Add GHA actions for download and verify checks

.github/workflows/debug.yml

@@ -0,0 +1,58 @@
+name: Manual SCC Product Version Verification
+
+on:
+  workflow_dispatch:
+    inputs:
+      product-name:
+        description: 'Product name to verify'
+        required: true
+        type: string
+      version:
+        description: 'Version to verify (e.g., v1.2.3 or 1.2.3-rc1)'
+        required: true
+        type: string
+      staging-code:
+        description: 'SCC staging registration code (optional - if not provided, staging verification is skipped)'
+        required: false
+        default: ''
+      production-code:
+        description: 'SCC production registration code (optional - if not provided, production verification is skipped)'
+        required: false
+        default: ''
+      fail-on-error:
+        description: 'Fail the workflow if verification fails'
+        required: false
+        type: boolean
+        default: false
+
+jobs:
+  verify:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Mask sensitive registration codes
+        shell: bash
+        run: |
+          if [ -n "${{ inputs.staging-code }}" ]; then
+          echo "::add-mask::${{ inputs.staging-code }}"
+          fi
+          if [ -n "${{ inputs.production-code }}" ]; then
+          echo "::add-mask::${{ inputs.production-code }}"
+          fi
+
+      - name: Download SCC Product Version Verifier
+        uses: ./actions/download
+
+      - name: Verify Product Version
+        uses: ./actions/verify
+        with:
+          product-name: ${{ inputs.product-name }}
+          version: ${{ inputs.version }}
+          staging-code: ${{ inputs.use-staging && secrets.SCC_STAGING_CODE || '' }}
+          production-code: ${{ inputs.use-production && secrets.SCC_PRODUCTION_CODE || '' }}
+          fail-on-error: ${{ inputs.fail-on-error }}
+
+      - name: Verification Complete
+        shell: bash
+        run: |
+          echo "✅ Verification workflow completed"
+          echo "Check the step summary for detailed results"

README.md

@@ -59,6 +59,75 @@ scc-product-version-verifier curl-verify rancher 2.12.3
 > The SCC api is case-sensitive for product lookup meaning `SLES` != `sles`.
 > For SLES look up it must be upper case, for `rancher` lookup it must be lower case.
 
-## Contributing
+## GitHub Actions
 
-Pull requests are welcome. For major changes, please open an issue first to discuss what you would like to change.
+This repository provides reusable GitHub Actions to download and use the verifier in your CI/CD workflows.
+
+### Download Action
+
+Downloads and installs the latest version of `scc-product-version-verifier`.
+
+**Location:** `rancherlabs/scc-product-version-verifier/actions/download`
+
+**Requirements:**
+- Works on Linux runners
+- No sudo required (uses GitHub Actions provided gh cli)
+
+**Outputs:**
+- `version`: The installed version of the verifier
+- `bin-path`: Installation path of the verifier
+- `asset-name`: Name of the downloaded tool
+
+**Example:**
+
+```yaml
+- name: Setup SCC Product Version Verifier
+  uses: rancherlabs/scc-product-version-verifier/actions/download@main
+```
+
+### Verify Action
+
+Verifies a product version against SCC staging and/or production environments.
+
+**Location:** `rancherlabs/scc-product-version-verifier/actions/verify`
+
+**Requirements:**
+- `scc-product-version-verifier` must be installed (use the download action first)
+- Valid SCC registration code(s)
+
+**Inputs:**
+- `version` (required): Version to verify (will be sanitized to remove `v` prefix and prerelease suffixes)
+- `staging-code` (required): SCC staging registration code
+- `production-code` (required): SCC production registration code
+- `product-name` (required): Product name to verify (case-sensitive)
+- `skip-staging` (optional, default: `false`): Skip staging verification
+- `skip-production` (optional, default: `false`): Skip production verification
+- `fail-on-error` (optional, default: `false`): Fail the workflow if verification fails
+
+**Outputs:**
+- `staging-result`: Staging verification result (`passed`/`failed`/`skipped`)
+- `production-result`: Production verification result (`passed`/`failed`/`skipped`)
+
+**Example:**
+
+```yaml
+- name: Setup Verifier
+  uses: rancherlabs/scc-product-version-verifier/actions/download@main
+
+- run: echo "${{ github.workspace }}/bin" >> $GITHUB_PATH
+
+- name: Verify Product Version
+  uses: rancherlabs/scc-product-version-verifier/actions/verify@main
+  with:
+    version: v2.12.3
+    staging-code: ${{ secrets.SCC_STAGING_CODE }}
+    production-code: ${{ secrets.SCC_PRODUCTION_CODE }}
+    product-name: rancher
+    fail-on-error: false
+```
+
+**Notes:**
+- By default, verification failures do NOT fail the workflow (`fail-on-error: false`). Set to `true` to enforce strict verification.
+- Version strings are automatically sanitized (e.g., `v2.12.3-rc1` becomes `2.12.3`)
+- Product names are case-sensitive (e.g., `SLES` vs `sles`, `rancher` vs `Rancher`)
+- Results are written to the GitHub Actions step summary for easy viewing

actions/download/action.yaml

@@ -0,0 +1,92 @@
+name: 'Setup SCC Product Version Verifier'
+description: 'Downloads and prepares the SCC product version verifier CLI tool (Linux only)'
+branding:
+  icon: 'check-circle'
+  color: 'green'
+
+inputs:
+  version:
+    description: 'Release version to download (e.g., v1.2.3 or "latest")'
+    required: false
+    default: 'latest'
+  token:
+    description: 'GitHub token for API access'
+    required: false
+    default: ${{ github.token }}
+  output-dir:
+    description: 'Directory to extract downloaded files to'
+    required: false
+    default: './bin'
+
+outputs:
+  version:
+    description: 'The release tag that was downloaded'
+    value: ${{ steps.release.outputs.tag }}
+  bin-path:
+    description: 'Path where binaries were extracted'
+    value: ${{ inputs.output-dir }}
+  asset-name:
+    description: 'Name of the downloaded asset'
+    value: ${{ steps.download.outputs.asset-name }}
+
+runs:
+  using: 'composite'
+  steps:
+    - name: Verify Linux
+      shell: bash
+      run: |
+        if [ "${{ runner.os }}" != "Linux" ]; then
+          echo "::error::This action only supports Linux runners"
+          exit 1
+        fi
+
+    - name: Get release information
+      id: release
+      shell: bash
+      env:
+        GH_TOKEN: ${{ inputs.token }}
+        REPO: "rancherlabs/scc-product-version-verifier"
+      run: |
+        TAG="${{ inputs.version }}"
+        if [ "$TAG" == "latest" ] || [ -z "$TAG" ]; then
+          TAG=$(gh release view --repo "$REPO" --json tagName -q .tagName)
+        fi
+        echo "tag=$TAG" >> $GITHUB_OUTPUT
+
+    - name: Download and Extract
+      id: download
+      shell: bash
+      env:
+        GH_TOKEN: ${{ inputs.token }}
+        REPO: "rancherlabs/scc-product-version-verifier"
+        BINARY_NAME: "scc-product-version-verifier"
+      run: |
+        ARCH="${{ runner.arch == 'X64' && 'x86_64' || 'arm64' }}"
+        TAG="${{ steps.release.outputs.tag }}"
+        OUT="${{ inputs.output-dir }}"
+
+        mkdir -p "$OUT"
+
+        # 1. Download the archive
+        gh release download "$TAG" \
+          --repo "$REPO" \
+          --pattern "*Linux*${ARCH}*.tar.gz" \
+          --dir "$OUT" \
+          --clobber
+
+        # 2. Extract and identify the archive name for cleanup
+        ARCHIVE=$(ls "$OUT" | grep ".tar.gz")
+        tar -xzf "$OUT/$ARCHIVE" -C "$OUT"
+        rm "$OUT/$ARCHIVE"
+
+        # 3. Ensure permissions
+        chmod +x "$OUT/$BINARY_NAME"
+
+        # 4. Set Outputs
+        echo "asset-name=$BINARY_NAME" >> $GITHUB_OUTPUT
+        echo "bin-path=$OUT/$BINARY_NAME" >> $GITHUB_OUTPUT
+
+        # 5. Add to PATH for immediate use
+        echo "$(realpath "$OUT")" >> $GITHUB_PATH
+
+        echo "✓ $BINARY_NAME is ready at $OUT/$BINARY_NAME"

actions/verify/action.yaml

@@ -0,0 +1,137 @@
+name: 'SCC Product Version Verify'
+description: 'Verifies a product version against SCC staging and production environments'
+branding:
+  icon: 'check-circle'
+  color: 'green'
+
+inputs:
+  version:
+    description: 'Version to verify (will be sanitized to remove v prefix and prerelease suffixes)'
+    required: true
+  staging-code:
+    description: 'SCC staging registration code (optional - if not provided, staging verification is skipped)'
+    required: false
+    default: ''
+  production-code:
+    description: 'SCC production registration code (optional - if not provided, production verification is skipped)'
+    required: false
+    default: ''
+  product-name:
+    description: 'Product name to verify'
+    required: true
+  fail-on-error:
+    description: 'Fail the workflow if verification fails'
+    required: false
+    default: 'false'
+
+outputs:
+  staging-result:
+    description: 'Staging verification result (passed/failed/skipped)'
+    value: ${{ steps.verify-staging.outputs.result }}
+  production-result:
+    description: 'Production verification result (passed/failed/skipped)'
+    value: ${{ steps.verify-production.outputs.result }}
+
+runs:
+  using: 'composite'
+  steps:
+    - name: Mask sensitive registration codes
+      shell: bash
+      run: |
+        if [ -n "${{ inputs.staging-code }}" ]; then
+          echo "::add-mask::${{ inputs.staging-code }}"
+        fi
+        if [ -n "${{ inputs.production-code }}" ]; then
+          echo "::add-mask::${{ inputs.production-code }}"
+        fi
+
+    - name: Check if verifier is installed
+      shell: bash
+      run: |
+        if ! command -v scc-product-version-verifier &> /dev/null; then
+          echo "Error: scc-product-version-verifier is not installed"
+          echo "Please use the rancher-sandbox/scc-product-version-verifier/actions/download action first"
+          exit 1
+        fi
+        echo "Verifier found at: $(which scc-product-version-verifier)"
+
+    - name: Sanitize version
+      id: sanitize
+      shell: bash
+      run: |
+        VERSION="${{ inputs.version }}"
+        # Remove 'v' prefix if present
+        VERSION="${VERSION#v}"
+        # Remove any prerelease suffixes (everything after and including -)
+        SANITIZED_VERSION="${VERSION%%-*}"
+        echo "sanitized_version=$SANITIZED_VERSION" >> $GITHUB_OUTPUT
+        echo "Original version: ${{ inputs.version }}"
+        echo "Sanitized version: $SANITIZED_VERSION"
+
+    - name: Verify with staging code
+      id: verify-staging
+      if: inputs.staging-code != ''
+      shell: bash
+      continue-on-error: ${{ inputs.fail-on-error == 'false' }}
+      env:
+        SCC_REGCODE: ${{ inputs.staging-code }}
+      run: |
+        echo "## 🔍 SCC Staging Verification - ${{ inputs.product-name }}" >> $GITHUB_STEP_SUMMARY
+        echo "" >> $GITHUB_STEP_SUMMARY
+        echo "**Product:** ${{ inputs.product-name }}" >> $GITHUB_STEP_SUMMARY
+        echo "**Version:** ${{ steps.sanitize.outputs.sanitized_version }}" >> $GITHUB_STEP_SUMMARY
+        echo "**Environment:** Staging (-S flag)" >> $GITHUB_STEP_SUMMARY
+        echo "" >> $GITHUB_STEP_SUMMARY
+
+        echo "Running staging verification for ${{ inputs.product-name }}..."
+        if scc-product-version-verifier curl-verify ${{ inputs.product-name }} ${{ steps.sanitize.outputs.sanitized_version }} -S; then
+          echo "✅ **Result:** Verification PASSED" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "result=passed" >> $GITHUB_OUTPUT
+        else
+          echo "⚠️ **Result:** Verification FAILED or returned warning" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "result=failed" >> $GITHUB_OUTPUT
+          exit 1
+        fi
+
+    - name: Set staging skipped result
+      if: inputs.staging-code == ''
+      shell: bash
+      run: |
+        echo "result=skipped" >> $GITHUB_OUTPUT
+
+    - name: Verify with production code
+      id: verify-production
+      if: inputs.production-code != ''
+      shell: bash
+      continue-on-error: ${{ inputs.fail-on-error == 'false' }}
+      env:
+        SCC_REGCODE: ${{ inputs.production-code }}
+      run: |
+        echo "---" >> $GITHUB_STEP_SUMMARY
+        echo "" >> $GITHUB_STEP_SUMMARY
+        echo "## 🔍 SCC Production Verification - ${{ inputs.product-name }}" >> $GITHUB_STEP_SUMMARY
+        echo "" >> $GITHUB_STEP_SUMMARY
+        echo "**Product:** ${{ inputs.product-name }}" >> $GITHUB_STEP_SUMMARY
+        echo "**Version:** ${{ steps.sanitize.outputs.sanitized_version }}" >> $GITHUB_STEP_SUMMARY
+        echo "**Environment:** Production" >> $GITHUB_STEP_SUMMARY
+        echo "" >> $GITHUB_STEP_SUMMARY
+
+        echo "Running production verification for ${{ inputs.product-name }}..."
+        if scc-product-version-verifier curl-verify ${{ inputs.product-name }} ${{ steps.sanitize.outputs.sanitized_version }}; then
+          echo "✅ **Result:** Verification PASSED" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "result=passed" >> $GITHUB_OUTPUT
+        else
+          echo "⚠️ **Result:** Verification FAILED or returned warning" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "result=failed" >> $GITHUB_OUTPUT
+          exit 1
+        fi
+
+    - name: Set production skipped result
+      if: inputs.production-code == ''
+      shell: bash
+      run: |
+        echo "result=skipped" >> $GITHUB_OUTPUT