ci: periodic security identifier allocation workflow

westonsteimel · westonsteimel · commit f2e063720cce · 2025-11-17T15:55:17.000Z
Also migrates to runs-on for runners

Signed-off-by: Weston Steimel &lt;author@code.w.steimel.me.uk&gt;
diff --git a/.github/runs-on.yml b/.github/runs-on.yml
@@ -0,0 +1,4 @@
+# runs-on.com runner configuration
+
+# defer to the https://github.com/anchore/workflows repository for private runner configs
+_extends: workflows
diff --git a/.github/workflows/allocate.yaml b/.github/workflows/allocate.yaml
@@ -0,0 +1,43 @@
+name: "Allocate Security Identifiers"
+on: 
+  workflow_dispatch:
+  schedule:
+    - cron: '12 * * * MON-FRI'
+
+concurrency:
+  group: allocate-security-identifiers
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+jobs:
+  allocate-security-identifiers:
+    name: "Allocate Security Identfiers"
+    runs-on: runs-on: runs-on=${{ github.run_id }}/runner=medium-arm
+    container:
+      image: python:3.13-alpine
+    permissions:
+      contents: write
+    steps:
+      - name: Install OS dependencies
+        run: apk add --no-cache git taplo sqlite tar zstd curl oras-cli bash date grype
+      - name: Configure git
+        run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
+      - name: Install python dependencies
+        run: pip install check-jsonschema cpe git+https://github.com/anchore/security-cli
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0
+      - name: Allocate security identifiers
+        run: anchore-security-cli id allocate --data-path data
+      - name: Run TOML formatting
+        run: taplo format
+      - name: Run TOML schema validation
+        run: taplo validate --schema file:${PWD}/schema/0.1.0.schema.json
+      - name: Run TOML formatting validation
+        run: taplo format --check
+      - name: Commit changes
+        run: |
+            git config user.email "github-actions[bot]@users.noreply.github.com"
+            git config user.name "github-actions[bot]"
+            ./scripts/commit.sh
+            git push
diff --git a/.github/workflows/validations.yaml b/.github/workflows/validations.yaml
@@ -14,7 +14,7 @@ permissions:
 jobs:
   validate-schema:
     name: "Validate Schema"
-    runs-on: ubuntu-latest
+    runs-on: runs-on: runs-on=${{ github.run_id }}/runner=small-arm
     container:
       image: python:3.13-alpine
     permissions:
diff --git a/scripts/commit.sh b/scripts/commit.sh
@@ -0,0 +1,5 @@
+#!/bin/bash -l
+
+git add .
+date=$(date -I)
+git diff-index --quiet HEAD || git commit --message "allocate security identifiers: ${date}"
