Merge pull request #23 from scality/bump-versions

Bump versions and add update version workflow

Author: m4nch0t

.github/scripts/update_tools.py

@@ -9,6 +9,7 @@
 from pathlib import Path
 import yaml
 import requests
+import re
 
 # Add the root directory to the Python path
 ROOT_DIR = Path(__file__).resolve().parents[2]
@@ -35,6 +36,54 @@ def get_latest_release(package_name, package_info):
         print(f"⚠ Error fetching latest version for {package_name}: {str(error)}")
         return None
 
+def update_readme(packages):
+    """Update version references in README.md file."""
+    readme_file = ROOT_DIR / "README.md"
+    if not readme_file.exists():
+        print("⚠ README.md not found, skipping README updates")
+        return False
+    
+    readme_content = readme_file.read_text(encoding="utf-8")
+    updated_content = readme_content
+    readme_updates_made = False
+    
+    # Update version references in the README
+    version_mappings = {
+        "grype": packages.get("grype", {}).get("default_version", ""),
+        "syft": packages.get("syft", {}).get("default_version", "")
+    }
+    
+    for tool, version in version_mappings.items():
+        if not version:
+            continue
+            
+        # Update default version in parameter table
+        old_pattern = f"| `{tool}-version`      | {tool.title()} version to use                                                                        | `"
+        if old_pattern in updated_content:
+            # Find the current version in the table
+            import re
+            pattern = rf"(\| `{tool}-version`\s+\| {tool.title()} version to use\s+\| `)([^`]+)(`\s+\|)"
+            match = re.search(pattern, updated_content)
+            if match and match.group(2) != version:
+                updated_content = re.sub(pattern, rf"\g<1>{version}\g<3>", updated_content)
+                print(f"⬆ Updated {tool}-version in README table from {match.group(2)} to {version}")
+                readme_updates_made = True
+        
+        # Update version in CycloneDX metadata example (specifically for syft)
+        if tool == "syft":
+            syft_version_pattern = r'("name": "syft",\s+"version": ")([^"]+)(")'
+            match = re.search(syft_version_pattern, updated_content)
+            if match and match.group(2) != version:
+                updated_content = re.sub(syft_version_pattern, rf"\g<1>{version}\g<3>", updated_content)
+                print(f"⬆ Updated syft version in README example from {match.group(2)} to {version}")
+                readme_updates_made = True
+    
+    if readme_updates_made:
+        readme_file.write_text(updated_content, encoding="utf-8")
+        print("✓ README.md updates applied")
+    
+    return readme_updates_made
+
 def update_versions():
     """Update the tools versions in the versions file while preserving format."""
     updates_made = False
@@ -54,16 +103,20 @@ def update_versions():
         else:
             print(f"✓ {package_name} is already at latest version {latest_version}")
 
-    if not updates_made:
+    # Update README regardless of whether versions.yaml was updated
+    readme_updated = update_readme(packages)
+    
+    if not updates_made and not readme_updated:
         print("✓ All tools are already at their latest versions. No updates needed.")
         return
 
-    # Write the updated data back to the file using the constant VERSION_FILE
-    VERSION_FILE.write_text(
-        yaml.dump(data, default_flow_style=False, sort_keys=False),
-        encoding="utf8"
-    )
-    print("✓ Updates applied to", VERSION_FILE)
+    if updates_made:
+        # Write the updated data back to the file using the constant VERSION_FILE
+        VERSION_FILE.write_text(
+            yaml.dump(data, default_flow_style=False, sort_keys=False),
+            encoding="utf8"
+        )
+        print("✓ Updates applied to", VERSION_FILE)
 
 if __name__ == "__main__":
     update_versions()

.github/workflows/update.yaml

@@ -0,0 +1,48 @@
+name: Update Tool Versions
+on:
+  schedule:
+    - cron: "23 0 * * *"  # Runs daily at 23:00 UTC
+  workflow_dispatch:
+
+jobs:
+  update-versions:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Configure Git
+        run: |
+          git config --local user.email "[email protected]"
+          git config --local user.name "GitHub Action"
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.x'
+
+      - name: Install dependencies
+        run: pip install -r requirements.txt
+
+      - name: Update tool versions
+        run: python .github/scripts/update_tools.py
+
+      - name: Create Pull Request
+        uses: peter-evans/create-pull-request@v7
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          commit-message: ':arrow_up: update tool versions'
+          title: 'Update scanner tool versions'
+          body: |
+            Automated version bump of scanner versions.
+
+            **Changes:**
+            - Update version in README.md
+            - Update version in versions.yaml
+
+            **Next steps:**
+            1. Review and merge this PR
+            2. Create a release tag: `v${{ github.event.inputs.version }}-${{ github.event.inputs.collection }}`
+          branch: update-tool-versions

README.md

@@ -24,11 +24,11 @@ The main [SBOM action](action.yaml) is responsible for generating SBOMs.
 
 | Parameter            | Description                                                                                 | Default      |
 | -------------------- | ------------------------------------------------------------------------------------------- | ------------ |
-| `grype-version`      | Grype version to use                                                                        | `0.91.0`     |
-| `syft-version`       | Syft version to use                                                                         | `1.22.0`     |
-| `target`             | The target to scan (path or image)                                   | `./`         |
-| `target-type`        | Type of target to scan (file, directory, image, iso)                                  | `file`       |
-| `output-format`      | Format of the generated SBOM (cyclonedx-json cyclonedx-xml github-json spdx-json spdx-tag-value syft-json syft-table syft-text template)                                                              | `cyclonedx-json` |
+| `grype-version`      | Grype version to use                                                                        | `0.96.1`     |
+| `syft-version`       | Syft version to use                                                                         | `1.29.0`     |
+| `target`             | The target to scan (path or image)                                                          | `./`         |
+| `target-type`        | Type of target to scan (file, directory, image, iso)                                        | `file`       |
+| `output-format`      | Format of the generated SBOM <br> (cyclonedx-json cyclonedx-xml github-json spdx-json spdx-tag-value syft-json syft-table syft-text template) | `cyclonedx-json` |
 | `output-file`        | A specific file location to store the SBOM                                                  |              |
 | `output-dir`         | Directory to store generated SBOM files                                                     | `/tmp/sbom`  |
 | `exclude-mediatypes` | Media types to exclude for images (comma-separated)                                         |              |
@@ -38,7 +38,7 @@ The main [SBOM action](action.yaml) is responsible for generating SBOMs.
 | `merge`              | Merge multiple SBOMs into a single file                                                     | `false`      |
 | `merge_hierarchical` | Merge multiple SBOMs into a single hierarchical file                                        | `false`      |
 | `vuln`               | Enable vulnerability scanning                                                               | `false`      |
-| `vuln-output-format` | Format for the vulnerability report when `vuln` is enabled (supports `json`, `html`, `csv`, `table`, or comma-separated values like `html,json`) | `cyclonedx-json`       |
+| `vuln-output-format` | Format for the vulnerability report when `vuln` is enabled<br>(supports `json`, `html`, `csv`, `table`, or comma-separated values like `html,json`) | `cyclonedx-json`|
 | `vuln-output-file`   | A specific file location to store the vulnerability report                                  |              |
 
 ## Example Usage
@@ -185,7 +185,7 @@ In the generated SBOM files, you will find CycloneDX metadata. Examples include:
                     "type": "application",
                     "author": "anchore",
                     "name": "syft",
-                    "version": "1.21.0"
+                    "version": "1.29.0"
                 }
             ]
         },
@@ -216,7 +216,7 @@ In the generated SBOM files, you will find CycloneDX metadata. Examples include:
                     "type": "application",
                     "author": "anchore",
                     "name": "syft",
-                    "version": "1.21.0"
+                    "version": "1.29.0"
                 }
             ]
         },

versions.yaml

@@ -1,18 +1,18 @@
 packages:
   syft:
-    default_version: 1.22.0
+    default_version: 1.29.0
     editor: anchore
     artifact: '{package_name}_{version}_linux_amd64.tar.gz'
     binary: syft
     checksums: true
   grype:
-    default_version: 0.91.0
+    default_version: 0.96.1
     editor: anchore
     artifact: '{package_name}_{version}_linux_amd64.tar.gz'
     binary: grype
     checksums: true
   cyclonedx-cli:
-    default_version: 0.27.2
+    default_version: 0.29.0
     editor: CycloneDX
     artifact: cyclonedx-linux-x64
     binary: cyclonedx-linux-x64