From 92f327b7ddbc3b4de2676db6f402f1d357666acf Mon Sep 17 00:00:00 2001
From: mkolasinski-splunk
Date: Fri, 7 Apr 2023 14:40:54 +0200
Subject: [PATCH] fix: update permissions and wf
---
 .../workflows/{main.yml => build-release.yml} | 83 +++++++++++++------
 .releaserc | 76 ++++++++++++-----
 action.yml | 2 +-
 3 files changed, 114 insertions(+), 47 deletions(-)
 rename .github/workflows/{main.yml => build-release.yml} (60%)
diff --git a/.github/workflows/main.yml b/.github/workflows/build-release.yml
similarity index 60%
rename from .github/workflows/main.yml
rename to .github/workflows/build-release.yml
index 945ba20..495cb87 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/build-release.yml
@@ -13,6 +13,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 # ########################################################################
+name: build release workflow
 on:
 push:
 branches:
@@ -24,36 +25,38 @@ on:
 branches:
 - "main"
 - "develop"
-
+permissions:
+ contents: read
+ packages: read
 jobs:
- build_action:
+ build:
+ name: Build
+ permissions:
+ actions: read
+ contents: read
+ checks: write
+ packages: write
+ statuses: write
 runs-on: ubuntu-latest
- name: Build Action
 steps:
 - name: Checkout
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
 with:
 submodules: recursive
 persist-credentials: false
- - uses: actions/setup-node@v2
- with:
- node-version: '14'
- - name: Install yq
- run: sudo snap install yq
 - name: Set up QEMU
- uses: docker/setup-qemu-action@v1
+ uses: docker/setup-qemu-action@v2.1.0
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v1
+ uses: docker/setup-buildx-action@v2.5.0
 - name: Login to GitHub Packages Docker Registry
- uses: docker/login-action@v1.9.0
+ uses: docker/login-action@v2.1.0
 with:
 registry: ghcr.io
 username: ${{ github.repository_owner }}
- password: ${{ secrets.GITHUB_TOKEN }}
-
+ password: ${{ github.token }}
 - name: Docker meta
 id: docker_action_meta
- uses: docker/metadata-action@v3
+ uses: docker/metadata-action@v4
 with:
 images: ghcr.io/${{ github.repository }}
 tags: |
@@ -69,7 +72,7 @@ jobs:
 type=sha,format=long
 - name: Build and push action
 id: docker_action_build
- uses: docker/build-push-action@v2
+ uses: docker/build-push-action@v4.0.0
 with:
 context: .
 push: true
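Review bot: The actions in the `build` job are still referenced by mutable tags (`actions/checkout@v3`, `docker/login-action@v2.1.0`, `docker/build-push-action@v4.0.0` and the other `uses:` lines in this hunk and the next), so a retagged upstream release would run with this job's `packages: write` token and its ghcr.io login. Pinning each one to a full commit SHA with the tag kept as a comment, e.g. `uses: docker/login-action@<full-commit-sha> # v2.1.0`, removes that dependency on tag stability; the same applies to the `uses:` lines in the `release` and `update-semver` jobs later in the file. The job-level `permissions` block also grants `checks: write` and `statuses: write`, which none of the steps visible here appears to use; if nothing outside the hunk needs them, drop both so the job keeps only what checkout and the registry push require.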
@@ -77,20 +80,46 @@ jobs:
 labels: ${{ steps.docker_action_meta.outputs.labels }}
 cache-to: type=inline
- - name: Semantic Release
- uses: cycjimmy/semantic-release-action@v2.5.4
+ release:
+ needs: build
+ name: Release
+ runs-on: ubuntu-latest
+ permissions:
+ actions: read
+ checks: write
+ contents: write
+ statuses: write
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
 with:
- semantic_version: 17
- extra_plugins: |
- @semantic-release/exec
- @semantic-release/git
+ submodules: false
+ persist-credentials: false
+ - name: Semantic release
+ id: semantic
+ uses: splunk/semantic-release-action@v1.3
 env:
 GITHUB_TOKEN: ${{ secrets.GH_TOKEN_ADMIN }}
+ with:
+ git_committer_name: ${{ secrets.SA_GH_USER_NAME }}
+ git_committer_email: ${{ secrets.SA_GH_USER_EMAIL }}
+ gpg_private_key: ${{ secrets.SA_GPG_PRIVATE_KEY }}
+ passphrase: ${{ secrets.SA_GPG_PASSPHRASE }}
+ extra_plugins: |
+ @google/semantic-release-replace-plugin
+
 update-semver:
- name: Move Respository semver tags
- if: startsWith(github.ref, 'refs/tags/v')
- needs: build_action
+ needs: release
+ name: Move Repository semver tags
 runs-on: ubuntu-latest
+ permissions:
+ actions: read
+ checks: write
+ contents: write
+ statuses: write
+ if: startsWith(github.ref, 'refs/tags/v')
 steps:
- - uses: actions/checkout@v2
- - uses: haya14busa/action-update-semver@v1
+ - name: Checkout
+ uses: actions/checkout@v3
+ - name: Update semver
+ uses: haya14busa/action-update-semver@v1.2
diff --git a/.releaserc b/.releaserc
index a0850a5..9432590 100644
--- a/.releaserc
+++ b/.releaserc
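Review bot: The new `release` job has no `if:` condition, so it runs for every event in the `on:` block and passes `secrets.GH_TOKEN_ADMIN`, `secrets.SA_GPG_PRIVATE_KEY` and `secrets.SA_GPG_PASSPHRASE` to the semantic-release step each time. The `on:` block is only partly visible, but it carries a second trigger with its own branch list, presumably `pull_request`. I would restrict the job to release pushes, e.g. `if: github.event_name == 'push'`, or bind it to a protected `environment:` so the admin token and signing key are only released for those runs. The same step installs `@google/semantic-release-replace-plugin` through `extra_plugins` with no version, so whatever is latest on the registry executes next to those secrets. If the action accepts the `name@version` form, pin it as `@google/semantic-release-replace-plugin@<reviewed-version>`.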
@@ -1,24 +1,62 @@
+#
+# Copyright 2023 Splunk Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
 {
- "branches": [
- '+([0-9])?(.{+([0-9]),x}).x',
- 'main',
- 'next',
- 'next-major',
+ branches:
+ [
+ "+([0-9])?(.{+([0-9]),x}).x",
+ "main",
+ { name: "develop", prerelease: "beta", channel: "beta" },
+ ],
+ plugins:
+ [
+ "@semantic-release/commit-analyzer",
+ [
+ "@google/semantic-release-replace-plugin",
 {
- name: 'develop',
- prerelease: true
+ "replacements": [
+ {
+ "files": ["action.yml"],
+ "from": "addonfactory-packaging-toolkit-action:.*",
+ "to": "addonfactory-packaging-toolkit-action:v${nextRelease.version}",
+ "results": [
+ {
+ "file": "action.yml",
+ "hasChanged": true,
+ "numMatches": 1,
+ "numReplacements": 1
+ }
+ ],
+ "countMatches": true
+ }
+ ]
 }
+ ],
+ "@semantic-release/commit-analyzer",
+ [
+ "@semantic-release/exec",
+ {
+ "verifyReleaseCmd": "echo \"version=${nextRelease.version}\" >> $GITHUB_OUTPUT",
+ "successCmd": "echo \"new_release_published=${'true'}\" >> $GITHUB_OUTPUT",
+ }
 ],
- plugins: [
- "@semantic-release/commit-analyzer",
- "@semantic-release/release-notes-generator",
- ["@semantic-release/exec", {
- "prepareCmd": 'yq -i eval ".runs.image = \"docker://ghcr.io/splunk/addonfactory-packaging-toolkit-action:v${nextRelease.version}\"" action.yml'
- }],
- ["@semantic-release/git", {
- "assets": ["action.yml"],
- "message": "chore(release): ${nextRelease.version}\n\n${nextRelease.notes}"
- }],
- "@semantic-release/github"
+ "@semantic-release/release-notes-generator",
+ ["@semantic-release/git", {
+ "assets": ["action.yml"],
+ "message": "chore(release): ${nextRelease.version}\n\n${nextRelease.notes}"
+ }],
+ "@semantic-release/github"
 ]
-}
\ No newline at end of file
+}
diff --git a/action.yml b/action.yml
index c0a89e0..572e424 100644
--- a/action.yml
+++ b/action.yml
@@ -18,7 +18,7 @@ name: "Addon Factory slim action"
 description: "Produce splunk package"
 runs:
 using: "docker"
- image: "docker://ghcr.io/splunk/addonfactory-packaging-toolkit-action:v1.1.1"
+ image: "docker://ghcr.io/splunk/addonfactory-packaging-toolkit-action:v1.1.0"
 inputs:
 source:
 description: location of uncompressed source
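Review bot: In the .releaserc hunk, the replacement pattern `"from": "addonfactory-packaging-toolkit-action:.*"` appears to match through to the end of the line, and the `image:` value it targets in action.yml is double-quoted. The match would therefore take the closing quote with it while `to` does not put one back, leaving the released action.yml with an unterminated string. Stopping the match at the quote, `"from": "addonfactory-packaging-toolkit-action:[^\"]*"`, keeps the line well-formed and still satisfies the `numMatches: 1` check. `"@semantic-release/commit-analyzer"` is also listed twice in `plugins`; the second entry, after the replace plugin, looks unintended. Separately, the action.yml hunk moves the image tag back from v1.1.1 to v1.1.0, which the commit message does not explain and which is worth confirming before the release job rewrites that line.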