontainers.image.base.name=${{ steps.base_image.outputs.digest }}
+          build-args: |
+            VERSION=${{ github.sha }}
+          cache-from: type=gha
       - name: Version test
         id: version
         run: |-
-          echo "output=$(docker run ghcr.io/version-cli/version:latest bump 0.1.0)" >> "$GITHUB_OUTPUT"
+          echo "output=$(docker run ghcr.io/version-cli/version:dev bump 0.1.0)" >> "$GITHUB_OUTPUT"
       - name: Failed
         if: ${{ steps.version.outputs.output != '0.1.1' }}
         run: |-

.github/workflows/check_pr_labels.yaml

@@ -12,7 +12,7 @@ on:
 
 jobs:
   fail-by-label:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     steps:
       - name: Fail if PR is labeled "do-not-merge"
         if: contains(github.event.pull_request.labels.*.name, 'do-not-merge')

.github/workflows/ci.yaml

@@ -13,45 +13,93 @@ jobs:
       id-token: "write"
       packages: "write"
     name: release
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     outputs:
       tag_name: ${{ steps.draft_release.outputs.tag_name }}
     steps:
-      - name: Checkout action code
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - name: Checkout
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           fetch-depth: 0
 
       - name: Create GitHub App Token
         id: app-token
-        uses: actions/create-github-app-token@31c86eb3b33c9b601a1f60f98dcbfd1d70f379b4 # v1.10.3
+        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
         with:
           app-id: ${{ secrets.VERSION_CLI_UPDATER_APP_ID }}
           private-key: ${{ secrets.VERSION_CLI_UPDATER_PRIVATE_KEY }}
 
       - name: Draft release
         id: draft_release
-        uses: release-drafter/release-drafter@3f0f87098bd6b5c5b9a36d49c41d998ea58f9348 # v6.0.0
+        uses: release-drafter/release-drafter@b1476f6e6eb133afa41ed8589daba6dc69b4d3f5 # v6.1.0
         with:
           disable-autolabeler: true
         env:
           GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
 
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@aa33708b10e362ff993539393ff100fa93ed6a27 # v3.5.0
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+      - name: Get current date
+        id: date
+        run: echo "date=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_OUTPUT
+      - name: Extract base image info
+        id: base_image
+        run: |
+          BASE_IMAGE_FULL=$(grep -i '^FROM' Dockerfile | tail -n 1 | awk '{print $2}')
+          if [[ "$BASE_IMAGE_FULL" == "scratch" ]]; then
+            echo "name=scratch" >> $GITHUB_OUTPUT
+            echo "digest=" >> $GITHUB_OUTPUT
+          else
+            echo "name=$(echo "$BASE_IMAGE_FULL" | cut -d'@' -f1)" >> $GITHUB_OUTPUT
+            echo "digest=$(echo "$BASE_IMAGE_FULL" | cut -d'@' -f2)" >> $GITHUB_OUTPUT
+          fi
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Build Docker image
-        run: VERSION=${{ steps.draft_release.outputs.tag_name }} make docker-push
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        with:
+          context: .
+          platforms: |
+            linux/amd64
+            linux/arm64
+            linux/arm/v8
+            linux/ppc64le
+            linux/arm/v7
+          push: true
+          tags: |
+            ghcr.io/version-cli/version:latest
+            ghcr.io/version-cli/version:${{ steps.draft_release.outputs.tag_name }}
+          labels: |
+            authors=Koen van Zuijlen <8818390+kvanzuijlen@users.noreply.github.com>
+            org.opencontainers.image.created=${{ steps.date.outputs.date }}
+            org.opencontainers.image.authors=Koen van Zuijlen <8818390+kvanzuijlen@users.noreply.github.com>
+            org.opencontainers.image.url=${{ github.event.repository.html_url }}
+            org.opencontainers.image.documentation="https://www.version-cli.app"
+            org.opencontainers.image.source=${{ github.event.repository.html_url }}
+            org.opencontainers.image.version=${{ steps.draft_release.outputs.tag_name }}
+            org.opencontainers.image.revision=${{ steps.draft_release.outputs.tag_name }}
+            org.opencontainers.image.vendor="version-cli"
+            org.opencontainers.image.licenses=# TODO: add license
+            org.opencontainers.image.ref.name=${{ steps.draft_release.outputs.tag_name }}
+            org.opencontainers.image.title=${{ github.event.repository.name }}
+            org.opencontainers.image.description=${{ github.event.repository.description }}
+            org.opencontainers.image.base.digest=${{ steps.base_image.outputs.name }}
+            org.opencontainers.image.base.name=${{ steps.base_image.outputs.digest }}
+          build-args: |
+            VERSION=${{ steps.draft_release.outputs.tag_name }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
 
       - name: Publish release
-        uses: release-drafter/release-drafter@3f0f87098bd6b5c5b9a36d49c41d998ea58f9348 # v6.0.0
+        uses: release-drafter/release-drafter@b1476f6e6eb133afa41ed8589daba6dc69b4d3f5 # v6.1.0
         if: steps.draft_release.outputs.tag_name != ''
         with:
           version: ${{ steps.draft_release.outputs.tag_name }}
@@ -61,20 +109,20 @@ jobs:
           GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
 
       - name: Checkout action code
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           fetch-depth: 0
           ref: ${{ steps.draft_release.outputs.tag_name }}
 
       - name: Setup Go environment
-        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+        uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
         with:
           go-version-file: "go.mod"
 
       - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@286f3b13b1b49da4ac219696163fb8c1c93e1200 # v6.0.0
+        uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
         with:
-          version: v2.0.1 # renovate: datasource=custom.goreleaser depName=goreleaser packageName=goreleaser/goreleaser
+          version: v2.13.2 # renovate: datasource=github-tags depName=goreleaser packageName=goreleaser/goreleaser
           args: release --skip=publish --clean
         env:
           GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
@@ -89,28 +137,29 @@ jobs:
           FILES: dist/version_*.tar.gz dist/version_*.zip dist/version_*_checksums.txt
 
   docs-deploy:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     if: ${{ always() }}
     needs: release
     permissions:
       contents: write
     steps:
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           fetch-depth: 0
       - name: Configure Git Credentials
         run: |
           git config user.name version-cli[bot]
           git config user.email 41898282+github-actions[bot]@users.noreply.github.com
       - name: Install Poetry
-        # renovate: datasource=github-tags depName=poetry packageName=python-poetry/poetry
-        run: pipx install poetry==1.8.2
-      - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5
+        env:
+          poetry_version: 2.2.1 # renovate: datasource=github-tags depName=poetry packageName=python-poetry/poetry
+        run: pipx install poetry==$poetry_version
+      - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
         with:
           python-version-file: pyproject.toml
           cache: "poetry"
       - run: echo "cache_id=$(date --utc '+%V')" >> $GITHUB_ENV
-      - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4
+      - uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
         with:
           key: mkdocs-material-${{ env.cache_id }}
           path: .cache
@@ -126,6 +175,7 @@ jobs:
           GOOGLE_ANALYTICS_KEY: ${{ secrets.GOOGLE_ANALYTICS_KEY }}
           MKDOCS_GIT_COMMITTERS_APIKEY: ${{ github.token }}
           EXCLUDE_SHIELDS_IO_PRIVACY: true
+          VERSION_CLI_VERSION: ${{ needs.release.outputs.tag_name }}
       - name: Deploy release docs
         if: ${{ github.event_name == 'workflow_dispatch' && needs.release.result == 'success' }}
         run: |-
@@ -136,3 +186,4 @@ jobs:
         env:
           GOOGLE_ANALYTICS_KEY: ${{ secrets.GOOGLE_ANALYTICS_KEY }}
           MKDOCS_GIT_COMMITTERS_APIKEY: ${{ github.token }}
+          VERSION_CLI_VERSION: ${{ needs.release.outputs.tag_name }}

.github/workflows/labeler.yaml

@@ -10,9 +10,9 @@ permissions:
 
 jobs:
   triage:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     steps:
-      - uses: release-drafter/release-drafter@3f0f87098bd6b5c5b9a36d49c41d998ea58f9348 # v6.0.0
+      - uses: release-drafter/release-drafter@b1476f6e6eb133afa41ed8589daba6dc69b4d3f5 # v6.1.0
         with:
           disable-releaser: true
         env:

.github/workflows/prettier.yaml

@@ -8,22 +8,22 @@ on:
 
 jobs:
   prettier:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     steps:
       - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           ref: ${{ github.head_ref }} # so PRs resolve to correct branch
           fetch-depth: 0 # needed for only_changed below
           persist-credentials: false
       - name: Create GitHub App Token
         id: app-token
-        uses: actions/create-github-app-token@31c86eb3b33c9b601a1f60f98dcbfd1d70f379b4 # v1.10.3
+        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
         with:
           app-id: ${{ secrets.VERSION_CLI_UPDATER_APP_ID }}
           private-key: ${{ secrets.VERSION_CLI_UPDATER_PRIVATE_KEY }}
       - name: Prettify code
-        uses: creyD/prettier_action@31355f8eef017f8aeba2e0bc09d8502b13dbbad1 # v4.3
+        uses: creyD/prettier_action@8c18391fdc98ed0d884c6345f03975edac71b8f0 # v4.6
         with:
           commit_message: "Prettier"
           only_changed: True

.gitignore

@@ -6,3 +6,5 @@
 /version*
 /.cache/
 /site/
+# Added by goreleaser init:
+build/