VSYS-13506: Release CycloneDX doc reference after parse

.github/workflows/ci-integration.yaml

@@ -32,6 +32,7 @@ permissions:
 
 jobs:
   test-integration:
+    if: github.repository != 'verkada/guac'
     runs-on: ubuntu-latest
     name: CI for integration tests
     steps:
@@ -65,6 +66,7 @@ jobs:
         run: make integration-test
 
   end-to-end:
+    if: github.repository != 'verkada/guac'
     name: E2E
     runs-on: ubuntu-latest
     services:
@@ -119,6 +121,7 @@ jobs:
         GUAC_DIR: /home/runner/work/guac/guac
 
   tilt-ci:
+    if: github.repository != 'verkada/guac'
     name: Run 'tilt ci'
     runs-on:
       labels: ubuntu-latest

.github/workflows/release.yaml

@@ -28,6 +28,7 @@ permissions:
 
 jobs:
   goreleaser:
+    if: github.repository != 'verkada/guac'
     runs-on: ubuntu-latest
     outputs:
       hashes: ${{ steps.hash.outputs.hashes }}
@@ -105,7 +106,7 @@ jobs:
 
   build-atlas:
     runs-on: ubuntu-latest
-    if: startsWith(github.ref, 'refs/tags/')
+    if: github.repository != 'verkada/guac' && startsWith(github.ref, 'refs/tags/')
     permissions:
       packages: write # To publish container images to GHCR
       id-token: write # To use our OIDC token
@@ -140,7 +141,7 @@ jobs:
     name: generate sbom for container
     runs-on: ubuntu-latest
     needs: [goreleaser]
-    if: startsWith(github.ref, 'refs/tags/')
+    if: github.repository != 'verkada/guac' && startsWith(github.ref, 'refs/tags/')
     permissions:
       id-token: write # needed for signing the images with GitHub OIDC Token
       packages: write # needed to upload signatures
@@ -177,7 +178,7 @@ jobs:
   provenance-bins:
     name: generate provenance for binaries
     needs: [goreleaser]
-    if: startsWith(github.ref, 'refs/tags/')
+    if: github.repository != 'verkada/guac' && startsWith(github.ref, 'refs/tags/')
     permissions:
       id-token: write # To sign the provenance
       contents: write # To upload assets to release
@@ -190,7 +191,7 @@ jobs:
   provenance-container:
     name: generate provenance for container
     needs: [goreleaser]
-    if: startsWith(github.ref, 'refs/tags/')
+    if: github.repository != 'verkada/guac' && startsWith(github.ref, 'refs/tags/')
     permissions:
       id-token: write # To sign the provenance
       contents: write # To upload assets to release
@@ -208,7 +209,7 @@ jobs:
     runs-on: ubuntu-latest
     name: generate compose tarball
     needs: [goreleaser]
-    if: startsWith(github.ref, 'refs/tags/')
+    if: github.repository != 'verkada/guac' && startsWith(github.ref, 'refs/tags/')
     permissions:
       contents: write # To upload assets to release.
       packages: write # To publish container images to GHCR

.github/workflows/security-pr-checks.yml

@@ -0,0 +1,13 @@
+name: security-pr-checks
+on:
+  # Allow for manual run of security workflows
+  workflow_dispatch:
+  # Scan changed files in PRs (diff-aware scanning):
+  pull_request: {}
+jobs:
+  running-pr-security-checks:
+    uses: verkada/securitybots/.github/workflows/pr-checks.yml@main
+    secrets: inherit
+  running-pr-semgrep-check:
+    uses: verkada/securitybots/.github/workflows/semgrep-pr-checks.yml@main
+    secrets: inherit

.github/workflows/verkada-release.yaml

@@ -0,0 +1,51 @@
+#
+# Copyright 2022 The GUAC Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: verkada-release
+
+on:
+  workflow_dispatch: # Manual trigger
+  push:
+    tags:
+      - "v*-verkada-*"
+
+permissions:
+  contents: write # To create releases and upload assets
+
+jobs:
+  build-binaries:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write # To upload release assets
+    steps:
+      - name: Checkout
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: Set up Go
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+        with:
+          go-version: '1.24'
+
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
+        with:
+          distribution: goreleaser
+          version: latest
+          args: release --clean -f .goreleaser-verkada.yaml
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/verkada-update-release.yaml

@@ -0,0 +1,233 @@
+name: Update Real Remote to Fork
+
+on:
+  push:
+    branches:
+      - main
+  workflow_dispatch:
+    inputs:
+      test_branch:
+        description: 'Optional: Branch to test with (leave empty to use main)'
+        required: false
+        type: string
+  schedule:
+    # run every night @ 01:00 am UTC
+    - cron: '1 0 * * *'
+
+jobs:
+  fetch-updates:
+    runs-on: ubuntu-latest
+    environment: upstream-link
+    timeout-minutes: 5
+    permissions:
+      id-token: write
+      contents: write
+    outputs:
+      start_time: ${{ steps.set_start_time.outputs.time }}
+
+    steps:
+      - name: Set branch name
+        id: set-branch
+        env:
+          TEST_BRANCH: ${{ github.event.inputs.test_branch }}
+          EVENT_NAME: ${{ github.event_name }}
+          GITHUB_REF_ENV: ${{ github.ref }}
+        run: |
+          if [ -n "${TEST_BRANCH}" ]; then
+            echo "branch_name=${TEST_BRANCH}" >> ${GITHUB_OUTPUT}
+          elif [ "${EVENT_NAME}" == "push" ]; then
+            echo "branch_name=${GITHUB_REF_ENV#refs/heads/}" >> ${GITHUB_OUTPUT}
+          else
+            echo "branch_name=main" >> ${GITHUB_OUTPUT}
+          fi
+
+      - name: configure aws credentials
+        uses: aws-actions/[email protected]
+        with:
+          role-duration-seconds: 900
+          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_NUMBER }}:role/vlnx-mirror-ci-github-action-role
+          role-session-name: GithubActionTurnstile
+          aws-region: us-west-2
+
+      - name: Checkout branch
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ steps.set-branch.outputs.branch_name }}
+          submodules: recursive
+          fetch-depth: 0
+
+      - name: Set job start time
+        id: set_start_time
+        run: |
+          echo "time=$(date -u +%s)" >> $GITHUB_OUTPUT
+          echo "Set start time: $(date -u +%s)"
+
+      - name: Configure git
+        run: |
+          git config --global user.email "[email protected]"
+          git config --global user.name "Device Platform GitHub Bot"
+
+      - name: Update
+        env:
+          BRANCH_NAME: ${{ steps.set-branch.outputs.branch_name }}
+          UPSTREAM_URL: ${{ vars.UPSTREAM_URL }}
+          UPSTREAM_BRANCH: main
+        run: |
+          git fetch -p origin
+          git checkout "${BRANCH_NAME}"
+
+
+          # Note: upstream needs to point to the origin repo
+          git remote add upstream "${UPSTREAM_URL}"
+          git fetch -p upstream
+
+          if git diff --quiet origin/${BRANCH_NAME}..upstream/${BRANCH_NAME}; then
+            echo "No changes detected"
+            exit 0
+          fi
+
+          git rebase upstream/${BRANCH_NAME}
+
+      - name: Push Updates
+        id: push-branch
+        env:
+          BRANCH_NAME: ${{ steps.set-branch.outputs.branch_name }}
+        run: |
+          git push
+
+      - name: Post job failure status to slack
+        if: ${{ ! success() }}
+        uses: slackapi/[email protected]
+        with:
+          # device-platform-alerts
+          channel-id: 'C083RN0EPEE'
+          # For posting a simple plain text message
+          slack-message: |
+            ${{ github.repository }}: ${{ github.workflow }}: *${{ job.status }}*
+            ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
+            <@U025XPBNJR5> <@U024C1144BE> <@U083E9XKYDN>
+          # nick, sam, natsumi
+        env:
+          SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
+
+      - name: Post to turnstile
+        if: ${{ !cancelled() }}
+        env:
+          JOB_SUCCESS: ${{ job.status == 'success' }}
+          JOB_RESULT: ${{ job.status }}
+          WORKFLOW_NAME: ${{ github.workflow }}
+          RUN_ID: ${{ github.run_id }}
+          RUN_NUMBER: ${{ github.run_number }}
+          START_TIME: ${{ steps.set_start_time.outputs.time }}
+          GITHUB_EVENT_SCHEDULE: ${{ github.event.schedule }}
+          GITHUB_REPO_NAME: ${{ github.repository }}
+          GITHUB_SHA: ${{ github.sha }}
+          S3_BUCKET: verkada-device-platform-vlnx-ci
+        run: |
+          # Create temp directory
+          TEMP_DIR="$(mktemp -d)"
+
+          # Capture end time for runtime calculation
+          END_TIME="$(date -u +%s)"
+
+          # Calculate runtime in seconds if we have start time
+          if [[ "${START_TIME}" =~ ^[0-9]+$ ]]; then
+              # START_TIME is already a Unix timestamp
+              RUNTIME="$((${END_TIME} - ${START_TIME}))"
+          elif [[ "${START_TIME}" =~ ^[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}Z$ ]]; then
+              # START_TIME is an ISO format string, convert to timestamp
+              START_EPOCH="$(date -u -d "${START_TIME}" +%s)"
+              RUNTIME="$((${END_TIME} - ${START_EPOCH}))"
+          else
+              RUNTIME=0
+          fi
+
+          # Determine success status from job result
+          SUCCESS=true
+          if [ "${JOB_SUCCESS}" != "true" ]; then
+              SUCCESS=false
+          fi
+
+          # Use the provided cron schedule input directly
+          CRON_SCHEDULE="${GITHUB_EVENT_SCHEDULE:-}"
+          echo "Cron schedule: ${CRON_SCHEDULE:-'not scheduled'}"
+
+          # Validate required fields before creating JSON
+          echo "Validating required fields..."
+
+          # Validate start_time is present and valid
+          if [ -z "${START_TIME}" ]; then
+            echo "❌ Error: start_time is required but missing"
+            exit 1
+          fi
+
+          # Validate start_time is a valid timestamp
+          if ! [[ "${START_TIME}" =~ ^[0-9]+$ ]] && ! [[ "${START_TIME}" =~ ^[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}Z$ ]]; then
+            echo "❌ Error: start_time must be a Unix timestamp or ISO format"
+            exit 1
+          fi
+
+          # Validate cron_schedule is present and not empty (only for scheduled runs)
+          if [ -z "${CRON_SCHEDULE}" ]; then
+            echo "⚠️  Warning: cron_schedule is empty (workflow not triggered by schedule)"
+            CRON_SCHEDULE=""
+          fi
+
+          echo "✅ All required fields validated"
+
+          # Create workflow run URL
+          WORKFLOW_URL="https://github.com/${GITHUB_REPO_NAME}/actions/runs/${RUN_ID}"
+
+          # Create JSON result file using jq to handle special characters safely
+          jq -n \
+            --arg workflow "${WORKFLOW_NAME}" \
+            --arg run_id "${RUN_ID}" \
+            --arg run_number "${RUN_NUMBER}" \
+            --arg repository "${GITHUB_REPO_NAME}" \
+            --arg commit "${GITHUB_SHA}" \
+            --arg started_at "${START_TIME}" \
+            --arg completed_at "${END_TIME}" \
+            --arg runtime_seconds "${RUNTIME}" \
+            --arg success "${SUCCESS}" \
+            --arg cron_schedule "${CRON_SCHEDULE}" \
+            --arg workflow_url "${WORKFLOW_URL}" \
+            '{
+              workflow: $workflow,
+              run_id: $run_id,
+              run_number: $run_number,
+              repository: $repository,
+              commit: $commit,
+              started_at: $started_at,
+              completed_at: $completed_at,
+              runtime_seconds: $runtime_seconds,
+              success: $success,
+              cron_schedule: $cron_schedule,
+              workflow_url: $workflow_url
+            }' > "${TEMP_DIR}/result.json"
+
+          # Upload to S3
+          echo "Uploading result to S3..."
+
+          # Strip "verkada/" prefix from repository name for cleaner S3 paths
+          if [[ "${GITHUB_REPO_NAME}" == "verkada/"* ]]; then
+              CLEAN_REPO_NAME="${GITHUB_REPO_NAME#verkada/}"
+          else
+              CLEAN_REPO_NAME="${GITHUB_REPO_NAME}"
+          fi
+
+          # Sanitize workflow name to replace forward slashes with hyphens for clean S3 paths
+          CLEAN_WORKFLOW_NAME="${WORKFLOW_NAME//\//-}"
+
+          S3_PREFIX="s3://${S3_BUCKET}/workflow_results/${CLEAN_REPO_NAME}/${CLEAN_WORKFLOW_NAME}"
+          S3_PATH="${S3_PREFIX}/result-${START_TIME}.json"
+          S3_PATH_LATEST="${S3_PREFIX}/result-latest.json"
+
+          # Upload the JSON file
+          aws s3 cp "${TEMP_DIR}/result.json" "${S3_PATH}"
+          aws s3 cp "${TEMP_DIR}/result.json" "${S3_PATH_LATEST}"
+
+          echo "Result uploaded to S3: ${S3_PATH}"
+
+          # Clean up temp directory
+          rm -rf "${TEMP_DIR}"
+