Add reusable workflows for release #63
Changes from all commits
1662375
c282ca3
c7ea6f1
919c26c
8f5f06d
36a39b2
585a5b1
6acdf78
f666d7c
9f7d513
49029ad
867277f
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -5,18 +5,18 @@ | |
# will require a specfic sec-scanners-config.yaml. | ||
# | ||
# The script `render-sec-scanners-config.sh` will in all cases require a version that is used to tag the corresponding image | ||
# of the controller. For this reason, passing the input `version_tag` is required. | ||
# of the controller. For this reason, passing the input `VERSION` is required. | ||
# | ||
# To create a PR and monitor it, this workflow will require a classic github personal access token (pat) passed | ||
# as a secret named `BOT_PAT`. The token must be configured to have all rights for `repo`, `user` and `workflow`. | ||
# Further reads: | ||
# Setting a secret for a repo: https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions | ||
# | ||
# If changes were done by the script, the workflow will create a PR and wait for it to be merged. | ||
# The waiting will happen with a timeout that can be set via the input of `timeout`. The units are seconds. | ||
# It has a default value of 3600 (seconds (= 1 hour)). Note that GitHub Action jobs will automatically fail after 6 hours: | ||
# Further reads: | ||
# Default limits for GitHub Actions: https://docs.github.com/en/actions/learn-github-actions/usage-limits-billing-and-administration#usage-limits | ||
# The waiting will happen with a timeout that can be set via the input of `TIMEOUT`. The units are seconds. | ||
# | ||
# Examples of using this workflow: | ||
# 1. Set all awailable inputs and secrets. | ||
|
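Review bot: the unchanged comment line above the `Further reads` link still tells callers the classic PAT "must be configured to have all rights for `repo`, `user` and `workflow`"; since this workflow only needs to push a branch and open and watch a PR, the comment should state the minimum scopes actually required and mention that a classic PAT is not limited to this repository, so a broadly scoped token in `BOT_PAT` exposes every repository the bot can reach. Two typos in the same comment block: `specfic` and `awailable`.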
@@ -25,8 +25,8 @@ | |
# call-this-workflow: | ||
# uses: kyma-project/eventing-tools/.github/workflows/bump-sec-scanners-config-reusable.yml@main | ||
# with: | ||
# version_tag: 2.3.4 | ||
# timeout: 3600 # 1 hour | ||
# VERSION: 2.3.4 | ||
# TIMEOUT: 3600 # 1 hour | ||
# secrets: | ||
# BOT_PAT: ${{ secrets.my_pat }} | ||
# | ||
|
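Review bot: the example `uses:` line references `bump-sec-scanners-config-reusable.yml@main`, a mutable ref; for a workflow that runs with `BOT_PAT`, the example should advise callers to pin to a tag or full commit SHA so that a later change on `main` cannot silently alter what runs with the bot's token.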
@@ -36,7 +36,7 @@ | |
# call-this-workflow::working_dir: g | ||
# uses: kyma-project/eventing-tools/.github/workflows/bump-sec-scanners-config-reusable.yml@main | ||
# with: | ||
# version_tag: 2.3.4 | ||
# VERSION: 2.3.4 | ||
# secrets: | ||
# BOT_PAT: ${{ secrets.my_pat }} | ||
|
||
|
@@ -45,11 +45,11 @@ name: bump sec-scanners-config.yaml (reusable) | |
on: | ||
workflow_call: | ||
inputs: | ||
version_tag: | ||
VERSION: | ||
required: true | ||
type: string | ||
description: The semantic version number, that will be used to tag the main image in the sec scanner config. | ||
timeout: | ||
TIMEOUT: | ||
required: false | ||
type: number | ||
description: The time in seconds this workflow will wait for a resulting PR to be merged. | ||
|
@@ -62,22 +62,23 @@ jobs: | |
bump: | ||
name: Bump sec-scanners-config.yaml | ||
runs-on: ubuntu-latest | ||
env: | ||
REPO: ${{ github.repository }} | ||
|
||
steps: | ||
- name: Checkout Code | ||
- name: Checkout code | ||
uses: actions/checkout@v4 | ||
|
||
- name: "Setup yq" # Required for rendering the sec-scanners-config. | ||
uses: dcarbone/[email protected] | ||
|
||
- name: Render sec-scanners-config.yaml | ||
env: | ||
VERSION_TAG: ${{ inputs.version_tag }} | ||
VERSION: ${{ inputs.VERSION }} | ||
shell: bash | ||
# Where ever you use this workflow, the script hack/scripts/render-sec-scanners-config.sh must exist. | ||
run: ./hack/scripts/render-sec-scanners-config.sh "${VERSION_TAG}" | ||
run: ./hack/scripts/render-sec-scanners-config.sh "${VERSION}" | ||
|
||
# Check if there are changes so we can determin if all following steps can be skipped. | ||
- name: Check For Changes | ||
- name: Check for changes | ||
shell: bash | ||
run: | | ||
if [ -z "$(git status --porcelain)" ]; then | ||
|
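Review bot: the `Setup yq` step pulls in the third-party `dcarbone` action by a version reference rather than a full commit SHA, while the new trigger-prow workflow pins `kyma-project/wait-for-commit-status-action` to a SHA; the two should be consistent, and SHA pinning is the safer choice for a release pipeline. Minor: `Where ever` in the comment should be `Wherever`, and `determin` in the `Check for changes` comment should be `determine`.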
@@ -87,29 +88,30 @@ jobs: | |
echo "CREATE_PR=true" >> $GITHUB_ENV | ||
fi | ||
|
||
- name: Print Content of sec-scanners-config.yaml | ||
- name: Print out sec-scanners-config.yaml | ||
if: ${{ always() }} | ||
shell: bash | ||
run: | | ||
FILE="sec-scanners-config.yaml" | ||
[ -f "${FILE}" ] && cat "${FILE}" || echo "${FILE} not found." | ||
|
||
- name: Set Up Git | ||
- name: Set up git | ||
if: ${{ env.CREATE_PR == 'true' }} | ||
env: | ||
GH_TOKEN: ${{ secrets.BOT_PAT }} | ||
REPO: ${{ github.repository }} | ||
shell: bash | ||
run: | | ||
# set git username | ||
ghusername=$(curl -H "Authorization: token ${GH_TOKEN}" https://api.github.com/user) | ||
ghusername=$(curl -s -H "Authorization: token ${GH_TOKEN}" https://api.github.com/user | jq '.login') | ||
Is there a step to install
|
||
git config user.name "${ghusername}" | ||
# set git mail address | ||
ghmailaddress=$(curl -H "Authorization: token ${GH_TOKEN}" https://api.github.com/email) | ||
git config user.email "${ghmailaddress}" | ||
ghemailaddress="${ghusername}@users.noreply.github.com" | ||
git config user.email "${ghemailaddress}" | ||
# set remote url | ||
git remote set-url origin "https://x-access-token:${GH_TOKEN}@github.com/${REPO}.git" | ||
|
||
- name: Set All Variables | ||
- name: Set all variables | ||
if: ${{ env.CREATE_PR == 'true' }} | ||
shell: bash | ||
run: | | ||
|
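Review bot: `jq '.login'` on the changed `ghusername=` line prints the login with its JSON double quotes (jq needs `-r` for raw output), so `git config user.name` receives a quoted name and the derived `ghemailaddress` becomes `"login"@users.noreply.github.com`; use `jq -r '.login'`. The step also does not check the curl result: with `-s` and no `-f`, an expired or mis-scoped `BOT_PAT` returns an error body, `jq` yields `null`, and the job continues with `null` as the committer; add `-f` (or test the exit status) so the failure surfaces here instead of at push time.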
@@ -125,9 +127,10 @@ jobs: | |
echo "name of the new branch: ${BRANCH_NAME}" | ||
echo "BRANCH_NAME=${BRANCH_NAME}" >> $GITHUB_ENV | ||
|
||
- name: Create a Pull Request | ||
- name: Create a pull request | ||
if: ${{ env.CREATE_PR == 'true' }} | ||
env: | ||
REPO: ${{ github.repository }} | ||
CURRENT_BRANCH: ${{ env.CURRENT_BRANCH }} | ||
PR_DATE: ${{ env.PR_DATE }} | ||
BRANCH_NAME: ${{ env.BRANCH_NAME }} | ||
|
@@ -157,11 +160,11 @@ jobs: | |
run: | | ||
echo "please review ${PR_URL}" | ||
|
||
- name: Wait for PR to be Merged | ||
- name: Wait for PR to be merged | ||
if: ${{ env.CREATE_PR == 'true' }} | ||
shell: bash | ||
env: | ||
TIMEOUT: ${{ inputs.timeout }} | ||
TIMEOUT: ${{ inputs.TIMEOUT }} | ||
PR_URL: ${{ env.PR_URL }} | ||
GH_TOKEN: ${{ secrets.BOT_PAT }} | ||
run: | | ||
|
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,44 @@ | ||
name: Create draft release (reusable) | ||
|
||
on: | ||
workflow_call: | ||
inputs: | ||
VERSION: | ||
required: true | ||
type: string | ||
description: The semantic version number. | ||
secrets: | ||
BOT_PAT: | ||
(nit) for readability, does it make sense to rename
Mhh, I am indifferent to the wording. My argument for PAT is that the personal access token is a special kind of token. But
What do you say?
It is a nitpick, let's keep the pat!
||
required: true | ||
description: The github personal access token of your bot. | ||
GH_TOKEN: | ||
required: true | ||
|
||
jobs: | ||
create-draft-release: | ||
name: Create a draft release | ||
runs-on: ubuntu-latest | ||
steps: | ||
- name: Checkout code | ||
uses: actions/checkout@v4 | ||
|
||
- name: Write changelog to file | ||
env: | ||
VERSION: ${{ inputs.VERSION }} | ||
GH_TOKEN: ${{ secrets.GH_TOKEN }} | ||
shell: bash | ||
run: | | ||
# Note: your repository needs to have this script. | ||
If this script does not exist, will there be an error message indicating that?
yes
||
# Running this script should result in a file named CHANGELOG.md, located in the base directory. | ||
./hack/scripts/create_changelog.sh "${VERSION}" | ||
|
||
- name: Print out changelog | ||
run: cat CHANGELOG.md | ||
If there are no changes, what will be printed?
That depends on the script. With what we have it will be only headlines and a link to the full changelogs.
Does it make sense here to print a message before and after the
That's the reason why I placed this in its own step. It makes it easy to find and easy to read. It will look like this
So to answer the question, no, I think it is good already.
||
|
||
- name: Create the draft release | ||
env: | ||
VERSION: ${{ inputs.VERSION }} | ||
GH_TOKEN: ${{ secrets.BOT_PAT }} | ||
shell: bash | ||
run: | | ||
gh release create "${VERSION}" --draft --notes-file CHANGELOG.md |
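Review bot: the `GH_TOKEN` secret is declared `required: true` without a `description`, unlike `BOT_PAT`; since the `Write changelog to file` step runs with `GH_TOKEN` and `Create the draft release` runs with `BOT_PAT`, the descriptions should say which token each step needs and what the minimum permissions are, otherwise callers will pass the same broad PAT twice. Also, `cat CHANGELOG.md` is the only step in the file without `shell: bash`; harmless, but inconsistent with the rest of the new workflows.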
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,45 @@ | ||
name: Get version from release branch (reusable) | ||
|
||
on: | ||
workflow_call: | ||
outputs: | ||
VERSION: | ||
description: "The semantic version x.y.z, e.g.: 1.7.4" | ||
value: ${{ jobs.create-version.outputs.VERSION }} | ||
Is the name
In github actions it is customary practice to name jobs and step IDs with a dash.
    my-job:
      steps:
        - name: "my step"
          id: my-step
while env vars and secrets are spelled most of the time with an underscore e.g.
||
|
||
jobs: | ||
create-version: | ||
name: generate version number | ||
runs-on: ubuntu-latest | ||
outputs: | ||
VERSION: ${{ steps.generate.outputs.VERSION }} | ||
|
||
steps: | ||
- name: checkout code | ||
uses: actions/checkout@v4 | ||
|
||
- name: Verify that the current is branch is a release branch | ||
shell: bash | ||
run: | | ||
CURRENT_BRANCH=$(git rev-parse --abbrev-ref HEAD) | ||
[[ $CURRENT_BRANCH =~ ^release-([0-9]+)\.([0-9]+)$ ]] || exit 1 | ||
echo "MAJOR=${BASH_REMATCH[1]}" >> $GITHUB_ENV | ||
What is the value of
|
||
echo "MINOR=${BASH_REMATCH[2]}" >> $GITHUB_ENV | ||
exit 0 | ||
|
||
- name: Generate version | ||
id: generate | ||
shell: bash | ||
env: | ||
MAJOR: ${{ env.MAJOR }} | ||
MINOR: ${{ env.MINOR }} | ||
run: | | ||
TAGS=$(git tag -l "$MAJOR.$MINOR.*") | ||
if [[ -z $TAGS ]]; then | ||
PATCH=0 | ||
else | ||
PATCH=$(( $(echo $TAGS | cut -d '.' -f 3 | sort -n | tail -n 1) + 1)) | ||
fi | ||
VERSION="${MAJOR}.${MINOR}.${PATCH:-0}" | ||
echo "VERSION=${VERSION}" >> $GITHUB_OUTPUT | ||
exit 0 |
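Review bot: `echo $TAGS | cut -d '.' -f 3` in the `Generate version` step collapses the multi-line `git tag -l` output into one space-separated line, so as soon as two tags exist (`1.7.0 1.7.1`) `cut` returns `0 1`, `tail -n 1` passes that on, and the `$(( ... + 1 ))` arithmetic fails; quote it (`echo "$TAGS"`) or pipe `git tag -l "$MAJOR.$MINOR.*"` straight into `cut`. Independently of that, `actions/checkout@v4` at its default `fetch-depth: 1` fetches no tags, so `TAGS` is always empty and `PATCH` is always `0`; the checkout needs `fetch-tags: true` (or `fetch-depth: 0`) for the patch number to be computed at all. Minor: the step name reads `the current is branch is`, and the `exit 1` on a non-release branch would be easier to debug if it printed the branch it found.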
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,29 @@ | ||
name: Publish release (reusable) | ||
|
||
on: | ||
workflow_call: | ||
inputs: | ||
VERSION: | ||
required: true | ||
type: string | ||
description: The semantic version number. | ||
secrets: | ||
BOT_PAT: | ||
required: true | ||
description: The github personal access token of your bot. | ||
|
||
jobs: | ||
publish-release: | ||
name: Publish release | ||
runs-on: ubuntu-latest | ||
steps: | ||
- name: Checkout code | ||
uses: actions/checkout@v4 | ||
|
||
- name: Publish | ||
env: | ||
VERSION: ${{ inputs.VERSION }} | ||
GH_TOKEN: ${{ secrets.BOT_PAT }} | ||
shell: bash | ||
run: | | ||
gh release edit "${VERSION}" --draft=false --latest | ||
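Review bot: `--latest` unconditionally marks the published release as the repository's latest, which is wrong when this workflow publishes a patch from an older `release-x.y` branch after a newer minor already exists; either make it an input or compute it from the version before passing the flag.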
you have
I have set the
In this step we edit the draft release and turn it into a real release. We also set it to be the
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,59 @@ | ||
name: Render and upload manifests (reusable) | ||
|
||
on: | ||
workflow_call: | ||
inputs: | ||
VERSION: | ||
required: true | ||
type: string | ||
description: The semantic version number. | ||
CR_FILE: | ||
type: string | ||
required: true | ||
description: The file name of the CR. | ||
CRD_FILE: | ||
type: string | ||
required: true | ||
description: The file name of the CRD. | ||
secrets: | ||
BOT_PAT: | ||
required: true | ||
description: The github personal access token of your bot. | ||
|
||
jobs: | ||
render-and-upload-manifests: | ||
runs-on: ubuntu-latest | ||
|
||
steps: | ||
- name: Checkout code | ||
uses: actions/checkout@v4 | ||
|
||
- name: Render CRD | ||
env: | ||
VERSION: ${{ inputs.VERSION }} | ||
shell: bash | ||
# Note: your repository needs to have this script. | ||
run: ./hack/scripts/render_crd.sh "${VERSION}" | ||
|
||
- name: Print out CR file | ||
env: | ||
CR_FILE: ${{ inputs.CR_FILE }} | ||
shell: bash | ||
run: cat "${CR_FILE}" | ||
|
||
- name: Print out CRD file | ||
env: | ||
CRD_FILE: ${{ inputs.CRD_FILE }} | ||
shell: bash | ||
run: cat "${CRD_FILE}" | ||
|
||
- name: Upload manifests | ||
env: | ||
VERSION: ${{ inputs.VERSION }} | ||
GH_TOKEN: ${{ secrets.BOT_PAT }} | ||
CRD_FILE: ${{ inputs.CRD_FILE }} | ||
CR_FILE: ${{ inputs.CR_FILE }} | ||
shell: bash | ||
run: | | ||
gh release upload "${VERSION}" "${CR_FILE}" | ||
gh release upload "${VERSION}" "${CRD_FILE}" |
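Review bot: `gh release upload` fails when an asset of the same name already exists on the release, so re-running this job after a partial failure errors on the first file; add `--clobber` if reruns are meant to be idempotent, and consider uploading both files in one call (`gh release upload "${VERSION}" "${CR_FILE}" "${CRD_FILE}"`). The job is also the only new one without a `name:`.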
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,68 @@ | ||
name: Trigger prow build job (reusable) | ||
|
||
on: | ||
workflow_call: | ||
inputs: | ||
VERSION: | ||
required: true | ||
type: string | ||
description: The semantic version number. | ||
TIMEOUT: | ||
I see
||
type: number | ||
default: 60000 # 10 minutes in miliseconds | ||
INTERVAL: | ||
I see
||
type: number | ||
default: 60000 # 1 minute in miliseconds | ||
CONTEXT: | ||
required: true | ||
type: string | ||
description: The context is the name of the prow job we are waiting for. | ||
secrets: | ||
BOT_PAT: | ||
required: true | ||
GH_TOKEN: | ||
required: true | ||
|
||
jobs: | ||
trigger-prow-build-job: | ||
name: Trigger prow build job | ||
runs-on: ubuntu-latest | ||
env: | ||
VERSION: ${{ inputs.VERSION }} | ||
steps: | ||
- name: Checkout code | ||
uses: actions/checkout@v4 | ||
|
||
- name: Set up git | ||
if: ${{ env.CREATE_PR == 'true' }} | ||
env: | ||
GH_TOKEN: ${{ secrets.BOT_PAT }} | ||
REPO: ${{ github.repository }} | ||
shell: bash | ||
run: | | ||
# set git username | ||
ghusername=$(curl -s -H "Authorization: token ${GH_TOKEN}" https://api.github.com/user | jq '.login') | ||
git config user.name "${ghusername}" | ||
# set git mail address | ||
ghemailaddress="${ghusername}@users.noreply.github.com" | ||
git config user.email "${ghemailaddress}" | ||
# set remote url | ||
git remote set-url origin "https://x-access-token:${GH_TOKEN}@github.com/${REPO}.git" | ||
|
||
- name: Push git tag to trigger the prow build job | ||
run: | | ||
git tag "${VERSION}" | ||
git push origin "${VERSION}" | ||
|
||
- name: Wait for the build job to succeed | ||
id: wait-build | ||
uses: kyma-project/wait-for-commit-status-action@2b3ffe09af8b6f40e1213d5fb7f91a7bd41ffb20 | ||
env: | ||
GITHUB_TOKEN: "${{ secrets.GH_TOKEN }}" | ||
GITHUB_OWNER: "${{ github.repository_owner }}" | ||
GITHUB_REPO: ${{ github.event.repository.name }} | ||
with: | ||
context: "${{ inputs.CONTEXT }}" | ||
commit_ref: "release-${VERSION}" # the name of the release branch. | ||
timeout: ${{ inputs.TIMEOUT }} | ||
check_interval: ${{ inputs.INTERVAL }} |
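Review bot: `if: ${{ env.CREATE_PR == 'true' }}` on the `Set up git` step was carried over from the sec-scanners workflow, but nothing in this workflow sets `CREATE_PR`, so the step is always skipped and the tag is pushed with whatever credentials and identity `actions/checkout` left in place rather than the bot's `BOT_PAT`; drop the condition. Further points in this hunk: the `TIMEOUT` default comment says `10 minutes in miliseconds` but 60000 ms is 1 minute (600000 for 10 minutes), and both `TIMEOUT` and `INTERVAL` lack a `description`; `commit_ref: "release-${VERSION}"` sits in a `with:` block, where `${VERSION}` is not shell-expanded, so it needs `${{ env.VERSION }}`, and even then the value is `x.y.z` while the release branches matched in the get-version workflow are `release-x.y`; and the `Push git tag` step has no `shell: bash`, as already raised in the thread.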
Why
shell: bash
is removed?
that was a mishap and I will revert it.