ci: overhaul and release automation

.github/default-release-notes.md

@@ -0,0 +1,4 @@
+### Dependency Track Frontend
+
+For official releases, refer to [Dependency Track Docs >> Changelogs](https://docs.dependencytrack.org/changelog/) for information about improvements and upgrade notes.
+If additional details are required, consult the closed issues for this release milestone.

.github/workflows/_meta-build.yaml

@@ -0,0 +1,126 @@
+on:
+  workflow_call:
+    inputs:
+      node-versions:
+        type: string
+        required: false
+        default: '["16"]'
+        description: 'Stringified JSON Array of node versions to build against'
+      node-version-package:
+        type: string
+        required: false
+        default: '16'
+        description: 'Set which version of node the container packaged dist should be based on. (MUST be part of the node-versions)'
+      app-version:
+        type: string
+        required: false
+        default: "snapshot"
+        description: "Set the version that should be set/used as tag for the container image"
+    secrets:
+      registry-0-usr:
+        required: true
+      registry-0-psw:
+        required: true
+
+jobs:
+  build-node:
+    runs-on: ubuntu-latest
+
+    strategy:
+      fail-fast: true
+      matrix:
+        node-version: ${{ fromJson(inputs.node-versions) }}
+
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v3.0.0
+
+      - name: Set up NodeJs
+        uses: actions/setup-node@v3.1.1
+        with:
+          node-version: ${{ matrix.node-version }}
+          cache: 'npm'
+
+      - name: Run Npm Build
+        env:
+          CI: true
+        run: |-
+          npm ci
+          npm run build --if-present
+
+      - name: Upload Artifacts
+        uses: actions/upload-artifact@v3.0.0
+        with:
+          name: assembled-frontend-node${{ matrix.node-version }}
+          path: |-
+            dist/
+            bom.*
+
+  build-container:
+    runs-on: ubuntu-latest
+    needs:
+      - build-node
+
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v3.0.0
+
+      - name: Download Artifacts
+        uses: actions/download-artifact@v3.0.0
+        with:
+          name: assembled-frontend-node${{ inputs.node-version-package }}
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v1.2.0
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v1.6.0
+        id: buildx
+        with:
+          install: true
+
+      - name: Login to Docker.io
+        uses: docker/login-action@v1.13.0
+        if: ${{ github.ref == 'refs/heads/master' }}
+        with:
+          registry: docker.io
+          username: ${{ secrets.registry-0-usr }}
+          password: ${{ secrets.registry-0-psw }}
+
+      - name: Set Container Tags
+        id: tags
+        run: |-
+          TAGS="${TAGS},docker.io/dependencytrack/frontend:${{ inputs.app-version }}"
+
+          if [[ "${{ inputs.app-version }}" != "snapshot" ]]; then
+            TAGS="${TAGS},docker.io/dependencytrack/frontend:latest"
+          fi
+          echo "::set-output name=tags::${TAGS}"
+
+      - name: Build multi-arch Container Image
+        uses: docker/build-push-action@v2.9.0
+        with:
+          tags: ${{ steps.tags.outputs.tags }}
+          build-args: |-
+            APP_VERSION=${{ inputs.app-version }}
+            COMMIT_SHA=${{ github.sha }}
+          platforms: linux/amd64,linux/arm64
+          push: ${{ github.ref == 'refs/heads/master' }}
+          context: .
+          file: docker/Dockerfile.alpine
+
+      - name: Run Trivy Vulnerability Scanner
+        if: ${{ github.ref == 'refs/heads/master' }}
+        uses: aquasecurity/trivy-action@0.2.5
+        with:
+          image-ref: docker.io/dependencytrack/frontend:${{ inputs.app-version }}
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          ignore-unfixed: true
+          vuln-type: 'os'
+
+      - name: Upload Trivy Scan Results to GitHub Security Tab
+        if: ${{ github.ref == 'refs/heads/master' }}
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: 'trivy-results.sarif'

.github/workflows/ci-build.yaml

@@ -0,0 +1,21 @@
+name: Build CI
+
+on:
+  push:
+    branches:
+      - 'master' # Default branch
+  pull_request:
+    branches:
+      - 'master' # Default branch
+  workflow_dispatch:
+
+jobs:
+  call-build:
+    uses: ./.github/workflows/_meta-build.yaml
+    with:
+      node-versions: '["14", "16"]'
+      node-version-package: '16'
+      app-version: 'snapshot'
+    secrets:
+      registry-0-usr: ${{ secrets.HUB_USERNAME }}
+      registry-0-psw: ${{ secrets.HUB_ACCESS_TOKEN }}

.github/workflows/ci-release.yaml

@@ -0,0 +1,112 @@
+name: Release CI
+
+on:
+  workflow_dispatch:
+    inputs:
+      version-to-bump:
+        type: choice
+        required: true
+        description: "Select which part of the version to bump and release"
+        options:
+          - patch
+          - minor
+          - major
+          - prepatch
+          - preminor
+          - premajor
+          - prerelease
+
+jobs:
+  prepare-release:
+    runs-on: ubuntu-latest
+    outputs:
+      version: ${{ steps.variables.outputs.version }}
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v3.0.0
+
+      - name: Set up NodeJs
+        uses: actions/setup-node@v3.1.1
+        with:
+          node-version: '16'
+          cache: 'npm'
+
+      - name: Setup Environment
+        id: variables
+        run: |-
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+
+          npm version ${{ github.event.inputs.version-to-bump }} -m "prepare-release: set version to %s"
+
+          git push --tags origin "HEAD:refs/heads/master"
+          APP_VERSION=`jq -r '.version' package.json`
+          echo "::set-output name=version::${APP_VERSION}"
+
+  call-build:
+    needs:
+      - prepare-release
+    uses: ./.github/workflows/_meta-build.yaml
+    with:
+      app-version: ${{ needs.prepare-release.outputs.version }}
+    secrets:
+      registry-0-usr: ${{ secrets.HUB_USERNAME }}
+      registry-0-psw: ${{ secrets.HUB_ACCESS_TOKEN }}
+
+  create-release:
+    runs-on: ubuntu-latest
+    needs:
+      - prepare-release
+      - call-build
+
+    env:
+      VERSION: ${{ needs.prepare-release.outputs.version }}
+
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v3.0.0
+
+      - name: Set up NodeJs
+        uses: actions/setup-node@v3.1.1
+        with:
+          node-version: '16'
+          cache: 'npm'
+
+      - name: Download Artifacts
+        uses: actions/download-artifact@v3.0.0
+        with:
+          name: assembled-frontend-node16
+
+      - name: Create Checksums
+        run: |-
+          zip -qr frontend-dist.zip dist/*
+
+          echo "# SHA1" >> checksums.txt
+          sha1sum frontend-dist.zip >> checksums.txt
+          echo "# SHA256" >> checksums.txt
+          sha256sum frontend-dist.zip >> checksums.txt
+          echo "# SHA512" >> checksums.txt
+          sha512sum frontend-dist.zip >> checksums.txt
+
+      - name: Create GitHub Release
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GH_OPTS: ""
+        run: |-
+          cat << EOF >> .github/default-release-notes.md
+          \`\`\`text
+          $(cat checksums.txt)
+          \`\`\`
+          EOF
+
+          if [[ "${{ contains(github.event.inputs.version-to-bump, 'pre') }}" == "true" ]]; then
+            GH_OPTS="--prerelease "
+          fi
+
+          gh release create "${{ needs.prepare-release.outputs.version }}" \
+            --title "${{ needs.prepare-release.outputs.version }}" \
+            --notes-file ".github/default-release-notes.md" \
+            --generate-notes ${GH_OPTS}\
+            frontend-dist.zip \
+            checksums.txt \
+            bom.xml bom.json

.github/workflows/codeql-analysis.yml → .github/workflows/codeql-analysis.yaml

@@ -13,6 +13,7 @@ jobs:
   analyze:
     name: Analyze
     runs-on: ubuntu-latest
+    if: ${{ github.repository == 'DependencyTrack/frontend' }}
 
     strategy:
       fail-fast: false
@@ -25,7 +26,7 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
       with:
         # We must fetch at least the immediate parents so that if this is
         # a pull request then we can checkout the head.
@@ -42,7 +43,7 @@ jobs:
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
-        # By default, queries listed here will override any specified in a config file. 
+        # By default, queries listed here will override any specified in a config file.
         # Prefix the list here with "+" to use these queries and those in the config file.
         # queries: ./path/to/local/query, your-org/your-repo/queries@main
 

.github/workflows/dependency-review.yaml

@@ -0,0 +1,16 @@
+name: Dependency Review
+on:
+  pull_request:
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v3.0.0
+
+      - name: Dependency Review
+        uses: actions/dependency-review-action@v1