feat(release): automate version synchronization and release process

.github/workflows/ci-pull-request.yml

@@ -45,13 +45,4 @@ jobs:
       run: |
         make build
 
-    - name: Increment version
-      id: bump
-      run: |
-        chmod +x ./bump_version.sh
-        NEW_VERSION="$(./bump_version.sh)"
-        if [[ -z "$NEW_VERSION" ]]; then
-          echo "Version bump script returned empty version" >&2
-          exit 1
-        fi
-        echo "new_version=$NEW_VERSION" >> "$GITHUB_OUTPUT"
+

.github/workflows/main.yml

@@ -4,6 +4,8 @@ on:
   push:
     branches:
       - main
+    paths:
+      - 'sysdig-cli-scan-task/package.json'
 
 permissions:
   contents: write
@@ -14,58 +16,73 @@ concurrency:
   cancel-in-progress: true
 
 jobs:
-  build:
+  build-and-release:
     runs-on: ubuntu-latest
-
     steps:
     - name: Checkout code
       uses: actions/checkout@v2
+      with:
+        fetch-depth: 0 # Need history to compare versions
+
+    - name: Check for version change
+      id: check_version
+      run: |
+        # The workflow is triggered on changes to this file, but we only want to proceed if the version field itself has changed.
+        # This handles cases where other fields (like dependencies) are updated without a version bump.
+        OLD_VERSION=$(git show HEAD~1:sysdig-cli-scan-task/package.json | jq -r .version)
+        NEW_VERSION=$(jq -r .version sysdig-cli-scan-task/package.json)
+        echo "Old version: $OLD_VERSION, New version: $NEW_VERSION"
+        if [ "$OLD_VERSION" != "$NEW_VERSION" ]; then
+          echo "Version has changed. Proceeding with release."
+          echo "changed=true" >> $GITHUB_OUTPUT
+          echo "NEW_VERSION=$NEW_VERSION" >> $GITHUB_ENV
+        else
+          echo "Version has not changed. Skipping release."
+          echo "changed=false" >> $GITHUB_OUTPUT
+        fi
 
     - name: Setup Node.js
+      if: steps.check_version.outputs.changed == 'true'
       uses: actions/setup-node@v2
       with:
         node-version: '20.x'
 
     - name: Install tfx-cli and typescript
+      if: steps.check_version.outputs.changed == 'true'
       run: |
         npm install -g tfx-cli
         npm install -g typescript
 
     - name: Login to Azure DevOps
+      if: steps.check_version.outputs.changed == 'true'
       uses: azure/login@v1
       with:
         client-id: ${{ secrets.AZURE_APPLICATION_CLIENT_ID }}
         tenant-id: ${{ secrets.AZURE_TENANT_ID }}
         subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
     - name: Get Azure DevOps access token
+      if: steps.check_version.outputs.changed == 'true'
       id: get_token
       run: |
         echo "AZURE_DEVOPS_ACCESS_TOKEN=$(az account get-access-token --resource ${{ secrets.AZURE_MARKETPLACE_ACCESS_SCOPE }} --query accessToken -o tsv)" >> $GITHUB_ENV
 
     - name: Build release
+      if: steps.check_version.outputs.changed == 'true'
       run: |
         make build
 
-    - name: Increment version
-      run: |
-        chmod +x ./bump_version.sh
-        NEW_VERSION=$(./bump_version.sh)
-        echo "NEW_VERSION=$NEW_VERSION" >> $GITHUB_ENV
-
     - name: Publish release
+      if: steps.check_version.outputs.changed == 'true'
       env:
         AZURE_DEVOPS_ACCESS_TOKEN: ${{ env.AZURE_DEVOPS_ACCESS_TOKEN }}
       run: |
         make publish-release
 
-    - name: Commit version increment
+    - name: Create Git Tag
+      if: steps.check_version.outputs.changed == 'true'
       run: |
         git config --local user.email "action@github.com"
         git config --local user.name "GitHub Action"
-        git add ./sysdig-cli-scan-task/task.json
-        git add ./VERSION
-        git add ./vss-extension.json
-        git commit -m "Increment version to ${{ env.NEW_VERSION }}"
         git tag ${{ env.NEW_VERSION }}
-        git push origin HEAD --tags
+        git push origin ${{ env.NEW_VERSION }}

.github/workflows/sync-versions.yml

@@ -0,0 +1,47 @@
+name: Sync Versions on PR
+
+on:
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  sync-versions:
+    runs-on: ubuntu-latest
+    if: contains(github.event.pull_request.labels.*.name, 'skip-version-sync') == false
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+        with:
+          ref: ${{ github.head_ref }}
+          token: ${{ secrets.GITHUB_TOKEN }}
+          fetch-depth: 0
+
+      - name: Check for version change
+        id: version_changed
+        run: |
+          git fetch origin main
+          if git diff --name-only origin/main...HEAD | grep -q "sysdig-cli-scan-task/package.json"; then
+            echo "changed=true" >> $GITHUB_OUTPUT
+          else
+            echo "changed=false" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Run sync script
+        if: steps.version_changed.outputs.changed == 'true'
+        run: |
+          chmod +x ./sync_versions.sh
+          ./sync_versions.sh
+
+      - name: Commit and push changes
+        if: steps.version_changed.outputs.changed == 'true'
+        run: |
+          git config --global user.name 'github-actions[bot]'
+          git config --global user.email 'github-actions[bot]@users.noreply.github.com'
+          git add .
+          if ! git diff --staged --quiet; then
+            git commit -m "ci: synchronize versions"
+            git push
+          else
+            echo "No changes to commit."
+          fi

README.md

@@ -147,3 +147,13 @@ steps:
 
 ## More Information
 For documentation on Sysdig Secure, including policy and capabilities see the [Sysdig Secure Documentation](https://docs.sysdig.com/en/docs/sysdig-secure/)
+
+## Release Process
+
+The release process is automated using GitHub Actions. To create a new release, follow these steps:
+
+1.  **Create a Pull Request:** Make your changes in a new branch and open a pull request against `main`.
+2.  **Bump the Version:** The version number is managed in `sysdig-cli-scan-task/package.json`. To create a release, increment the `version` field in this file.
+3.  **Automatic Sync:** When the change to `package.json` is pushed, a GitHub Action will automatically run the `./sync_versions.sh` script. This updates the version across all necessary files (like `task.json` and `vss-extension.json`) and pushes the changes to your branch.
+4.  **Merge:** After the pull request is reviewed and merged into `main`, the release workflow is triggered.
+5.  **Publish:** The workflow builds the extension, publishes it to the marketplace, and creates a corresponding Git tag.

sync_versions.sh

@@ -0,0 +1,43 @@
+#!/bin/bash
+set -e
+
+# Set the script's directory as the working directory
+cd "$(dirname "$0")"
+
+# Check if jq and npm are installed
+if ! command -v jq &> /dev/null
+then
+    echo "jq could not be found, please install it"
+    exit 1
+fi
+
+if ! command -v npm &> /dev/null
+then
+    echo "npm could not be found, please install it"
+    exit 1
+fi
+
+# Get version from sysdig-cli-scan-task/package.json
+VERSION=$(jq -r .version "sysdig-cli-scan-task/package.json")
+
+if [ -z "$VERSION" ]; then
+    echo "Version could not be read from sysdig-cli-scan-task/package.json"
+    exit 1
+fi
+
+echo "Syncing to version $VERSION"
+
+# Update vss-extension.json
+jq --arg VERSION "$VERSION" '.version = $VERSION' vss-extension.json > vss-extension.json.tmp && mv vss-extension.json.tmp vss-extension.json
+
+# Update sysdig-cli-scan-task/task.json
+MAJOR=$(echo "$VERSION" | cut -d. -f1)
+MINOR=$(echo "$VERSION" | cut -d. -f2)
+PATCH=$(echo "$VERSION" | cut -d. -f3)
+
+jq ".version.Major = $MAJOR | .version.Minor = $MINOR | .version.Patch = $PATCH" sysdig-cli-scan-task/task.json > sysdig-cli-scan-task/task.json.tmp && mv sysdig-cli-scan-task/task.json.tmp sysdig-cli-scan-task/task.json
+
+# Run npm install to update package-lock.json files
+(cd sysdig-cli-scan-task && npm install)
+
+echo "Versions synchronized successfully"

sysdig-cli-scan-task/package.json

@@ -1,6 +1,6 @@
 {
   "name": "sysdig-cli-scan-task",
-  "version": "1.0.0",
+  "version": "1.0.1",
   "description": "Sysdig Secure Scan Task",
   "main": "index.js",
   "scripts": {

sysdig-cli-scan-task/task.json

@@ -10,7 +10,7 @@
   "version": {
     "Major": 1,
     "Minor": 0,
-    "Patch": 0
+    "Patch": 1
   },
   "minimumAgentVersion": "3.232.1",
   "groups": [

vss-extension.json

@@ -2,7 +2,7 @@
   "manifestVersion": 1,
   "id": "sysdig-cli-scan-task",
   "name": "Sysdig CLI scanner",
-  "version": "1.0.0",
+  "version": "1.0.1",
   "publisher": "SysdigDevOps",
   "description": "Scan images with Sysdig Secure as part of your development pipeline.",
   "public": true,