Skip to content

Commit c40b0ae

Browse files
ci: reduce LTS automated release and add zizmor (#296)
* ci: monthly automated release of LTS * ci: add zizmore scanning of actions * ci: add Dependabot cooldown * fix: include updated format-yaml-files.sh script Signed-off-by: Patrick Stephens <pat@telemetryforge.io>
1 parent a7b7962 commit c40b0ae

6 files changed

Lines changed: 66 additions & 19 deletions

File tree

.github/dependabot.yml

Lines changed: 6 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,13 +1,15 @@
11
version: 2
22
updates:
3-
- package-ecosystem: github-actions
4-
directory: /
3+
- package-ecosystem: "github-actions"
4+
directory: "/"
55
groups:
66
github-actions:
77
patterns:
88
- "*"
99
schedule:
1010
interval: daily
11+
cooldown:
12+
default-days: 7
1113

1214
- package-ecosystem: "docker"
1315
directory: "/"
@@ -17,3 +19,5 @@ updates:
1719
- "*"
1820
schedule:
1921
interval: daily
22+
cooldown:
23+
default-days: 7

.github/workflows/cron-auto-release.yaml

Lines changed: 6 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -2,11 +2,11 @@ name: Tag a new release
22
on:
33
schedule:
44
# 25.10 releases
5-
- cron: "0 10 * * 1"
5+
- cron: "0 14 1 * *"
66
# 26.4 releases
7-
- cron: "0 14 * * 1"
7+
- cron: "0 14 15 * *"
88
# Latest releases
9-
- cron: "0 10 * * 2"
9+
- cron: "0 10 * * 1"
1010
workflow_dispatch:
1111
inputs:
1212
branch:
@@ -50,21 +50,21 @@ jobs:
5050
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
5151

5252
- name: 25.10 run
53-
if: github.event_name == 'schedule' && github.event.schedule=='0 10 * * 1'
53+
if: github.event_name == 'schedule' && github.event.schedule=='0 14 1 * *'
5454
run: |
5555
echo "BRANCH=release/25.10-lts" >> $GITHUB_ENV
5656
echo "TAG_PREFIX=v25.10*" >> $GITHUB_ENV
5757
shell: bash
5858

5959
- name: 26.4 run
60-
if: github.event_name == 'schedule' && github.event.schedule=='0 14 * * 1'
60+
if: github.event_name == 'schedule' && github.event.schedule=='0 14 15 * *'
6161
run: |
6262
echo "BRANCH=release/26.4-lts" >> $GITHUB_ENV
6363
echo "TAG_PREFIX=v26.4*" >> $GITHUB_ENV
6464
shell: bash
6565

6666
- name: main run
67-
if: github.event_name == 'schedule' && github.event.schedule=='0 10 * * 2'
67+
if: github.event_name == 'schedule' && github.event.schedule=='0 10 * * 1'
6868
run: |
6969
echo "BRANCH=main" >> $GITHUB_ENV
7070
echo "TAG_PREFIX=v*" >> $GITHUB_ENV

.github/workflows/lint.yaml

Lines changed: 38 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -28,6 +28,8 @@ jobs:
2828
with:
2929
egress-policy: ${{ env.STEP_SECURITY_EGRESS_POLICY }}
3030
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
31+
with:
32+
persist-credentials: false
3133
# Ignores do not work: https://github.com/reviewdog/action-hadolint/issues/35 is resolved
3234
- uses: reviewdog/action-hadolint@921946a7ebaaf08ac72607bad67209f4e52b5407 # v1.50.5
3335

@@ -44,6 +46,8 @@ jobs:
4446
with:
4547
egress-policy: ${{ env.STEP_SECURITY_EGRESS_POLICY }}
4648
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
49+
with:
50+
persist-credentials: false
4751
- uses: reviewdog/action-shellcheck@4c07458293ac342d477251099501a718ae5ef86e # v1.32.0
4852
with:
4953
reporter: github-pr-review
@@ -65,6 +69,8 @@ jobs:
6569
with:
6670
egress-policy: ${{ env.STEP_SECURITY_EGRESS_POLICY }}
6771
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
72+
with:
73+
persist-credentials: false
6874
- run: |
6975
echo "::add-matcher::.github/actionlint-matcher.json"
7076
bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash)
@@ -80,6 +86,8 @@ jobs:
8086
with:
8187
egress-policy: ${{ env.STEP_SECURITY_EGRESS_POLICY }}
8288
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
89+
with:
90+
persist-credentials: false
8391
- run: ./scripts/format-yaml-files.sh
8492
shell: bash
8593

@@ -141,7 +149,37 @@ jobs:
141149
with:
142150
egress-policy: ${{ env.STEP_SECURITY_EGRESS_POLICY }}
143151
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
152+
with:
153+
persist-credentials: false
144154
- uses: suzuki-shunsuke/pinact-action@cf51507d80d4d6522a07348e3d58790290eaf0b6 # v2.0.0
145155
with:
146156
skip_push: "true"
147157
review: "true"
158+
159+
zizmor-lint:
160+
runs-on: ubuntu-latest
161+
name: PR - Zizmor
162+
# https://docs.zizmor.sh/
163+
permissions:
164+
security-events: write # Required for upload-sarif (used by zizmor-action) to upload SARIF files.
165+
# contents: read # Only needed for private repos. Needed to clone the repo.
166+
# actions: read # Only needed for private repos. Needed for upload-sarif to read workflow run info.
167+
steps:
168+
- name: Harden the runner
169+
uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
170+
with:
171+
egress-policy: ${{ env.STEP_SECURITY_EGRESS_POLICY }}
172+
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
173+
with:
174+
persist-credentials: false
175+
176+
- name: Run zizmor
177+
uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
178+
with:
179+
# We only want to scan our workflows, no other included source
180+
input: |
181+
".github/"
182+
# Upload to security tab in GitHub, requires permissions: security-events: write
183+
# Note this does not fail the workflow, just uploads the results to the security tab in GitHub
184+
advanced-security: true
185+
min-severity: "medium"

README.md

Lines changed: 3 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -27,7 +27,8 @@ It also has built-in functionality for:
2727

2828
| Version | Release Date | Type | End of Support | Status | Branch |
2929
| ------- | ------------ | ---- | -------------- | ------ | ------ |
30-
| **[26.10](https://github.com/orgs/telemetryforge/projects/5)** | Oct 2026 | LTS | Oct 2028 | 🟡 Planned | `main` |
30+
| **[27.4](https://github.com/orgs/telemetryforge/projects/6)** | Apr 2027 | LTS | Apr 2029 | 🟡 Planned | `main` |
31+
| **[26.10](https://github.com/orgs/telemetryforge/projects/5)** | Oct 2026 | LTS | Oct 2028 | 🟢 Active | `main` |
3132
| **[26.4](https://github.com/orgs/telemetryforge/projects/4)** | Apr 2026 | LTS | Apr 2028 | 🟢 Active | `release/26.4-lts` |
3233
| **[25.10](https://github.com/orgs/telemetryforge/projects/3)** | Oct 2025 | LTS | Oct 2027 | 🟢 Active | `release/25.10-lts` |
3334
| 25.07 | Jul 2025 | Regular | Jan 2026 | 🔴 EOL | |
@@ -41,7 +42,7 @@ Once it transitions to an LTS release then we maintain the major and minor versi
4142
| ------------ | --------- | ----------- |
4243
| **LTS Release** | Twice yearly (April, October) | Long-term support for 24 months |
4344
| **Regular Release** | Quarterly | 6-month support cycle |
44-
| **Security Updates** | Weekly | CVE patches and critical fixes |
45+
| **Security Updates** | Monthly or as needed | CVE patches and critical fixes |
4546
| **Patch Release** | As needed | Bug fixes and minor updates |
4647
| **Main Builds** | Weekly | Latest development builds from main branch |
4748

scripts/format-yaml-files.sh

Lines changed: 12 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -19,23 +19,26 @@ REPO_ROOT=${REPO_ROOT:-${SCRIPT_DIR}/..}
1919

2020
YAML_DIR=${YAML_DIR:-$REPO_ROOT/.github/workflows}
2121

22-
# Check if prettier is installed, if not install it globally
23-
if ! command -v prettier &> /dev/null
24-
then
25-
echo "prettier could not be found, installing it globally..."
26-
sudo npm install -g prettier
22+
if command -v prettier &> /dev/null; then
23+
PRETTIER_CMD=(prettier)
24+
elif command -v npx &> /dev/null; then
25+
PRETTIER_CMD=(npx --yes prettier)
26+
else
27+
echo "prettier is not available and npx is not installed."
28+
echo "Please install prettier or npm/npx."
29+
exit 1
2730
fi
2831

2932
# Format all yaml files in the directory
30-
find "$YAML_DIR" -name "*.yaml" -o -name "*.yml" | while read -r file; do
33+
find "$YAML_DIR" -type f \( -name "*.yaml" -o -name "*.yml" \) | while read -r file; do
3134
echo "Formatting $file"
32-
prettier --write "$file"
35+
"${PRETTIER_CMD[@]}" --write "$file"
3336
done
3437

3538
# Check if there are any changes after formatting
36-
if [[ -n $(git status --porcelain) ]]; then
39+
if [[ -n $(git -C "$REPO_ROOT" status --porcelain -- "$YAML_DIR") ]]; then
3740
echo "The following files were modified after formatting:"
38-
git status --porcelain
41+
git -C "$REPO_ROOT" status --porcelain -- "$YAML_DIR"
3942
echo "Please review the changes and commit them."
4043
exit 1
4144
else

zizmor.yml

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1 @@
1+
rules:

0 commit comments

Comments
 (0)