ci: tag and release

.circleci/config.yml

@@ -67,43 +67,114 @@ jobs:
           mode: auto
           iac-scan: disabled
 
+  determine-version:
+    <<: *go_image
+    steps:
+      - checkout
+      - run:
+          name: Determine version bump and save to workspace
+          command: |
+            chmod +x ./script/version-bump.sh
+            ./script/version-bump.sh
+
+            # Source the environment to make variables available
+            source $BASH_ENV
+
+            # Save to workspace
+            mkdir -p /tmp/workspace
+            echo "$BUMP_TYPE" > /tmp/workspace/bump_type
+            echo "$NEW_VERSION" > /tmp/workspace/new_version
+            echo "$NEW_TAG" > /tmp/workspace/new_tag
+            echo "$PREVIOUS_TAG" > /tmp/workspace/previous_tag
+      - persist_to_workspace:
+          root: /tmp/workspace
+          paths:
+            - bump_type
+            - new_version
+            - new_tag
+            - previous_tag
+
+  tag-release:
+    <<: *go_image
+    steps:
+      - checkout
+      - attach_workspace:
+          at: /tmp/workspace
+      - run:
+          name: Configure git
+          command: |
+            git config user.email "[email protected]"
+            git config user.name "Snyk CI"
+      - run:
+          name: Create and push tag
+          command: |
+            BUMP_TYPE=$(cat /tmp/workspace/bump_type)
+            NEW_TAG=$(cat /tmp/workspace/new_tag)
+
+            if [ "$BUMP_TYPE" = "none" ]; then
+              echo "Chore commit detected - skipping tag creation"
+              circleci-agent step halt
+            fi
+
+            echo "Creating tag: $NEW_TAG"
+            git tag -a "$NEW_TAG" -m "Release $NEW_TAG"
+
+            # Push using HTTPS with GitHub token (no fingerprint needed)
+            git push https://${GH_TOKEN}@github.com/${CIRCLE_PROJECT_USERNAME}/${CIRCLE_PROJECT_REPONAME} "$NEW_TAG"
+
+# Filters for branches
+filters_pr_only: &filters_pr_only
+  filters:
+    branches:
+      ignore:
+        - main
+
+filters_main_only: &filters_main_only
+  filters:
+    branches:
+      only:
+        - main
+
 workflows:
   version: 2
-  CI:
+  test-and-tag:
     jobs:
+      # PR-only jobs - all testing
+      - lint:
+          <<: *filters_pr_only
+
+      - unit_test:
+          <<: *filters_pr_only
+
       - prodsec/secrets-scan:
           name: Scan repository for secrets
           context:
             - snyk-bot-slack
           channel: snyk-vuln-alerts-unify
-          filters:
-            branches:
-              ignore:
-                - main
-      - security-scans:
-          name: Security Scans
-          context:
-            - analysis_unify
-      - lint:
-          name: Lint
-          filters:
-            branches:
-              ignore:
-                - main
-      - unit_test:
-          name: Unit tests
-          filters:
-            branches:
-              ignore:
-                - main
+          <<: *filters_pr_only
+
       - python_integration_test:
-          name: Python << matrix.python_version >> integration tests
           requires:
-            - Unit tests
+            - unit_test
           matrix:
             parameters:
               python_version: ["3.8", "3.9", "3.10", "3.11", "3.12", "3.13"]
-          filters:
-            branches:
-              ignore:
-                - main
+          <<: *filters_pr_only
+
+      # Main branch only - security scans and tagging (no test re-runs)
+      - security-scans:
+          context:
+            - analysis_unify
+          <<: *filters_main_only
+
+      - determine-version:
+          requires:
+            - security-scans
+          <<: *filters_main_only
+
+      - tag-release:
+          context:
+            - os-ecosystems
+          requires:
+            - determine-version
+          <<: *filters_main_only

.github/workflows/pr-title-check.yml

@@ -0,0 +1,21 @@
+name: PR Title Check
+
+on:
+  pull_request:
+    types:
+      - opened
+      - edited
+      - synchronize
+      - reopened
+
+jobs:
+  validate-pr-title:
+    name: Validate PR Title
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
+    steps:
+      - name: Conventional Commit In Pull Requests
+        uses: ytanikin/[email protected]
+        with:
+          task_types: '["feat","fix","docs","style","refactor","perf","test","build","ci","chore","revert"]'

CONTRIBUTING.md

@@ -3,3 +3,59 @@
 This repo is intended for internal (Snyk) contributions only at this time.
 
 Please [reach our support](SUPPORT.md) to give any feedback.
+
+## Commit Message Convention
+
+This project uses **Conventional Commits** for automated versioning and releases. Please follow this format when committing or creating pull requests:
+
+### Format
+```
+<type>[optional scope]: <description>
+
+[optional body]
+
+[optional footer(s)]
+```
+
+### Types and Their Effect on Versioning
+
+- **`fix:`** - Bug fixes (bumps **PATCH** version: 1.0.0 → 1.0.1)
+- **`feat:`** - New features (bumps **MINOR** version: 1.0.0 → 1.1.0)
+- **`type!:`** - Breaking changes (bumps **MAJOR** version: 1.0.0 → 2.0.0)
+- **`chore:`**, **`docs:`**, **`style:`**, **`refactor:`**, **`test:`**, **`ci:`** - No release created
+
+### Examples
+
+```bash
+# Patch release
+fix: resolve memory leak in dependency parser
+fix(parser): handle edge case in requirements file
+
+# Minor release
+feat: add support for Python 3.13
+feat(python): add environment marker support
+
+# Major release (breaking changes - use ! indicator)
+fix!: change API return type
+feat(api)!: redesign core interface
+refactor!: remove deprecated parser
+chore!: drop support for Python 3.7
+
+# No release
+chore: update CI configuration
+docs: improve README documentation
+```
+
+### Pull Request Guidelines
+
+When creating a pull request:
+1. **Use a descriptive title** following the conventional commit format (examples above)
+2. **Check the GitHub Action** - A check will automatically validate your PR title format
+   - ✅ Check passes if title is valid (e.g., `feat:`, `fix:`, `fix!:`)
+   - ❌ Check fails if title format is invalid
+3. **Edit the title if needed** - If validation fails, edit your PR title before merging
+4. **Use "Squash and merge"** - The PR title will become the commit message
+5. **Ensure all tests pass** before merging
+6. **Releases are automatic** - When merged to `main`, CircleCI will automatically create a release
+
+For more details, see the [Release Process Documentation](docs/RELEASE.md).