add release instructions (#21)

Signed-off-by: Brian DeHamer <bdehamer@github.com>

RELEASE.md

@@ -0,0 +1,30 @@
+# Release Instructions
+
+Follow the steps below to tag a new release for the
+`actions/attest-sbom` action.
+
+If changes were made to the internal `actions/attest-sbom/predicate`
+action (any updates to [`./predicate/action.yaml`](./predicate/action.yml) or
+any of the code in the [`./src`](./src) directory), start with step #1;
+otherwise, skip directly to step #5.
+
+1. Merge the latest changes to the `main` branch.
+1. Create and push a new predicate tag of the form `predicate@X.X.X` following
+   SemVer conventions:
+
+   ```shell
+   git tag -a "predicate@X.X.X" -m "predicate@X.X.X Release"
+   git push --tags
+   ```
+
+1. Update the reference to the `actions/attest-sbom/predicate`
+   action in [`action.yml`](./action.yml) to point to the SHA of the newly
+   created tag.
+1. Push the `action.yml` change and open a PR. Once it has been reviewed, merge
+   the PR and proceed with the release instructions.
+1. Create a new release for the top-level action using a tag of the form
+   `vX.X.X` following SemVer conventions:
+
+   ```shell
+   gh release create vX.X.X
+   ```

action.yml

@@ -48,6 +48,7 @@ inputs:
       The GitHub token used to make authenticated API requests.
     default: ${{ github.token }}
     required: false
+
 outputs:
   bundle-path:
     description: 'The path to the file containing the attestation bundle(s).'
@@ -82,7 +83,7 @@ runs:
         path: ${{ inputs.scan-path }}
         output-file: ${{ steps.sbom-output.outputs.path }}
         format: ${{ steps.check-sbom-format.outputs.format }}
-    - uses: actions/attest-sbom/predicate@main
+    - uses: actions/attest-sbom/predicate@847c6befa7ce187c962fa6c3e6cd3c96e4da9565 # predicate@0.1.0
       id: generate-sbom-predicate
       with:
         sbom-path: ${{ inputs.sbom-path || steps.sbom-output.outputs.path }}
@@ -92,9 +93,9 @@ runs:
         subject-path: ${{ inputs.subject-path }}
         subject-digest: ${{ inputs.subject-digest }}
         subject-name: ${{ inputs.subject-name }}
-        push-to-registry: ${{ inputs.push-to-registry }}
         predicate-type:
           ${{ steps.generate-sbom-predicate.outputs.predicate-type }}
         predicate-path:
           ${{ steps.generate-sbom-predicate.outputs.predicate-path }}
+        push-to-registry: ${{ inputs.push-to-registry }}
         github-token: ${{ inputs.github-token }}

script/release

@@ -1,59 +0,0 @@
-#!/bin/bash
-
-# About:
-#
-# This is a helper script to tag and push a new release. GitHub Actions use
-# release tags to allow users to select a specific version of the action to use.
-#
-# See: https://github.com/actions/typescript-action#publishing-a-new-release
-#
-# This script will do the following:
-#
-# 1. Get the latest release tag
-# 2. Prompt the user for a new release tag
-# 3. Tag the new release
-# 4. Push the new tag to the remote
-#
-# Usage:
-#
-# script/release
-
-# Terminal colors
-OFF='\033[0m'
-RED='\033[0;31m'
-GREEN='\033[0;32m'
-BLUE='\033[0;34m'
-
-# Get the latest release tag
-latest_tag=$(git describe --tags "$(git rev-list --tags --max-count=1)")
-
-if [[ -z "$latest_tag" ]]; then
-	# There are no existing release tags
-	echo -e "No tags found (yet) - Continue to create and push your first tag"
-	latest_tag="[unknown]"
-fi
-
-# Display the latest release tag
-echo -e "The latest release tag is: ${BLUE}${latest_tag}${OFF}"
-
-# Prompt the user for the new release tag
-read -r -p 'Enter a new release tag (vX.X.X format): ' new_tag
-
-# Validate the new release tag
-tag_regex='v[0-9]+\.[0-9]+\.[0-9]+$'
-if echo "$new_tag" | grep -q -E "$tag_regex"; then
-	echo -e "Tag: ${BLUE}$new_tag${OFF} is valid"
-else
-	# Release tag is not `vX.X.X` format
-	echo -e "Tag: ${BLUE}$new_tag${OFF} is ${RED}not valid${OFF} (must be in vX.X.X format)"
-	exit 1
-fi
-
-# Tag the new release
-git tag -a "$new_tag" -m "$new_tag Release"
-echo -e "${GREEN}Tagged: $new_tag${OFF}"
-
-# Push the new tag to the remote
-git push --tags
-echo -e "${GREEN}Release tag pushed to remote${OFF}"
-echo -e "${GREEN}Done!${OFF}"