ci: refactor release #906

Merged
merged 12 commits into from
Nov 7, 2023

@chrisgacsal chrisgacsal commented Nov 6, 2023

Description

Refactor the way VMClarity is released in order to have more flexibility regarding the content of the Release Notes and how artifacts are assembled and published.

Notable Changes

How release artifacts are bundled

The Makefile is extended with targets grouped under the Release section.

$ make help
...
Release
  dist-vmclarity-cli              Create vmclarity-cli release artifacts
  dist-cloudformation             Create AWS CloudFormation release artifacts
  dist-bicep                      Create Azure Bicep release artifacts
  dist-docker-compose             Create Docker Compose release artifacts
  dist-gcp-deployment             Create Google Cloud Deployment bundle
  dist-helm-chart                 Create Helm Chart bundle
  publish-helm-chart              Publish Helm Chart bundle to OCI registry
  generate-release-notes          Generate Release Notes
  • dist-* targets are for packaging installation manifests targeting platforms which are supported by VMClarity for deployment
  • publish-helm-chart target is meant to be used only from CI for publishing Helm Chart to OCI registry (currently ghcr.io/openclarity/charts)
  • generate-release-notes target invokes git-cliff to generate CHANGELOG.md

All artifacts generated are under the dist directory.

How artifacts are generated

Each artifact bundle includes a tarball and a SHA256 digest file. Artifacts are updated with the latest release information before packaging.

There is a special <artifact-name>.bundle file created for each bundle which is used to conform make when it comes to detecting changes.

How release notes are generated

Previously the Release Notes were generated by GitHub; however, we wanted to have a more sophisticated solution for this in order to have more structured and detailed information shared for each release.

Release Notes are generated by using git-cliff, which provides the flexibility we need, such as:

  • generating Release Notes/Changelog using custom Tera templates
  • support for Conventional Commits, which we have recently adopted for the VMClarity project
  • grouping changes based on their type and scope

Artifacts published

aws-cloudformation-1.1.1.tar.gz
aws-cloudformation-1.1.1.tar.gz.sha256sum
azure-bicep-1.1.1.tar.gz
azure-bicep-1.1.1.tar.gz.sha256sum
docker-compose-1.1.1.tar.gz
docker-compose-1.1.1.tar.gz.sha256sum
gcp-deployment-1.1.1.tar.gz
gcp-deployment-1.1.1.tar.gz.sha256sum
vmclarity-cli-1.1.1-darwin-amd64.tar.gz
vmclarity-cli-1.1.1-darwin-amd64.tar.gz.sha256sum
vmclarity-cli-1.1.1-darwin-arm64.tar.gz
vmclarity-cli-1.1.1-darwin-arm64.tar.gz.sha256sum
vmclarity-cli-1.1.1-linux-amd64.tar.gz
vmclarity-cli-1.1.1-linux-amd64.tar.gz.sha256sum
vmclarity-cli-1.1.1-linux-arm64.tar.gz
vmclarity-cli-1.1.1-linux-arm64.tar.gz.sha256sum

How release is created

A new release can be triggered the same way as before by creating and pushing a new annotated git tag.
In future releases we might want to use the body of the git tag for populating the header of the Release Notes
by including important changes/milestones included in the release. git-cliff makes it easy to do.

The CI pipeline is adjusted to allow pushing git tags for RC releases. Please note that the tags must conform to the semver specification, with the exception of having a v prefix added to the version string used in tags.

Enforcing valid semver git tags for releases is not in place and will be added at a later point.

What happened to goreleaser

goreleaser is an awesome project and served us well; however, some of the features we would like to use are only available in the paid version.
So we had to replace the functionality provided by goreleaser with other tools.

Type of Change

[ ] Bug Fix
[ ] New Feature
[ ] Breaking Change
[x] Refactor
[ ] Documentation
[ ] Other (please describe)

Checklist

  • I have read the contributing guidelines
  • Existing issues have been referenced (where applicable)
  • I have verified this change is not present in other open pull requests
  • Functionality is documented
  • All code style checks pass
  • New code contribution is covered by automated tests
  • All new and existing tests pass
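
For consumers of the tarball and digest pairs listed in the description, a fail-closed verification step looks like this. It is an added example, not code from this pull request; the function names are hypothetical, and it assumes each .sha256sum file uses the `sha256sum` output format, which the page does not show.

```shell
#!/usr/bin/env bash
# Added example: verify release tarballs against their .sha256sum companions.
# Assumption: digest files hold "<64 hex chars>  <file name>" (sha256sum format).

# Print the SHA-256 hex digest of a file.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Verify one tarball. Returns 0 on match, 1 on mismatch,
# 2 when the tarball or digest file is missing or the digest is malformed.
verify_artifact() {
  file=$1
  sumfile="$file.sha256sum"
  [ -f "$file" ] && [ -f "$sumfile" ] || return 2
  expected=$(cut -d' ' -f1 "$sumfile" | head -n1 | tr 'A-F' 'a-f')
  # Reject anything that is not exactly 64 hex characters.
  printf '%s' "$expected" | grep -Eq '^[0-9a-f]{64}$' || return 2
  [ "$(sha256_of "$file")" = "$expected" ] || return 1
}

# Verify every *.tar.gz in a directory. Fails if any check fails
# or if the directory holds no tarballs at all.
verify_dist() {
  dir=$1; seen=0; failed=0
  for tarball in "$dir"/*.tar.gz; do
    [ -e "$tarball" ] || continue
    seen=1
    if verify_artifact "$tarball"; then
      echo "OK       ${tarball##*/}"
    else
      echo "FAILED   ${tarball##*/}" >&2
      failed=1
    fi
  done
  [ "$seen" -eq 1 ] && [ "$failed" -eq 0 ]
}

# Constructed demo: a throwaway directory with one bundle named as on this page.
demo=$(mktemp -d)
f="$demo/docker-compose-1.1.1.tar.gz"
printf 'constructed sample payload\n' > "$f"
printf '%s  %s\n' "$(sha256_of "$f")" "${f##*/}" > "$f.sha256sum"
verify_dist "$demo" && echo "dist verified"
rm -rf "$demo"
```

A digest published next to the tarball only detects corruption or partial downloads; it gives no protection if the release location itself is modified.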

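The description notes that enforcement of valid semver tags is not yet in place. One way such a gate could be written, as an added example that is not part of this pull request: `tag_kind` is a hypothetical helper that applies the SemVer 2.0.0 grammar with a mandatory v prefix and separates final releases from pre-releases such as RCs.

```shell
#!/usr/bin/env bash
# Added example: classify a git tag as a final release, a pre-release
# (for instance an RC), or invalid, per SemVer 2.0.0 with a "v" prefix.
# tag_kind is a hypothetical helper name, not part of VMClarity.

NUM='(0|[1-9][0-9]*)'                                  # numeric part, no leading zeros
PRE_ID='(0|[1-9][0-9]*|[0-9]*[a-zA-Z-][0-9a-zA-Z-]*)'  # pre-release identifier
BUILD_ID='[0-9a-zA-Z-]+'                               # build metadata identifier
SEMVER_TAG_RE="^v${NUM}[.]${NUM}[.]${NUM}(-${PRE_ID}([.]${PRE_ID})*)?([+]${BUILD_ID}([.]${BUILD_ID})*)?\$"

# Print "release", "prerelease" or "invalid"; return non-zero for invalid tags.
tag_kind() {
  if ! printf '%s\n' "$1" | LC_ALL=C grep -Eq "$SEMVER_TAG_RE"; then
    echo invalid
    return 1
  fi
  # Strip build metadata first: a "-" after "+" is not a pre-release marker.
  case "${1%%+*}" in
    *-*) echo prerelease ;;
    *)   echo release ;;
  esac
}

# Constructed sample tags, including the common mistakes a gate should reject.
for tag in v1.1.1 v1.2.0-rc.1 v1.1.1+build-5 1.1.1 v1.01.0 v1.1 v1.1.1-rc.01; do
  printf '%-16s %s\n' "$tag" "$(tag_kind "$tag")"
done
```

In a tag-triggered pipeline the function would be called with the pushed tag name before any artifact is built, so an invalid tag stops the release job early.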
@chrisgacsal chrisgacsal self-assigned this Nov 6, 2023
chrisgacsal commented Nov 6, 2023

Example for CHANGELOG generated.

1.1.1 - 2023-11-06

Bug Fixes

  • (helm) Use valid semver in version field
  • (ui) Show container names and location on asset scans and findings pages (#900)
  • Address for services in Orchestrator config (#896)
  • (ui) Improved formatting for exploits and vulnerabilities in asset scan details (#891)
  • (ui) Rename "Asset Query" to "Scope" (#893)
  • Use internal service address in Docker (#892)
  • Chkrootkit binary detection (#883) (#879)
  • Missing Yara Rule Server address (#888)
  • Lynis testDB path (#886)
  • Chkrootkit binary detection (#883)
  • (ui) Add empty value indications (#868)
  • (ui) Use replace navigation when needed (#870)
  • (ui) Fix value in VULNERABILITY_SEVERITY_ITEMS (#867)
  • (ui) Add empty list indication to dashboard widgets (#866)
  • (ui) Separate asset drilldown types (#860)
  • Add yara rule server to helm chart (#840)
  • Trivy scan timeout config (#844)
  • (uibackend) Add greater than 0 findings condition to risk assets (#848)
  • Yara server address in azure deployment (#839)
  • (postgres) Ensure that we use the correct JSON sql for delete by ID (#816)
  • (ui) Ensure that UI nginx routes to index.html as fallback (#824)
  • Azure deploy template have wrong values as defaults (#805)
  • (install) Fix the postgres host name (#798)
  • (ui) Name, location, platform, image, launch time of assets (#791)
  • (scan) Change exploit db address to the apiserver public ip (#779)
  • (provider) Wrong container image name (#772)
  • (e2e) Images env vars not applied by docker (#782)
  • (docker) Run docker from within the container (#762)
  • (odatasql) Ensure that $filter works for complex types (#742)
  • Missing DirInfo and PodInfo OData schemas (#740)
  • (scan estimation) Reconcile timeout state to failed instead of aborted (#727)
  • OpenAPI generator version (#706)
  • (make) Remove deprecated clean-backend and run go mod tidy in all modules (#705)
  • (provider) Skip mark terminated if asset found but patch failed (#614)
  • (lint) Failing linter for go modules (#620)
  • (apiserver) Change odata filter in check uniqueness for containers and images (#618)
  • (ui-backend) Reduce recalculation interval (#606)
  • Golangci-lint to test multiple modules (#596)
  • (link) Contributing guide link (#567)
  • Scan timeout not working (#542)
  • Benchmark cache map by input instead of input type (#530)
  • (cli) Subcommands (#513)
  • (cfn) Update explot db server version (#507)
  • Resolve aws volume attachment check (#450)
  • ScanResults stuck in aborted state (#427)

Documentation

  • (readme) Updated roadmap link (#885) (#887)
  • Add RFC template (#843)
  • Add workflow status and go report card to readme file (#663)
  • Add slack invite to README (#568)
  • Update api url and scan config example (#543)
  • Update scope in configuration examples (#474)

Features

  • Installing tools to Makefile (#838)
  • Bump docker-compose version (#828)
  • Bump go version to 1.21 (#792)
  • (api) Add annotations to all high level API objects (#765)
  • (yara) Error threshold (#732)
  • Add effective scan config to assetScan annotations (#739)
  • (api) Add provider to asset and to asset scan (#726)
  • (api) Add new provider api object (#714)
  • Raw yara rule sources (#725)
  • (yara) Run command and parse output line by line (#716)
  • (api) Add allof metadata to assetscan (#724)
  • (scanresult) Resource cleanup status refactor (#689)
  • (api) Add annotations (#719)
  • (scan estimation) Add ttl to scanEstimation and assetScanEstimation (#688)
  • (scanners) Add support to all existing scanners for containers (#696)
  • (test) Report api output and service logs on failure (#697)
  • Yara support (#638)
  • Estimation time divided by parallel scans (#672)
  • Bump versions for k8s dependencies (#661)
  • (test) Build all services when running e2e tests (#660)
  • Bump golangci-lint version to 1.54.2 (#646)
  • Introduce helm chart for kubernetes installation (#633)
  • (test) Add end to end tests skeleton and some basic tests (#539)
  • (grype-server) Bump grype server version to v0.5.0 (#594)
  • Add healthz check to orchestrator and to ui backend (#593)
  • Add interactive API explorer to VMClarity (#496)
  • Collect scanner statistics during AssetScan (#473)
  • (cli) Commands for creating asset and asset scan (#500)
  • (docker) Create docker provider (#462)
  • Add GCP installer using GCP Deployment Manager (#449)
  • Add provider for Google Cloud Platform (#433)
  • Separate asset discovery from scanning (#438)
  • (cfn) Add arm64 support for controlplane (#441)
  • Update ubuntu server in cloudformation to 22.04 LTS (#411)
  • Switching backend to spf13/cobra (#431)

Miscellaneous Tasks

  • Publish release
  • Add changelog generation
  • Generate sha256sum for artifacts
  • Bundle and publish Helm Chart
  • Bundle GCP Deployment manifest(s)
  • Bundle Docker Compose manifest
  • Bundle Azure Bicep manifest(s)
  • Bundle Cloudformation artifact(s)
  • Build vmclarity-cli distribution
  • (ci) Run PR linter once (#901)
  • (ci) Use actions/cache for go caching (#796)
  • (ci) Lint PR title (#899)
  • Make e2e tests gating (#861)
  • (ci) Add license check (#842)
  • (e2e) Bump e2e deps (#790)
  • (ci) Cache cleanup script (#783)
  • (ci) Cleanup published dev container images (#743)
  • (ci) Cleanup cache for PRs (#746)
  • (ci) Re-enable end-to-end testing (#744)
  • (ci) Verification workflow (#745)
  • (ci) Push dev images to dedicated repo (#735)
  • (ci) Image tag in CFN template on release (#736)
  • (ci) Image push on merge to main (#733)
  • (ci) Improve CI pipeline (#729)
  • (ci) Add actionlint (#728)
  • (test) Add e2e tests to ci pipeline (#602)
  • Increase lint timeout (#569)
  • (exploitdb) Update exploit db image tag in azure and gcp (#508)

Refactor

  • Go binary build
  • (helm) Provider in Orchestrator config (#897)
  • Rm bin path from Orchestrator config (#865)
  • Image vars names in compose files (#863)
  • Mv Helm charts to installation dir (#862)
  • (orchestrator) Remove bind mount in docker provider (#855)
  • Orchestrator config (#432)
  • Makefile (#841)
  • (orchestrator) Rename client to provider (#846)
  • Cli tools (#814)
  • Dockerfiles (#827)
  • Fix spelling and improve consistency (#766)
  • Improve e2e documentation and small clean up (#683)

Testing

  • Replace default families scan with full families scan (#884)
  • (e2e) Make testenv pluginable (#773)

@chrisgacsal chrisgacsal added enhancement New feature or request ci Continious Integration related PRs labels Nov 6, 2023
@chrisgacsal chrisgacsal added this to the v0.6.0 milestone Nov 6, 2023
@chrisgacsal chrisgacsal marked this pull request as ready for review November 6, 2023 12:48
@chrisgacsal chrisgacsal requested a review from a team as a code owner November 6, 2023 12:48

github-actions bot commented Nov 6, 2023

Hey!

Your images are ready:

  • ghcr.io/openclarity/vmclarity-apiserver-dev:pr906-e397469cfe19850ac5e99faa8eac4a30fc072b38
  • ghcr.io/openclarity/vmclarity-orchestrator-dev:pr906-e397469cfe19850ac5e99faa8eac4a30fc072b38
  • ghcr.io/openclarity/vmclarity-ui-backend-dev:pr906-e397469cfe19850ac5e99faa8eac4a30fc072b38
  • ghcr.io/openclarity/vmclarity-ui-dev:pr906-e397469cfe19850ac5e99faa8eac4a30fc072b38
  • ghcr.io/openclarity/vmclarity-cli-dev:pr906-e397469cfe19850ac5e99faa8eac4a30fc072b38

@pbalogh-sa pbalogh-sa left a comment

LGTM

@chrisgacsal chrisgacsal added this pull request to the merge queue Nov 7, 2023
Merged via the queue into main with commit 78f68a6 Nov 7, 2023
34 checks passed
@chrisgacsal chrisgacsal deleted the refactor-ci-release branch November 7, 2023 09:34