release #39
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: release | |
on: | |
workflow_dispatch: | |
inputs: | |
version: | |
description: Version to release (e.g. v1.2.3) | |
required: true | |
kind: | |
description: Release kind | |
type: choice | |
options: [minor, patch] | |
required: true | |
default: minor | |
env: | |
container_registry: ghcr.io/edgelesssys | |
concurrency: | |
group: ${{ github.ref }} | |
cancel-in-progress: true | |
jobs: | |
process-inputs: | |
name: Process inputs | |
runs-on: ubuntu-22.04 | |
env: | |
FULL_VERSION: ${{ inputs.version }} | |
outputs: | |
WITHOUT_V: ${{ steps.version-info.outputs.WITHOUT_V }} | |
PART_MAJOR: ${{ steps.version-info.outputs.PART_MAJOR }} | |
PART_MINOR: ${{ steps.version-info.outputs.PART_MINOR }} | |
PART_PATCH: ${{ steps.version-info.outputs.PART_PATCH }} | |
MAJOR: ${{ steps.version-info.outputs.MAJOR }} | |
MAJOR_MINOR: ${{ steps.version-info.outputs.MAJOR_MINOR }} | |
MAJOR_MINOR_PATCH: ${{ steps.version-info.outputs.MAJOR_MINOR_PATCH }} | |
RELEASE_BRANCH: ${{ steps.version-info.outputs.RELEASE_BRANCH }} | |
WORKING_BRANCH: ${{ steps.version-info.outputs.WORKING_BRANCH }} | |
NEXT_MINOR_PRE_WITHOUT_V: ${{ steps.version-info.outputs.NEXT_MINOR_PRE_WITHOUT_V }} | |
NEXT_PATCH_PRE_WITHOUT_V: ${{ steps.version-info.outputs.NEXT_PATCH_PRE_WITHOUT_V }} | |
steps: | |
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
- name: Working branch | |
run: | | |
echo "WORKING_BRANCH=$(git branch --show-current)" | tee -a "$GITHUB_ENV" | |
- name: Verify minor version bump | |
if: ${{ inputs.kind == 'minor' }} | |
run: | | |
if [[ ! "${FULL_VERSION}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then | |
echo "Version must be in the form of vX.Y.Z" | |
exit 1 | |
fi | |
- name: Verify patch version bump | |
if: ${{ inputs.kind == 'patch' }} | |
run: | | |
if [[ ! "${FULL_VERSION}" =~ ^v[0-9]+\.[0-9]+\.[1-9]+$ ]]; then | |
echo "Version must be in the form of vX.Y.Z, where Z > 0" | |
exit 1 | |
fi | |
- name: Verify temporary branch for minor release | |
run: | | |
if [[ ! "${WORKING_BRANCH}" =~ ^tmp/v[0-9]+\.[0-9]+\.[0-9] ]]; then | |
echo "Workflow can only be triggered from a temporary branch in the form of tmp/vX.Y.Z" | |
exit 1 | |
fi | |
- name: Extract version info | |
id: version-info | |
run: | | |
WITHOUT_V=${FULL_VERSION#v} | |
PART_MAJOR=${WITHOUT_V%%.*} | |
PART_MINOR=${WITHOUT_V#*.} | |
PART_MINOR=${PART_MINOR%%.*} | |
PART_PATCH=${WITHOUT_V##*.} | |
RELEASE_BRANCH=release/v${PART_MAJOR}.${PART_MINOR} | |
NEXT_MINOR_PRE_WITHOUT_V=${PART_MAJOR}.$((PART_MINOR + 1)).0-pre | |
NEXT_PATCH_PRE_WITHOUT_V=${PART_MAJOR}.${PART_MINOR}.$((PART_PATCH + 1))-pre | |
{ | |
echo "WITHOUT_V=${WITHOUT_V}" | |
echo "PART_MAJOR=${PART_MAJOR}" | |
echo "PART_MINOR=${PART_MINOR}" | |
echo "PART_PATCH=${PART_PATCH}" | |
echo "MAJOR=${PART_MAJOR}" | |
echo "MAJOR_MINOR=${PART_MAJOR}.${PART_MINOR}" | |
echo "MAJOR_MINOR_PATCH=${PART_MAJOR}.${PART_MINOR}.${PART_PATCH}" | |
echo "RELEASE_BRANCH=${RELEASE_BRANCH}" | |
echo "WORKING_BRANCH=${WORKING_BRANCH}" | |
echo "NEXT_MINOR_PRE_WITHOUT_V=${NEXT_MINOR_PRE_WITHOUT_V}" | |
echo "NEXT_PATCH_PRE_WITHOUT_V=${NEXT_PATCH_PRE_WITHOUT_V}" | |
} | tee -a "$GITHUB_OUTPUT" | |
echo "RELEASE_BRANCH=${RELEASE_BRANCH}" | tee -a "$GITHUB_ENV" | |
update-main: | |
name: Update main branch | |
if: ${{ inputs.kind == 'minor' }} | |
runs-on: ubuntu-22.04 | |
needs: process-inputs | |
permissions: | |
contents: write | |
env: | |
RELEASE_BRANCH: ${{ needs.process-inputs.outputs.RELEASE_BRANCH }} | |
WORKING_BRANCH: ${{ needs.process-inputs.outputs.WORKING_BRANCH }} | |
steps: | |
- name: Checkout working branch | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
with: | |
ref: ${{ needs.process-inputs.outputs.WORKING_BRANCH }} | |
path: contrast-working | |
- name: Checkout main | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
with: | |
ref: main | |
path: contrast-main | |
- name: Bump flake version to post release patch pre-version | |
id: bump | |
uses: ./contrast-working/.github/actions/bump_version # Run action from working branch! | |
with: | |
version: ${{ needs.process-inputs.outputs.NEXT_MINOR_PRE_WITHOUT_V }} | |
working-directory: contrast-main | |
commit: false | |
- name: Create PR | |
uses: peter-evans/create-pull-request@a4f52f8033a6168103c2538976c07b467e8163bc # v6.0.1 | |
with: | |
title: Post ${{ needs.process-inputs.outputs.WITHOUT_V }} release updates to main | |
body: | | |
Updating main as part of the ${{ needs.process-inputs.outputs.WITHOUT_V }} release. | |
Only merge after the release is published. | |
commit-message: ${{ steps.bump.outputs.commit-msg }} | |
base: main | |
draft: false | |
branch: automated/update-main-after-${{ needs.process-inputs.outputs.WORKING_BRANCH }} | |
committer: edgelessci <[email protected]> | |
author: edgelessci <[email protected]> | |
token: ${{ secrets.NUNKI_CI_COMMIT_PUSH_PR }} | |
path: ./contrast-main | |
release: | |
name: Build and push artifacts, create release | |
runs-on: ubuntu-22.04 | |
needs: process-inputs | |
permissions: | |
contents: write | |
packages: write | |
env: | |
RELEASE_BRANCH: ${{ needs.process-inputs.outputs.RELEASE_BRANCH }} | |
WORKING_BRANCH: ${{ needs.process-inputs.outputs.WORKING_BRANCH }} | |
steps: | |
- name: Checkout | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
with: | |
ref: ${{ needs.process-inputs.outputs.WORKING_BRANCH }} | |
- uses: ./.github/actions/setup_nix | |
with: | |
githubToken: ${{ secrets.GITHUB_TOKEN }} | |
cachixToken: ${{ secrets.CACHIX_AUTH_TOKEN }} | |
- name: Log in to ghcr.io Container registry | |
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 | |
with: | |
registry: ghcr.io | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Bump flake version temporarily to release version | |
uses: ./.github/actions/bump_version | |
with: | |
version: ${{ needs.process-inputs.outputs.WITHOUT_V }} | |
commit: false | |
- name: Push containers with release tag | |
run: | | |
nix run .#containers.push-coordinator -- "$container_registry/contrast/coordinator" | |
nix run .#containers.push-initializer -- "$container_registry/contrast/initializer" | |
- name: Create portable coordinator resource definitions | |
run: | | |
mkdir -p workspace | |
nix run .#scripts.write-coordinator-yaml -- "${container_registry}/contrast/coordinator:${{ inputs.version }}" > workspace/coordinator.yml | |
- name: Update coordinator policy hash | |
run: | | |
yq < workspace/coordinator.yml \ | |
'select(.kind == "Deployment") | .spec.template.metadata.annotations["io.katacontainers.config.agent.policy"]' | | |
base64 -d | sha256sum | cut -d " " -f1 > cli/cmd/assets/coordinator-policy-hash | |
git config --global user.name "edgelessci" | |
git config --global user.email "[email protected]" | |
git add cli/cmd/assets/coordinator-policy-hash | |
git diff --staged --quiet || git commit -m "release: update coordinator policy hash" | |
- name: Build CLI | |
run: | | |
nix build .#cli-release | |
- name: Create draft release | |
uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15 | |
with: | |
draft: true | |
generate_release_notes: true | |
tag_name: ${{ inputs.version }} | |
target_commitish: ${{ needs.process-inputs.outputs.WORKING_BRANCH }} | |
files: | | |
result-cli/bin/contrast | |
workspace/coordinator.yml | |
- name: Reset temporary changes | |
run: | | |
git reset --hard ${{ needs.process-inputs.outputs.WORKING_BRANCH }} | |
- name: Bump flake version to post release patch pre-version | |
uses: ./.github/actions/bump_version | |
with: | |
version: ${{ needs.process-inputs.outputs.NEXT_PATCH_PRE_WITHOUT_V }} | |
commit: true | |
create-github-stuff: | |
name: Create backport label and milestone | |
needs: process-inputs | |
runs-on: ubuntu-22.04 | |
permissions: | |
issues: write | |
contents: read | |
env: | |
RELEASE_BRANCH: ${{ needs.process-inputs.outputs.RELEASE_BRANCH }} | |
GH_TOKEN: ${{ github.token }} | |
steps: | |
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
with: | |
ref: ${{ needs.process-inputs.outputs.WORKING_BRANCH }} | |
- name: Create backport label | |
run: | | |
gh label create "backport ${RELEASE_BRANCH}" --color 576F61 --force | |
- name: Create milestone | |
run: | | |
gh api \ | |
-H "Accept: application/vnd.github+json" \ | |
-H "X-GitHub-Api-Version: 2022-11-28" \ | |
/repos/edgelesssys/contrast/milestones | | |
jq -r '.[] | .title' | \ | |
grep -xqF "${{ inputs.version }}" && exit 0 | |
gh api \ | |
--method POST \ | |
-H "Accept: application/vnd.github+json" \ | |
-H "X-GitHub-Api-Version: 2022-11-28" \ | |
/repos/edgelesssys/contrast/milestones \ | |
-f title='${{ inputs.version }}' \ | |
-f state='open' |