fix: Fix tested platforms & Add publishing support (#519)

- Update tested platforms
- Remove testing for CentOS 7 & Fedora
- Add testing for CentOS Stream 9 & 10
- Add label workflow
- Prevent users from changing metadata.rb and any workflow
---------

Signed-off-by: Dan Webb <dan.webb@damacus.io>

Author: damacus

.github/workflows/changelog-check.yml

@@ -0,0 +1,60 @@
+---
+name: CHANGELOG Unreleased Section
+
+"on":
+  push: {branches: [main]}
+
+jobs:
+  check-changelog:
+    runs-on: ubuntu-latest
+    name: Verify CHANGELOG.md has unreleased entries
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v5
+
+      - name: Extract and validate Unreleased section
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const fs = require('fs');
+
+            // Read CHANGELOG.md
+            const changelog = fs.readFileSync('CHANGELOG.md', 'utf8');
+
+            // Split into lines
+            const lines = changelog.split('\n');
+
+            // Find the "## Unreleased" section
+            const unreleasedIndex = lines.findIndex(line => line.trim() === '## Unreleased');
+
+            if (unreleasedIndex === -1) {
+              core.setFailed('❌ ERROR: Could not find "## Unreleased" section in CHANGELOG.md');
+              return;
+            }
+
+            // Find the next "## " section (next version)
+            const nextSectionIndex = lines.findIndex((line, index) =>
+              index > unreleasedIndex && line.match(/^## \d+\.\d+\.\d+/)
+            );
+
+            // Extract content between sections
+            const endIndex = nextSectionIndex === -1 ? lines.length : nextSectionIndex;
+            const unreleasedLines = lines.slice(unreleasedIndex + 1, endIndex);
+
+            // Filter out empty lines and whitespace-only lines
+            const contentLines = unreleasedLines.filter(line =>
+              line.trim().length > 0
+            );
+
+            console.log('Extracted unreleased content:');
+            contentLines.forEach(line => console.log(line));
+            console.log('---');
+
+            // Check if there's any actual content
+            if (contentLines.length === 0) {
+              core.setFailed('❌ ERROR: CHANGELOG.md "## Unreleased" section is empty or contains only blank lines\nPlease add at least one entry describing the changes in this release.');
+            } else {
+              console.log(`✅ SUCCESS: CHANGELOG.md "## Unreleased" section contains entries`);
+              console.log(`Found ${contentLines.length} non-blank lines`);
+            }

.github/workflows/ci.yml

@@ -1,5 +1,5 @@
 ---
-name: ci
+name: Dokken Integration Tests
 
 "on":
   pull_request:
@@ -27,9 +27,9 @@ jobs:
           - "debian-12"
           - "ubuntu-2004"
           - "ubuntu-2204"
-          - "centos-stream-8"
           - "centos-stream-9"
-          - "fedora-latest"
+          # - "centos-stream-10" No candidate version available for pcre-devel
+          # - "fedora-latest"
         suite:
           - config-2
           - config-3
@@ -102,7 +102,7 @@ jobs:
     strategy:
       matrix:
         os:
-          - "centos-7"
+          - "centos-stream-9"
         suite:
           - "source-lua"
       fail-fast: false
@@ -127,8 +127,7 @@ jobs:
     strategy:
       matrix:
         os:
-          - "centos-7"
-          - "centos-stream-8"
+          - "centos-stream-9"
         suite:
           - "config-2"
           - "config-3"

.github/workflows/conventional-commits.yml

@@ -0,0 +1,19 @@
+name: 'Lint PR'
+
+on:
+  pull_request_target:
+    types:
+      - opened
+      - edited
+      - reopened
+
+jobs:
+  main:
+    name: Validate PR title
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: read
+    steps:
+      - uses: amannn/action-semantic-pull-request@v6
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/labels.yml

@@ -0,0 +1,21 @@
+name: Pull Request Labels
+on:
+  pull_request:
+    types: [opened, labeled, unlabeled, synchronize]
+jobs:
+  label:
+    name: Require Release Label
+    runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
+    steps:
+      - uses: mheap/github-action-required-labels@v5
+        with:
+          mode: exactly
+          count: 1
+          labels: |
+            Release: Major
+            Release: Minor
+            Release: Patch
+            Release: Skip

.github/workflows/prevent-file-change.yml

@@ -0,0 +1,33 @@
+---
+name: Prevent file change
+
+on:
+  pull_request_target:
+    branches: [main]
+
+jobs:
+  prevent-metadata-change:
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: read
+    steps:
+      - name: Prevent metadata.rb file change
+        uses: xalvarez/prevent-file-change-action@v2
+        with:
+          githubToken: ${{ secrets.GITHUB_TOKEN }}
+          pattern: metadata.rb
+          trustedAuthors: sous-chefs
+
+  prevent-workflow-change:
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: read
+    steps:
+      - name: Prevent workflow file change
+        uses: xalvarez/prevent-file-change-action@v2
+        with:
+          githubToken: ${{ secrets.GITHUB_TOKEN }}
+          pattern: .github/workflows
+          trustedAuthors: sous-chefs
+          closePR: true
+          allowNewFiles: false

.github/workflows/release.yml

@@ -0,0 +1,77 @@
+---
+name: release-please
+
+"on":
+  push:
+    tags: ["v*.*.*"]
+    branches: [main]
+
+permissions:
+  contents: write
+  packages: write
+  attestations: write
+  id-token: write
+
+jobs:
+  release-please:
+    runs-on: ubuntu-latest
+    outputs:
+      release_created: ${{ steps.release.outputs.release_created }}
+      tag_name: ${{ steps.release.outputs.tag_name }}
+      upload_url: ${{ steps.release.outputs.upload_url }}
+    steps:
+      - uses: googleapis/release-please-action@v4
+        id: release
+        with:
+          token: ${{ secrets.PORTER_GITHUB_TOKEN }}
+
+      - name: Checkout
+        uses: actions/checkout@v5
+        if: ${{ steps.release.outputs.release_created }}
+
+      - name: Upload cookbook as artifact
+        if: ${{ steps.release.outputs.release_created }}
+        uses: actions/upload-artifact@v4
+        with:
+          name: haproxy-cookbook-${{ steps.release.outputs.tag_name }}
+          path: |
+            .
+            !.git/
+            !.github/
+            !.kitchen/
+            !.vscode/
+            !documentation/
+            !.gitignore
+            !test/
+            !spec/
+          retention-days: 90
+          compression-level: 6
+
+      - name: Generate artifact attestation
+        if: ${{ steps.release.outputs.release_created }}
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-name: haproxy-cookbook-${{ steps.release.outputs.tag_name }}
+
+  publish-to-supermarket:
+    needs: release-please
+    if: ${{ needs.release-please.outputs.release_created }}
+    runs-on: ubuntu-latest
+    container:
+      image: chef/chefworkstation:latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v5
+
+      - name: Configure Chef credentials
+        run: |
+          mkdir -p ~/.chef
+          echo "${{ secrets.CHEF_SUPERMARKET_KEY }}" > ~/.chef/supermarket.pem
+          chmod 600 ~/.chef/supermarket.pem
+
+      - name: Publish to Chef Supermarket
+        run: |
+          knife supermarket share haproxy \
+            --supermarket-site https://supermarket.chef.io \
+            --key ~/.chef/supermarket.pem \
+            --user-name ${{ secrets.CHEF_SUPERMARKET_USER }}

CHANGELOG.md

@@ -4,6 +4,9 @@ This file is used to list changes made in each version of the haproxy cookbook.
 
 ## Unreleased
 
+- Remove testing for CentOS 7 & Fedora
+- Add testing for CentOS Stream 9 & 10
+
 ## 12.4.1 - *2025-09-04*
 
 ## 12.4.0 - *2024-12-09*

release-please-config.json

@@ -0,0 +1,6 @@
+{
+  "releaseType": "ruby",
+  "changelogPath": "CHANGELOG.md",
+  "versionFile": "version.rb",
+  "includeComponentInTag": false
+}

release-please-manifest.json

@@ -0,0 +1,3 @@
+{
+  ".": "12.4.1"
+}

version.rb

@@ -0,0 +1 @@
+VERSION = '12.4.1'.freeze