fix: Docs pipeline (#167)

* chore: Fix docs pipeline

* fix: Permissions for binary attestations

* fix: Temp remove hardcoded version links for docs

* fix: Cargo lock file

* feat: Add scorecard workflows

* fix: Ignore changelog from typos pre-commit

* fix: Cargo lock file

Author: tirumerla

.github/release-please/.config.json

@@ -24,7 +24,7 @@
     {
       "type": "docs",
       "section": "📚 Documentation",
-      "hidden": false
+      "hidden": true
     },
     {
       "type": "refactor",
@@ -61,5 +61,17 @@
       "section": "🥏 Continuous Integration",
       "hidden": true
     }
+  ],
+  "extra-files": [
+		{
+      "type": "toml",
+			"path": "Cargo.toml",
+			"jsonpath": "package.version"
+    },
+    {
+      "type": "generic",
+			"path": "docs/antora.yml"
+    }
   ]
+
 }

.github/workflows/release-bins.yml

@@ -71,6 +71,8 @@ jobs:
       contents: write
       pull-requests: write
       attestations: write
+      packages: write
+      id-token: write
     needs: build
     runs-on: ubuntu-latest
     steps:

.github/workflows/release-docker.yml

@@ -54,8 +54,10 @@ jobs:
             type=raw,value=latest
           labels: |
             org.opencontainers.image.created={{commit_date 'YYYY-MM-DDTHH:mm:ss.SSS[Z]'}}
-            org.opencontainers.image.title=openzeppelin-monitor
-            org.opencontainers.image.vendor=openzeppelin
+            org.opencontainers.image.title="openzeppelin-monitor"
+            org.opencontainers.image.vendor="openzeppelin"
+            org.opencontainers.image.description="Blockchain monitoring service that watches for specific onchain activities and triggers notifications based on configurable conditions."
+            org.opencontainers.image.documentation="https://docs.openzeppelin.com/monitor"
         env:
           DOCKER_METADATA_SHORT_SHA_LENGTH: 10
 

.github/workflows/release-docs.yml

@@ -0,0 +1,95 @@
+---
+name: Publish Docs
+
+on:
+  workflow_call:
+    inputs:
+      tag:
+        type: string
+        description: The tag to use for creating docs branch or merging to docs branch.
+        required: true
+
+jobs:
+  docs:
+    name: publish docs
+    runs-on: ubuntu-latest
+    env:
+      SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+      SLACK_CHANNEL: '#oss-releases'
+    steps:
+      - name: Get github app token
+        uses: actions/create-github-app-token@af35edadc00be37caa72ed9f3e6d5f7801bfdf09  # v1.11.7
+        id: gh-app-token
+        with:
+          app-id: ${{ vars.GH_APP_ID }}
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+
+      - name: Checkout tag
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+        with:
+          ref: ${{ inputs.tag }}
+          token: ${{ steps.gh-app-token.outputs.token }}
+
+      - name: Slack notification
+        uses: act10ns/slack@44541246747a30eb3102d87f7a4cc5471b0ffb7d  # v2.1.0
+        with:
+          status: starting
+          steps: ${{ toJson(steps) }}
+          channel: ${{ env.SLACK_CHANNEL }}
+          message: Starting creating docs for ${{ github.repository }} with tag ${{
+            inputs.tag }}......
+        if: always()
+
+      - name: Validate Tag
+        id: validate_tag
+        run: |-
+          TAG="${{ inputs.tag }}"
+          echo "Validating tag: $TAG"
+
+          # Check if the tag matches the semantic versioning pattern
+          if ! echo "$TAG" | grep -E '^v[0-9]+\.[0-9]+\.[0-9]+$' > /dev/null; then
+            echo "Error: Tag '$TAG' is not a valid semantic version."
+            exit 1
+          fi
+
+          IFS='.' read -r MAJOR MINOR PATCH <<< "${TAG#v}"
+
+          echo "Major: $MAJOR, Minor: $MINOR, Patch: $PATCH"
+          RELEASE_BRANCH="release-v${MAJOR}.${MINOR}.0"
+          DOCS_BRANCH="docs-v${MAJOR}.${MINOR}.0"
+
+          echo "DOCS_BRANCH=${DOCS_BRANCH}" >> $GITHUB_OUTPUT
+          echo "RELEASE_BRANCH=${RELEASE_BRANCH}" >> $GITHUB_OUTPUT
+
+          if [ "$PATCH" -ne 0 ]; then
+            # If it's a patch version, create a PR to merge release branch into docs branch
+            echo "Creating PR to merge ${RELEASE_BRANCH} into ${DOCS_BRANCH}"
+            echo "PR_TITLE=chore: Merge ${RELEASE_BRANCH} into ${DOCS_BRANCH}"
+          else
+            # If the patch version is zero, create a new docs branch
+            echo "Creating new docs branch ${DOCS_BRANCH}"
+          fi
+          echo "PR_TITLE=${PR_TITLE:-}" >> $GITHUB_OUTPUT
+
+      - name: Create Pull Request for Docs
+        if: ${{ steps.validate_tag.outputs.PR_TITLE != '' }}
+        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e  # v7.0.8
+        with:
+          token: ${{ steps.gh-app-token.outputs.token }}
+          title: ${{ steps.validate_tag.outputs.PR_TITLE }}
+          body: Automatically generated PR to merge release branch into docs branch
+            for patch version update.
+          base: ${{ steps.validate_tag.outputs.DOCS_BRANCH }}
+          sign-commits: true
+          branch: ${{ steps.validate_tag.outputs.RELEASE_BRANCH }}
+          commit-message: ${{ steps.validate_tag.outputs.PR_TITLE }}
+
+      - name: Create Docs Branch
+        if: ${{ steps.validate_tag.outputs.PR_TITLE == '' }}
+        run: |
+          echo "Creating docs branch ${DOCS_BRANCH}"
+
+          git checkout -b "${DOCS_BRANCH}"
+          git push origin "${DOCS_BRANCH}"
+        env:
+          DOCS_BRANCH: ${{ steps.validate_tag.outputs.DOCS_BRANCH }}

.github/workflows/release-please.yml

@@ -50,28 +50,6 @@ jobs:
           fetch-depth: 0
           token: ${{ steps.gh-app-token.outputs.token }}
 
-      - name: Check release branch
-        id: check_branch
-        run: |
-          RELEASE_BRANCH=${{ github.ref_name }}
-          CURRENT_VERSION=$(echo "$RELEASE_BRANCH" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1)
-          echo "CURRENT_VERSION=$CURRENT_VERSION" >> $GITHUB_OUTPUT
-
-          # Sort release branches
-          HIGHER_BRANCHES=$(git branch -r | grep release-v | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | sort -V | tail -n +2)
-          if [[ -n "$HIGHER_BRANCHES" ]]; then
-            # Extract the highest version
-            HIGHEST_VERSION=$(echo "$HIGHER_BRANCHES" | tail -n 1)
-            if [[ "$CURRENT_VERSION" == "$HIGHEST_VERSION" ]]; then
-              echo "run_release_please=true" >> $GITHUB_OUTPUT
-            else
-              echo "run_release_please=false" >> $GITHUB_OUTPUT
-              echo "Release-please skipped for branch: $RELEASE_BRANCH. Higher versioned release branches exist."
-            fi
-          else
-            echo "run_release_please=true" >> $GITHUB_OUTPUT  # if no higher version branch exists run release-please.
-          fi
-
       - name: Get merged PR number from commit
         id: get_pr
         run: |
@@ -123,15 +101,15 @@ jobs:
       - name: Start release please action
         id: release
         uses: googleapis/release-please-action@a02a34c4d625f9be7cb89156071d8567266a2445  # v4.2.0
-        if: ${{ steps.check_branch.outputs.run_release_please == 'true' }}
         with:
           token: ${{ steps.gh-app-token.outputs.token }}
           target-branch: ${{ github.ref_name }}
           config-file: .github/release-please/.config.json
           manifest-file: .github/release-please/manifest.json
 
       - name: Get release branch name on release please prs
-        if: ${{ steps.release.outputs.releases_created == 'false' }}
+        if: ${{ steps.release.outputs.releases_created == 'false' && steps.release.outputs.pr
+          != '' }}
         id: get_release_branch
         run: |
           echo "release_branch=${{ fromJSON(steps.release.outputs.pr).headBranchName }}" >> $GITHUB_OUTPUT
@@ -229,3 +207,12 @@ jobs:
     with:
       tag: ${{ needs.release-please.outputs.tag }}
     secrets: inherit
+
+  # Trigger workflow to publish docs
+  release-docs:
+    if: ${{ needs.release-please.outputs.release_created == 'true' }}
+    needs: [release-please, release-binaries, release-docker]
+    uses: ./.github/workflows/release-docs.yml
+    with:
+      tag: ${{ needs.release-please.outputs.tag }}
+    secrets: inherit

.github/workflows/scorecard.yml

@@ -0,0 +1,79 @@
+---
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: Scorecard supply-chain security
+on:
+  # For Branch-Protection check. Only the default branch is supported. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+  branch_protection_rule:
+  # To guarantee Maintained check is occasionally updated. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+  schedule:
+    - cron: 35 1 * * 6
+  push:
+    branches: [main]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Needed to publish results and get a badge (see publish_results below).
+      id-token: write
+
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7  # v2.10.1
+        with:
+          egress-policy: audit
+
+      - uses: actions/create-github-app-token@af35edadc00be37caa72ed9f3e6d5f7801bfdf09  # v1.11.7
+        id: gh-app-token
+        with:
+          app-id: ${{ vars.GH_APP_ID }}
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+
+      - name: Checkout code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+        with:
+          persist-credentials: false
+          token: ${{ steps.gh-app-token.outputs.token }}
+
+      - name: Run analysis
+        uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186  # v2.4.1
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
+          # - you want to enable the Branch-Protection check on a *public* repository, or
+          # - you are installing Scorecard on a *private* repository
+          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
+          repo_token: ${{ steps.gh-app-token.outputs.token }}
+
+          # Public repositories:
+          #   - Publish results to OpenSSF REST API for easy access by consumers
+          #   - Allows the repository to include the Scorecard badge.
+          #   - See https://github.com/ossf/scorecard-action#publishing-results.
+          publish_results: true
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: Upload artifact
+        uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1  # v4.6.1
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard.
+      - name: Upload to code-scanning
+        uses: github/codeql-action/upload-sarif@45775bd8235c68ba998cffa5171334d58593da47  # v3.28.15
+        with:
+          sarif_file: results.sarif

.typos.toml

@@ -0,0 +1,2 @@
+[files]
+extend-exclude = ["CHANGELOG.md"]