Release drafter (#28)

* Updates to release drafter

.github/release-drafter.yml

@@ -1,5 +1,5 @@
-name-template: '$NEXT_PATCH_VERSION'
-tag-template: '$NEXT_PATCH_VERSION'
+name-template: ${{ env.version }}
+tag-template: ${{ env.version }}
 categories:
   - title: '🚀 Features'
     labels:
@@ -24,6 +24,7 @@ categories:
 change-template: '- $TITLE @$AUTHOR (#$NUMBER)'
 change-title-escapes: '\<*_&' # You can add # and @ to disable mentions, and add ` to disable code blocks.
 prerelease-identifier: 'alpha' # will create a prerelease with version number x.x.x-alpha.x
+include-pre-releases: true
 version-resolver:
   major:
     labels:
@@ -38,9 +39,9 @@ version-resolver:
 template: |
   ## Download
   ```bash
-  docker pull ghcr.io/dsiemienas03/ccdc-ansible:$NEXT_PATCH_VERSION
+  docker pull ghcr.io/dsiemienas03/ccdc-ansible:$tag
   ```
 
   ## Changes
 
-  $CHANGES
+  $CHANGES

.github/workflows/docker_build.yml

@@ -33,7 +33,7 @@ jobs:
       id-token: write
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v4.2.2
         with:
           submodules: "recursive"
           fetch-depth: 1
@@ -45,7 +45,7 @@ jobs:
           cosign-release: "v2.2.4"
 
       - name: Cache Repository
-        uses: actions/cache@v4
+        uses: actions/cache@v4.2.0
         with:
           path: ./
           key: ${{ runner.os }}-repo-${{ github.sha }}
@@ -90,7 +90,7 @@ jobs:
       # Login against a Docker registry except on PR
       # https://github.com/docker/login-action
       - name: Restore Cached Repository
-        uses: actions/cache@v4
+        uses: actions/cache@v4.2.0
         with:
           path: ./
           key: ${{ runner.os }}-repo-${{ github.sha }}
@@ -150,7 +150,7 @@ jobs:
       - setup
     steps:
       - name: Restore Cached Repository
-        uses: actions/cache@v4
+        uses: actions/cache@v4.2.0
         with:
           path: ./
           key: ${{ runner.os }}-repo-${{ github.sha }}
@@ -159,7 +159,7 @@ jobs:
         uses: docker/setup-buildx-action@v3.8.0 # v3.6.1
 
       - name: Login to Docker Hub
-        uses: docker/login-action@v3
+        uses: docker/login-action@v3.3.0
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}

.github/workflows/docker_release.yml

@@ -27,7 +27,7 @@ jobs:
       id-token: write
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v4.2.2
         with:
           submodules: "recursive"
 
@@ -57,10 +57,10 @@ jobs:
       tags: ${{ steps.meta.outputs.tags }}
       labels: ${{ steps.meta.outputs.labels }}
     needs:
-        - setup
+      - setup
     steps:
       - name: Restore Cached Repository
-        uses: actions/cache@v4
+        uses: actions/cache@v4.2.0
         with:
           path: ./
           key: ${{ runner.os }}-repo-${{ github.sha }}
@@ -82,7 +82,7 @@ jobs:
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Login to Docker Hub
-        uses: docker/login-action@v3
+        uses: docker/login-action@v3.0.0
         if: ${{ github.event_name != 'pull_request' }}
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
@@ -119,7 +119,6 @@ jobs:
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
 
-
   dockerhub-release:
     if: github.event_name == 'release'
     runs-on: ubuntu-latest
@@ -136,7 +135,7 @@ jobs:
       digest: ${{ steps.build-and-push-docker.outputs.digest }}
     steps:
       - name: Restore Cached Repository
-        uses: actions/cache@v4
+        uses: actions/cache@v4.2.0
         with:
           path: ./
           key: ${{ runner.os }}-repo-${{ github.sha }}
@@ -145,7 +144,7 @@ jobs:
         uses: docker/setup-buildx-action@v3.8.0 # v3.6.1
 
       - name: Login to Docker Hub
-        uses: docker/login-action@v3
+        uses: docker/login-action@v3.0.0
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
@@ -161,7 +160,6 @@ jobs:
             type=ref,event=tag
             type=raw,value=${{ github.event.release.tag_name }}
 
-
       # Build and push Docker image with Buildx (don't push on PR)
       # https://github.com/docker/build-push-action
       - name: Build and push Docker image to Docker Hub
@@ -174,7 +172,6 @@ jobs:
           labels: ${{ steps.meta2.outputs.labels }}
           provenance: mode=max
 
-
   Docker-Scout:
     if: github.event_name == 'release'
     runs-on: ubuntu-latest
@@ -184,7 +181,7 @@ jobs:
       # This is used to complete the identity challenge
       # with sigstore/fulcio when running outside of PRs.
       id-token: write
-    needs: 
+    needs:
       - dockerhub-release
       - github-release
     steps:
@@ -197,7 +194,7 @@ jobs:
       - name: Docker Scout
         id: docker-scout
         if: ${{ github.event_name == 'pull_request' }}
-        uses: docker/scout-action@v1
+        uses: docker/scout-action@v1.16.1
         with:
           command: cves, recommendations, sbom
           image: ${{ needs.github-release.outputs.tags }}
@@ -221,8 +218,7 @@ jobs:
         # This step uses the identity token to provision an ephemeral certificate
         # against the sigstore community Fulcio instance.
         run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
-
-
+
       - name: Sign the published Docker image on Docker hub
         if: ${{ github.event_name != 'pull_request' }}
         env:

.github/workflows/release-drafter.yml

@@ -1,6 +1,9 @@
 name: Release Drafter
 
 on:
+  # push:
+  #   branches:
+  #     - main
   # branches to consider in the event; optional, defaults to all
   # pull_request event is required only for autolabeler
   pull_request:
@@ -11,7 +14,7 @@ on:
   #   types: [opened, reopened, synchronize]
 
 permissions:
-  contents: read
+  contents: write
 
 jobs:
   update_release_draft:
@@ -23,16 +26,27 @@ jobs:
       pull-requests: write
     runs-on: ubuntu-latest
     steps:
+      - uses: actions/checkout@v4.2.2
+        with:
+          fetch-depth: 2
+      - name: Get version
+        id: get_version
+        run: echo "version=$(cat VERSION)" >> $GITHUB_ENV
+      - name: Sanity check
+        run: |
+          echo "Version: ${{ env.version }}"
       # (Optional) GitHub Enterprise requires GHE_HOST variable set
       # - name: Set GHE_HOST
       #  run: |
       #    echo "GHE_HOST=${GITHUB_SERVER_URL##https:\/\/}" >> $GITHUB_ENV
 
       # Drafts your next Release notes as Pull Requests are merged into "master"
-      - uses: release-drafter/release-drafter@v6
+      - uses: release-drafter/release-drafter@v6.1.0
         # (Optional) specify config name to use, relative to .github/. Default: release-drafter.yml
         # with:
-        #   config-name: my-config.yml
-        #   disable-autolabeler: true
+        # #   config-name: my-config.yml
+        # # disable-autolabeler: false
+        # # current-version: ${{ steps.get_version.outputs.version }}
+          # tag: ${{ env.version }}
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/release-publish.yml

@@ -0,0 +1,45 @@
+name: Release Publish
+
+on:
+  push:
+    paths:
+      - "VERSION"
+    branches:
+      - main
+  # branches to consider in the event; optional, defaults to all
+  # pull_request event is required only for autolabeler
+  # pull_request:
+  #   # Only following types are handled by the action, but one can default to all as well
+  #   types: [opened, reopened, synchronize]
+  # pull_request_target event is required for autolabeler to support PRs from forks
+  # pull_request_target:
+  #   types: [opened, reopened, synchronize]
+
+permissions:
+  contents: write
+
+jobs:
+  publish_release:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4.2.2
+        with:
+          fetch-depth: 2
+      - name: Get version
+        id: get_version
+        run: echo "version=$(cat VERSION)" >> $GITHUB_ENV
+      # (Optional) GitHub Enterprise requires GHE_HOST variable set
+      # - name: Set GHE_HOST
+      #  run: |
+      #    echo "GHE_HOST=${GITHUB_SERVER_URL##https:\/\/}" >> $GITHUB_ENV
+
+      # Drafts your next Release notes as Pull Requests are merged into "master"
+      - uses: release-drafter/release-drafter@v6.1.0
+        # (Optional) specify config name to use, relative to .github/. Default: release-drafter.yml
+        with:
+          #   config-name: my-config.yml
+          disable-autolabeler: false
+          publish: true
+          version: ${{ env.version }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

VERSION

@@ -0,0 +1 @@
+2025.2.2