diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
deleted file mode 100644
index 017e725..0000000
--- a/.github/workflows/release.yml
+++ /dev/null
@@ -1,54 +0,0 @@
----
-# Front-Matter for GitHub Workflow
-title: "Semantic Release Automation"
-name: "release.yml"
-description: "Automate releases via semantic-release"
-category: automation
-usage: "Triggered automatically on push to main branch"
-behavior: "Runs semantic-release to create new releases based on commit messages"
-inputs: "GitHub token and PyPI token secrets"
-outputs: "New GitHub release and PyPI package if applicable"
-dependencies: "semantic-release, poetry"
-author: "LedgerBase Team"
-last_modified: "2023-11-15"
-changelog: "Updated to match annotation spec format"
-tags: [release, automation, semantic-release]
----
-name: Release
-
-on:
-  push:
-    branches:
-      - main
-
-permissions:
-  contents: read
-  id-token: write # if you need OIDC later
-
-jobs:
-  prepare:
-    name: Prepare Poetry & Assured OSS
-    uses: ./.github/workflows/templates/prepare-poetry.yml
-    with:
-      GCP_SA_JSON: ${{ secrets.GCP_SA_JSON }}
-    secrets:
-      GCP_SA_JSON: ${{ secrets.GCP_SA_JSON }}
-
-  release:
-    name: Semantic Release
-    needs: prepare
-    runs-on: ubuntu-22.04
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v4
-
-      - name: Verify no public PyPI fallbacks
-        run: poetry run nox -s verify_assured
-
-      - name: Run Semantic-Release
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          PYPI_TOKEN: ${{ secrets.PYPI_TOKEN }}
-        run: poetry run semantic-release publish
diff --git a/.github/workflows/repo-health.yml b/.github/workflows/repo-health.yml
deleted file mode 100644
index 8165cb2..0000000
--- a/.github/workflows/repo-health.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-name: Repo Health
-on:
-  push:
-    branches: [main, master]
-  pull_request:
-    branches: [main, master]
-  workflow_dispatch:
-
-jobs:
-  repo-health:
-    name: repo-health
-    runs-on: ubuntu-latest
-    steps:
-      - name: Health check
-        run: echo "Repository health check passed"
diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
deleted file mode 100644
index bbce918..0000000
--- a/.github/workflows/sbom.yml
+++ /dev/null
@@ -1,68 +0,0 @@
----
-# Front-Matter for GitHub Workflow
-
-title: "Security – SBOM"
-name: "sbom.yml"
-description: "Generates and validates Software Bill of Materials (SBOM) for the project"
-category: security
-usage: "Triggered on push, pull request, or manual workflow dispatch"
-behavior: "Generates SBOM in CycloneDX format and validates it"
-inputs: "Project source code and dependencies"
-outputs: "CycloneDX SBOM artifact (docs/generated/sbom/sbom.cdx.json)"
-dependencies: "Poetry, Nox, Trivy, Docker Buildx"
-author: "Byron Williams"
-last_modified: "2023-11-15"
-changelog: "Updated header to match annotation specification"
-tags: [security, sbom, workflow]
----
-name: Security – SBOM
-
-on:
-  push:
-  pull_request:
-  workflow_dispatch: {}
-
-permissions:
-  contents: read
-  security-events: write
-
-jobs:
-  # 1. Prepare Poetry & Assured OSS environment (with caching)
-  prepare:
-    uses: ./.github/workflows/templates/prepare-poetry.yml
-    with:
-      GCP_SA_JSON: ${{ secrets.GCP_SA_JSON }}
-    secrets:
-      GCP_SA_JSON: ${{ secrets.GCP_SA_JSON }}
-
-  sbom:
-    name: Generate & Validate SBOM
-    needs: prepare
-    runs-on: ubuntu-22.04
-
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Verify no public PyPI fallbacks
-        run: poetry run nox -s verify_assured
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
-
-      - name: Install Trivy & wget
-        run: |
-          sudo apt-get update && sudo apt-get install -y wget
-          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh \
-            | sh -s -- -b /usr/local/bin
-
-      - name: Run SBOM Validate via Poetry
-        run: poetry run nox -s sbom_validate
-
-      - name: Upload SBOM artifact
-        uses: actions/upload-artifact@v4
-        with:
-          name: sbom-cyclonedx
-          path: docs/generated/sbom/sbom.cdx.json
-          retention-days: 7