feat: added release action

Author: huaweic-nv

.github/actions/resource-push-ngc/README.md

@@ -11,7 +11,7 @@ on:
 
 jobs:
   publish:
-    runs-on: ubuntu-latest
+    runs-on: linux-amd64-cpu4
     steps:
       - uses: actions/checkout@v4
       - name: Upload resource

.github/actions/trivy-scan/README.md

@@ -56,7 +56,7 @@ This allows the scan to run and complete without errors. Results won't appear in
 jobs:
   trivy-scan:
     name: Vulnerability Scan
-    runs-on: ubuntu-latest
+    runs-on: linux-amd64-cpu4
     permissions:
       actions: read
       contents: read
@@ -78,7 +78,7 @@ jobs:
 jobs:
   scan-container:
     name: Container Vulnerability Scan
-    runs-on: ubuntu-latest
+    runs-on: linux-amd64-cpu4
     permissions:
       actions: read
       contents: read
@@ -101,7 +101,7 @@ jobs:
 jobs:
   comprehensive-scan:
     name: Comprehensive Security Scan
-    runs-on: ubuntu-latest
+    runs-on: linux-amd64-cpu4
     permissions:
       actions: read
       contents: read
@@ -301,7 +301,7 @@ on:
 
 jobs:
   daily-scan:
-    runs-on: ubuntu-latest
+    runs-on: linux-amd64-cpu4
     permissions:
       actions: read
       contents: read
@@ -323,7 +323,7 @@ on:
 
 jobs:
   pr-scan:
-    runs-on: ubuntu-latest
+    runs-on: linux-amd64-cpu4
     permissions:
       actions: read
       contents: read
@@ -342,7 +342,7 @@ jobs:
 ```yaml
 jobs:
   build:
-    runs-on: ubuntu-latest
+    runs-on: linux-amd64-cpu4
     outputs:
       image-tag: ${{ steps.meta.outputs.tags }}
     steps:
@@ -353,7 +353,7 @@ jobs:
 
   scan:
     needs: build
-    runs-on: ubuntu-latest
+    runs-on: linux-amd64-cpu4
     permissions:
       actions: read
       contents: read
@@ -371,7 +371,7 @@ jobs:
 ```yaml
 jobs:
   rust-security:
-    runs-on: ubuntu-latest
+    runs-on: linux-amd64-cpu4
     permissions:
       actions: read
       contents: read
@@ -391,7 +391,7 @@ jobs:
 ```yaml
 jobs:
   secret-scan:
-    runs-on: ubuntu-latest
+    runs-on: linux-amd64-cpu4
     permissions:
       actions: read
       contents: read

.github/actions/trufflehog-scan/README.md

@@ -31,7 +31,7 @@ TruffleHog scans **git commit history** for:
 ```yaml
 jobs:
   secret-scan:
-    runs-on: ubuntu-latest
+    runs-on: linux-amd64-cpu4
     steps:
       - uses: actions/checkout@v4
         with:
@@ -51,7 +51,7 @@ on:
 
 jobs:
   trufflehog:
-    runs-on: ubuntu-latest
+    runs-on: linux-amd64-cpu4
     permissions:
       actions: read # For direct job URL links
       contents: read
@@ -77,7 +77,7 @@ on:
 
 jobs:
   trufflehog:
-    runs-on: ubuntu-latest
+    runs-on: linux-amd64-cpu4
     steps:
       - uses: actions/checkout@v4
         with:
@@ -301,7 +301,7 @@ on: [push, pull_request]
 
 jobs:
   secrets:
-    runs-on: ubuntu-latest
+    runs-on: linux-amd64-cpu4
     steps:
       - uses: actions/checkout@v4
         with:
@@ -320,7 +320,7 @@ on:
 
 jobs:
   secrets:
-    runs-on: ubuntu-latest
+    runs-on: linux-amd64-cpu4
     permissions:
       actions: read # For direct job URL links
       contents: read
@@ -369,7 +369,7 @@ permissions:
 
 jobs:
   security:
-    runs-on: ubuntu-latest
+    runs-on: linux-amd64-cpu4
     steps:
       - uses: actions/checkout@v4
         with:

.github/workflows/README.md

@@ -0,0 +1,160 @@
+# Workflows
+
+This directory contains automated workflows for the dsx-github-actions repository.
+
+## Release Workflow (`release.yml`)
+
+Automatically creates semantic version tags and releases when commits are pushed to the `main` branch using [semantic-release](https://github.com/semantic-release/semantic-release).
+
+### How It Works
+
+1. **Triggers**: On every push to `main` branch
+2. **Uses Semantic Release**: Leverages industry-standard semantic-release tool
+3. **Analyzes Commits**: Uses [Conventional Commits](https://www.conventionalcommits.org/) to determine version bump
+4. **Creates Tags**: Generates semantic version tags (e.g., `v1.2.3`)
+5. **Updates Major Tags**: Maintains major version tags (e.g., `v1`) for easy pinning
+6. **Creates Release**: Generates GitHub release with auto-generated release notes
+
+This workflow uses the `semantic-release` action from this repository (`./.github/actions/semantic-release`).
+
+### Conventional Commits
+
+The workflow follows conventional commit format to determine version bumps:
+
+#### Major Version (Breaking Changes)
+
+```
+feat!: remove deprecated parameter
+BREAKING CHANGE: old parameter no longer works
+```
+
+**Result**: `v1.0.0` → `v2.0.0`
+
+#### Minor Version (New Features)
+
+```
+feat: add new post-pr-comment parameter
+feature(codeql): support multiple languages
+```
+
+**Result**: `v1.0.0` → `v1.1.0`
+
+#### Patch Version (Bug Fixes, etc.)
+
+```
+fix: resolve SARIF file not found issue
+docs: update README
+refactor: improve error handling
+chore: update dependencies
+```
+
+**Result**: `v1.0.0` → `v1.0.1`
+
+### Version Tags
+
+The workflow creates two types of tags:
+
+1. **Full Version Tags** (e.g., `v1.2.3`)
+
+   - Immutable, never changes
+   - Use for production stability
+
+2. **Major Version Tags** (e.g., `v1`)
+   - Points to latest minor/patch within major version
+   - Automatically updated with new releases
+   - Use for automatic updates within major version
+
+### Usage Examples
+
+**Pin to specific version** (recommended for production):
+
+```yaml
+uses: NVIDIA/dsx-github-actions/.github/actions/codeql-scan@v1.2.3
+```
+
+**Pin to major version** (get latest patches/features):
+
+```yaml
+uses: NVIDIA/dsx-github-actions/.github/actions/codeql-scan@v1
+```
+
+**Use latest** (for development/testing):
+
+```yaml
+uses: NVIDIA/dsx-github-actions/.github/actions/codeql-scan@main
+```
+
+### Manual Release
+
+If you need to create a release manually:
+
+1. **Tag locally**:
+
+   ```bash
+   git tag -a v1.0.0 -m "Release v1.0.0"
+   git push origin v1.0.0
+   ```
+
+2. **The workflow will skip** if the tag already exists
+
+### Changelog Generation
+
+The workflow automatically generates changelogs organized by:
+
+- ✨ **Features**: New capabilities
+- 🐛 **Bug Fixes**: Fixes and corrections
+- 🔧 **Other Changes**: Docs, refactoring, etc.
+
+### Troubleshooting
+
+#### No tag created
+
+**Cause**: No commits since last tag
+**Solution**: This is expected behavior
+
+#### Wrong version bump
+
+**Cause**: Commit messages don't follow conventional commits
+**Solution**: Use proper commit format:
+
+- `feat:` for features
+- `fix:` for bug fixes
+- Add `!` or `BREAKING CHANGE:` for major bumps
+
+#### Tag already exists
+
+**Cause**: Tag was manually created
+**Solution**: Delete tag and re-push, or let workflow handle versioning
+
+## Best Practices
+
+1. **Use Conventional Commits**: Always follow the format for automatic versioning
+2. **Review Before Merge**: Check commit messages before merging to main
+3. **Breaking Changes**: Clearly mark with `!` or `BREAKING CHANGE:` footer
+4. **Descriptive Messages**: Write clear commit messages for better changelogs
+
+## Examples
+
+### Good Commit Messages
+
+```
+feat(codeql-scan): add support for C++ language
+fix(trivy-scan): resolve SARIF file parsing error
+docs: update README with new examples
+refactor(codeql-scan): improve PR comment formatting
+```
+
+### Breaking Change Example
+
+```
+feat(codeql-scan)!: change default build-mode to none
+
+BREAKING CHANGE: The default build-mode is now 'none' instead of 'autobuild'.
+Users must explicitly set build-mode: 'autobuild' if they want the previous behavior.
+```
+
+## References
+
+- [Conventional Commits Specification](https://www.conventionalcommits.org/)
+- [Semantic Versioning](https://semver.org/)
+- [GitHub Actions: Creating releases](https://docs.github.com/en/repositories/releasing-projects-on-github/managing-releases-in-a-repository)

.github/workflows/release.yml

@@ -0,0 +1,61 @@
+# Copyright (c) 2025, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: Release
+
+on:
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: write      # Create releases and tags
+  issues: write        # Comment on released issues
+  pull-requests: write # Comment on released PRs
+
+jobs:
+  release:
+    name: Semantic Release
+    runs-on: ubuntu-latest # FIXME: Replace with NV Runners
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0  # Required for semantic-release
+          persist-credentials: false
+
+      - name: Semantic Release
+        id: semantic
+        uses: ./.github/actions/semantic-release
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          tag-format: v${version}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Update Major Version Tag
+        if: steps.semantic.outputs.new-release-published == 'true'
+        run: |
+          NEW_VERSION="v${{ steps.semantic.outputs.new-release-version }}"
+          MAJOR_VERSION="v${{ steps.semantic.outputs.new-release-major-version }}"
+
+          # Configure git
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+
+          # Force update major version tag (e.g., v1 points to latest v1.x.x)
+          git tag -fa "$MAJOR_VERSION" -m "Update $MAJOR_VERSION to $NEW_VERSION"
+          git push origin "$MAJOR_VERSION" --force
+
+          echo "✅ Updated major version tag: $MAJOR_VERSION -> $NEW_VERSION"