fix(release): fixed mono-repo workflow

.cliff-monorepo.toml

@@ -1,18 +1,3 @@
-{%- if version %}
-## [{{ version | trim_start_matches(pat="v") }}]({{ self::remote_url() }}/tree/{{ version }}) - {{ timestamp | date(format="%Y-%m-%d") }}
-{%- else %}
-## [unreleased]
-{%- endif %}
-{%- if message %}
-  {%- raw %}
-  {% endraw %}
-{{ message }}
-  {%- raw %}
-  {% endraw %}
-{%- endif %}
-
----
-
 {%- for group, commits in commits | group_by(attribute="group") %}
   {%- raw %}
   {% endraw %}

.cliff.toml

@@ -78,7 +78,7 @@ body = """
 ### People who contributed to this release
   {% endif %}
   {%- for contributor in github.contributors | filter(attribute="username") | sort(attribute="username") %}
-    {%- if contributor.username != "dependabot[bot]" and contributor.username != "github-actions[bot]" %}
+    {%- if contributor.username != "dependabot[bot]" and contributor.username != "github-actions[bot]" and contributor.username != "bot-go-openapi[bot]" %}
 * [@{{ contributor.username }}](https://github.com/{{ contributor.username }})
     {%- endif %}
   {%- endfor %}
@@ -91,7 +91,7 @@ body = """
   {%- endif %}
 
   {%- for contributor in github.contributors | filter(attribute="is_first_time", value=true) %}
-    {%- if contributor.username != "dependabot[bot]" and contributor.username != "github-actions[bot]" %}
+    {%- if contributor.username != "dependabot[bot]" and contributor.username != "github-actions[bot]" and contributor.username != "bot-go-openapi[bot]" %}
 * @{{ contributor.username }} made their first contribution
       {%- if contributor.pr_number %}
   in [#{{ contributor.pr_number }}]({{ self::remote_url() }}/pull/{{ contributor.pr_number }}) \
@@ -144,22 +144,22 @@ protect_breaking_commits = false
 # Optionally sets the commit's scope and can decide to exclude commits from further processing.
 commit_parsers = [
     { message = "^[Cc]hore\\([Rr]elease\\): prepare for", skip = true },
-    { message = "(^[Mm]erge)|([Mm]erge conflict)", skip = true },
+    { message = "(^[Mm]erge)|([Mm]erge conflict)", group = "<!-- 0B -->Other (technical)" },
     { field = "author.name", pattern = "dependabot*", group = "<!-- 0A -->Updates" },
     { message = "([Ss]ecurity)|([Vv]uln)", group = "<!-- 08 -->Security" },
     { body = "(.*[Ss]ecurity)|([Vv]uln)", group = "<!-- 08 -->Security" },
     { message = "([Cc]hore\\(lint\\))|(style)|(lint)|(codeql)|(golangci)", group = "<!-- 05 -->Code quality" },
-    { message = "(^[Dd]oc)|((?i)readme)|(badge)|(typo)|(documentation)", group = "<!-- 03 -->Documentation" },
+    { message = "(^[Dd]oc)|(README)|(readme)|(badge)|(typo)", group = "<!-- 03 -->Documentation" },
     { message = "(^[Ff]eat)|(^[Ee]nhancement)", group = "<!-- 00 -->Implemented enhancements" },
-    { message = "(^ci)|(\\(ci\\))|(fixup\\s+ci)|(fix\\s+ci)|(license)|(example)", group = "<!-- 07 -->Miscellaneous tasks" },
+    { message = "(^ci)|(\\(ci\\))|(fixup\\s+ci)|(fix\\s+ci)|(\\bCI\\b)|(license)|(example)", group = "<!-- 07 -->Miscellaneous tasks" },
     { message = "^test", group = "<!-- 06 -->Testing" },
     { message = "(^fix)|(panic)", group = "<!-- 01 -->Fixed bugs" },
-    { message = "(^refact)|(rework)", group = "<!-- 02 -->Refactor" },
+    { message = "(refact)|(rework)", group = "<!-- 02 -->Refactor" },
     { message = "(^[Pp]erf)|(performance)", group = "<!-- 04 -->Performance" },
     { message = "(^[Cc]hore)", group = "<!-- 07 -->Miscellaneous tasks" },
     { message = "^[Rr]evert", group = "<!-- 09 -->Reverted changes" },
     { message = "(upgrade.*?go)|(go\\s+version)", group = "<!-- 0A -->Updates" },
-    { message = ".*", group = "<!-- 0B -->Other" },
+    { message = ".*", group = "<!-- 0B -->Other (technical)" },
 ]
 # Exclude commits that are not matched by any commit parser.
 filter_commits = false

.github/workflows/TODO.md

@@ -0,0 +1 @@
+* collect-test-reports should only execute if lint is successful

.github/workflows/auto-merge.yml

@@ -133,7 +133,7 @@ jobs:
         run: gh pr review --approve "$PR_URL"
       -
         name: Wait for all workflow runs to complete
-        uses: go-openapi/gh-actions/ci-jobs/wait-pending-jobs@f7ed44020a2682556ac42fa9c210142495270354 # v1.4.5
+        uses: go-openapi/gh-actions/ci-jobs/wait-pending-jobs@f94d1f200adab8d24b37584e5f61795a6062421d # v1.4.6
         with:
           pr-url: ${{ env.PR_URL }}
           github-token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/bump-release-monorepo.yml

@@ -41,6 +41,14 @@ on:
         required: false
         type: string
         default: 'true'
+      enable-commit-signing:
+        description: |
+          Enable PGP commit-signing by a bot user (for mono-repo releases).
+
+          When enabled, you must pass the GPG secrets to this workflow.
+        required: false
+        type: string
+        default: 'true'
       cliff-config:
         type: string
         required: false
@@ -86,6 +94,22 @@ on:
 
           Required when enable-tag-signing is true.
         required: false
+      github-app-id:
+        description: |
+          GitHub App ID for bot user authentication.
+
+          Default for go-openapi: CI_BOT_APP_ID
+
+          Required to create pull requests as the bot user.
+        required: false
+      github-app-private-key:
+        description: |
+          GitHub App private key in PEM format.
+
+          Default for go-openapi: CI_BOT_APP_PRIVATE_KEY
+
+          Required to create pull requests as the bot user.
+        required: false
 
 jobs:
   detect-modules:
@@ -112,7 +136,7 @@ jobs:
       -
         name: Detect go mono-repo
         id: detect-monorepo
-        uses: go-openapi/gh-actions/ci-jobs/detect-go-monorepo@f7ed44020a2682556ac42fa9c210142495270354 # v1.4.5
+        uses: go-openapi/gh-actions/ci-jobs/detect-go-monorepo@f94d1f200adab8d24b37584e5f61795a6062421d # v1.4.6
 
   bump-release-single:
     name: Bump release (single module)
@@ -128,7 +152,10 @@ jobs:
       enable-tag-signing: ${{ inputs.enable-tag-signing }}
       cliff-config: ${{ inputs.cliff-config }}
       cliff-config-url: ${{ inputs.cliff-config-url }}
-    secrets: inherit
+    secrets:
+      gpg-private-key: ${{ secrets.gpg-private-key }}
+      gpg-passphrase: ${{ secrets.gpg-passphrase }}
+      gpg-fingerprint: ${{ secrets.gpg-fingerprint }}
 
   determine-next-tag:
     name: Determine next tag [monorepo]
@@ -168,7 +195,7 @@ jobs:
       -
         name: Determine next tag
         id: bump-release
-        uses: go-openapi/gh-actions/ci-jobs/next-tag@f7ed44020a2682556ac42fa9c210142495270354 # v1.4.5
+        uses: go-openapi/gh-actions/ci-jobs/next-tag@f94d1f200adab8d24b37584e5f61795a6062421d # v1.4.6
         with:
           bump-patch: ${{ steps.bump-check.outputs.bump-patch }}
           bump-minor: ${{ steps.bump-check.outputs.bump-minor }}
@@ -184,8 +211,13 @@ jobs:
     uses: ./.github/workflows/prepare-release-monorepo.yml
     with:
       target-tag: ${{ needs.determine-next-tag.outputs.next-tag }}
-      enable-commit-signing: 'true'
-    secrets: inherit
+      enable-commit-signing: ${{ inputs.enable-commit-signing }}
+    secrets:
+      github-app-id: ${{ secrets.github-app-id }}
+      github-app-private-key: ${{ secrets.github-app-private-key }}
+      gpg-private-key: ${{ secrets.gpg-private-key }}
+      gpg-passphrase: ${{ secrets.gpg-passphrase }}
+      gpg-fingerprint: ${{ secrets.gpg-fingerprint }}
 
   wait-for-merge:
     name: Wait for PR merge [monorepo]
@@ -198,11 +230,11 @@ jobs:
     steps:
       -
         name: Checkout repository
-        if: ${{ needs.prepare-modules.outputs.pull-request-operation != 'none' }}  # skip if no pull request to be waited
+        if: ${{ needs.prepare-modules.outputs.pull-request-operation  != 'none' && needs.prepare-modules.outputs.pull-request-operation != 'closed' }}
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       -
         name: Wait for PR to be merged
-        if: ${{ needs.prepare-modules.outputs.pull-request-operation != 'none' }}  # skip if no pull request to be waited
+        if: ${{ needs.prepare-modules.outputs.pull-request-operation  != 'none' && needs.prepare-modules.outputs.pull-request-operation != 'closed' }}
         run: |
           echo "::notice title=waiting-for-merge::Waiting for PR ${PR_URL} to be merged"
 
@@ -232,9 +264,16 @@ jobs:
       -
         name: Report status
         run: |
-          echo "::notice title=waiting-for-merge::Waiting for PR ${PR_URL} to be merged"
+          if [ -z "${PR_URL}" ] ; then
+            echo "::notice title=waiting-for-merge::No PR to be waited for. Proceed."
+          else
+            echo "::notice title=waiting-for-merge::Waiting for PR ${PR_URL} to be merged"
+          fi
+
           if [[ "${{ needs.prepare-modules.outputs.pull-request-operation }}" == "none" ]] ; then
             echo "::notice title=wait-for-pr::no pull request expected. Skipped waiting."
+          elif [[ "${{ needs.prepare-modules.outputs.pull-request-operation }}" == "closed" ]] ; then
+            echo "::notice title=wait-for-pr::pull request closed, assumed merged. Skipped waiting."
           else
             echo "::notice title=wait-for-pr::pull request merged. Can proceed with the tagging and release"
           fi
@@ -268,7 +307,7 @@ jobs:
       -
         name: Configure bot credentials
         if: ${{ inputs.enable-tag-signing == 'true' }}
-        uses: go-openapi/gh-actions/ci-jobs/bot-credentials@f7ed44020a2682556ac42fa9c210142495270354 # v1.4.5
+        uses: go-openapi/gh-actions/ci-jobs/bot-credentials@f94d1f200adab8d24b37584e5f61795a6062421d # v1.4.6
         # This is using the GPG signature of bot-go-openapi.
         #
         # For go-openapi repos (using secrets: inherit):
@@ -302,18 +341,26 @@ jobs:
 
           cd "${root}"
 
-          # Construct the tag message
+          # Construct the tag message.
+          # A blank line between title and body is required for git to
+          # distinguish %(contents:subject) from %(contents:body).
+          # Body lines use "|" as paragraph separator (workflow inputs
+          # do not support multiline strings).
           MESSAGE="${MESSAGE_TITLE}"
           if [[ -n "${MESSAGE_BODY}" ]] ; then
-            BODY=$(echo "${MESSAGE_BODY}"|tr '|' '\n')
-            MESSAGE=$(printf "%s\n%s\n" "${MESSAGE}" "${BODY}")
+            BODY=$(printf '%s' "${MESSAGE_BODY}" | sed 's/|/\n\n/g')
+            MESSAGE=$(printf "%s\n\n%s\n" "${MESSAGE}" "${BODY}")
           fi
 
           echo "::notice title=tag-message::Tagging all modules for ${NEXT_TAG}"
 
           SIGNED=""
           if [[ '${{ inputs.enable-tag-signing }}' == 'true' ]] ; then
              SIGNED="-s"
+          else
+             # whenever not signed, we need a DCO
+             git config --global user.name "bot-go-openapi"
+             git config --global user.email "gogatekeeper-openapi@yahoo.com"
           fi
 
           # Tag all modules

.github/workflows/bump-release.yml

@@ -114,15 +114,15 @@ jobs:
       -
         name: Determine next tag
         id: bump-release
-        uses: go-openapi/gh-actions/ci-jobs/next-tag@f7ed44020a2682556ac42fa9c210142495270354 # v1.4.5
+        uses: go-openapi/gh-actions/ci-jobs/next-tag@f94d1f200adab8d24b37584e5f61795a6062421d # v1.4.6
         with:
           bump-patch: ${{ steps.bump-check.outputs.bump-patch }}
           bump-minor: ${{ steps.bump-check.outputs.bump-minor }}
           bump-major: ${{ steps.bump-check.outputs.bump-major }}
       -
         name: Configure bot credentials
         if: ${{ inputs.enable-tag-signing == 'true' }}
-        uses: go-openapi/gh-actions/ci-jobs/bot-credentials@f7ed44020a2682556ac42fa9c210142495270354 # v1.4.5
+        uses: go-openapi/gh-actions/ci-jobs/bot-credentials@f94d1f200adab8d24b37584e5f61795a6062421d # v1.4.6
         # This is using the GPG signature of bot-go-openapi.
         #
         # For go-openapi repos (using secrets: inherit):
@@ -144,18 +144,26 @@ jobs:
           MESSAGE_TITLE: ${{ inputs.tag-message-title }}
           MESSAGE_BODY: ${{ inputs.tag-message-body }}
         run: |
-          # construct the tag message
+          # Construct the tag message.
+          # A blank line between title and body is required for git to
+          # distinguish %(contents:subject) from %(contents:body).
+          # Body lines use "|" as paragraph separator (workflow inputs
+          # do not support multiline strings).
           set -x
           MESSAGE="${MESSAGE_TITLE}"
           if [[ -n "${MESSAGE_BODY}" ]] ; then
-            BODY=$(echo "${MESSAGE_BODY}"|tr '|' '\n')
-            MESSAGE=$(printf "%s\n%s\n" "${MESSAGE}" "${BODY}")
+            BODY=$(printf '%s' "${MESSAGE_BODY}" | sed 's/|/\n\n/g')
+            MESSAGE=$(printf "%s\n\n%s\n" "${MESSAGE}" "${BODY}")
           fi
           echo "::notice title=tag-message::${MESSAGE}"
 
           SIGNED=""
           if [[ '${{ inputs.enable-tag-signing }}' == 'true' ]] ; then
              SIGNED="-s"
+          else
+             # whenever not signed, we need a DCO
+             git config --global user.name "bot-go-openapi"
+             git config --global user.email "gogatekeeper-openapi@yahoo.com"
           fi
 
           git tag "${SIGNED}" -m "${MESSAGE}" "${NEXT_TAG}"

.github/workflows/collect-reports.yml

@@ -32,7 +32,7 @@ jobs:
           path: reports/
       -
         name: Install go-junit-report
-        uses: go-openapi/gh-actions/install/go-junit-report@f7ed44020a2682556ac42fa9c210142495270354 # v1.4.5
+        uses: go-openapi/gh-actions/install/go-junit-report@f94d1f200adab8d24b37584e5f61795a6062421d # v1.4.6
       -
         name: Convert test reports to a merged JUnit XML
         # NOTE: codecov test reports only support JUnit format at this moment. See https://docs.codecov.com/docs/test-analytics.
@@ -57,7 +57,7 @@ jobs:
           verbose: true
       -
         name: Install go-ctrf-json-reporter
-        uses: go-openapi/gh-actions/install/go-ctrf-json-reporter@f7ed44020a2682556ac42fa9c210142495270354 # v1.4.5
+        uses: go-openapi/gh-actions/install/go-ctrf-json-reporter@f94d1f200adab8d24b37584e5f61795a6062421d # v1.4.6
       -
         name: Convert test reports to CTRF JSON
         # description: |

.github/workflows/contributors.yml

@@ -80,7 +80,7 @@ jobs:
           rm -rf contributors.json
           mv contributors.md CONTRIBUTORS.md
       - name: Configure bot credentials
-        uses: go-openapi/gh-actions/ci-jobs/bot-credentials@f7ed44020a2682556ac42fa9c210142495270354 # v1.4.5
+        uses: go-openapi/gh-actions/ci-jobs/bot-credentials@f94d1f200adab8d24b37584e5f61795a6062421d # v1.4.6
         id: bot-credentials
         # For go-openapi repos (using secrets: inherit):
         #   Falls back to: CI_BOT_APP_ID, CI_BOT_APP_PRIVATE_KEY, CI_BOT_GPG_PRIVATE_KEY, etc.
@@ -145,7 +145,7 @@ jobs:
       - name: Auto-approve PR
         run: gh pr review --approve "$PR_URL"
       - name: Wait for all workflow runs to complete
-        uses: go-openapi/gh-actions/ci-jobs/wait-pending-jobs@f7ed44020a2682556ac42fa9c210142495270354 # v1.4.5
+        uses: go-openapi/gh-actions/ci-jobs/wait-pending-jobs@f94d1f200adab8d24b37584e5f61795a6062421d # v1.4.6
         with:
           pr-url: ${{ env.PR_URL }}
           github-token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/go-test-monorepo.yml

@@ -42,7 +42,7 @@ jobs:
       -
         name: Detect go mono-repo
         id: detect-monorepo
-        uses: go-openapi/gh-actions/ci-jobs/detect-go-monorepo@f7ed44020a2682556ac42fa9c210142495270354 # v1.4.5
+        uses: go-openapi/gh-actions/ci-jobs/detect-go-monorepo@f94d1f200adab8d24b37584e5f61795a6062421d # v1.4.6
       -
         name: golangci-lint [monorepo]
         # golangci-action v9.1+ has an experimental built-in mono repo detection setup.
@@ -111,10 +111,10 @@ jobs:
       -
         name: Detect go version capabilities
         id: detect-go-version
-        uses: go-openapi/gh-actions/ci-jobs/detect-go-version@f7ed44020a2682556ac42fa9c210142495270354 # v1.4.5
+        uses: go-openapi/gh-actions/ci-jobs/detect-go-version@f94d1f200adab8d24b37584e5f61795a6062421d # v1.4.6
       -
         name: Install gotestsum
-        uses: go-openapi/gh-actions/install/gotestsum@f7ed44020a2682556ac42fa9c210142495270354 # v1.4.5
+        uses: go-openapi/gh-actions/install/gotestsum@f94d1f200adab8d24b37584e5f61795a6062421d # v1.4.6
       -
         name: Ensure TMP is created on windows runners
         # On windows, some tests require testing.TempDir to reside on the same drive as the code.

.github/workflows/go-test.yml

@@ -58,7 +58,7 @@ jobs:
           cache: true
       -
         name: Install gotestsum
-        uses: go-openapi/gh-actions/install/gotestsum@f7ed44020a2682556ac42fa9c210142495270354 # v1.4.5
+        uses: go-openapi/gh-actions/install/gotestsum@f94d1f200adab8d24b37584e5f61795a6062421d # v1.4.6
       -
         name: Ensure TMP is created on windows runners
         # On windows, some tests require testing.TempDir to reside on the same drive as the code.