Add workflow for canary test

.github/workflows/canary.yml

@@ -0,0 +1,39 @@
+name: Test a branch on canary
+on:
+  workflow_dispatch:
+    inputs:
+      COMMIT_SHA:
+        description: 'Commit SHA to be tested'
+        required: true
+
+env:
+  COMMIT_SHA: ${{ github.event.inputs.COMMIT_SHA }}
+defaults:
+  run:
+    shell: pwsh
+
+jobs:
+  update_tag:
+    name: Update the rc tag to ${{ github.event.inputs.COMMIT_SHA }} commit
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+    - uses: step-security/harden-runner@v1
+      with:
+        allowed-endpoints: 
+          api.github.com:443
+          github.com:443
+
+    - uses: actions/checkout@v2
+    - name: Update the rc tag
+      uses: step-security/publish-action@b438f840875fdcb7d1de4fc3d1d30e86cf6acb5d
+      with:
+        rc-sha: ${{ env.COMMIT_SHA }}
+        rc: true
+
+    - name: Canary test
+      uses: docker://ghcr.io/step-security/integration-test/int:latest
+      env:
+        PAT: ${{ secrets.PAT }}
+        canary: true

.github/workflows/release.yml

@@ -27,10 +27,10 @@ jobs:
         allowed-endpoints: 
           api.github.com:443
           github.com:443
-          
+
     - uses: actions/checkout@v2
     - name: Update the rc tag
-      uses: step-security/publish-action@cde4f11ad41e4f61d537fbbb989ea5fe812f8d50
+      uses: step-security/publish-action@b438f840875fdcb7d1de4fc3d1d30e86cf6acb5d
       with:
         source-tag: ${{ env.TAG_NAME }}
         rc: true
@@ -42,6 +42,6 @@ jobs:
         canary: true
 
     - name: Update the ${{ env.TAG_NAME }} tag
-      uses: step-security/publish-action@cde4f11ad41e4f61d537fbbb989ea5fe812f8d50
+      uses: step-security/publish-action@b438f840875fdcb7d1de4fc3d1d30e86cf6acb5d
       with:
         source-tag: ${{ env.TAG_NAME }}