cisagov · jsf9k · Feb 24, 2025 · Feb 24, 2025 · Feb 24, 2025 · Feb 24, 2025
@@ -22,6 +22,8 @@ updates:
     #   - dependency-name: hashicorp/setup-terraform
     #   - dependency-name: mxschmitt/action-tmate
     #   - dependency-name: step-security/harden-runner
+    #   # Managed by cisagov/skeleton-action-composite
+    #   - dependency-name: zyactions/semver
     package-ecosystem: github-actions
     schedule:
       interval: weekly

@@ -140,7 +140,7 @@ jobs:
           PACKAGE_URL: honnef.co/go/tools/cmd/staticcheck
           PACKAGE_VERSION: ${{ steps.setup-env.outputs.staticcheck-version }}
         run: go install ${PACKAGE_URL}@${PACKAGE_VERSION}
-      # TODO: https://github.com/cisagov/skeleton-action-composite/issues/165
+      # TODO: https://github.com/cisagov/skeleton-generic/issues/165
       # We are temporarily using @mcdonnnj's forked branch of terraform-docs
       # until his PR: https://github.com/terraform-docs/terraform-docs/pull/745
       # is approved. This temporary fix will allow for ATX header support when

@@ -0,0 +1,89 @@
+---
+name: release
+
+on:
+  release:
+    types:
+      - released
+
+# Set a default shell for any run steps. The `-Eueo pipefail` sets
+# errtrace, nounset, errexit, and pipefail. The `-x` will print all
+# commands as they are run. Please see the GitHub Actions
+# documentation for more information:
+# https://docs.github.com/en/actions/using-jobs/setting-default-values-for-jobs
+defaults:
+  run:
+    shell: bash -Eueo pipefail -x {0}
+
+jobs:
+  diagnostics:
+    name: Run diagnostics
+    # This job does not need any permissions
+    permissions: {}
+    runs-on: ubuntu-latest
+    steps:
+      # Note that a duplicate of this step must be added at the top of
+      # each job.
+      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
+        with:
+          # Uses the organization variable unless overridden
+          config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
+      # Note that a duplicate of this step must be added at the top of
+      # each job.
+      - id: harden-runner
+        name: Harden the runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+      - id: github-status
+        name: Check GitHub status
+        uses: crazy-max/ghaction-github-status@v4
+      - id: dump-context
+        name: Dump context
+        uses: crazy-max/ghaction-dump-context@v2
+  release:
+    needs:
+      - diagnostics
+    permissions:
+      # We need write permission to move tags
+      contents: write
+    runs-on: ubuntu-latest
+    steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
+        with:
+          # Uses the organization variable unless overridden
+          config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
+      - id: harden-runner
+        name: Harden the runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+      - id: extract-semver-parts
+        name: Extract semver parts
+        uses: zyactions/semver@v1
+        with:
+          # This input consists of a newline-separated list of version
+          # prefixes, so in the interest of future expansion we go
+          # ahead and use the YAML multiline literal style indicator.
+          prefixes: |
+            v
+      - id: checkout-code
+        name: Checkout the code
+        uses: actions/checkout@v4
-      - id: checkout-code
-        name: Checkout the code
-        uses: actions/checkout@v4
+      - uses: actions/checkout@v4
-      - id: checkout-code
-        name: Checkout the code
-        uses: actions/checkout@v4
+      - uses: actions/checkout@v4
+      - id: move-tags
+        # Just in case...
+        if: ${{ steps.extract-semver-parts.outputs.valid == 'true' }}
+        name: Move tags
+        run: |
+          major_tag=v${{ steps.extract-semver-parts.outputs.major }}
+          major_minor_tag=${major_tag}.${{ steps.extract-semver-parts.outputs.minor }}
+          # Delete old tags remotely, if they exist
+          git ls-remote --exit-code --tags origin ${major_tag} \
+          && git push origin --delete ${major_tag}
+          git ls-remote --exit-code --tags origin ${major_minor_tag} \
+          && git push origin --delete ${major_minor_tag}
+          # Create new tags locally
+          git tag ${major_tag}
+          git tag ${major_minor_tag}
+          # Push up new tags
+          git push origin ${major_tag} ${major_minor_tag}
@@ -2,15 +2,57 @@
 
 [![GitHub Build Status](https://github.com/cisagov/skeleton-action-composite/workflows/build/badge.svg)](https://github.com/cisagov/skeleton-action-composite/actions)
 
-This is a generic skeleton project that can be used to quickly get a
-new [cisagov](https://github.com/cisagov) GitHub project started.
-This skeleton project contains [licensing information](LICENSE), as
-well as [pre-commit hooks](https://pre-commit.com) and
-[GitHub Actions](https://github.com/features/actions) configurations
+This is a skeleton project that can be used to quickly get a new
+[cisagov](https://github.com/cisagov) [GitHub composite
+action](https://docs.github.com/en/actions/sharing-automations/creating-actions/about-custom-actions#composite-actions)
+project started.  This skeleton project contains [licensing
+information](LICENSE), as well as [pre-commit
+hooks](https://pre-commit.com) and [GitHub
+Actions](https://github.com/features/actions) configurations
 appropriate for the major languages that we use.
 
-In many cases you will instead want to use one of the more specific
-skeleton projects derived from this one.
+## Usage ##
+
+### Inputs ###
+
+None.
+<!--
+| Name | Description | Interpreted Type | Default | Required |
+|------|-------------|------------------|---------|:--------:|
+| input_name | The input's description. | `string` | n/a | yes |
+-->
+
+### Outputs ###
+
+None.
+<!--
+| Name | Description | Output Type |
+|------|-------------|-------------|
+| output_name | The output's description. | `output_type` |
+-->
+
+### Sample GitHub Actions workflow ###
+
+This GitHub Action only prints a notify annotation on the runner and
+therefore requires no permissions.
+
+```yml
+---
+name: The workflow
+
+on:
+  pull_request:
+  push:
+
+jobs:
+  my_job:
+    # This job does not need any permissions
+    permissions: {}
+    runs-on: ubuntu-latest
+    steps:
+      - name: Say hello
+        uses: cisagov/skeleton-action-composite@v1
+```
 
 ## New Repositories from a Skeleton ##
 

@@ -0,0 +1,15 @@
+---
+author: Cybersecurity and Infrastructure Security Agency
+branding:
+  color: blue
+  icon: help-circle
+description: Skeleton GitHub composite action.
+name: Skeleton
+
+runs:
+  using: composite
+  steps:
+    - id: my-id
+      name: Say hello
+      run: "echo ::notice:: Hello, world!"
+      shell: bash
@@ -0,0 +1,172 @@
+#!/usr/bin/env bash
+
+# bump-version [--push] [--label LABEL] (major | minor | patch | prerelease | build | finalize | show)
+# bump-version --list-files
+
+set -o nounset
+set -o errexit
+set -o pipefail
+
+# Stores the canonical version for the project.
+VERSION_FILE=version.txt
+# Files that should be updated with the new version.
+VERSION_FILES=("$VERSION_FILE")
+
+USAGE=$(
+  cat << END_OF_LINE
+Update the version of the project.
+
+Usage:
+  ${0##*/} [--push] [--label LABEL] (major | minor | patch | prerelease | build | finalize | show)
+  ${0##*/} --list-files
+  ${0##*/} (-h | --help)
+
+Options:
+  -h | --help    Show this message.
+  --push         Perform a \`git push\` after updating the version.
+  --label LABEL  Specify the label to use when updating the build or prerelease version.
+  --list-files   List the files that will be updated when the version is bumped.
+END_OF_LINE
+)
+
+old_version=$(< "$VERSION_FILE")
+# Comment out periods so they are interpreted as periods and don't
+# just match any character
+old_version_regex=${old_version//\./\\\.}
+new_version="$old_version"
+
+bump_part=""
+label=""
+commit_prefix="Bump"
+with_push=false
+commands_with_label=("build" "prerelease")
+commands_with_prerelease=("major" "minor" "patch")
+with_prerelease=false
+
+#######################################
+# Display an error message, the help information, and exit with a non-zero status.
+# Arguments:
+#   Error message.
+#######################################
+function invalid_option() {
+  echo "$1"
+  echo "$USAGE"
+  exit 1
+}
+
+#######################################
+# Bump the version using the provided command.
+# Arguments:
+#   The version to bump.
+#   The command to bump the version.
+# Returns:
+#   The new version.
+#######################################
+function bump_version() {
+  local temp_version
+  temp_version=$(python -c "import semver; print(semver.parse_version_info('$1').${2})")
+  echo "$temp_version"
+}
+
+if [ $# -eq 0 ]; then
+  echo "$USAGE"
+  exit 1
+else
+  while [ $# -gt 0 ]; do
+    case $1 in
+      --push)
+        if [ "$with_push" = true ]; then
+          invalid_option "Push has already been set."
+        fi
+
+        with_push=true
+        shift
+        ;;
+      --label)
+        if [ -n "$label" ]; then
+          invalid_option "Label has already been set."
+        fi
+
+        label="$2"
+        shift 2
+        ;;
+      build | finalize | major | minor | patch)
+        if [ -n "$bump_part" ]; then
+          invalid_option "Only one version part should be bumped at a time."
+        fi
+
+        bump_part="$1"
+        shift
+        ;;
+      prerelease)
+        with_prerelease=true
+        shift
+        ;;
+      show)
+        echo "$old_version"
+        exit 0
+        ;;
+      -h | --help)
+        echo "$USAGE"
+        exit 0
+        ;;
+      --list-files)
+        printf '%s\n' "${VERSION_FILES[@]}"
+        exit 0
+        ;;
+      *)
+        invalid_option "Invalid option: $1"
+        ;;
+    esac
+  done
+fi
+
+if [ -n "$label" ] && [ "$with_prerelease" = false ] && [[ ! " ${commands_with_label[*]} " =~ [[:space:]]${bump_part}[[:space:]] ]]; then
+  invalid_option "Setting the label is only allowed for the following commands: ${commands_with_label[*]}"
+fi
+
+if [ "$with_prerelease" = true ] && [ -n "$bump_part" ] && [[ ! " ${commands_with_prerelease[*]} " =~ [[:space:]]${bump_part}[[:space:]] ]]; then
+  invalid_option "Changing the prerelease is only allowed in conjunction with the following commands: ${commands_with_prerelease[*]}"
+fi
+
+label_option=""
+if [ -n "$label" ]; then
+  label_option="token='$label'"
+fi
+
+if [ -n "$bump_part" ]; then
+  if [ "$bump_part" = "finalize" ]; then
+    commit_prefix="Finalize"
+    bump_command="finalize_version()"
+  elif [ "$bump_part" = "build" ]; then
+    bump_command="bump_${bump_part}($label_option)"
+  else
+    bump_command="bump_${bump_part}()"
+  fi
+  new_version=$(bump_version "$old_version" "$bump_command")
+  echo Changing version from "$old_version" to "$new_version"
+fi
+
+if [ "$with_prerelease" = true ]; then
+  bump_command="bump_prerelease($label_option)"
+  temp_version=$(bump_version "$new_version" "$bump_command")
+  echo Changing version from "$new_version" to "$temp_version"
+  new_version="$temp_version"
+fi
+
+tmp_file=/tmp/version.$$
+for version_file in "${VERSION_FILES[@]}"; do
+  if [ ! -f "$version_file" ]; then
+    echo Missing expected file: "$version_file"
+    exit 1
+  fi
+  sed "s/$old_version_regex/$new_version/" "$version_file" > $tmp_file
+  mv $tmp_file "$version_file"
+done
+
+git add "${VERSION_FILES[@]}"
+git commit --message "$commit_prefix version from $old_version to $new_version"
+
+if [ "$with_push" = true ]; then
+  git push
+fi
@@ -1,2 +1,4 @@
+# The bump-version script requires at least version 3 of semver.
+semver>=3
 setuptools
 wheel
@@ -0,0 +1 @@
+1.0.0-rc.8