ci: add automatic release on package.json version change

.github/git-chglog/CHANGELOG.tpl.md

@@ -0,0 +1,27 @@
+{{ range .Versions }}
+{{ range .CommitGroups -}}
+### {{ .Title }}
+
+{{ range .Commits -}}
+* {{ if .Scope }}**{{ .Scope }}:** {{ end }}{{ .Subject }}
+{{ end }}
+{{ end -}}
+
+{{- if .RevertCommits -}}
+### Reverts
+
+{{ range .RevertCommits -}}
+* {{ .Revert.Header }}
+{{ end }}
+{{ end -}}
+
+{{- if .NoteGroups -}}
+{{ range .NoteGroups -}}
+### {{ .Title }}
+
+{{ range .Notes }}
+{{ .Body }}
+{{ end }}
+{{ end -}}
+{{ end -}}
+{{ end -}}

.github/git-chglog/config.yml

@@ -0,0 +1,32 @@
+style: github
+template: CHANGELOG.tpl.md
+info:
+  title: CHANGELOG
+  repository_url: https://github.com/sysdiglabs/scan-action
+options:
+  commits:
+    # filters:
+    #   Type:
+    #     - feat
+    #     - fix
+    #     - perf
+    #     - refactor
+  commit_groups:
+    title_maps:
+      feat: Features
+      fix: Bug Fixes
+      perf: Performance Improvements
+      refactor: Code Refactoring
+      ci: Continuous Integration
+      docs: Documentation
+      chore: Small Modifications
+      build: Compilation & Dependencies
+  header:
+    pattern: "^(\\w*)(?:\\(([\\w\\$\\.\\-\\*\\s]*)\\))?\\:\\s(.*)$"
+    pattern_maps:
+      - Type
+      - Scope
+      - Subject
+  notes:
+    keywords:
+      - BREAKING CHANGE

.github/workflows/release.yml

@@ -0,0 +1,77 @@
+name: Release
+
+on:
+  push:
+    branches:
+      - master
+    paths:
+      - package.json
+
+jobs:
+  check-changes:
+    runs-on: ubuntu-latest
+    outputs:
+      changes: ${{ steps.check_changes.outputs.changes }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 2
+
+      - name: Check if the package.version has changed
+        id: check_changes
+        run: |
+          set -euo pipefail
+          curr=$(jq -r '.version' package.json)
+          prev=$(git show HEAD^:package.json 2>/dev/null | jq -r '.version' || echo "")
+          if [ -n "$prev" ] && [ "$curr" != "$prev" ]; then
+            echo "changes=detected" >> "$GITHUB_OUTPUT"
+          else
+            echo "changes=none" >> "$GITHUB_OUTPUT"
+          fi
+
+  release:
+    runs-on: ubuntu-latest
+    needs: check-changes
+    if: needs.check-changes.outputs.changes == 'detected'
+    permissions:
+      contents: write
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.ref }}
+      cancel-in-progress: false
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          fetch-tags: true
+
+      - name: Get current version
+        id: version
+        run: echo "version=v$(jq -r '.version' package.json)" >> "$GITHUB_OUTPUT"
+
+      - name: Install Nix
+        uses: DeterminateSystems/nix-installer-action@main
+
+      - name: Install git-chglog
+        run: nix profile install nixpkgs#git-chglog
+
+      - name: Tag with version ${{ steps.version.outputs.version }}
+        run: git tag "${{ steps.version.outputs.version }}"
+
+      - name: Generate changelog
+        run: git-chglog -c .github/git-chglog/config.yml -o RELEASE_CHANGELOG.md "${{ steps.version.outputs.version }}"
+
+      - name: Create release
+        uses: softprops/action-gh-release@v2
+        with:
+          name: ${{ steps.version.outputs.version }}
+          tag_name: ${{ steps.version.outputs.version }}
+          prerelease: false
+          body_path: RELEASE_CHANGELOG.md
+
+      - name: Create major tag
+        run: |
+          MAJOR_VERSION=$(echo ${{ steps.version.outputs.version }} | cut -d. -f1)
+          git tag -f "$MAJOR_VERSION"
+          git push -f origin "$MAJOR_VERSION"

package.json

@@ -1,6 +1,6 @@
 {
   "name": "secure-inline-scan-action",
-  "version": "6.1.1",
+  "version": "6.1.2",
   "description": "This actions performs image analysis on locally built container image and posts the result of the analysis to Sysdig Secure.",
   "main": "index.js",
   "scripts": {

tests/fixtures/sarif-test.json

@@ -8,9 +8,9 @@
           "name": "sysdig-cli-scanner",
           "fullName": "Sysdig Vulnerability CLI Scanner",
           "informationUri": "https://docs.sysdig.com/en/docs/installation/sysdig-secure/install-vulnerability-cli-scanner",
-          "version": "6.1.1",
-          "semanticVersion": "6.1.1",
-          "dottedQuadFileVersion": "6.1.1.0",
+          "version": "6.1.2",
+          "semanticVersion": "6.1.2",
+          "dottedQuadFileVersion": "6.1.2.0",
           "rules": [
             {
               "id": "CVE-2023-48795",

tests/sarif.test.ts

@@ -30,9 +30,9 @@ describe("input parsing", () => {
               name: "sysdig-cli-scanner",
               fullName: "Sysdig Vulnerability CLI Scanner",
               informationUri: "https://docs.sysdig.com/en/docs/installation/sysdig-secure/install-vulnerability-cli-scanner",
-              version: "6.1.1",
-              semanticVersion: "6.1.1",
-              dottedQuadFileVersion: "6.1.1.0",
+              version: "6.1.2",
+              semanticVersion: "6.1.2",
+              dottedQuadFileVersion: "6.1.2.0",
               rules: []
             }
           },