stackrox · Molter73 · Jun 26, 2025
@@ -0,0 +1,45 @@
+name: Get latest version
+description: Gets the latest version in a repo, following semver rules
+inputs:
+  repo:
+    required: false
+    default: ${{ github.workspace }}
+    description: Path to the repo to get the version from
+  required-major:
+    required: false
+    default: "0"
+    description: Major version that was requested
+outputs:
+  version:
+    value: ${{ steps.version.outputs.major }}.${{ steps.version.outputs.minor }}
+    description: Latest version in M.m format
+  major:
+    value: ${{ steps.version.outputs.major }}
+    description: Major version
+  minor:
+    value: ${{ steps.version.outputs.minor }}
+    description: Minor version
+runs:
+  using: composite
+  steps:
+    - id: version
+      env:
+        REQUIRED_MAJOR: ${{ steps.inputs.required-major }}
+      shell: bash
+      run: |
+        tag=(0 0)
+        while read -r line; do
+          if [[ "$line" =~ ^([[:digit:]]+)\.([[:digit:]]+)\.x$ ]]; then
+              # If we are doing a release for a specific major
+              # version, we want to limit ourselves to that, so we
+              # ignore newer major versions.
+              if ((tag[0] < BASH_REMATCH[1] && (REQUIRED_MAJOR == 0 || REQUIRED_MAJOR == BASH_REMATCH[1]))); then
+                  tag=("${BASH_REMATCH[1]}" "${BASH_REMATCH[2]}")
+              elif ((tag[0] == BASH_REMATCH[1] && tag[1] < BASH_REMATCH[2])); then
+                  tag=("${BASH_REMATCH[1]}" "${BASH_REMATCH[2]}")
+              fi
+          fi
+        done < <(git tag --merged)
+
+        echo "major=${tag[0]}" >> "$GITHUB_OUTPUT"
+        echo "minor=${tag[1]}" >> "$GITHUB_OUTPUT"
@@ -23,6 +23,8 @@ jobs:
       minor: ${{ steps.final-values.outputs.minor }}
       patch: ${{ steps.patch-version.outputs.value || '0' }}
       release-type: ${{ steps.final-values.outputs.type }}
+      stackrox-major: ${{ steps.stackrox.outputs.major }}
+      stackrox-minor: ${{ steps.stackrox.outputs.minor }}
 
     steps:
       - uses: actions/checkout@v4
@@ -43,25 +45,9 @@ jobs:
 
       - name: Get closest tag to master
         id: latest-tag
-        env:
-          REQUIRED_MAJOR: ${{ steps.required-release.outputs.major }}
-        run: |
-          tag=(0 0)
-          while read -r line; do
-            if [[ "$line" =~ ^([[:digit:]]+)\.([[:digit:]]+)\.x$ ]]; then
-                # If we are doing a release for a specific major
-                # version, we want to limit ourselves to that, so we
-                # ignore newer major versions.
-                if ((tag[0] < BASH_REMATCH[1] && (REQUIRED_MAJOR == 0 || REQUIRED_MAJOR >= BASH_REMATCH[1]))); then
-                    tag=("${BASH_REMATCH[1]}" "${BASH_REMATCH[2]}")
-                elif ((tag[0] == BASH_REMATCH[1] && tag[1] < BASH_REMATCH[2])); then
-                    tag=("${BASH_REMATCH[1]}" "${BASH_REMATCH[2]}")
-                fi
-            fi
-          done < <(git tag --merged)
-
-          echo "major=${tag[0]}" >> "$GITHUB_OUTPUT"
-          echo "minor=${tag[1]}" >> "$GITHUB_OUTPUT"
+        uses: ./.github/actions/get-latest-version
+        with:
+          required-major: ${{ steps.required-release.outputs.major }}
 
       - name: Determine release type and version
         id: final-values
@@ -110,6 +96,26 @@ jobs:
 
           echo "value=$((patch+1))" >> "$GITHUB_OUTPUT"
 
+      - name: Checkout stackrox submodule
+        if: steps.final-values.outputs.type != 'patch'
+        run: |
+          git submodule update --init collector/proto/third_party/stackrox
+
+      - name: Get stackrox version
+        id: stackrox-version-last
+        if: steps.final-values.outputs.type != 'patch'
+        uses: ./github/actions/get-latest-version
+        with:
+          repo: ${{ github.workspace }}/collector/proto/third_party/stackrox
+
+      - name: Adjust stackrox version
+        id: stackrox
+        if: steps.final-values.outputs.type != 'patch'
+        run: |
+          MINOR="$((${{ steps.stackrox-version-last.outputs.minor }}+1))"
+          echo "major=${{ steps.stackrox-version-last.outputs.major }}" >> "$GITHUB_OUTPUT"
+          echo "minor=${MINOR}" >> "$GITHUB_OUTPUT"
+
       - name: Notify tags and branches
         env:
           MAJOR: ${{ steps.final-values.outputs.major }}
@@ -133,6 +139,10 @@ jobs:
             notice "Master tag" "${MAJOR}.${MINOR}.x"
             notice "Release branch" "release-${MAJOR}.${MINOR}"
           fi
+          if [[ "${RELEASE_TYPE}" != "patch" ]]; then
+            notice "Stackrox Major" "${{ steps.stackrox.outputs.major }}"
+            notice "Stackrox minor" "${{ steps.stackrox.outputs.minor }}"
+          fi
 
       - name: Mismatched versions
         if: steps.required-release.outputs.major != 0 && (
@@ -184,7 +194,16 @@ jobs:
           git pull --ff-only
           git tag "${RELEASE}.x"
           git checkout -b "release-${RELEASE}"
-          git commit --no-verify --allow-empty -m "Empty commit to diverge ${RELEASE} from master"
+
+          # Modify values needed for konflux
+          SUFFIX="-${{ needs.determine-version.outputs.stackrox-major }}-${{ needs.determine-version.outputs.stackrox-minor }}"
+          sed -i \
+            -e "/appstudio.openshift.io\/application: / s/$/${SUFFIX}/" \
+            -e "/appstudio.openshift.io\/component: / s/$/${SUFFIX}/" \
+            -e "/serviceAccountName: / s/$/${SUFFIX}/" \
+            .tekton/collector-build.yaml
+
+          git commit --no-verify -m "Commit to diverge ${RELEASE} from master"
 
       - name: Push release branch
         if: needs.determine-version.outputs.release-type != 'patch'

@@ -10,6 +10,11 @@
 
 ## Automated release
 
+**Note**: If stackrox is doing a major version bump, do not use the
+automated release workflow!! Follow the manual instructions below
+instead.
+---
+
 A workflow for automated releases can be found in the 'Actions' tab of
 GitHub. Once in said tab, look for the `Tag a new release` workflow in
 the side bar, select it and use the `Run workflow` button on the far
@@ -44,7 +49,7 @@ git pull
 2. Set the release environment variable, which should be incremented from the previous released version.
 
 ```sh
-export COLLECTOR_RELEASE=3.8
+export COLLECTOR_RELEASE=3.22
 ```
 
 3. Create an internal release tag to mark on the master branch where we forked for the release.
@@ -54,11 +59,22 @@ git tag "${COLLECTOR_RELEASE}.x"
 git push origin "${COLLECTOR_RELEASE}.x"
 ```
 
-4. Create the release branch with an empty commit and push.
+4. Set the ACS version suffix to be used by konflux, this should be the major and minor versions of ACS that will use the collector version being tagged.
+
+```sh
+export STACKROX_SUFFIX=4-8
+```
+
+4. Create the release branch with the required konflux suffixes.
 
 ```sh
 git checkout -b "release-${COLLECTOR_RELEASE}"
-git commit --allow-empty -m "Empty commit to diverge ${COLLECTOR_RELEASE} from master"
+sed -i \
+    -e "/appstudio.openshift.io\/application: / s/$/-${STACKROX_SUFFIX}/" \
+    -e "/appstudio.openshift.io\/component: / s/$/-${STACKROX_SUFFIX}/" \
+    -e "/serviceAccountName: / s/$/-${STACKROX_SUFFIX}/" \
+    .tekton/collector-build.yaml
+git commit -m "Empty commit to diverge ${COLLECTOR_RELEASE} from master"
 git push --set-upstream origin "release-${COLLECTOR_RELEASE}"
 ```
 
@@ -67,7 +83,7 @@ git push --set-upstream origin "release-${COLLECTOR_RELEASE}"
 
 ```sh
 export COLLECTOR_PATCH_NUMBER=0
-export COLLECTOR_RELEASE=3.8
+export COLLECTOR_RELEASE=3.22
 ```
 
 6. Tag and push the release.