Skip to content

release

release #39

Workflow file for this run

name: release
on:
workflow_dispatch:
inputs:
version:
description: Version to release (e.g. v1.2.3)
required: true
kind:
description: Release kind
type: choice
options: [minor, patch]
required: true
default: minor
env:
container_registry: ghcr.io/edgelesssys
concurrency:
group: ${{ github.ref }}
cancel-in-progress: true
jobs:
process-inputs:
name: Process inputs
runs-on: ubuntu-22.04
env:
FULL_VERSION: ${{ inputs.version }}
outputs:
WITHOUT_V: ${{ steps.version-info.outputs.WITHOUT_V }}
PART_MAJOR: ${{ steps.version-info.outputs.PART_MAJOR }}
PART_MINOR: ${{ steps.version-info.outputs.PART_MINOR }}
PART_PATCH: ${{ steps.version-info.outputs.PART_PATCH }}
MAJOR: ${{ steps.version-info.outputs.MAJOR }}
MAJOR_MINOR: ${{ steps.version-info.outputs.MAJOR_MINOR }}
MAJOR_MINOR_PATCH: ${{ steps.version-info.outputs.MAJOR_MINOR_PATCH }}
RELEASE_BRANCH: ${{ steps.version-info.outputs.RELEASE_BRANCH }}
WORKING_BRANCH: ${{ steps.version-info.outputs.WORKING_BRANCH }}
NEXT_MINOR_PRE_WITHOUT_V: ${{ steps.version-info.outputs.NEXT_MINOR_PRE_WITHOUT_V }}
NEXT_PATCH_PRE_WITHOUT_V: ${{ steps.version-info.outputs.NEXT_PATCH_PRE_WITHOUT_V }}
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Working branch
run: |
echo "WORKING_BRANCH=$(git branch --show-current)" | tee -a "$GITHUB_ENV"
- name: Verify minor version bump
if: ${{ inputs.kind == 'minor' }}
run: |
if [[ ! "${FULL_VERSION}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
echo "Version must be in the form of vX.Y.Z"
exit 1
fi
- name: Verify patch version bump
if: ${{ inputs.kind == 'patch' }}
run: |
if [[ ! "${FULL_VERSION}" =~ ^v[0-9]+\.[0-9]+\.[1-9]+$ ]]; then
echo "Version must be in the form of vX.Y.Z, where Z > 0"
exit 1
fi
- name: Verify temporary branch for minor release
run: |
if [[ ! "${WORKING_BRANCH}" =~ ^tmp/v[0-9]+\.[0-9]+\.[0-9] ]]; then
echo "Workflow can only be triggered from a temporary branch in the form of tmp/vX.Y.Z"
exit 1
fi
- name: Extract version info
id: version-info
run: |
WITHOUT_V=${FULL_VERSION#v}
PART_MAJOR=${WITHOUT_V%%.*}
PART_MINOR=${WITHOUT_V#*.}
PART_MINOR=${PART_MINOR%%.*}
PART_PATCH=${WITHOUT_V##*.}
RELEASE_BRANCH=release/v${PART_MAJOR}.${PART_MINOR}
NEXT_MINOR_PRE_WITHOUT_V=${PART_MAJOR}.$((PART_MINOR + 1)).0-pre
NEXT_PATCH_PRE_WITHOUT_V=${PART_MAJOR}.${PART_MINOR}.$((PART_PATCH + 1))-pre
{
echo "WITHOUT_V=${WITHOUT_V}"
echo "PART_MAJOR=${PART_MAJOR}"
echo "PART_MINOR=${PART_MINOR}"
echo "PART_PATCH=${PART_PATCH}"
echo "MAJOR=${PART_MAJOR}"
echo "MAJOR_MINOR=${PART_MAJOR}.${PART_MINOR}"
echo "MAJOR_MINOR_PATCH=${PART_MAJOR}.${PART_MINOR}.${PART_PATCH}"
echo "RELEASE_BRANCH=${RELEASE_BRANCH}"
echo "WORKING_BRANCH=${WORKING_BRANCH}"
echo "NEXT_MINOR_PRE_WITHOUT_V=${NEXT_MINOR_PRE_WITHOUT_V}"
echo "NEXT_PATCH_PRE_WITHOUT_V=${NEXT_PATCH_PRE_WITHOUT_V}"
} | tee -a "$GITHUB_OUTPUT"
echo "RELEASE_BRANCH=${RELEASE_BRANCH}" | tee -a "$GITHUB_ENV"
update-main:
name: Update main branch
if: ${{ inputs.kind == 'minor' }}
runs-on: ubuntu-22.04
needs: process-inputs
permissions:
contents: write
env:
RELEASE_BRANCH: ${{ needs.process-inputs.outputs.RELEASE_BRANCH }}
WORKING_BRANCH: ${{ needs.process-inputs.outputs.WORKING_BRANCH }}
steps:
- name: Checkout working branch
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
ref: ${{ needs.process-inputs.outputs.WORKING_BRANCH }}
path: contrast-working
- name: Checkout main
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
ref: main
path: contrast-main
- name: Bump flake version to post release patch pre-version
id: bump
uses: ./contrast-working/.github/actions/bump_version # Run action from working branch!
with:
version: ${{ needs.process-inputs.outputs.NEXT_MINOR_PRE_WITHOUT_V }}
working-directory: contrast-main
commit: false
- name: Create PR
uses: peter-evans/create-pull-request@a4f52f8033a6168103c2538976c07b467e8163bc # v6.0.1
with:
title: Post ${{ needs.process-inputs.outputs.WITHOUT_V }} release updates to main
body: |
Updating main as part of the ${{ needs.process-inputs.outputs.WITHOUT_V }} release.
Only merge after the release is published.
commit-message: ${{ steps.bump.outputs.commit-msg }}
base: main
draft: false
branch: automated/update-main-after-${{ needs.process-inputs.outputs.WORKING_BRANCH }}
committer: edgelessci <[email protected]>
author: edgelessci <[email protected]>
token: ${{ secrets.NUNKI_CI_COMMIT_PUSH_PR }}
path: ./contrast-main
release:
name: Build and push artifacts, create release
runs-on: ubuntu-22.04
needs: process-inputs
permissions:
contents: write
packages: write
env:
RELEASE_BRANCH: ${{ needs.process-inputs.outputs.RELEASE_BRANCH }}
WORKING_BRANCH: ${{ needs.process-inputs.outputs.WORKING_BRANCH }}
steps:
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
ref: ${{ needs.process-inputs.outputs.WORKING_BRANCH }}
- uses: ./.github/actions/setup_nix
with:
githubToken: ${{ secrets.GITHUB_TOKEN }}
cachixToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
- name: Log in to ghcr.io Container registry
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Bump flake version temporarily to release version
uses: ./.github/actions/bump_version
with:
version: ${{ needs.process-inputs.outputs.WITHOUT_V }}
commit: false
- name: Push containers with release tag
run: |
nix run .#containers.push-coordinator -- "$container_registry/contrast/coordinator"
nix run .#containers.push-initializer -- "$container_registry/contrast/initializer"
- name: Create portable coordinator resource definitions
run: |
mkdir -p workspace
nix run .#scripts.write-coordinator-yaml -- "${container_registry}/contrast/coordinator:${{ inputs.version }}" > workspace/coordinator.yml
- name: Update coordinator policy hash
run: |
yq < workspace/coordinator.yml \
'select(.kind == "Deployment") | .spec.template.metadata.annotations["io.katacontainers.config.agent.policy"]' |
base64 -d | sha256sum | cut -d " " -f1 > cli/cmd/assets/coordinator-policy-hash
git config --global user.name "edgelessci"
git config --global user.email "[email protected]"
git add cli/cmd/assets/coordinator-policy-hash
git diff --staged --quiet || git commit -m "release: update coordinator policy hash"
- name: Build CLI
run: |
nix build .#cli-release
- name: Create draft release
uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
with:
draft: true
generate_release_notes: true
tag_name: ${{ inputs.version }}
target_commitish: ${{ needs.process-inputs.outputs.WORKING_BRANCH }}
files: |
result-cli/bin/contrast
workspace/coordinator.yml
- name: Reset temporary changes
run: |
git reset --hard ${{ needs.process-inputs.outputs.WORKING_BRANCH }}
- name: Bump flake version to post release patch pre-version
uses: ./.github/actions/bump_version
with:
version: ${{ needs.process-inputs.outputs.NEXT_PATCH_PRE_WITHOUT_V }}
commit: true
create-github-stuff:
name: Create backport label and milestone
needs: process-inputs
runs-on: ubuntu-22.04
permissions:
issues: write
contents: read
env:
RELEASE_BRANCH: ${{ needs.process-inputs.outputs.RELEASE_BRANCH }}
GH_TOKEN: ${{ github.token }}
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
ref: ${{ needs.process-inputs.outputs.WORKING_BRANCH }}
- name: Create backport label
run: |
gh label create "backport ${RELEASE_BRANCH}" --color 576F61 --force
- name: Create milestone
run: |
gh api \
-H "Accept: application/vnd.github+json" \
-H "X-GitHub-Api-Version: 2022-11-28" \
/repos/edgelesssys/contrast/milestones |
jq -r '.[] | .title' | \
grep -xqF "${{ inputs.version }}" && exit 0
gh api \
--method POST \
-H "Accept: application/vnd.github+json" \
-H "X-GitHub-Api-Version: 2022-11-28" \
/repos/edgelesssys/contrast/milestones \
-f title='${{ inputs.version }}' \
-f state='open'