ci(release): branch protection improvements (#58)

* ci(release-manifest): sync prerelease and release manifest

* ci(release): remove initial checks
- the checks will run once the PR is created as a required check

* ci(release): add RELEASE_WORKFLOW_TOKEN
- in order for the PR to run the required checks

* ci(release): move prelease-manifest update to release-config

- the steps would require permission to push in to main but this is not possible because of branch protection
- to avoid it all together we add it in the release PR instead

* ci(workflows): update and document triggers

Author: Aaron-Ritter

.github/release-config.json

@@ -2,7 +2,14 @@
   "release-type": "simple",
   "packages": {
     ".": {
-      "type": "generic"
+      "type": "generic",
+      "extra-files": [
+        {
+          "type": "json",
+          "path": ".github/prerelease-manifest.json",
+          "jsonpath": "$[\".\"]"
+        }
+      ]
     }
   }
 }

.github/release-manifest.json

@@ -1 +1,3 @@
-{".":"0.3.0"}
+{
+  ".": "0.3.0"
+}

.github/workflows/codeql-package.yml

@@ -1,10 +1,10 @@
 name: "Security and Code-Quality scan with CodeQL - Package"
 
 on:
-  push:
-    branches: [ "main" ]
+  # Triggers the workflow on pull request events but only for default and protected branches
   pull_request:
     branches: [ "main" ]
+  # Triggers the workflow on a schedule every Monday at 6:39 AM
   schedule:
     - cron: '39 6 * * 1'
   # Allows you to run this workflow manually from the Actions tab

.github/workflows/codeql-samples-quickstart.yml

@@ -1,12 +1,12 @@
 name: "Security and Code-Quality scan with CodeQL - Quickstart Sample"
 
 on:
-  push:
-    branches: [ "main" ]
+  # Triggers the workflow on pull request events but only for default and protected branches
   pull_request:
     branches: [ "main" ]
+  # Triggers the workflow on a schedule every Monday at 6:36 AM
   schedule:
-    - cron: '28 6 * * 1'
+    - cron: '36 6 * * 1'
   # Allows you to run this workflow manually from the Actions tab
   workflow_dispatch:
   # Triggers the workflow when it is called from another workflow

.github/workflows/e2e-test-fusionauth-latest-ios-latest.yml

@@ -1,7 +1,7 @@
 # This workflow performs a full End 2 End test of the App
 # It runs the test on the last 5 iOS releases.
 
-name: E2E Test with latest FusionAuth
+name: E2E Test with latest FusionAuth and latest iOS
 
 on:
   # Triggers the workflow on pull request events but only for default and protected branches

.github/workflows/mobsf.yml

@@ -1,10 +1,10 @@
 name: "Vulnerability Scan with MobSF"
 
 on:
-  push:
-    branches: [ "main" ]
+  # Triggers the workflow on pull request events but only for default and protected branches
   pull_request:
     branches: [ "main" ]
+  # Triggers the workflow on a schedule every Monday at 6:30 AM
   schedule:
     - cron: '30 6 * * 1'
   # Allows you to run this workflow manually from the Actions tab

.github/workflows/release.yaml

@@ -53,32 +53,12 @@ jobs:
     name: Run Prerelease E2E Tests
     uses: ./.github/workflows/e2e-test-fusionauth-latest-ios-latest.yml
 
-  # This job runs a MobSF scan as a prerequisite for the prerelease-prep
-  mobsf:
-    name: Run Prerelease MobSF Scan
-    uses: ./.github/workflows/mobsf.yml
-
-  # This job runs a SwiftLint scan as a prerequisite for the prerelease-prep
-  swiftlint:
-    name: Run Prerelease Swiftlint
-    uses: ./.github/workflows/swiftlint.yml
-
-  # This job runs a CodeQL package scan as a prerequisite for the prerelease-prep
-  codeql-package:
-    name: Run Prerelease CodeQL Package Scan
-    uses: ./.github/workflows/codeql-package.yml
-
-  # This job runs a CodeQL samples quickstart scan as a prerequisite for the prerelease-prep
-  codeql-samples-quickstart:
-    name: Run Prerelease CodeQL Samples Quickstart Scan
-    uses: ./.github/workflows/codeql-samples-quickstart.yml
-
   # This job creates or finalizes a prerelease pull request or finalizes a release pull request
   # and provides the necessary outputs for the subsequent jobs
   prerelease-prep:
     name: Create Prerelease Pull Request
     runs-on: ubuntu-latest
-    needs: [ label-check, initial-e2e-test, mobsf, swiftlint, codeql-package, codeql-samples-quickstart ]
+    needs: [ label-check, initial-e2e-test ]
     outputs:
       # This output is used to determine if a release was created
       releases_created: ${{ steps.release.outputs.releases_created }}
@@ -91,6 +71,7 @@ jobs:
         with:
           config-file: ".github/prerelease-config.json"
           manifest-file: ".github/prerelease-manifest.json"
+          token: ${{ secrets.RELEASE_WORKFLOW_TOKEN }}
 
   # This job runs tests before the creation of the prerelease
   prerelease-test:
@@ -137,6 +118,7 @@ jobs:
         with:
           config-file: ".github/release-config.json"
           manifest-file: ".github/release-manifest.json"
+          token: ${{ secrets.RELEASE_WORKFLOW_TOKEN }}
 
   # This job runs post-prerelease steps
   post-prerelease:
@@ -162,25 +144,6 @@ jobs:
         run: |
           echo "Running release step!"
 
-      - name: Checkout
-        uses: actions/checkout@v4.2.2
-
-      - name: Sync prerelease manifest
-        env:
-          MANIFEST_PATH: .github/prerelease-manifest.json
-          RELEASE_TAG: ${{ needs.prerelease-prep.outputs.tag_name }}
-        run: |
-          jq --arg tag "${RELEASE_TAG//v/}" '.["."] = $tag' $MANIFEST_PATH > temp.json \
-            && mv temp.json $MANIFEST_PATH
-
-      - name: Commit change
-        run: |
-          git config user.name "github-actions[bot]"
-          git config user.email "github-actions[bot]@users.noreply.github.com"
-          git add . $MANIFEST_PATH
-          git commit -m "chore: sync release manifests"
-          git push
-
   # This job runs post-release steps
   post-release:
     name: Post Release Steps

.github/workflows/swiftlint.yml

@@ -1,10 +1,10 @@
 name: "Code-Quality scan with SwiftLint"
 
 on:
-  push:
-    branches: [ "main" ]
+  # Triggers the workflow on pull request events but only for default and protected branches
   pull_request:
     branches: [ "main" ]
+  # Triggers the workflow on a schedule every Monday at 6:33 AM
   schedule:
     - cron: '33 6 * * 1'
   # Allows you to run this workflow manually from the Actions tab