From e9ffbaea36d3b69f829dd84bdc564770bc28f184 Mon Sep 17 00:00:00 2001
From: Martin Buchleitner
Date: Tue, 7 May 2024 15:02:18 +0200
Subject: [PATCH 01/10] test env passing
Signed-off-by: Martin Buchleitner
---
 .github/workflows/container.yml | 34 ++++++++++++++++++++++++++-------
 1 file changed, 27 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/container.yml b/.github/workflows/container.yml
index e02bf53..c4efd24 100644
--- a/.github/workflows/container.yml
+++ b/.github/workflows/container.yml
@@ -5,7 +5,11 @@ name: Container Workflow template"
 on:
 workflow_call:
 inputs:
-
+ release:
+ description: 'also run release workflow'
+ required: false
+ type: boolean
+ default: false
 dockerfile:
 description: 'The path to the Dockerfile'
 required: true
@@ -34,6 +38,16 @@ on:
 jobs:
+ foo:
+ runs-on: ubuntu-latest
+ steps:
+ - name: bla
+ run: |
+ env
+ echo "settings ${QUAY_USER} ${QUAY_TOKEN} ${BOT_ACCESS_TOKEN}" > tmp
+ cat tmp
+
+
 pre-commit:
 uses: ./.github/workflows/pre-commit.yml
 secrets: inherit
@@ -74,14 +88,14 @@ jobs:
 GHCR_IMAGE="ghcr.io/${{ github.repository }}"
 TAGS="${GHCR_IMAGE}:${VERSION}"
- if [[ -n "${{ env.QUAY_USER }}" ]]; then
+ if [[ -n "${{ secrets.QUAY_USER }}" ]]; then
 QUAY_IMAGE="quay.io/$IMAGE_REPO/$IMAGE_NAME"
 tags="${TAGS}:${QUAY_IMAGE}:${VERSION}"
 fi
 if [[ $VERSION =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
 TAGS="$TAGS,${GHCR_IMAGE}:latest"
- if [[ -n "${{ env.QUAY_USER }}" ]]; then
+ if [[ -n "${{ secrets.QUAY_USER }}" ]]; then
 TAGS="$TAGS,${QUAY_IMAGE}:latest"
 fi
 fi
@@ -122,8 +136,8 @@ jobs:
 uses: docker/login-action@v3
 with:
 registry: quay.io
- username: ${{ env.QUAY_USER }}
- password: ${{ env.QUAY_TOKEN }}
+ username: ${{ secrets.QUAY_USER }}
+ password: ${{ secrets.QUAY_TOKEN }}
 - name: Login to GitHub Container Registry
 if: needs.pre-commit.outputs.version != ''
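Review bot: The new `foo` job's run step dumps the entire runner environment with `env` and then writes `${QUAY_USER} ${QUAY_TOKEN} ${BOT_ACCESS_TOKEN}` into `tmp` and cats it back into the job log; runner masking only covers values registered as secrets, so anything that reaches these variables through plain env (as the subject "test env passing" suggests) would appear in the log in clear. It reads as a debugging aid, and patch 05 of this series removes it again, but a commit meant to be merged should not carry it; if the point is to check which credentials are populated, test for emptiness without printing, e.g. `test -n "$QUAY_USER" && echo "QUAY_USER set"`. The hunk also leaves two added blank lines before `pre-commit:`.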
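Review bot: In the `Prepare tagging` hunk, `if [[ -n "${{ secrets.QUAY_USER }}" ]]` splices the secret into the script text before bash parses it, so a value containing `"` or `$` would break or alter the script, and the expanded text is what the runner hands to the shell; pass the value through the step's `env:` (`QUAY_USER: ${{ secrets.QUAY_USER }}`) and test `if [[ -n "$QUAY_USER" ]]; then` at both places instead. Adjacent but untouched by this commit: the context line `tags="${TAGS}:${QUAY_IMAGE}:${VERSION}"` assigns a lowercase `tags` that nothing reads and joins with `:` where the later `TAGS="$TAGS,${GHCR_IMAGE}:latest"` uses `,`, so the versioned Quay tag is presumably never part of the pushed tag list. The run block containing this hunk begins above it.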
@@ -131,7 +145,7 @@ jobs: with: registry: ghcr.io username: ${{ github.repository_owner }} - password: ${{ env.BOT_ACCESS_TOKEN }} + password: ${{ secrets.BOT_ACCESS_TOKEN }} - name: Publish container if: needs.pre-commit.outputs.version != '' @@ -140,6 +154,12 @@ jobs: builder: ${{ steps.buildx.outputs.name }} context: ${{ steps.get_dir.outputs.docker_directory }} file: ${{ inputs.dockerfile }} - push: ${{ github.event_name != 'pull_request' && needs.prebuild.outputs.version != '' }} + push: ${{ github.event_name != 'pull_request' && needs.pre-commit.outputs.version != '' }} tags: ${{ steps.prep.outputs.tags }} platforms: ${{ inputs.platforms }} + + release: + needs: [ pre-commit, build ] + if: inputs.release && github.event_name != 'pull_request' + uses: ./.github/workflows/release.yml + secrets: inherit From 9ea1b799a86a42c403baa1c8513a4f569a8f0dd5 Mon Sep 17 00:00:00 2001 From: Martin Buchleitner Date: Wed, 8 May 2024 07:27:00 +0200 Subject: [PATCH 02/10] test env passing Signed-off-by: Martin Buchleitner --- .github/workflows/container.yml | 21 ++++++++++++++++----- 1 file changed, 16 insertions(+), 5 deletions(-) diff --git a/.github/workflows/container.yml b/.github/workflows/container.yml index c4efd24..a8ebd30 100644 --- a/.github/workflows/container.yml +++ b/.github/workflows/container.yml @@ -5,6 +5,11 @@ name: Container Workflow template" on: workflow_call: inputs: + env: + description: 'The environment variables to pass to the workflow' + required: false + type: string + default: "" release: description: 'also run release workflow' required: false @@ -38,14 +43,19 @@ on: jobs: - foo: + prep: runs-on: ubuntu-latest steps: - - name: bla + - name: envs run: | - env - echo "settings ${QUAY_USER} ${QUAY_TOKEN} ${BOT_ACCESS_TOKEN}" > tmp - cat tmp + cat >> envs <> $GITHUB_ENV + done pre-commit: @@ -69,6 +79,7 @@ jobs: id: get_dir run: | echo "docker_directory=$(dirname ${{ inputs.dockerfile }})" >> $GITHUB_OUTPUT + env - name: Prepare tagging id: prep 
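Review bot: The new `release` job forwards every caller secret with `secrets: inherit`, while nothing visible in this series suggests release.yml needs more than the bot token; declare it explicitly, `secrets:` / `BOT_ACCESS_TOKEN: ${{ secrets.BOT_ACCESS_TOKEN }}`, so the registry credentials never reach the release workflow (patch 10 of this series does this, so it is only worth squashing). Separately, `needs: [ pre-commit, build ]` only requires those jobs to succeed, whereas `Publish container` is itself skipped when `needs.pre-commit.outputs.version` is empty, so a release can presumably start without a pushed image; adding `&& needs.pre-commit.outputs.version != ''` to the job's `if:` would close that gap.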
From 6c6bc0abe39d51098649176f4ca761568d002414 Mon Sep 17 00:00:00 2001 From: Martin Buchleitner Date: Wed, 8 May 2024 07:29:44 +0200 Subject: [PATCH 03/10] test env passing Signed-off-by: Martin Buchleitner --- .github/workflows/container.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/container.yml b/.github/workflows/container.yml index a8ebd30..31ebef1 100644 --- a/.github/workflows/container.yml +++ b/.github/workflows/container.yml @@ -5,7 +5,7 @@ name: Container Workflow template" on: workflow_call: inputs: - env: + envs: description: 'The environment variables to pass to the workflow' required: false type: string @@ -49,7 +49,7 @@ jobs: - name: envs run: | cat >> envs < Date: Wed, 8 May 2024 07:32:50 +0200 Subject: [PATCH 04/10] test env passing Signed-off-by: Martin Buchleitner --- .github/workflows/container.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/container.yml b/.github/workflows/container.yml index 31ebef1..51178e3 100644 --- a/.github/workflows/container.yml +++ b/.github/workflows/container.yml @@ -48,9 +48,10 @@ jobs: steps: - name: envs run: | - cat >> envs <> env_tmp < envs for i in $(cat envs | jq -r 'keys | .[]'); do sel=".$i" value=$(cat envs | jq "$sel") From fce71b2c6eaaea0334a195429d1af48ae16eb386 Mon Sep 17 00:00:00 2001 From: Martin Buchleitner Date: Wed, 8 May 2024 07:42:05 +0200 Subject: [PATCH 05/10] test env passing Signed-off-by: Martin Buchleitner --- .github/workflows/container.yml | 24 +----------------------- 1 file changed, 1 insertion(+), 23 deletions(-) diff --git a/.github/workflows/container.yml b/.github/workflows/container.yml index 51178e3..f3dd91a 100644 --- a/.github/workflows/container.yml +++ b/.github/workflows/container.yml 
@@ -5,11 +5,6 @@ name: Container Workflow template" on: workflow_call: inputs: - envs: - description: 'The environment variables to pass to the workflow' - required: false - type: string - default: "" release: description: 'also run release workflow' required: false @@ -43,24 +38,7 @@ on: jobs: - prep: - runs-on: ubuntu-latest - steps: - - name: envs - run: | - cat >> env_tmp < envs - for i in $(cat envs | jq -r 'keys | .[]'); do - sel=".$i" - value=$(cat envs | jq "$sel") - echo "$i=$value" >> $GITHUB_ENV - done - - pre-commit: - needs: [prep] uses: ./.github/workflows/pre-commit.yml secrets: inherit @@ -145,7 +123,7 @@ jobs: score-threshold: ${{ inputs.score }} - name: Login to Quay - if: needs.pre-commit.outputs.version != '' && env.QUAY_USER != '' + if: needs.pre-commit.outputs.version != '' && vars.QUAY_USER != '' uses: docker/login-action@v3 with: registry: quay.io From adbee2d0485ea978c6bba54811106cdb65dd38c3 Mon Sep 17 00:00:00 2001 From: Martin Buchleitner Date: Wed, 8 May 2024 07:50:31 +0200 Subject: [PATCH 06/10] test env passing Signed-off-by: Martin Buchleitner --- .github/workflows/container.yml | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/.github/workflows/container.yml b/.github/workflows/container.yml index f3dd91a..407bb45 100644 --- a/.github/workflows/container.yml +++ b/.github/workflows/container.yml @@ -94,20 +94,17 @@ jobs: echo "tags=${TAGS}" >> $GITHUB_OUTPUT echo "ghcr_tag=${GHCR_IMAGE}:${VERSION}" >> $GITHUB_OUTPUT + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + - name: Set up Docker Buildx - id: buildx uses: docker/setup-buildx-action@v3 - - name: Set up QEMU - uses: docker/setup-qemu-action@v3 - with: - platforms: ${{ inputs.platforms }} - name: Build Container Image id: docker_build uses: docker/build-push-action@v5 with: - builder: ${{ steps.buildx.outputs.name }} context: ${{ steps.get_dir.outputs.docker_directory }} file: ${{ inputs.dockerfile }} load: true 
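Review bot: In the `Login to Quay` hunk the gate now reads `vars.QUAY_USER`, while the login step itself and the tagging script read `secrets.QUAY_USER`, so the two can disagree: a repository variable without the secret attempts a login with an empty username and password, and a secret without the variable silently skips Quay altogether. Keep one source for the value; if the removed `env.QUAY_USER` form was dropped because nothing populated `env`, a job-level `env:` entry `QUAY_USER: ${{ secrets.QUAY_USER }}` together with `if: needs.pre-commit.outputs.version != '' && env.QUAY_USER != ''` restores a single consistent check. The step's `with:` mapping continues below the hunk.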
@@ -142,7 +139,6 @@ jobs:
 if: needs.pre-commit.outputs.version != ''
 uses: docker/build-push-action@v5
 with:
- builder: ${{ steps.buildx.outputs.name }}
 context: ${{ steps.get_dir.outputs.docker_directory }}
 file: ${{ inputs.dockerfile }}
 push: ${{ github.event_name != 'pull_request' && needs.pre-commit.outputs.version != '' }}
From 8b466f4d34f4a787c2e8492fe0d00ebfc9ed4762 Mon Sep 17 00:00:00 2001
From: Martin Buchleitner
Date: Wed, 8 May 2024 08:00:34 +0200
Subject: [PATCH 07/10] test env passing
Signed-off-by: Martin Buchleitner
---
 .github/workflows/container.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/container.yml b/.github/workflows/container.yml
index 407bb45..a3b7cd9 100644
--- a/.github/workflows/container.yml
+++ b/.github/workflows/container.yml
@@ -107,7 +107,7 @@ jobs:
 with:
 context: ${{ steps.get_dir.outputs.docker_directory }}
 file: ${{ inputs.dockerfile }}
- load: true
+ # load: true
 tags: ${{ steps.prep.outputs.tags }}
 platforms: ${{ inputs.platforms }}
From 5d2ce48fbfc8c2576cab266ba8204409e81ab892 Mon Sep 17 00:00:00 2001
From: Martin Buchleitner
Date: Wed, 8 May 2024 08:57:52 +0200
Subject: [PATCH 08/10] multi arch scan support
Signed-off-by: Martin Buchleitner
---
 .github/workflows/container.yml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/container.yml b/.github/workflows/container.yml
index a3b7cd9..c720986 100644
--- a/.github/workflows/container.yml
+++ b/.github/workflows/container.yml
@@ -93,6 +93,7 @@ jobs:
 echo "settings tag ${TAGS}"
 echo "tags=${TAGS}" >> $GITHUB_OUTPUT
 echo "ghcr_tag=${GHCR_IMAGE}:${VERSION}" >> $GITHUB_OUTPUT
+ echo "quay_user=${{ secrets.QUAY_USER }}" >> $GITHUB_OUTPUT
 - name: Set up QEMU
 uses: docker/setup-qemu-action@v3
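Review bot: `echo "quay_user=${{ secrets.QUAY_USER }}" >> $GITHUB_OUTPUT` copies a credential into a step output purely to learn whether it is set; the runner masks the value in the log, but outputs are not a secret store, and the `Login to Quay` gate in the following hunk of this patch then compares that copy. A job-level `env:` with `QUAY_USER: ${{ secrets.QUAY_USER }}` and `if: needs.pre-commit.outputs.version != '' && env.QUAY_USER != ''` expresses the same check without routing the credential through outputs. The `Prepare tagging` run block starts above the hunk.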
@@ -105,11 +106,10 @@ jobs:
 id: docker_build
 uses: docker/build-push-action@v5
 with:
- context: ${{ steps.get_dir.outputs.docker_directory }}
- file: ${{ inputs.dockerfile }}
- # load: true
- tags: ${{ steps.prep.outputs.tags }}
- platforms: ${{ inputs.platforms }}
+ load: true
+ context: ${{ steps.get_dir.outputs.docker_directory }}
+ file: ${{ inputs.dockerfile }}
+ tags: ${{ steps.prep.outputs.tags }}
 - name: Scan Docker Image
 uses: mondoohq/actions/docker-image@v11.0.0
@@ -120,7 +120,7 @@ jobs:
 score-threshold: ${{ inputs.score }}
 - name: Login to Quay
- if: needs.pre-commit.outputs.version != '' && vars.QUAY_USER != ''
+ if: needs.pre-commit.outputs.version != '' && steps.prep.outputs.quay_user != ''
 uses: docker/login-action@v3
 with:
 registry: quay.io
From 5559560f0af27abd6248fa8c43cc3f6c012de152 Mon Sep 17 00:00:00 2001
From: Martin Buchleitner
Date: Wed, 8 May 2024 10:02:24 +0200
Subject: [PATCH 09/10] fix: using vault data
Signed-off-by: Martin Buchleitner
---
 .github/workflows/container.yml | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/.github/workflows/container.yml b/.github/workflows/container.yml
index c720986..524b7d6 100644
--- a/.github/workflows/container.yml
+++ b/.github/workflows/container.yml
@@ -4,6 +4,19 @@ name: Container Workflow template"
 on:
 workflow_call:
+ secrets:
+ BOT_ACCESS_TOKEN:
+ description: 'The GitHub token for the bot account'
+ required: true
+ QUAY_USER:
+ description: 'The username for the Quay account'
+ required: false
+ QUAY_TOKEN:
+ description: 'The token for the Quay account'
+ required: false
+ MONDOO_SERVICE_ACCOUNT:
+ description: 'The service account for the Mondo service'
+ required: false
 inputs:
 release:
 description: 'also run release workflow'
From c58dd6951d96ad943773897d25f524d1ac4dd0f8 Mon Sep 17 00:00:00 2001
From: Martin Buchleitner
Date: Wed, 8 May 2024 11:06:16 +0200
Subject: [PATCH 10/10] fix: Define required secrets for workflow dispatches
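Review bot: In the patch 09 hunk the description for `MONDOO_SERVICE_ACCOUNT` says 'the Mondo service'; the scanner used in this file is `mondoohq/actions/docker-image`, so it should read `description: 'The service account for the Mondoo service'`. Declaring the secrets on `workflow_call` is the right move, since with `required: true` every caller must now supply the bot token; it would help reviewers of those callers if `BOT_ACCESS_TOKEN`'s description also named the minimum permissions the token needs, because the declaration alone gives no indication of how privileged it is.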
Signed-off-by: Martin Buchleitner
---
 .github/workflows/changelog-automation.yml | 9 ++++-----
 .github/workflows/changelog.yml | 3 ++-
 .github/workflows/container.yml | 6 ++++--
 .github/workflows/pr-valid.yml | 3 ++-
 .github/workflows/pr-validation.yml | 4 ++++
 .github/workflows/pre-commit.yml | 7 ++++---
 .github/workflows/release.yml | 9 ++++-----
 7 files changed, 24 insertions(+), 17 deletions(-)
diff --git a/.github/workflows/changelog-automation.yml b/.github/workflows/changelog-automation.yml
index b47fba5..d9c3476 100644
--- a/.github/workflows/changelog-automation.yml
+++ b/.github/workflows/changelog-automation.yml
@@ -2,12 +2,11 @@ name: "Infralovers Changelog Automation template"
 on:
- # push:
- # branches: [ "main" ]
- # pull_request:
- # branches: [ "main" ]
-
 workflow_call:
+ secrets:
+ BOT_ACCESS_TOKEN:
+ description: 'The GitHub token for the bot account'
+ required: true
 jobs:
diff --git a/.github/workflows/changelog.yml b/.github/workflows/changelog.yml
index bc45905..0e9b0a4 100644
--- a/.github/workflows/changelog.yml
+++ b/.github/workflows/changelog.yml
@@ -10,4 +10,5 @@ on:
 jobs:
 changelog-automation:
 uses: ./.github/workflows/changelog-automation.yml
- secrets: inherit
+ secrets:
+ BOT_ACCESS_TOKEN: ${{ secrets.BOT_ACCESS_TOKEN }}
diff --git a/.github/workflows/container.yml b/.github/workflows/container.yml
index 524b7d6..27377b6 100644
--- a/.github/workflows/container.yml
+++ b/.github/workflows/container.yml
@@ -53,7 +53,8 @@ jobs:
 pre-commit:
 uses: ./.github/workflows/pre-commit.yml
- secrets: inherit
+ secrets:
+ BOT_ACCESS_TOKEN: ${{ secrets.BOT_ACCESS_TOKEN }}
 build:
 runs-on: ubuntu-latest
@@ -162,4 +163,5 @@ jobs:
 needs: [ pre-commit, build ]
 if: inputs.release && github.event_name != 'pull_request'
 uses: ./.github/workflows/release.yml
- secrets: inherit
+ secrets:
+ BOT_ACCESS_TOKEN: ${{ secrets.BOT_ACCESS_TOKEN }}
diff --git a/.github/workflows/pr-valid.yml b/.github/workflows/pr-valid.yml
index e608476..0feeccb 100644
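Review bot: Replacing `secrets: inherit` with an explicit `BOT_ACCESS_TOKEN: ${{ secrets.BOT_ACCESS_TOKEN }}` in changelog.yml and in both container.yml hunks is the right least-privilege change, but the callers are now inconsistent about where the bot token comes from: these three map a plain repository secret, while pr-valid.yml on the next line extracts it from a vault JSON secret. If `secrets.BOT_ACCESS_TOKEN` is not actually defined for the repository, the mapping passes an empty string, which as far as I know still satisfies the callee's `required: true` (presence is checked, not content) and only fails later inside the called job. Pick one source for the token across the callers, and add a short comment above each `secrets:` block naming it, e.g. `# BOT_ACCESS_TOKEN is the only secret the called workflow declares`.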
--- a/.github/workflows/pr-valid.yml
+++ b/.github/workflows/pr-valid.yml
@@ -15,4 +15,5 @@ on:
 jobs:
 pr-validation:
 uses: ./.github/workflows/pr-validation.yml
- secrets: inherit
+ secrets:
+ BOT_ACCESS_TOKEN: "${{ fromJSON(secrets.VAULT_KV_1D187965_OP_GITHUB_INFRALOVERS).PAT }}"
diff --git a/.github/workflows/pr-validation.yml b/.github/workflows/pr-validation.yml
index b51d07a..0d44329 100644
--- a/.github/workflows/pr-validation.yml
+++ b/.github/workflows/pr-validation.yml
@@ -9,6 +9,10 @@ on:
 # - synchronize
 workflow_call:
+ secrets:
+ BOT_ACCESS_TOKEN:
+ description: 'The GitHub token for the bot account'
+ required: true
 permissions:
 pull-requests: write
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
index 97b6980..7cc9402 100644
--- a/.github/workflows/pre-commit.yml
+++ b/.github/workflows/pre-commit.yml
@@ -3,10 +3,11 @@ name: Pre-Commit validation
 on:
- # pull_request:
- # branches:
- # - main
 workflow_call:
+ secrets:
+ BOT_ACCESS_TOKEN:
+ description: 'The GitHub token for the bot account'
+ required: true
 outputs:
 version:
 description: 'The version of the release'
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 6273038..0796eb8 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -4,11 +4,10 @@ name: Release Automation template"
 on:
 workflow_call:
-
- # workflow_dispatch:
- # push:
- # branches:
- # - main
+ secrets:
+ BOT_ACCESS_TOKEN:
+ description: 'The GitHub token for the bot account'
+ required: true
 jobs:
 release:
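Review bot: In the pr-valid.yml hunk, `fromJSON(secrets.VAULT_KV_1D187965_OP_GITHUB_INFRALOVERS).PAT` pulls a single field out of a structured secret; GitHub's log redaction matches whole secret values, so the extracted PAT is not masked in this workflow's own log, and only becomes a masked secret once it arrives in pr-validation.yml through the `secrets:` mapping. Using the expression solely inside `secrets:`, as done here, keeps it out of any step of this file, so that expression should never be repeated in a `run:` or `with:` of pr-valid.yml; a comment above the line, e.g. `# PAT is extracted from the vault JSON secret; only pass it via secrets:, never into a step`, would make that constraint visible to the next editor.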