chore: Bump sec-scanners-config.yaml bdba images to 0.0.1

.github/workflows/create-runtime-watcher-release.yaml

@@ -1,8 +1,7 @@
 name: "Create Runtime Watcher Release"
 
 permissions:
-  id-token: write
-  contents: write
+  contents: read
 
 on:
   workflow_dispatch:
@@ -15,6 +14,10 @@ on:
         description: "Changelog since"
         default: ""
         required: false
+      skip_sec_scanners_bump:
+        description: "Skip sec-scanners-config.yaml bump"
+        type: boolean
+        default: false
 
 env:
   IMAGE_REPO: europe-docker.pkg.dev/kyma-project/prod/runtime-watcher
@@ -34,54 +37,131 @@ jobs:
       - name: Check if release doesn't exist yet
         run: ./.github/scripts/release/get_release_by_tag.sh ${{ github.event.inputs.name }} ${{ secrets.GITHUB_TOKEN }}
 
-  draft-release:
-    name: Create draft release
+  bump-images:
+    name: Bump sec-scanners-config.yaml images
     runs-on: ubuntu-latest
     needs: validate-release
+    if: ${{ !inputs.skip_sec_scanners_bump }}
+    permissions:
+      pull-requests: write
+      contents: write
+    outputs:
+      pr_number: ${{ steps.open-pr.outputs.pr_number }}
     steps:
       - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           fetch-depth: 0
-      - name: Generate changelog
-        id: generate_changelog
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: ./.github/scripts/release/create_changelog.sh ${{ github.event.inputs.name }} ${{ env.IMAGE_REPO }}:${{ github.event.inputs.name }} ${{ github.event.inputs.since }}
-      - name: Draft release
-        id: draft-release
+      - name: Checkout lifecycle-manager
+        uses: actions/checkout@v6
+        with:
+          repository: kyma-project/lifecycle-manager
+          path: lifecycle-manager
+      - name: Bump sec-scanners-config.yaml images
+        run: |
+          ./lifecycle-manager/.github/scripts/release/bump_sec_scanners_versions.sh \
+            ${{ github.event.inputs.name }} \
+            europe-docker.pkg.dev/kyma-project/prod/runtime-watcher \
+            sec-scanners-config.yaml
+      - name: Push version bump branch and open PR
+        id: open-pr
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
-          RELEASE_ID=$(./.github/scripts/release/draft_release.sh ${{ github.event.inputs.name }})
-          echo "release_id=$RELEASE_ID" >> $GITHUB_OUTPUT
-      - name: Create tag
-        run: |
-          git tag ${{ github.event.inputs.name }}
-          git push origin ${{ github.event.inputs.name }} --tags
-    outputs:
-      release_id: ${{ steps.draft-release.outputs.release_id }}
-  builds:
-    needs: draft-release
-    uses: ./.github/workflows/build-image.yml
-    with:
-      tag: "${{ github.event.inputs.name }}"
-  publish_release:
-    name: Publish release
-    needs: [validate-release, draft-release, builds]
+          # Configure git
+          git config --local user.email "jellyfish-bot@users.noreply.github.com"
+          git config --local user.name "jellyfish-bot"
+
+          if PR_NUMBER=$(./lifecycle-manager/.github/scripts/release/create_sec_scanners_config_bump_pr.sh ${{ github.event.inputs.name }}); then
+            echo "pr_number=${PR_NUMBER}" >> "$GITHUB_OUTPUT"
+          else
+            echo "❌ Failed to create PR for sec-scanners-config.yaml bump"
+            exit 1
+          fi
+
+  await-bump-images-pr-merge:
+    name: Wait for version bump PR to be merged
     runs-on: ubuntu-latest
+    needs: bump-images
+    if: ${{ !inputs.skip_sec_scanners_bump }}
+    permissions:
+      pull-requests: read
+      contents: write
     steps:
       - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           fetch-depth: 0
-      - name: Wait for the Docker image
-        timeout-minutes: 20
+      - name: Checkout lifecycle-manager
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          repository: kyma-project/lifecycle-manager
+          path: lifecycle-manager
+      - name: Wait for PR to be merged
         env:
-          ITERATIONS: 40
-          SLEEP_SECONDS: 30
-        run: ./.github/scripts/release/wait_for_image.sh ${{ env.IMAGE_REPO }}:${{ github.event.inputs.name }} ${{ env.ITERATIONS }} ${{ env.SLEEP_SECONDS }}
-      - name: Publish release
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: ./lifecycle-manager/.github/scripts/release/wait_for_pr_merge.sh ${{ needs.bump-images.outputs.pr_number }}
+      - name: Delete merged branch
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: ./.github/scripts/release/publish_release.sh ${{ needs.draft-release.outputs.release_id }}
+        run: ./lifecycle-manager/.github/scripts/release/delete_sec_scanners_config_pr_branch.sh ${{ github.event.inputs.name }}
+
+  # draft-release:
+  #   name: Create draft release
+  #   runs-on: ubuntu-latest
+  #   needs: [validate-release, await-bump-images-pr-merge]
+  #   permissions:
+  #     contents: write
+  #   steps:
+  #     - name: Checkout code
+  #       uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+  #       with:
+  #         fetch-depth: 0
+  #         ref: main  # Checkout main after version bump PR is merged
+  #     - name: Generate changelog
+  #       id: generate_changelog
+  #       env:
+  #         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  #       run: ./.github/scripts/release/create_changelog.sh ${{ github.event.inputs.name }} ${{ env.IMAGE_REPO }}:${{ github.event.inputs.name }} ${{ github.event.inputs.since }}
+  #     - name: Draft release
+  #       id: draft-release
+  #       env:
+  #         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  #       run: |
+  #         RELEASE_ID=$(./.github/scripts/release/draft_release.sh ${{ github.event.inputs.name }})
+  #         echo "release_id=$RELEASE_ID" >> $GITHUB_OUTPUT
+  #     - name: Create tag
+  #       run: |
+  #         git tag ${{ github.event.inputs.name }}
+  #         git push origin ${{ github.event.inputs.name }} --tags
+  #   outputs:
+  #     release_id: ${{ steps.draft-release.outputs.release_id }}
+  # builds:
+  #   needs: draft-release
+  #   uses: ./.github/workflows/build-image.yml
+  #   with:
+  #     tag: "${{ github.event.inputs.name }}"
+  #   permissions:
+  #     contents: read
+  #     id-token: write
+  # publish_release:
+  #   name: Publish release
+  #   needs: [validate-release, draft-release, builds]
+  #   runs-on: ubuntu-latest
+  #   permissions:
+  #     contents: write
+  #   steps:
+  #     - name: Checkout code
+  #       uses: actions/checkout@v6
+  #       with:
+  #         fetch-depth: 0
+  #     - name: Wait for the Docker image
+  #       timeout-minutes: 20
+  #       env:
+  #         ITERATIONS: 40
+  #         SLEEP_SECONDS: 30
+  #       run: ./.github/scripts/release/wait_for_image.sh ${{ env.IMAGE_REPO }}:${{ github.event.inputs.name }} ${{ env.ITERATIONS }} ${{ env.SLEEP_SECONDS }}
+  #     - name: Publish release
+  #       env:
+  #         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  #       run: ./.github/scripts/release/publish_release.sh ${{ needs.draft-release.outputs.release_id }}

sec-scanners-config.yaml

@@ -5,6 +5,7 @@ checkmarx-one:
   exclude:
     - "**/*_test.go"
 bdba:
+  - europe-docker.pkg.dev/kyma-project/prod/runtime-watcher:0.0.1
   - europe-docker.pkg.dev/kyma-project/prod/runtime-watcher:2.1.4
   - europe-docker.pkg.dev/kyma-project/prod/runtime-watcher:latest
 mend: