From 37517d112f51541e88fabdc87abc0f1f7a5cfee5 Mon Sep 17 00:00:00 2001 From: jmeridth Date: Sun, 10 May 2026 20:02:23 -0400 Subject: [PATCH 1/3] chore: bump ospo-reusable-workflows release.yaml to v1.0.0 ## What Pin the reusable release workflow to v1.0.0 (SHA 592067a69a43d2285f933753d89a7c9d51b96530). Add a Breaking Changes category to release-drafter. ## Why v1.0.0 of ospo-reusable-workflows broadens the release trigger to include breaking, feature, vuln, and release labels and folds GoReleaser, container image build, attestation, and discussion creation into the reusable workflow itself. Surfacing breaking changes prominently in release notes aligns the changelog with the new label-based release triggers. ## Notes - The outer label-filter `if:` block on the release job is removed because the v1.0 reusable workflow now handles label filtering internally. - Trigger updated to pull_request_target so the workflow can push tags via GITHUB_TOKEN. Signed-off-by: jmeridth --- .github/release-drafter.yml | 3 ++ .github/workflows/release.yml | 66 +---------------------------------- 2 files changed, 4 insertions(+), 65 deletions(-) diff --git a/.github/release-drafter.yml b/.github/release-drafter.yml index 685041e..563c29b 100644 --- a/.github/release-drafter.yml +++ b/.github/release-drafter.yml @@ -8,6 +8,9 @@ template: | See details of [all code changes](https://github.com/$OWNER/$REPOSITORY/compare/$PREVIOUS_TAG...v$RESOLVED_VERSION) since previous release categories: + - title: "💥 Breaking Changes" + labels: + - "breaking" - title: "🚀 Features" labels: - "feature" diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index d4d0cb7..cd6be12 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -10,73 +10,9 @@ jobs: permissions: contents: write pull-requests: read - uses: github-community-projects/ospo-reusable-workflows/.github/workflows/release.yaml@a0cf79bd8756e0a9c1555bf4975eae7ce7a8e8dc # v0.6.0 + uses: github-community-projects/ospo-reusable-workflows/.github/workflows/release.yaml@592067a69a43d2285f933753d89a7c9d51b96530 # v1.0.0 with: publish: true release-config-name: release-drafter.yml secrets: github-token: ${{ secrets.GITHUB_TOKEN }} - goreleaser: - needs: release - runs-on: ubuntu-latest - permissions: - attestations: write - contents: write - id-token: write - outputs: - attestation_matrix: ${{ steps.generate_matrix.outputs.matrix }} - steps: - - name: Checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - with: - fetch-depth: 0 - persist-credentials: false - - name: Set up Go - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 - with: - go-version-file: go.mod - - name: Install Syft - uses: anchore/sbom-action/download-syft@e22c389904149dbc22b58101806040fa8d37a610 # v0.24.0 - with: - syft-version: v1.33.0 - - name: Run GoReleaser - uses: goreleaser/goreleaser-action@e24998b8b67b290c2fa8b7c14fcfa7de2c5c9b8c # v7.1.0 - with: - distribution: goreleaser - version: "~> v2" - args: release --clean - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - name: Attest Build Provenance - uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0 - with: - subject-checksums: dist/checksums.txt - - name: Generate attestation matrix - id: generate_matrix - run: | - matrix=$(ls dist/*.spdx.json | jq -R '{"sbom": ., "archive": sub("\\.spdx\\.json$"; "")}' | jq -s -c '{"include": .}') - echo "matrix=$matrix" >> $GITHUB_OUTPUT - - name: Upload artifacts - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 - with: - name: dist - path: dist - attest-sboms: - needs: goreleaser - runs-on: ubuntu-latest - permissions: - attestations: write - 
id-token: write - strategy: - matrix: ${{ fromJson(needs.goreleaser.outputs.attestation_matrix) }} - steps: - - name: Download artifacts - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 - with: - name: dist - path: dist - - name: Attest SBOM - uses: actions/attest-sbom@c604332985a26aa8cf1bdc465b92731239ec6b9e # v4.1.0 - with: - subject-path: "${{ matrix.archive }}" - sbom-path: "${{ matrix.sbom }}" From bdcece5051d426376e88f4d98812ea3c4adf09b6 Mon Sep 17 00:00:00 2001 From: jmeridth Date: Sun, 10 May 2026 20:25:20 -0400 Subject: [PATCH 2/3] fix: declare full v1.0 permission set on release job ## What Expand the release job's permissions block to include packages, id-token, attestations, and discussions. v1.0 of ospo-reusable-workflows/release.yaml declares those permissions on its internal release_image, release_goreleaser, and release_discussion jobs, and GitHub validates them at workflow startup regardless of whether the if: filter would skip the job. ## Why The initial v1.0 bump shipped a too-narrow permissions block. When pull_request_target.closed fires on merge, GitHub validates the called workflow's job permissions against the caller and rejects the run with startup_failure. Aligning the caller's release job permissions with the ospo/stale-repos reference fixes the validation. ## Notes - All extra permissions are required by GitHub's static validation even when the matching reusable-workflow job is gated by if: and would not actually run. ## Testing After merging, the next merged PR will trigger a successful Release workflow startup (no more startup_failure). Signed-off-by: jmeridth --- .github/workflows/release.yml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index cd6be12..ee21902 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
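Review bot: The security-sensitive parts described in this commit's notes — switching the trigger to `pull_request_target` and dropping the outer label-filter `if:` — do not appear in the hunk: it starts at line 10 with the `permissions:` context, the only `-`/`+` pair is the `uses:` pin swap, and the diffstat's 1 insertion / 65 deletions for release.yml is accounted for by that swap plus the removed `goreleaser` and `attest-sboms` jobs, so the `on:` block and any `if:` line lie outside this diff. If the trigger is already `pull_request_target` (patch 2's description speaks of `pull_request_target.closed` firing on merge), the `release` job now hands a `contents: write` token and `GITHUB_TOKEN` to an external workflow for every PR-closed event the `on:` block admits — possibly unmerged fork PRs — with the only gate being whatever v1.0.0 applies internally. Before merging, confirm that release.yaml at `592067a…` checks out the base or merge ref rather than `github.event.pull_request.head.sha`, that its internal filter requires `github.event.pull_request.merged == true` in addition to the labels, and that the SHA is what the upstream `v1.0.0` tag resolves to. A one-line comment next to the pin recording that check, e.g. `# v1.0.0 — reviewed: gates on merged PR + release labels, checks out base ref`, lets the next bump re-verify rather than assume. The `release:` job header sits above the hunk and its `with:`/`secrets:` tail is unchanged context.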
@@ -8,8 +8,12 @@ on: jobs: release: permissions: - contents: write - pull-requests: read + contents: write # Create release and push tags + pull-requests: read # Read PR labels for release-drafter + packages: write # Push container image to ghcr.io + id-token: write # Federate for artifact attestation + attestations: write # Generate build provenance attestations + discussions: write # Create release announcement discussion uses: github-community-projects/ospo-reusable-workflows/.github/workflows/release.yaml@592067a69a43d2285f933753d89a7c9d51b96530 # v1.0.0 with: publish: true From 3b88143379cf64f192a24c1887137590aea3a1c3 Mon Sep 17 00:00:00 2001 From: jmeridth Date: Sun, 10 May 2026 20:57:04 -0400 Subject: [PATCH 3/3] chore: bump ospo-reusable-workflows from v1.0.0 to v1.0.1 ## What Bump the pin on ospo-reusable-workflows/release.yaml from v1.0.0 to v1.0.1 (SHA e92cb6053ace495fe40a5f185988557afcdcecbc). ## Why v1.0.1 lands two fixes from upstream PR #138: 1. release_discussion runs only after publish_release succeeds. 2. release_goreleaser auto-installs syft when GoReleaser config declares an sboms: block. ## Notes - No caller-side configuration changes are required; v1.0.1 is backward-compatible with v1.0.0 inputs and secrets. - This commit folds into the existing PR; the cumulative PR now lands at v1.0.1. Signed-off-by: jmeridth --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index ee21902..aeeaca7 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
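Review bot: The rationale for the four new grants in `permissions:` — GitHub rejects the run at startup unless the caller grants everything the called workflow's jobs declare, even for jobs its `if:` skips — exists only in the commit message, so a later least-privilege cleanup will reintroduce the `startup_failure`; put it in the file, e.g. above the block: `# Must cover every permission declared by the reusable workflow's jobs; GitHub validates them at startup even for jobs skipped by if:`. With this block the `release` job runs under `pull_request_target` holding `contents: write`, `packages: write`, `id-token: write` and `attestations: write` at once, i.e. the repository's full release authority (tags, ghcr.io images, OIDC-backed provenance) delegated to the pinned external workflow for the whole run. That is acceptable only if the `on:` block above this hunk (not shown) limits `pull_request_target` to `types: [closed]` on the release branch and the called workflow refuses unmerged PRs; with `id-token: write`, any step the reusable workflow executes can obtain an OIDC token that identifies as this repository's workflow, so confirm both before merging. The `uses:` line below carries the SHA pin, which is the right control here; keep the `# v1.0.0` annotation in step with the SHA on every bump.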
@@ -14,7 +14,7 @@ jobs: id-token: write # Federate for artifact attestation attestations: write # Generate build provenance attestations discussions: write # Create release announcement discussion - uses: github-community-projects/ospo-reusable-workflows/.github/workflows/release.yaml@592067a69a43d2285f933753d89a7c9d51b96530 # v1.0.0 + uses: github-community-projects/ospo-reusable-workflows/.github/workflows/release.yaml@e92cb6053ace495fe40a5f185988557afcdcecbc # v1.0.1 with: publish: true release-config-name: release-drafter.yml