fix

Author: el-virt

.github/release-please/release-please-config.main.json

@@ -0,0 +1,51 @@
+{
+    "$schema": "https://raw.githubusercontent.com/googleapis/release-please/main/schemas/config.json",
+    "bump-minor-pre-major": true,
+    "versioning": "always-bump-minor",
+    "group-pull-request-title-pattern": "chore(${branch}): release ${version}",
+    "packages": {
+        ".": {
+            "release-type": "simple",
+            "extra-files": [
+                {
+                    "type": "generic",
+                    "path": "Makefile"
+                },
+                {
+                    "type": "json",
+                    "path": "cli/package.json",
+                    "jsonpath": "$.dependencies['@opentdf/sdk']"
+                },
+                {
+                    "type": "json",
+                    "path": "cli/package.json",
+                    "jsonpath": "$.version"
+                },
+                {
+                    "type": "json",
+                    "path": "web-app/package.json",
+                    "jsonpath": "$.dependencies['@opentdf/sdk']"
+                },
+                {
+                    "type": "json",
+                    "path": "web-app/package.json",
+                    "jsonpath": "$.version"
+                },
+                {
+                    "type": "json",
+                    "path": "web-app/package.json",
+                    "jsonpath": "$.scripts.rebuild"
+                },
+                {
+                    "type": "generic",
+                    "path": "lib/src/version.ts"
+                },
+                {
+                    "type": "json",
+                    "path": "lib/package.json",
+                    "jsonpath": "$.version"
+                }
+            ]
+        }
+    }
+}

.github/release-please/release-please-config.release_branches.json

@@ -0,0 +1,51 @@
+{
+    "$schema": "https://raw.githubusercontent.com/googleapis/release-please/main/schemas/config.json",
+    "bump-minor-pre-major": true,
+    "versioning": "always-bump-patch",
+    "group-pull-request-title-pattern": "chore(${branch}): release ${version}",
+    "packages": {
+        ".": {
+            "release-type": "simple",
+            "extra-files": [
+                {
+                    "type": "generic",
+                    "path": "Makefile"
+                },
+                {
+                    "type": "json",
+                    "path": "cli/package.json",
+                    "jsonpath": "$.dependencies['@opentdf/sdk']"
+                },
+                {
+                    "type": "json",
+                    "path": "cli/package.json",
+                    "jsonpath": "$.version"
+                },
+                {
+                    "type": "json",
+                    "path": "web-app/package.json",
+                    "jsonpath": "$.dependencies['@opentdf/sdk']"
+                },
+                {
+                    "type": "json",
+                    "path": "web-app/package.json",
+                    "jsonpath": "$.version"
+                },
+                {
+                    "type": "json",
+                    "path": "web-app/package.json",
+                    "jsonpath": "$.scripts.rebuild"
+                },
+                {
+                    "type": "generic",
+                    "path": "lib/src/version.ts"
+                },
+                {
+                    "type": "json",
+                    "path": "lib/package.json",
+                    "jsonpath": "$.version"
+                }
+            ]
+        }
+    }
+}

.github/release-please/release-please-manifest.json

@@ -0,0 +1,3 @@
+{
+  ".": "0.3.2"
+}

.github/workflows/backport.yaml

@@ -0,0 +1,29 @@
+name: "Backport merged pull request"
+on:
+  pull_request:
+    types: [closed]
+  issue_comment:
+    types: [created]
+
+# Default empty permissions for all jobs
+permissions: {}
+
+jobs:
+  backport:
+    permissions:
+      contents: write
+      pull-requests: write
+      id-token: write
+    if: |
+      (
+        github.event_name == 'pull_request' &&
+        github.event.pull_request.merged
+      ) || (
+        github.event_name == 'issue_comment' &&
+        github.event.issue.pull_request &&
+        startsWith(github.event.comment.body, '/backport')
+      )
+    uses: opentdf/platform/.github/workflows/reusable_backport.yaml@main
+    secrets:
+      APP_ID: ${{ secrets.APP_ID }}
+      AUTOMATION_KEY: ${{ secrets.AUTOMATION_KEY }}

.github/workflows/build.yaml renamed to .github/workflows/build-and-test.yaml

@@ -1,14 +1,17 @@
 name: "Build and Test Client"
 
+env:
+  do_sonarscan: >-
+    ${{ (github.event_name == 'push' ||
+      github.event.pull_request.head.repo.full_name == github.repository) &&
+      github.actor != 'dependabot[bot]' }}
+
 on:
   pull_request:
   push:
     branches:
       - main
-      - release/[0-9]+.[0-9]+.[0-9]+
-  release:
-    types:
-      - created
+      - "release/**"
 jobs:
   ccc:
     runs-on: ubuntu-latest
@@ -235,5 +238,14 @@ jobs:
     runs-on: ubuntu-22.04
     if: ${{ !cancelled() }}
     steps:
-      - if: contains(needs.*.result, 'failure')
-        run: echo "Failed due to ${{ contains(needs.*.result, 'failure') }}" && exit 1
+
+      - name: "All jobs succeeded"
+        id: success
+        if: ${{ contains(needs.*.result, 'success') }}
+        run: |
+          :
+
+      - name: "One or more jobs failed"
+        if: ${{ contains(needs.*.result, 'failure') }}
+        run: |
+          exit 1

.github/workflows/create-release-branch.yaml

@@ -0,0 +1,18 @@
+name: "Create Release Branch"
+
+on:
+  release:
+    types: [released]
+
+# Default empty permissions for all jobs
+permissions: {}
+
+jobs:
+  create-release-branch:
+    if: ${{ endsWith(github.event.release.tag_name, '.0') }}
+    permissions:
+      id-token: write
+    uses: opentdf/platform/.github/workflows/reusable_create-release-branch.yaml@main
+    secrets:
+      APP_ID: ${{ secrets.APP_ID }}
+      AUTOMATION_KEY: ${{ secrets.AUTOMATION_KEY }}

.github/workflows/deliver.yaml

@@ -4,7 +4,7 @@ on:
   push:
     branches:
       - main
-      - release/[0-9]+.[0-9]+.[0-9]+
+      - "release/**"
   release:
     types:
       - created
@@ -14,15 +14,17 @@ permissions: {}
 
 jobs:
   deliver-ghp:
+    permissions:
+      contents: read
+      packages: write
+      pages: write
     runs-on: ubuntu-latest
-    outputs:
-      FULL_VERSION: ${{ steps.guess-build-metadata.outputs.FULL_VERSION }}
-      DIST_TAG: ${{ steps.guess-build-metadata.outputs.DIST_TAG }}
-      TARGET_VERSION: ${{ steps.check-version.outputs.TARGET_VERSION }}
 
     steps:
       - name: "Checkout repo"
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
 
       - name: "Setup node"
         uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4.3.0
@@ -49,7 +51,7 @@ jobs:
           FULL_VERSION=$(.github/workflows/gh-semver.sh)
           DIST_TAG=$(.github/workflows/guess-dist-tag.sh)
 
-          echo "FULL_VERSION=FULL_VERSION" >> "$GITHUB_OUTPUT"
+          echo "FULL_VERSION=$FULL_VERSION" >> "$GITHUB_OUTPUT"
           echo "DIST_TAG=$DIST_TAG" >> "$GITHUB_OUTPUT"
 
       - name: "Run: make doc"
@@ -66,7 +68,7 @@ jobs:
           as $DIST_TAG \
           with version=[$FULL_VERSION]"
 
-      - name: "Publish to GitHub Packages"
+      - name: "Deliver to GitHub Packages"
         env:
           DIST_TAG: ${{ steps.guess-build-metadata.outputs.DIST_TAG }}
           FULL_VERSION: ${{ steps.guess-build-metadata.outputs.FULL_VERSION }}
@@ -88,15 +90,17 @@ jobs:
           folder: lib/dist/docs
 
   deliver-npmjs:
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
-    needs: deliver-ghp
     steps:
       - name: "Checkout repo"
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
 
       - name: "Setup node"
         uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4.3.0
-
         with:
           node-version: "22"
           registry-url: "https://registry.npmjs.org"
@@ -105,20 +109,29 @@ jobs:
         run: |
           make all
 
-      - name: "Publish to npmjs"
+      - name: "Output build metadata"
+        id: guess-build-metadata
+        run: |
+          FULL_VERSION=$(.github/workflows/gh-semver.sh)
+          DIST_TAG=$(.github/workflows/guess-dist-tag.sh)
+
+          echo "FULL_VERSION=$FULL_VERSION" >> "$GITHUB_OUTPUT"
+          echo "DIST_TAG=$DIST_TAG" >> "$GITHUB_OUTPUT"
+
+      - name: "Deliver to npmjs"
         env:
+          DIST_TAG: ${{ steps.guess-build-metadata.outputs.DIST_TAG }}
+          FULL_VERSION: ${{ steps.guess-build-metadata.outputs.FULL_VERSION }}
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
-          FULL_VERSION: ${{ needs.deliver-ghp.outputs.FULL_VERSION }}
-          DIST_TAG: ${{ needs.deliver-ghp.outputs.DIST_TAG }}
         run: |
           bash scripts/deliver-to-npm-registry.sh "$FULL_VERSION" "$DIST_TAG"
 
       - name: "Echo info to Run Summary"
         env:
-          FULL_VERSION: ${{ needs.deliver-ghp.outputs.FULL_VERSION }}
+          FULL_VERSION: ${{ steps.guess-build-metadata.outputs.FULL_VERSION }}
         run: |
           {
           echo "- [Client Library](https://www.npmjs.com/package/@opentdf/sdk/v/$FULL_VERSION)"
-          echo "- [Command Line Tool](https://www.npmjs.com/package/@opentdf/ctl/v/FULL_VERSION)"
+          echo "- [Command Line Tool](https://www.npmjs.com/package/@opentdf/ctl/v/$FULL_VERSION)"
           echo "- [unpkg](https://unpkg.com/browse/@opentdf/sdk@$FULL_VERSION)"
           } >>"$GITHUB_STEP_SUMMARY"

.github/workflows/release.yaml

@@ -1,13 +1,11 @@
-name: "Release"
+name: Release
 
 on:
-  workflow_call: {}
   push:
     branches:
       - main
-      - "release/*"
+      - "release/**"
 
-# Default empty permissions for all jobs
 permissions: {}
 
 jobs:
@@ -16,3 +14,36 @@ jobs:
       contents: write
       pull-requests: write
     uses: opentdf/platform/.github/workflows/reusable_release-please.yaml@main
+    secrets:
+      APP_ID: ${{ secrets.APP_ID }}
+      AUTOMATION_KEY: ${{ secrets.AUTOMATION_KEY }}
+
+  update-dependencies:
+    if: ${{ needs.release-please.outputs.prs_created == 'true' }}
+    needs: release-please
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+    steps:
+      - name: "Generate a token"
+        id: generate-token
+        uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
+        with:
+          app-id: ${{ secrets.APP_ID }}
+          private-key: ${{ secrets.AUTOMATION_KEY }}
+
+      - name: "Checkout repo"
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: true
+          ref: ${{ fromJSON(needs.release-please.outputs.prs)[0].headBranchName }}
+
+      - name: "Update dependencies"
+        run: |
+          git config --global user.name "opentdf-automation[bot]"
+          git config --global user.email "149537512+opentdf-automation[bot]@users.noreply.github.com"
+          make all
+          git add .
+          git commit -m "Update dependencies"
+          git push

Makefile

@@ -1,5 +1,7 @@
 
+# x-release-please-start-version
 version=0.3.2
+# x-release-please-end
 extras=cli web-app
 pkgs=lib $(extras)