From d491378dbbeef63bf8616f1a1b2b1a49ea5f9eeb Mon Sep 17 00:00:00 2001
From: Friedrich
Date: Thu, 1 Feb 2024 17:24:15 +0100
Subject: [PATCH] Add reusable workflows for release (#63)
* add reusable workflows for release
* improve bum-sec-scanners-config
* add comments
* add workflow to trigger prow jobs
* pass timeout and interval
* pass github token
* updated comments
* revert removed shell instructions
* rename file
* change spelling
* remove CRD_FILE
* add yq
---
 .../bump-sec-scanners-config-reusable.yml | 47 +++++++------
 .../create-draft-release-reusable.yml | 44 ++++++++++++
 ...t-version-from-release-branch-reusable.yml | 45 ++++++++++++
 .../workflows/publish-release-reusable.yml | 29 ++++++++
 .../render-and-upload-manifests-reusable.yml | 59 ++++++++++++++++
 .../trigger-prow-build-job-reusable.yml | 68 +++++++++++++++++++
 6 files changed, 270 insertions(+), 22 deletions(-)
 create mode 100644 .github/workflows/create-draft-release-reusable.yml
 create mode 100644 .github/workflows/get-version-from-release-branch-reusable.yml
 create mode 100644 .github/workflows/publish-release-reusable.yml
 create mode 100644 .github/workflows/render-and-upload-manifests-reusable.yml
 create mode 100644 .github/workflows/trigger-prow-build-job-reusable.yml
diff --git a/.github/workflows/bump-sec-scanners-config-reusable.yml b/.github/workflows/bump-sec-scanners-config-reusable.yml
index 8bcc5e0..cdc2582 100644
--- a/.github/workflows/bump-sec-scanners-config-reusable.yml
+++ b/.github/workflows/bump-sec-scanners-config-reusable.yml
@@ -5,7 +5,7 @@ # will require a specfic sec-scanners-config.yaml. # # The script `render-sec-scanners-config.sh` will in all cases require a version that is used to tag the corresponding image -# of the controller. For this reason, passing the input `version_tag` is required. +# of the controller. For this reason, passing the input `VERSION` is required. # # To create a PR and monitor it, this workflow will require a classic github personal access token (pat) passed # as a secret named `BOT_PAT`. The token must be configured to have all rights for `repo`, `user` and `workflow`. @@ -13,10 +13,10 @@ # Setting a secret for a repo: https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions # # If changes were done by the script, the workflow will create a PR and wait for it to be merged. -# The waiting will happen with a timeout that can be set via the input of `timeout`. The units are seconds. # It has a default value of 3600 (seconds (= 1 hour)). Note that GitHub Action jobs will automatically fail after 6 hours: # Further reads: # Default limits for GitHub Actions: https://docs.github.com/en/actions/learn-github-actions/usage-limits-billing-and-administration#usage-limits +# The waiting will happen with a timeout that can be set via the input of `TIMEOUT`. The units are seconds. # # Examples of using this workflow: # 1. Set all awailable inputs and secrets. @@ -25,8 +25,8 @@ # call-this-workflow: # uses: kyma-project/eventing-tools/.github/workflows/bump-sec-scanners-config-reusable.yml@main # with: -# version_tag: 2.3.4 -# timeout: 3600 # 1 hour +# VERSION: 2.3.4 +# TIMEOUT: 3600 # 1 hour # secrets: # BOT_PAT: ${{ secrets.my_pat }} # @@ -36,7 +36,7 @@ # call-this-workflow::working_dir: g # uses: kyma-project/eventing-tools/.github/workflows/bump-sec-scanners-config-reusable.yml@main # with: -# version_tag: 2.3.4 +# VERSION: 2.3.4 # secrets: # BOT_PAT: ${{ secrets.my_pat }} 
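Review bot: Moving the timeout sentence below the "Further reads" link in the second hunk leaves `# It has a default value of 3600 (seconds (= 1 hour)).` directly after the PR-merge sentence, so "It" now has no antecedent and the paragraph reads backwards. Keep the moved line where `timeout` used to be, i.e. immediately before `# It has a default value of 3600`, changing only the input name: `# The waiting will happen with a timeout that can be set via the input of \`TIMEOUT\`. The units are seconds.`. The examples further down are comment-only and read fine after the rename.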
@@ -45,11 +45,11 @@ name: bump sec-scanners-config.yaml (reusable) on: workflow_call: inputs: - version_tag: + VERSION: required: true type: string description: The semantic version number, that will be used to tag the main image in the sec scanner config. - timeout: + TIMEOUT: required: false type: number description: The time in seconds this workflow will wait for a resulting PR to be merged. @@ -62,22 +62,23 @@ jobs: bump: name: Bump sec-scanners-config.yaml runs-on: ubuntu-latest - env: - REPO: ${{ github.repository }} steps: - - name: Checkout Code + - name: Checkout code uses: actions/checkout@v4 + - name: "Setup yq" # Required for rendering the sec-scanners-config. + uses: dcarbone/install-yq-action@v1.1.1 + - name: Render sec-scanners-config.yaml env: - VERSION_TAG: ${{ inputs.version_tag }} + VERSION: ${{ inputs.VERSION }} shell: bash # Where ever you use this workflow, the script hack/scripts/render-sec-scanners-config.sh must exist. - run: ./hack/scripts/render-sec-scanners-config.sh "${VERSION_TAG}" + run: ./hack/scripts/render-sec-scanners-config.sh "${VERSION}" # Check if there are changes so we can determin if all following steps can be skipped. - - name: Check For Changes + - name: Check for changes shell: bash run: | if [ -z "$(git status --porcelain)" ]; then 
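Review bot: Renaming the required input `version_tag` to `VERSION` and `timeout` to `TIMEOUT` is a breaking change for every caller of this reusable workflow, and the header comments in this same file show callers referencing it as `@main`, so those callers will fail on their next run with an unknown-input / missing-required-input error as soon as this merges. Reusable-workflow inputs have no alias mechanism, so the old names cannot be kept alongside the new ones; the rename should be stated explicitly in the commit description and callers updated in lockstep. The `TIMEOUT` input's `default:` line, if any, is outside this hunk, so whether the documented 3600 default still holds cannot be confirmed here.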
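Review bot: `uses: dcarbone/install-yq-action@v1.1.1` in the `@@ -62` hunk pins a third-party action to a mutable tag, while trigger-prow-build-job-reusable.yml in the same commit pins kyma-project/wait-for-commit-status-action to a full commit SHA; a repointed tag would run foreign code inside the same job whose later steps receive BOT_PAT as `GH_TOKEN`. Pin to the commit the tag currently resolves to and keep the tag as a comment, e.g. `uses: dcarbone/install-yq-action@<commit-sha-of-v1.1.1> # v1.1.1`. Also `- name: "Setup yq"` is the only quoted step name in the file; the other step names are plain scalars.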
@@ -87,29 +88,30 @@ jobs: echo "CREATE_PR=true" >> $GITHUB_ENV fi - - name: Print Content of sec-scanners-config.yaml + - name: Print out sec-scanners-config.yaml if: ${{ always() }} shell: bash run: | FILE="sec-scanners-config.yaml" [ -f "${FILE}" ] && cat "${FILE}" || echo "${FILE} not found." - - name: Set Up Git + - name: Set up git if: ${{ env.CREATE_PR == 'true' }} env: GH_TOKEN: ${{ secrets.BOT_PAT }} + REPO: ${{ github.repository }} shell: bash run: | # set git username - ghusername=$(curl -H "Authorization: token ${GH_TOKEN}" https://api.github.com/user) + ghusername=$(curl -s -H "Authorization: token ${GH_TOKEN}" https://api.github.com/user | jq '.login') git config user.name "${ghusername}" # set git mail address - ghmailaddress=$(curl -H "Authorization: token ${GH_TOKEN}" https://api.github.com/email) - git config user.email "${ghmailaddress}" + ghemailaddress="${ghusername}@users.noreply.github.com" + git config user.email "${ghemailaddress}" # set remote url git remote set-url origin "https://x-access-token:${GH_TOKEN}@github.com/${REPO}.git" - - name: Set All Variables + - name: Set all variables if: ${{ env.CREATE_PR == 'true' }} shell: bash run: | @@ -125,9 +127,10 @@ jobs: echo "name of the new branch: ${BRANCH_NAME}" echo "BRANCH_NAME=${BRANCH_NAME}" >> $GITHUB_ENV - - name: Create a Pull Request + - name: Create a pull request if: ${{ env.CREATE_PR == 'true' }} env: + REPO: ${{ github.repository }} CURRENT_BRANCH: ${{ env.CURRENT_BRANCH }} PR_DATE: ${{ env.PR_DATE }} BRANCH_NAME: ${{ env.BRANCH_NAME }} @@ -157,11 +160,11 @@ jobs: run: | echo "please review ${PR_URL}" - - name: Wait for PR to be Merged + - name: Wait for PR to be merged if: ${{ env.CREATE_PR == 'true' }} shell: bash env: - TIMEOUT: ${{ inputs.timeout }} + TIMEOUT: ${{ inputs.TIMEOUT }} PR_URL: ${{ env.PR_URL }} GH_TOKEN: ${{ secrets.BOT_PAT }} run: | 
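Review bot: In `Set up git`, `jq '.login'` prints the JSON-encoded value including its quotes, so `git config user.name` receives `"<login>"` with literal quote characters and the derived address becomes `"<login>"@users.noreply.github.com`; use `jq -r '.login'`. `curl -s` without `--fail` also means an expired or under-scoped BOT_PAT yields an error document whose `.login` is `null`, which then silently becomes the committer name, whereas `curl -sf` fails the pipeline (and, with the pipefail that `shell: bash` enables, the step). The identical lines are copied into the `Set up git` step of trigger-prow-build-job-reusable.yml in this commit and need the same fix. The `run:` block of `Wait for PR to be merged` continues past the last hunk, so its use of `TIMEOUT` could not be reviewed here.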
diff --git a/.github/workflows/create-draft-release-reusable.yml b/.github/workflows/create-draft-release-reusable.yml
new file mode 100644
index 0000000..1c71f18
--- /dev/null
+++ b/.github/workflows/create-draft-release-reusable.yml
@@ -0,0 +1,44 @@
+name: Create draft release (reusable)
+
+on:
+ workflow_call:
+ inputs:
+ VERSION:
+ required: true
+ type: string
+ description: The semantic version number.
+ secrets:
+ BOT_PAT:
+ required: true
+ description: The github personal access token of your bot.
+ GH_TOKEN:
+ required: true
+
+jobs:
+ create-draft-release:
+ name: Create a draft release
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Write changelog to file
+ env:
+ VERSION: ${{ inputs.VERSION }}
+ GH_TOKEN: ${{ secrets.GH_TOKEN }}
+ shell: bash
+ run: |
+ # Note: your repository needs to have this script.
+ # Running this script should result in a file named CHANGELOG.md, located in the base directory.
+ ./hack/scripts/create_changelog.sh "${VERSION}"
+
+ - name: Print out changelog
+ run: cat CHANGELOG.md
+
+ - name: Create the draft release
+ env:
+ VERSION: ${{ inputs.VERSION }}
+ GH_TOKEN: ${{ secrets.BOT_PAT }}
+ shell: bash
+ run: |
+ gh release create "${VERSION}" --draft --notes-file CHANGELOG.md
diff --git a/.github/workflows/get-version-from-release-branch-reusable.yml b/.github/workflows/get-version-from-release-branch-reusable.yml
new file mode 100644
index 0000000..40a1811
--- /dev/null
+++ b/.github/workflows/get-version-from-release-branch-reusable.yml
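Review bot: `gh release create "${VERSION}" --draft --notes-file CHANGELOG.md` passes no `--target`, so if the `${VERSION}` tag does not exist yet when this runs, gh creates it on the repository's default branch rather than on the release branch this workflow is presumably called from; the sibling trigger-prow-build-job-reusable.yml is what pushes the tag, and the call order between the two is not visible in this commit. Adding `--target "${GITHUB_SHA}"` pins the release to the checked-out commit regardless of ordering. The `GH_TOKEN` secret is required but, unlike `BOT_PAT`, has no `description:`; a line such as `description: Token passed to hack/scripts/create_changelog.sh.` would tell callers which of the two tokens is used for what. `Print out changelog` is also the only step without `shell: bash`, which the others set consistently.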
@@ -0,0 +1,45 @@ +name: Get version from release branch (reusable) + +on: + workflow_call: + outputs: + VERSION: + description: "The semantic version x.y.z, e.g.: 1.7.4" + value: ${{ jobs.create-version.outputs.VERSION }} + +jobs: + create-version: + name: generate version number + runs-on: ubuntu-latest + outputs: + VERSION: ${{ steps.generate.outputs.VERSION }} + + steps: + - name: checkout code + uses: actions/checkout@v4 + + - name: Verify that the current is branch is a release branch + shell: bash + run: | + CURRENT_BRANCH=$(git rev-parse --abbrev-ref HEAD) + [[ $CURRENT_BRANCH =~ ^release-([0-9]+)\.([0-9]+)$ ]] || exit 1 + echo "MAJOR=${BASH_REMATCH[1]}" >> $GITHUB_ENV + echo "MINOR=${BASH_REMATCH[2]}" >> $GITHUB_ENV + exit 0 + + - name: Generate version + id: generate + shell: bash + env: + MAJOR: ${{ env.MAJOR }} + MINOR: ${{ env.MINOR }} + run: | + TAGS=$(git tag -l "$MAJOR.$MINOR.*") + if [[ -z $TAGS ]]; then + PATCH=0 + else + PATCH=$(( $(echo $TAGS | cut -d '.' -f 3 | sort -n | tail -n 1) + 1)) + fi + VERSION="${MAJOR}.${MINOR}.${PATCH:-0}" + echo "VERSION=${VERSION}" >> $GITHUB_OUTPUT + exit 0 diff --git a/.github/workflows/publish-release-reusable.yml b/.github/workflows/publish-release-reusable.yml new file mode 100644 index 0000000..996aac8 --- /dev/null +++ b/.github/workflows/publish-release-reusable.yml @@ -0,0 +1,29 @@ +name: Publish release (reusable) + +on: + workflow_call: + inputs: + VERSION: + required: true + type: string + description: The semantic version number. + secrets: + BOT_PAT: + required: true + description: The github personal access token of your bot. + +jobs: + publish-release: + name: Publish release + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Publish + env: + VERSION: ${{ inputs.VERSION }} + GH_TOKEN: ${{ secrets.BOT_PAT }} + shell: bash + run: | + gh release edit "${VERSION}" --draft=false --latest 
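Review bot: `PATCH=$(( $(echo $TAGS | cut -d '.' -f 3 | sort -n | tail -n 1) + 1))` breaks as soon as more than one tag matches: unquoted `echo $TAGS` joins the tags onto one space-separated line, so `cut -d '.' -f 3` yields something like `0 1` and the arithmetic expansion fails the step. Quoting keeps one tag per line: `PATCH=$(( $(echo "$TAGS" | cut -d '.' -f 3 | sort -n | tail -n 1) + 1 ))`. Separately, `actions/checkout@v4` with its defaults makes a depth-1 clone without tags, so `git tag -l` in the next step is likely empty and PATCH always 0 unless the caller sets `fetch-depth: 0` or `fetch-tags: true` — worth stating in a comment on the checkout step. `git rev-parse --abbrev-ref HEAD` also returns the literal `HEAD` on a detached checkout (tag or merge-ref events), so `${{ github.ref_name }}` is the more dependable source for the branch guard.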
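Review bot: `gh release edit "${VERSION}" --draft=false --latest` in publish-release-reusable.yml marks every published release as the latest unconditionally; since this set of workflows is built around `release-X.Y` branches (see the guard in get-version-from-release-branch-reusable.yml), publishing a patch for an older line would displace a newer release as "latest". Dropping `--latest` lets GitHub apply its default latest-release selection, or the flag could be gated behind a boolean input such as `MARK_LATEST` that defaults to false.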
diff --git a/.github/workflows/render-and-upload-manifests-reusable.yml b/.github/workflows/render-and-upload-manifests-reusable.yml
new file mode 100644
index 0000000..f185156
--- /dev/null
+++ b/.github/workflows/render-and-upload-manifests-reusable.yml
@@ -0,0 +1,59 @@
+name: Render and upload manifests (reusable)
+
+on:
+ workflow_call:
+ inputs:
+ VERSION:
+ required: true
+ type: string
+ description: The semantic version number.
+ CR_FILE:
+ type: string
+ required: true
+ description: The file name of the CR.
+ CRD_FILE:
+ type: string
+ required: true
+ description: The file name of the CRD.
+ secrets:
+ BOT_PAT:
+ required: true
+ description: The github personal access token of your bot.
+
+jobs:
+ render-and-upload-manifests:
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Render CRD
+ env:
+ VERSION: ${{ inputs.VERSION }}
+ shell: bash
+ # Note: your repository needs to have this script.
+ run: ./hack/scripts/render_crd.sh "${VERSION}"
+
+ - name: Print out CR file
+ env:
+ CR_FILE: ${{ inputs.CR_FILE }}
+ shell: bash
+ run: cat "${CR_FILE}"
+
+ - name: Print out CRD file
+ env:
+ CRD_FILE: ${{ inputs.CRD_FILE }}
+ shell: bash
+ run: cat "${CRD_FILE}"
+
+ - name: Upload manifests
+ env:
+ VERSION: ${{ inputs.VERSION }}
+ GH_TOKEN: ${{ secrets.BOT_PAT }}
+ CRD_FILE: ${{ inputs.CRD_FILE }}
+ CR_FILE: ${{ inputs.CR_FILE }}
+ shell: bash
+ run: |
+ gh release upload "${VERSION}" "${CR_FILE}"
+ gh release upload "${VERSION}" "${CRD_FILE}"
diff --git a/.github/workflows/trigger-prow-build-job-reusable.yml b/.github/workflows/trigger-prow-build-job-reusable.yml
new file mode 100644
index 0000000..4571109
--- /dev/null
+++ b/.github/workflows/trigger-prow-build-job-reusable.yml
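Review bot: The commit description lists "remove CRD_FILE", yet this file still declares the `CRD_FILE` input and uploads it in `Upload manifests`, so either the description or the workflow is stale and should be reconciled before merge. `gh release upload` without `--clobber` fails when an asset of the same name already exists, so a re-run after a partial failure dies on the first upload; `gh release upload "${VERSION}" "${CR_FILE}" "${CRD_FILE}" --clobber` uploads both in one call and is safe to repeat. This job is also the only one in the commit without a `name:`, so it will show up under its key `render-and-upload-manifests` in the UI.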
@@ -0,0 +1,68 @@
+name: Trigger prow build job (reusable)
+
+on:
+ workflow_call:
+ inputs:
+ VERSION:
+ required: true
+ type: string
+ description: The semantic version number.
+ TIMEOUT:
+ type: number
+ default: 60000 # 10 minutes in miliseconds
+ INTERVAL:
+ type: number
+ default: 60000 # 1 minute in miliseconds
+ CONTEXT:
+ required: true
+ type: string
+ description: The context is the name of the prow job we are waiting for.
+ secrets:
+ BOT_PAT:
+ required: true
+ GH_TOKEN:
+ required: true
+
+jobs:
+ trigger-prow-build-job:
+ name: Trigger prow build job
+ runs-on: ubuntu-latest
+ env:
+ VERSION: ${{ inputs.VERSION }}
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Set up git
+ if: ${{ env.CREATE_PR == 'true' }}
+ env:
+ GH_TOKEN: ${{ secrets.BOT_PAT }}
+ REPO: ${{ github.repository }}
+ shell: bash
+ run: |
+ # set git username
+ ghusername=$(curl -s -H "Authorization: token ${GH_TOKEN}" https://api.github.com/user | jq '.login')
+ git config user.name "${ghusername}"
+ # set git mail address
+ ghemailaddress="${ghusername}@users.noreply.github.com"
+ git config user.email "${ghemailaddress}"
+ # set remote url
+ git remote set-url origin "https://x-access-token:${GH_TOKEN}@github.com/${REPO}.git"
+
+ - name: Push git tag to trigger the prow build job
+ run: |
+ git tag "${VERSION}"
+ git push origin "${VERSION}"
+
+ - name: Wait for the build job to succeed
+ id: wait-build
+ uses: kyma-project/wait-for-commit-status-action@2b3ffe09af8b6f40e1213d5fb7f91a7bd41ffb20
+ env:
+ GITHUB_TOKEN: "${{ secrets.GH_TOKEN }}"
+ GITHUB_OWNER: "${{ github.repository_owner }}"
+ GITHUB_REPO: ${{ github.event.repository.name }}
+ with:
+ context: "${{ inputs.CONTEXT }}"
+ commit_ref: "release-${VERSION}" # the name of the release branch.
+ timeout: ${{ inputs.TIMEOUT }}
+ check_interval: ${{ inputs.INTERVAL }}
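Review bot: The `Set up git` step is guarded by `if: ${{ env.CREATE_PR == 'true' }}`, but nothing in this workflow ever writes CREATE_PR, so the step never runs and the following `git push origin "${VERSION}"` goes out with whatever credentials actions/checkout left in the clone rather than with BOT_PAT; the guard looks carried over from bump-sec-scanners-config-reusable.yml and should be removed (once the step does run, note that `git remote set-url` persists BOT_PAT in `.git/config` for every later step of the job). `commit_ref: "release-${VERSION}"` is an action input, not a shell line, so `${VERSION}` is passed literally and never expanded; it needs `${{ inputs.VERSION }}`, and since get-version-from-release-branch-reusable.yml derives VERSION as x.y.z while its branch guard expects `release-X.Y`, the just-pushed tag (`commit_ref: "${{ inputs.VERSION }}"`) is presumably the ref whose status should be polled. `default: 60000 # 10 minutes in miliseconds` for TIMEOUT is one minute, not ten — either the value should be 600000 or the comment corrected (and "miliseconds" spelled "milliseconds" on both defaults). The `jq '.login'` quoting defect in this step is covered in the note on bump-sec-scanners-config-reusable.yml.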