releases: publish nightly builds of dev (#12137)

valentijnscholten · web-flow · commit 339874b4e083 · 2025-04-30T17:37:32.000-06:00
* GHA: nightly dev build

* nightly-dev build

* nightly-dev build

* nightly-dev build

* nightly-dev build

* nightly-dev build

* nightly-dev build

* nightly-dev build

* nightly-dev build

* nightly-dev build

* nightly-dev build

* nightly-dev build

* nightly-dev build

* nightly-dev build

* nightly-dev build

* nightly-dev build

* nightly-dev build

* nightly-dev build

* nightly-dev build

* nightly-dev build

* nightly-dev build

* nightly-dev build

* nightly-dev build

* nightly-dev build

* nightly-dev build

* nightly-dev build

* nightly-dev build

* nightly-dev build

* nightly-dev build

* nightly-dev build

* nightly-dev build

* nightly-dev build

* nightly-dev build

* nightly-dev build

* nightly-dev build

* nightly-dev build

* nightly-dev build

* nightly-dev build

* nightly-dev build

* nightly-dev build

* cleanup

* nightly-dev build

* nightly-dev build

* nightly-dev build

* nightly-dev build

* nightly-dev build

* nightly-dev build

* nightly-dev build

* nightly-dev build

* nightly-dev build

* nightly-dev build

* nightly-dev build

* nightly-dev build

* nightly-dev build

* nightly-dev build

* nightly-dev build

* nightly-dev build

* nightly-dev build

* nightly-dev build
diff --git a/.github/workflows/release-1-create-pr.yml b/.github/workflows/release-1-create-pr.yml
@@ -25,25 +25,25 @@ jobs:
       - name: Checkout from_branch branch
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
-          ref: ${{ github.event.inputs.from_branch }}
+          ref: ${{ inputs.from_branch }}
 
       - name: Create release branch
-        if: ${{ !startsWith(github.event.inputs.from_branch, 'release/') }}
+        if: ${{ !startsWith(inputs.from_branch, 'release/') }}
         run: |
-          echo "NEW_BRANCH=release/${{ github.event.inputs.release_number }}" >> $GITHUB_ENV
+          echo "NEW_BRANCH=release/${{ inputs.release_number }}" >> $GITHUB_ENV
 
       - name: Use existing release branch
-        if: startsWith(github.event.inputs.from_branch, 'release/')
+        if: startsWith(inputs.from_branch, 'release/')
         run: |
-          echo "NEW_BRANCH=${{ github.event.inputs.from_branch }}" >> $GITHUB_ENV
+          echo "NEW_BRANCH=${{ inputs.from_branch }}" >> $GITHUB_ENV
 
       - name: Configure git
         run: |
           git config --global user.name "${{ env.GIT_USERNAME }}"
           git config --global user.email "${{ env.GIT_EMAIL }}"
 
       - name: Push branch
-        if: "!startsWith('${{ github.event.inputs.from_branch }}', 'release/')"
+        if: "!startsWith('${{ inputs.from_branch }}', 'release/')"
         run: git push origin HEAD:${NEW_BRANCH}
 
       - name: Checkout release branch
@@ -53,9 +53,9 @@ jobs:
 
       - name: Update version numbers in key files
         run: |
-          sed -ri 's/__version__ = ".*"/__version__ = "${{ github.event.inputs.release_number }}"/' dojo/__init__.py
-          sed -ri 's/"version": ".*"/"version": "${{ github.event.inputs.release_number }}"/' components/package.json
-          sed -ri 's/appVersion: ".*"/appVersion: "${{ github.event.inputs.release_number }}"/' helm/defectdojo/Chart.yaml
+          sed -ri 's/__version__ = ".*"/__version__ = "${{ inputs.release_number }}"/' dojo/__init__.py
+          sed -ri 's/"version": ".*"/"version": "${{ inputs.release_number }}"/' components/package.json
+          sed -ri 's/appVersion: ".*"/appVersion: "${{ inputs.release_number }}"/' helm/defectdojo/Chart.yaml
 
           if grep "\-dev" helm/defectdojo/Chart.yaml; then
               echo "x.y.z-dev found in Chart.yaml, probably releasing a new minor version"
diff --git a/.github/workflows/release-2-tag-docker-push.yml b/.github/workflows/release-2-tag-docker-push.yml
@@ -10,6 +10,7 @@ on:
       # the actual branch that can be chosen on the UI is made irrelevant by further steps
       # because someone will forget one day to change it.
       release_number:
+        type: string
         description: 'Release version (x.y.z format)'
         required: true
 
@@ -27,41 +28,51 @@ jobs:
           git config --global user.name "${{ env.GIT_USERNAME }}"
           git config --global user.email "${{ env.GIT_EMAIL }}"
 
-      - name: Create new tag ${{ github.event.inputs.release_number }}
+      - name: Create new tag ${{ inputs.release_number }}
         # at this point, the PR from the 1st workflow is merged into master.
         run: |
-          git tag -a ${{ github.event.inputs.release_number }} -m "[bot] release ${{ github.event.inputs.release_number }}"
-          git push origin ${{ github.event.inputs.release_number }}
-
-  release-helm-chart:
-    needs: tag
-    uses: ./.github/workflows/release-x-manual-helm-chart.yml
-    with:
-      release_number: ${{ github.event.inputs.release_number }}
-    secrets: inherit
+          git tag -a ${{ inputs.release_number }} -m "[bot] release ${{ inputs.release_number }}"
+          git push origin ${{ inputs.release_number }}
 
   publish-docker-containers:
+    needs: tag
     strategy:
-        matrix:
+      matrix:
           platform: ['linux/amd64', 'linux/arm64']
-        fail-fast: false
-    needs: tag
+      fail-fast: false
     uses: ./.github/workflows/release-x-manual-docker-containers.yml
     with:
-      release_number: ${{ github.event.inputs.release_number }}
+      release_number: ${{ inputs.release_number }}
       platform: ${{ matrix.platform }}
     secrets: inherit
 
   publish-container-digests:
     needs: publish-docker-containers
     uses: ./.github/workflows/release-x-manual-merge-container-digests.yml
     with:
-        release_number: ${{ github.event.inputs.release_number }}
+      release_number: ${{ inputs.release_number }}
+    secrets: inherit
+
+  # for releases we need to tag the images with the latest tag
+  # this could be parametrized in the merge-container-digests workflow
+  # but it's simpler to just add a explicit workflow for this here
+  tag-as-latest:
+    needs: publish-container-digests
+    uses: ./.github/workflows/release-x-manual-tag-as-latest.yml
+    with:
+      release_number: ${{ inputs.release_number }}
+    secrets: inherit
+
+  release-helm-chart:
+    needs: publish-container-digests
+    uses: ./.github/workflows/release-x-manual-helm-chart.yml
+    with:
+      release_number: ${{ inputs.release_number }}
     secrets: inherit
 
   release-drafter:
     needs: publish-container-digests
     uses: ./.github/workflows/release-drafter.yml
     with:
-      version: ${{ github.event.inputs.release_number }}
+      version: ${{ inputs.release_number }}
     secrets: inherit
diff --git a/.github/workflows/release-3-master-into-dev.yml b/.github/workflows/release-3-master-into-dev.yml
@@ -29,7 +29,7 @@ jobs:
 
       - name: Create merge back branch
         run: |
-          echo "NEW_BRANCH=master-into-dev/${{ github.event.inputs.release_number_new }}-${{ github.event.inputs.release_number_dev }}" >> $GITHUB_ENV
+          echo "NEW_BRANCH=master-into-dev/${{ inputs.release_number_new }}-${{ inputs.release_number_dev }}" >> $GITHUB_ENV
 
       - name: Configure git
         run: |
@@ -46,9 +46,9 @@ jobs:
 
       - name: Update version numbers in key files
         run: |
-          sed -ri 's/__version__ = ".*"/__version__ = "${{ github.event.inputs.release_number_dev }}"/' dojo/__init__.py
-          sed -ri 's/"version": ".*"/"version": "${{ github.event.inputs.release_number_dev }}"/' components/package.json
-          sed -ri 's/appVersion: ".*"/appVersion: "${{ github.event.inputs.release_number_dev }}"/' helm/defectdojo/Chart.yaml
+          sed -ri 's/__version__ = ".*"/__version__ = "${{ inputs.release_number_dev }}"/' dojo/__init__.py
+          sed -ri 's/"version": ".*"/"version": "${{ inputs.release_number_dev }}"/' components/package.json
+          sed -ri 's/appVersion: ".*"/appVersion: "${{ inputs.release_number_dev }}"/' helm/defectdojo/Chart.yaml
           CURRENT_CHART_VERSION=$(grep -oP 'version: (\K\S*)?' helm/defectdojo/Chart.yaml | head -1)
           sed -ri "0,/version/s/version: \S+/$(echo "version: $CURRENT_CHART_VERSION" | awk -F. -v OFS=. 'NF==1{print ++$NF}; NF>1{$NF=sprintf("%0*d", length($NF), ($NF+1)); print}')-dev/" helm/defectdojo/Chart.yaml
 
@@ -60,8 +60,8 @@ jobs:
 
       - name: Create upgrade notes to documentation
         run: |
-          minorv=$(echo ${{ github.event.inputs.release_number_dev }} | cut -d '.' -f -2)
-          patchv=$(echo ${{ github.event.inputs.release_number_dev }} | cut -d '-' -f -1)
+          minorv=$(echo ${{ inputs.release_number_dev }} | cut -d '.' -f -2)
+          patchv=$(echo ${{ inputs.release_number_dev }} | cut -d '-' -f -1)
           weight=$(date +%Y%m%d)
           echo -n "---
           title: 'Upgrading to DefectDojo Version $minorv.x'
@@ -72,7 +72,7 @@ jobs:
           There are no special instructions for upgrading to $minorv.x. Check the [Release Notes](https://github.com/DefectDojo/django-DefectDojo/releases/tag/$patchv) for the contents of the release.
           " > docs/content/en/open_source/upgrading/$minorv.md
           git add docs/content/en/open_source/upgrading/$minorv.md
-        if: endsWith(github.event.inputs.release_number_new, '.0') && endsWith(github.event.inputs.release_number_dev, '.0-dev')
+        if: endsWith(inputs.release_number_new, '.0') && endsWith(inputs.release_number_dev, '.0-dev')
 
       - name: Push version changes
         uses: stefanzweifel/git-auto-commit-action@b863ae1933cb653a53c021fe36dbb774e1fb9403 # v5.2.0
@@ -91,7 +91,7 @@ jobs:
             github.rest.pulls.create({
               owner: '${{ env.GITHUB_ORG }}',
               repo: 'django-DefectDojo',
-              title: 'Release: Merge back ${{ github.event.inputs.release_number_new }} into dev from: ${{ env.NEW_BRANCH }}',
+              title: 'Release: Merge back ${{ inputs.release_number_new }} into dev from: ${{ env.NEW_BRANCH }}',
               body: `Release triggered by \`${ process.env.GITHUB_ACTOR }\``,
               head: '${{ env.NEW_BRANCH }}',
               base: 'dev'
@@ -110,7 +110,7 @@ jobs:
 
       - name: Create merge back branch
         run: |
-          echo "NEW_BRANCH=master-into-bugfix/${{ github.event.inputs.release_number_new }}-${{ github.event.inputs.release_number_dev }}" >> $GITHUB_ENV
+          echo "NEW_BRANCH=master-into-bugfix/${{ inputs.release_number_new }}-${{ inputs.release_number_dev }}" >> $GITHUB_ENV
 
       - name: Configure git
         run: |
@@ -127,9 +127,9 @@ jobs:
 
       - name: Update version numbers in key files
         run: |
-          sed -ri "s/__version__ = '.*'/__version__ = '${{ github.event.inputs.release_number_dev }}'/" dojo/__init__.py
-          sed -ri "s/appVersion: \".*\"/appVersion: \"${{ github.event.inputs.release_number_dev }}\"/" helm/defectdojo/Chart.yaml
-          sed -ri "s/\"version\": \".*\"/\"version\": \"${{ github.event.inputs.release_number_dev }}\"/" components/package.json
+          sed -ri "s/__version__ = '.*'/__version__ = '${{ inputs.release_number_dev }}'/" dojo/__init__.py
+          sed -ri "s/appVersion: \".*\"/appVersion: \"${{ inputs.release_number_dev }}\"/" helm/defectdojo/Chart.yaml
+          sed -ri "s/\"version\": \".*\"/\"version\": \"${{ inputs.release_number_dev }}\"/" components/package.json
           CURRENT_CHART_VERSION=$(grep -oP 'version: (\K\S*)?' helm/defectdojo/Chart.yaml | head -1)
           sed -ri "0,/version/s/version: \S+/$(echo "version: $CURRENT_CHART_VERSION" | awk -F. -v OFS=. 'NF==1{print ++$NF}; NF>1{$NF=sprintf("%0*d", length($NF), ($NF+1)); print}')-dev/" helm/defectdojo/Chart.yaml
 
@@ -156,7 +156,7 @@ jobs:
             github.rest.pulls.create({
               owner: '${{ env.GITHUB_ORG }}',
               repo: 'django-DefectDojo',
-              title: 'Release: Merge back ${{ github.event.inputs.release_number_new }} into bugfix from: ${{ env.NEW_BRANCH }}',
+              title: 'Release: Merge back ${{ inputs.release_number_new }} into bugfix from: ${{ env.NEW_BRANCH }}',
               body: `Release triggered by \`${ process.env.GITHUB_ACTOR }\``,
               head: '${{ env.NEW_BRANCH }}',
               base: 'bugfix'
diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml
@@ -29,19 +29,19 @@ jobs:
         id: create_release
         uses: release-drafter/release-drafter@b1476f6e6eb133afa41ed8589daba6dc69b4d3f5 # v6.1.0
         with:
-          version: ${{ github.event.inputs.version }}  
+          version: ${{ inputs.version }}
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   # Generate the OAS schemas in another workflow
   oas-fetch:
     needs: update_release_draft
     uses: ./.github/workflows/fetch-oas.yml
     with:
-      version: ${{ github.event.inputs.version }} 
+      version: ${{ inputs.version }}
     secrets: inherit
   # Upload the OAS schemas to the release object
   add-oas-to-release:
-    needs: 
+    needs:
       - update_release_draft
       - oas-fetch
     runs-on: ubuntu-latest
@@ -73,4 +73,4 @@ jobs:
           asset_name: oas.json
           asset_content_type: application/json
 
-    
+
diff --git a/.github/workflows/release-nightly-dev.yml b/.github/workflows/release-nightly-dev.yml
@@ -0,0 +1,20 @@
+name: "Release-Nightly: Build & Push DEV"
+
+env:
+  GIT_USERNAME: "DefectDojo release bot"
+  GIT_EMAIL: "dojo-release-bot@users.noreply.github.com"
+
+on:
+  schedule:
+    # every day at 5:00 UTC
+    # in this case inputs are all null/empty, hence the default values are used below
+    - cron: "* 5 * * *"
+  workflow_dispatch:
+
+jobs:
+  nightly-build-dev:
+    uses: ./.github/workflows/release-x-nightly.yml
+    with:
+        branch-to-build: 'dev'
+        tag-to-apply: 'nightly-dev'
+    secrets: inherit
diff --git a/.github/workflows/release-x-manual-docker-containers.yml b/.github/workflows/release-x-manual-docker-containers.yml
@@ -57,7 +57,7 @@ jobs:
       - name: Checkout tag
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
-          ref: ${{ github.event.inputs.release_number }}
+          ref: ${{ inputs.release_number }}
 
       - name: Set up Docker Buildx
         id: buildx
@@ -74,6 +74,8 @@ jobs:
           file: ./Dockerfile.${{ matrix.docker-image }}-${{ matrix.os }}
           context: .
           outputs: type=image,"name=${{ env.DOCKER_ORG }}/defectdojo-${{ matrix.docker-image}}",push-by-digest=true,name-canonical=true
+          cache-from: type=gha,scope=${{ matrix.docker-image}}-${{ matrix.os }}-${{ env.PLATFORM }}-${{ github.head_ref || github.ref_name }}
+          cache-to: type=gha,mode=max,scope=${{ matrix.docker-image}}-${{ matrix.os }}-${{ env.PLATFORM }}-${{ github.head_ref || github.ref_name }}
 
         # export the digest to a file
       - name: Export digest
diff --git a/.github/workflows/release-x-manual-helm-chart.yml b/.github/workflows/release-x-manual-helm-chart.yml
@@ -26,35 +26,35 @@ jobs:
   release-chart:
     runs-on: ubuntu-latest
     steps:
-      
+
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: master
           fetch-depth: 0
-      
+
       # This action is deprecated. Not sure if it is even being used anymore...
       # - name: Get upload URL
       #   id: get-upload-url
       #   uses: pdamianik/release-tag-to-upload-url-action@v1.0.1
       #   with:
       #     tag: ${{ github.event.inputs.release_number }}
       #     token: ${{ github.token }}
-      
+
       - name: Configure git
         run: |
           git config --global user.name "${{ env.GIT_USERNAME }}"
           git config --global user.email "${{ env.GIT_EMAIL }}"
-      
+
       - name: Set up Helm
         uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112 # v4.3.0
-      
+
       - name: Configure HELM repos
         run: |-
              helm repo add bitnami https://charts.bitnami.com/bitnami
              helm dependency list ./helm/defectdojo
              helm dependency update ./helm/defectdojo
-      
+
       - name: Add yq
         uses: mikefarah/yq@8bf425b4d1344db7cd469a8d10a390876e0c77fd # v4.45.1
 
@@ -71,7 +71,7 @@ jobs:
           mkdir build
           helm package helm/defectdojo/ --destination ./build
           echo "chart_version=$(ls build | cut -d '-' -f 2 | sed 's|\.tgz||')" >> $GITHUB_ENV
-      
+
       - name: Create release ${{ github.event.inputs.release_number }}
         uses: softprops/action-gh-release@da05d552573ad5aba039eaac05058a918a7bf631 # v2.2.2
         with:
@@ -84,7 +84,7 @@ jobs:
           token: ${{ secrets.GITHUB_TOKEN }}
         env:
           GITHUB_REPOSITORY: DefectDojo/django-DefectDojo
-      
+
       - name: Update Helm repository index
         id: update-helm-repository-index
         run: |
diff --git a/.github/workflows/release-x-manual-merge-container-digests.yml b/.github/workflows/release-x-manual-merge-container-digests.yml
@@ -33,7 +33,6 @@ jobs:
             os: [alpine, debian]
 
     steps:
-
       # deduce docker org name from git repo to make the build also work in forks
     - id: Set-docker-org
       run: echo "DOCKER_ORG=$(echo ${GITHUB_REPOSITORY%%/*} | tr '[:upper:]' '[:lower:]')" >> $GITHUB_ENV
@@ -60,26 +59,24 @@ jobs:
       working-directory: ${{ runner.temp }}/digests
       run: |
         set -x
-        docker buildx imagetools create -t "${{ env.DOCKER_ORG }}/defectdojo-${{ matrix.docker-image}}:${{ github.event.inputs.release_number }}-${{ matrix.os }}" --progress=plain \
+        docker buildx imagetools create -t "${{ env.DOCKER_ORG }}/defectdojo-${{ matrix.docker-image}}:${{ inputs.release_number }}-${{ matrix.os }}" --progress=plain \
         $(printf '${{ env.DOCKER_ORG }}/defectdojo-${{ matrix.docker-image}}@sha256:%s ' *)
 
       # just for logging
     - name: Inspect OS specific image
       run: |
-        docker buildx imagetools inspect ${{ env.DOCKER_ORG }}/defectdojo-${{ matrix.docker-image}}:${{ github.event.inputs.release_number }}-${{ matrix.os }}
+        docker buildx imagetools inspect ${{ env.DOCKER_ORG }}/defectdojo-${{ matrix.docker-image}}:${{ inputs.release_number }}-${{ matrix.os }}
 
-      # debian images are the default / official ones, so these get the os-less tag and the latest tag
-    - name: Create default manifest list and push
+      # debian images are the default / official ones, so these get the os-less tag
+    - name: Tag Debian with os-less tags
       if: ${{ matrix.os  == 'debian' }}
       working-directory: ${{ runner.temp }}/digests
       run: |
         set -x
-        docker buildx imagetools create -t "${{ env.DOCKER_ORG }}/defectdojo-${{ matrix.docker-image}}:${{ github.event.inputs.release_number }}" ${{ env.DOCKER_ORG }}/defectdojo-${{ matrix.docker-image}}:${{ github.event.inputs.release_number }}-${{ matrix.os }}
-        docker buildx imagetools create -t "${{ env.DOCKER_ORG }}/defectdojo-${{ matrix.docker-image}}:latest" ${{ env.DOCKER_ORG }}/defectdojo-${{ matrix.docker-image}}:${{ github.event.inputs.release_number }}-${{ matrix.os }}
+        docker buildx imagetools create -t "${{ env.DOCKER_ORG }}/defectdojo-${{ matrix.docker-image}}:${{ inputs.release_number }}" ${{ env.DOCKER_ORG }}/defectdojo-${{ matrix.docker-image}}:${{ inputs.release_number }}-${{ matrix.os }}
 
       # just for logging
     - name: Inspect default images
       if: ${{ matrix.os  == 'debian' }}
       run: |
-          docker buildx imagetools inspect ${{ env.DOCKER_ORG }}/defectdojo-${{ matrix.docker-image}}:${{ github.event.inputs.release_number }}
-          docker buildx imagetools inspect ${{ env.DOCKER_ORG }}/defectdojo-${{ matrix.docker-image}}:latest
+          docker buildx imagetools inspect ${{ env.DOCKER_ORG }}/defectdojo-${{ matrix.docker-image}}:${{ inputs.release_number }}
diff --git a/.github/workflows/release-x-manual-tag-as-latest.yml b/.github/workflows/release-x-manual-tag-as-latest.yml
diff --git a/.github/workflows/release-x-nightly.yml b/.github/workflows/release-x-nightly.yml
