Add workflow to sync releases to Nexus

.github/workflows/alauda-auto-tag.yaml

@@ -0,0 +1,87 @@
+name: Auto Tag for Alauda
+
+on:
+  push:
+    branches:
+      - 'alauda-v*'
+
+permissions:
+  contents: write  # create tags and releases
+  packages: write  # upload packages
+
+jobs:
+  tag:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0  # fetch all tags
+
+      - name: Set up Git
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+
+      - name: Extract version and tag prefix
+        id: extract
+        run: |
+          BRANCH_NAME="${GITHUB_REF#refs/heads/}"
+          echo "Branch: $BRANCH_NAME"
+
+          PREFIX="${BRANCH_NAME%%-*}"  # alauda
+          BASE_VERSION="${BRANCH_NAME#${PREFIX}-}"  # v0.62.1
+
+          VERSION_NO_V="${BASE_VERSION#v}"              # 0.62.1
+          MAJOR=$(echo "$VERSION_NO_V" | cut -d. -f1)
+          MINOR=$(echo "$VERSION_NO_V" | cut -d. -f2)
+          PATCH=$(echo "$VERSION_NO_V" | cut -d. -f3)
+
+          echo "MAJOR: $MAJOR, MINOR: $MINOR, PATCH: $PATCH"
+
+          # PATCH + 1
+          NEXT_PATCH=$((PATCH + 1))
+          echo "NEXT_PATCH=$NEXT_PATCH"
+
+          NEXT_VERSION="v${MAJOR}.${MINOR}.${NEXT_PATCH}"   # v0.62.2
+          echo "NEXT_VERSION=$NEXT_VERSION"
+
+          TAG_PREFIX="${NEXT_VERSION}-${PREFIX}"  # v0.62.2-alauda
+          echo "TAG_PREFIX=$TAG_PREFIX"
+
+          echo "prefix=$PREFIX" >> $GITHUB_OUTPUT
+          echo "base_version=$BASE_VERSION" >> $GITHUB_OUTPUT
+          echo "tag_prefix=$TAG_PREFIX" >> $GITHUB_OUTPUT
+
+      - name: Find latest tag with this prefix
+        id: latest
+        run: |
+          TAG_PREFIX="${{ steps.extract.outputs.tag_prefix }}"
+          echo "Looking for tags with prefix: $TAG_PREFIX"
+
+          EXISTING_TAGS=$(git tag --list "${TAG_PREFIX}-*" | sort -V)
+          echo "Existing tags: $EXISTING_TAGS"
+
+          MAX_INDEX=-1
+          for tag in $EXISTING_TAGS; do
+            NUM=${tag##*-}
+            if [[ "$NUM" =~ ^[0-9]+$ && "$NUM" -gt "$MAX_INDEX" ]]; then
+              MAX_INDEX=$NUM
+            fi
+          done
+
+          NEW_INDEX=$((MAX_INDEX + 1))
+          NEW_TAG="${TAG_PREFIX}-${NEW_INDEX}"
+
+          echo "new_tag=$NEW_TAG" >> $GITHUB_OUTPUT
+
+      - name: Create and push new tag
+        run: |
+          NEW_TAG="${{ steps.latest.outputs.new_tag }}"
+          git tag "$NEW_TAG"
+          git push origin "$NEW_TAG"
+
+  release-alauda:
+    name: Release Alauda
+    needs: [tag]
+    uses: ./.github/workflows/reusable-release-alauda.yaml

.github/workflows/go.yml

@@ -10,15 +10,15 @@ jobs:
     runs-on: ubuntu-latest
     steps:
 
+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v4
+
     - name: Set up Go
       uses: actions/setup-go@v5
       with:
-        go-version: '^1.20'
+        go-version-file: go.mod
       id: go
 
-    - name: Check out code into the Go module directory
-      uses: actions/checkout@v4
-
     - name: Get dependencies
       run: |
         go get -v -t -d ./...

.github/workflows/release-alauda.yaml

@@ -0,0 +1,16 @@
+name: Release Alauda
+
+on:
+  push:
+    tags:
+      - "v*-alauda-*"
+  workflow_dispatch:
+
+permissions:
+  contents: write  # create releases
+  packages: write  # upload packages
+
+jobs:
+  release-alauda:
+    name: Release Alauda
+    uses: ./.github/workflows/reusable-release-alauda.yaml

.github/workflows/reusable-release-alauda.yaml

@@ -0,0 +1,33 @@
+name: Release Alauda
+
+on:
+  workflow_call:
+
+permissions:
+  contents: write
+  packages: write
+
+jobs:
+  release:
+    name: alauda-release
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4.1.6
+        with:
+          fetch-depth: 0
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+          cache: false
+
+      - name: Set up GoReleaser
+        uses: goreleaser/goreleaser-action@v6
+        with:
+          version: v2.1.0
+          args: release -f=.goreleaser-alauda.yml
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/scan-alauda.yaml

@@ -0,0 +1,34 @@
+name: Scan vulnerabilities for Alauda
+on:
+  schedule:
+    - cron: '0 0 * * *'
+  workflow_dispatch:
+
+jobs:
+  build:
+    name: Scan Go vulnerabilities
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4.1.6
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: "go.mod"
+          cache: false
+
+      - name: Set up GoReleaser
+        uses: goreleaser/goreleaser-action@v6
+        with:
+          version: v2.1.0
+          args: release --snapshot -f=.goreleaser-alauda.yml
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@0.28.0
+        with:
+          scan-type: 'rootfs'
+          scan-ref: 'dist/yq_linux_amd64_v1/alauda-yq'
+          exit-code: 1

.github/workflows/sync-to-nexus.yml

@@ -0,0 +1,100 @@
+name: Sync Release To Nexus
+
+# Triggers a Tekton PipelineRun on the in-cluster ARC runner whenever an
+# alauda-suffixed tag is pushed. The pipeline waits for the corresponding
+# GitHub Release to be ready, then mirrors its assets to the internal
+# Nexus under both a versioned path and a `latest/` channel.
+
+on:
+  push:
+    tags:
+      - 'v*-alauda-*'
+
+jobs:
+  trigger-sync:
+    # Base ARC runner image already bundles tkn / kubectl / curl / jq / yq;
+    # no `container:` override needed.
+    runs-on: alauda-devops-runner
+    steps:
+      - name: create PipelineRun and follow logs
+        env:
+          TEKTON_NS: devops
+          # Pipeline source: catalog "extras" via Tekton Hub resolver.
+          # Bump PIPELINE_VERSION together with catalog releases.
+          PIPELINE_CATALOG: extras
+          PIPELINE_NAME: sync-github-release-to-nexus
+          PIPELINE_VERSION: "0.1"
+          # Component-aware PipelineRun name so the run is identifiable
+          # at a glance in `kubectl get pipelinerun` listings:
+          # `sync-<repo>-<run_id>-<run_attempt>`. `github.event.repository.name`
+          # is just the repo without the owner (e.g. `yq`, `yq-private`,
+          # `trivy`, `cosign`, `chains`). `run_id` is globally unique;
+          # `run_attempt` disambiguates retries of the same run.
+          PR_NAME: sync-${{ github.event.repository.name }}-${{ github.run_id }}-${{ github.run_attempt }}
+          REPO: ${{ github.repository }}
+          # On `push: tags:` events, github.ref_name is the tag itself.
+          TAG: ${{ github.ref_name }}
+          RELEASE_URL: ${{ github.server_url }}/${{ github.repository }}/releases/tag/${{ github.ref_name }}
+        run: |
+          set -euo pipefail
+
+          # Source-repo label uses dots instead of slashes to satisfy
+          # Kubernetes label value charset (no '/').
+          SOURCE_REPO_LABEL="${REPO//\//.}"
+
+          # Create PipelineRun with metadata.name (not generateName) so the
+          # PR name is known up front for `tkn pr logs -f` below.
+          # github-token workspace intentionally omitted: forks are public,
+          # pipeline declares it `optional: true` and falls back to anonymous.
+          cat <<EOF | kubectl create -f -
+          apiVersion: tekton.dev/v1
+          kind: PipelineRun
+          metadata:
+            name: ${PR_NAME}
+            namespace: ${TEKTON_NS}
+            labels:
+              alauda.io/source-repo: ${SOURCE_REPO_LABEL}
+              alauda.io/source-tag: ${TAG}
+              alauda.io/triggered-by: github-actions
+          spec:
+            pipelineRef:
+              resolver: hub
+              params:
+                - { name: catalog, value: ${PIPELINE_CATALOG} }
+                - { name: type,    value: tekton }
+                - { name: kind,    value: pipeline }
+                - { name: name,    value: ${PIPELINE_NAME} }
+                - { name: version, value: "${PIPELINE_VERSION}" }
+            params:
+              - { name: repo,        value: ${REPO} }
+              - { name: tag,         value: ${TAG} }
+              - { name: release-url, value: ${RELEASE_URL} }
+            workspaces:
+              - name: nexus-auth
+                secret:
+                  secretName: build-nexus.kauto
+              # Shared scratch PVC across the 5 run-script tasks. emptyDir
+              # would be per-pod and cannot propagate downloaded assets +
+              # intermediate metadata across TaskRuns; volumeClaimTemplate
+              # makes Tekton create a PipelineRun-owned PVC reaped with
+              # the run. RWO is sufficient — the DAG is strictly linear.
+              - name: source
+                volumeClaimTemplate:
+                  spec:
+                    storageClassName: topolvm
+                    accessModes:
+                      - ReadWriteOnce
+                    resources:
+                      requests:
+                        storage: 1Gi
+          EOF
+
+          # Stream logs until the PipelineRun completes; then surface the
+          # PipelineRun's Succeeded condition as the step exit code so the
+          # GitHub Actions UI reflects the real pipeline outcome.
+          tkn -n "${TEKTON_NS}" pr logs -f "${PR_NAME}"
+
+          STATUS=$(kubectl -n "${TEKTON_NS}" get pipelinerun "${PR_NAME}" \
+            -o jsonpath='{.status.conditions[?(@.type=="Succeeded")].status}')
+          echo "PipelineRun ${PR_NAME} final Succeeded status: ${STATUS}"
+          [ "${STATUS}" = "True" ]

.goreleaser-alauda.yml

@@ -0,0 +1,58 @@
+# This is an example .goreleaser.yml file with some sensible defaults.
+# Make sure to check the documentation at https://goreleaser.com
+
+# The lines below are called `modelines`. See `:help modeline`
+# Feel free to remove those if you don't want/need to use them.
+# yaml-language-server: $schema=https://goreleaser.com/static/schema.json
+# vim: set ts=2 sw=2 tw=0 fo=cnqoj
+
+version: 2
+
+before:
+  hooks:
+    # You may remove this if you don't use go modules.
+    - go mod tidy
+
+builds:
+  - id: yq
+    env:
+      - CGO_ENABLED=0
+    goos:
+      - linux
+    goarch:
+      - amd64
+      - arm64
+    ldflags:
+      - -w -s -extldflags '-static'
+    main: .
+    binary: alauda-yq
+
+archives:
+  - id: archive
+    format: tar.gz
+    name_template: >-
+      {{ .ProjectName }}_
+      {{- title .Os }}_
+      {{- if eq .Arch "amd64" }}x86_64
+      {{- else if eq .Arch "386" }}i386
+      {{- else }}{{ .Arch }}{{ end }}
+      {{- if .Arm }}v{{ .Arm }}{{ end }}
+    format_overrides:
+      - goos: windows
+        format: zip
+
+changelog:
+  sort: asc
+  filters:
+    exclude:
+      - "^docs:"
+      - "^test:"
+
+release:
+  footer: >-
+
+    ---
+
+    This release is intended for use only as part of the Alauda product suite.
+    It is not recommended for use by individuals or teams outside of Alauda.
+    Any consequences arising from its use are the sole responsibility of the user.