Update workflows to publish from the release tag (#233)

vgrassia · web-flow · commit 7cd9101b4af8 · 2025-10-08T12:29:18.000-07:00
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -5,6 +5,8 @@ on:
   push:
     branches:
       - "main"
+    tags:
+      - "v*"
   pull_request:
 
 concurrency:
@@ -21,6 +23,8 @@ jobs:
     steps:
       - name: Check out repo
         uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+        with:
+          persist-credentials: false
 
       - name: Set up .NET
         uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0
@@ -52,6 +56,8 @@ jobs:
     steps:
       - name: Check out repo
         uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+        with:
+          persist-credentials: false
 
       - name: Login to GitHub Container Registry
         uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
@@ -63,8 +69,11 @@ jobs:
       - name: Generate Docker image tag
         id: tag
         run: |
+          # Tags use the tag name as the image tag (strip leading 'v')
+          if [[ "$GITHUB_REF" == refs/tags/* ]]; then
+            IMAGE_TAG="${GITHUB_REF#refs/tags/v}"
           # Main branch always uses 'dev' tag
-          if [[ "$GITHUB_REF" == "refs/heads/main" ]]; then
+          elif [[ "$GITHUB_REF" == "refs/heads/main" ]]; then
             IMAGE_TAG=dev
           # PRs use 'pr-<number>' format for consistency
           elif [[ "$GITHUB_EVENT_NAME" == "pull_request" ]]; then
@@ -131,7 +140,7 @@ jobs:
           output-format: sarif
 
       - name: Upload Grype results to GitHub
-        uses: github/codeql-action/upload-sarif@f779452ac5af1c261dce0346a8f964149f49322b # v3.26.13
+        uses: github/codeql-action/upload-sarif@e296a935590eb16afc0c0108289f68c87e2a89a5 # v4.30.7
         with:
           sarif_file: ${{ steps.container-scan.outputs.sarif }}
           sha: ${{ contains(github.event_name, 'pull_request') && github.event.pull_request.head.sha || github.sha }}
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -29,8 +29,10 @@ jobs:
     steps:
       - name: Version output
         id: version-output
+        env:
+          INPUT_VERSION: ${{ inputs.version }}
         run: |
-          if [[ "${{ inputs.version }}" == "latest" || "${{ inputs.version }}" == "" ]]; then
+          if [[ "$INPUT_VERSION" == "latest" || "$INPUT_VERSION" == "" ]]; then
             VERSION=$(curl -sSfL "https://api.github.com/repos/bitwarden/key-connector/releases" | jq -c '.[] | select(.tag_name) | .tag_name' | head -1 | grep -ohE '20[0-9]{2}\.([1-9]|1[0-2])\.[0-9]+')
             if [[ -z "$VERSION" ]]; then
               echo "Failed to fetch latest version"
@@ -39,8 +41,8 @@ jobs:
             echo "Latest Released Version: $VERSION"
             echo "version=$VERSION" >> $GITHUB_OUTPUT
           else
-            echo "Release Version: ${{ inputs.version }}"
-            echo "version=${{ inputs.version }}" >> $GITHUB_OUTPUT
+            echo "Release Version: $INPUT_VERSION"
+            echo "version=$INPUT_VERSION" >> $GITHUB_OUTPUT
           fi
 
   publish-docker:
@@ -63,32 +65,19 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Pull image
-        run: docker pull ghcr.io/bitwarden/key-connector:dev
+      - name: Pull versioned image
+        run: docker pull ghcr.io/bitwarden/key-connector:$_RELEASE_VERSION
 
-      - name: Tag version and latest
-        run: |
-          if [[ "${{ inputs.publish_type }}" == "Dry Run" ]]; then
-            docker tag ghcr.io/bitwarden/key-connector:dev ghcr.io/bitwarden/key-connector:dryrun
-          else
-            docker tag ghcr.io/bitwarden/key-connector:dev ghcr.io/bitwarden/key-connector:$_RELEASE_VERSION
-            docker tag ghcr.io/bitwarden/key-connector:dev ghcr.io/bitwarden/key-connector:latest
-          fi
+      - name: Tag as latest
+        run: docker tag ghcr.io/bitwarden/key-connector:$_RELEASE_VERSION ghcr.io/bitwarden/key-connector:latest
 
-      - name: Push release version and latest image
+      - name: Push latest image
         if: ${{ inputs.publish_type != 'Dry Run' }}
-        run: |
-          docker push ghcr.io/bitwarden/key-connector:$_RELEASE_VERSION
-          docker push ghcr.io/bitwarden/key-connector:latest
+        run: docker push ghcr.io/bitwarden/key-connector:latest
 
       - name: Verify the signed image with Cosign
         if: ${{ inputs.publish_type != 'Dry Run' }}
         run: |
-          cosign verify \
-            --certificate-identity-regexp="https://github\.com/bitwarden/key-connector/.*" \
-            --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
-            ghcr.io/bitwarden/key-connector:$_RELEASE_VERSION
-
           cosign verify \
             --certificate-identity-regexp="https://github\.com/bitwarden/key-connector/.*" \
             --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -34,6 +34,8 @@ jobs:
 
       - name: Check out repo
         uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+        with:
+          persist-credentials: false
 
       - name: Check release version
         id: version
@@ -46,7 +48,7 @@ jobs:
       - name: Get branch name
         id: branch
         run: |
-          BRANCH_NAME=$(basename ${{ github.ref }})
+          BRANCH_NAME=$(basename $GITHUB_REF)
           echo "branch-name=$BRANCH_NAME" >> $GITHUB_OUTPUT
 
   release-github:
