release #75

Workflow file for this run

.github/workflows/release.yml at 6f7ca9c

	name: release

	on:
	workflow_dispatch:
	inputs:
	version:
	description: Version to release (e.g. v1.2.3)
	required: true
	kind:
	description: Release kind
	type: choice
	options: [minor, patch]
	required: true
	default: minor

	env:
	container_registry: ghcr.io/edgelesssys
	azure_resource_group: contrast-ci

	concurrency:
	group: ${{ github.ref }}
	cancel-in-progress: true

	jobs:
	process-inputs:
	name: Process inputs
	runs-on: ubuntu-22.04
	env:
	FULL_VERSION: ${{ inputs.version }}
	outputs:
	WITHOUT_V: ${{ steps.version-info.outputs.WITHOUT_V }}
	PART_MAJOR: ${{ steps.version-info.outputs.PART_MAJOR }}
	PART_MINOR: ${{ steps.version-info.outputs.PART_MINOR }}
	PART_PATCH: ${{ steps.version-info.outputs.PART_PATCH }}
	MAJOR: ${{ steps.version-info.outputs.MAJOR }}
	MAJOR_MINOR: ${{ steps.version-info.outputs.MAJOR_MINOR }}
	MAJOR_MINOR_PATCH: ${{ steps.version-info.outputs.MAJOR_MINOR_PATCH }}
	RELEASE_BRANCH: ${{ steps.version-info.outputs.RELEASE_BRANCH }}
	WORKING_BRANCH: ${{ steps.version-info.outputs.WORKING_BRANCH }}
	NEXT_MINOR: ${{ steps.version-info.outputs.NEXT_MINOR }}
	NEXT_MINOR_PRE_WITHOUT_V: ${{ steps.version-info.outputs.NEXT_MINOR_PRE_WITHOUT_V }}
	NEXT_PATCH_PRE_WITHOUT_V: ${{ steps.version-info.outputs.NEXT_PATCH_PRE_WITHOUT_V }}
	steps:
	- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
	- name: Working branch
	run: \|
	echo "WORKING_BRANCH=$(git branch --show-current)" \| tee -a "$GITHUB_ENV"
	- name: Verify minor version bump
	if: ${{ inputs.kind == 'minor' }}
	run: \|
	if [[ ! "${FULL_VERSION}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
	echo "Version must be in the form of vX.Y.Z"
	exit 1
	fi
	- name: Verify patch version bump
	if: ${{ inputs.kind == 'patch' }}
	run: \|
	if [[ ! "${FULL_VERSION}" =~ ^v[0-9]+\.[0-9]+\.[1-9]+$ ]]; then
	echo "Version must be in the form of vX.Y.Z, where Z > 0"
	exit 1
	fi
	- name: Verify temporary branch for minor release
	run: \|
	if [[ ! "${WORKING_BRANCH}" =~ ^tmp/v[0-9]+\.[0-9]+\.[0-9] ]]; then
	echo "Workflow can only be triggered from a temporary branch in the form of tmp/vX.Y.Z"
	exit 1
	fi
	- name: Extract version info
	id: version-info
	run: \|
	WITHOUT_V=${FULL_VERSION#v}
	PART_MAJOR=${WITHOUT_V%%.*}
	PART_MINOR=${WITHOUT_V#*.}
	PART_MINOR=${PART_MINOR%%.*}
	PART_PATCH=${WITHOUT_V##*.}
	RELEASE_BRANCH=release/v${PART_MAJOR}.${PART_MINOR}
	NEXT_MINOR=${PART_MAJOR}.$((PART_MINOR + 1)).0
	NEXT_MINOR_PRE_WITHOUT_V=${PART_MAJOR}.$((PART_MINOR + 1)).0-pre
	NEXT_PATCH_PRE_WITHOUT_V=${PART_MAJOR}.${PART_MINOR}.$((PART_PATCH + 1))-pre
	{
	echo "WITHOUT_V=${WITHOUT_V}"
	echo "PART_MAJOR=${PART_MAJOR}"
	echo "PART_MINOR=${PART_MINOR}"
	echo "PART_PATCH=${PART_PATCH}"
	echo "MAJOR=${PART_MAJOR}"
	echo "MAJOR_MINOR=${PART_MAJOR}.${PART_MINOR}"
	echo "MAJOR_MINOR_PATCH=${PART_MAJOR}.${PART_MINOR}.${PART_PATCH}"
	echo "RELEASE_BRANCH=${RELEASE_BRANCH}"
	echo "WORKING_BRANCH=${WORKING_BRANCH}"
	echo "NEXT_MINOR=${NEXT_MINOR}"
	echo "NEXT_MINOR_PRE_WITHOUT_V=${NEXT_MINOR_PRE_WITHOUT_V}"
	echo "NEXT_PATCH_PRE_WITHOUT_V=${NEXT_PATCH_PRE_WITHOUT_V}"
	} \| tee -a "$GITHUB_OUTPUT"
	echo "RELEASE_BRANCH=${RELEASE_BRANCH}" \| tee -a "$GITHUB_ENV"

	update-main:
	name: Update main branch
	if: ${{ inputs.kind == 'minor' }}
	runs-on: ubuntu-22.04
	needs: process-inputs
	permissions:
	contents: write
	env:
	RELEASE_BRANCH: ${{ needs.process-inputs.outputs.RELEASE_BRANCH }}
	WORKING_BRANCH: ${{ needs.process-inputs.outputs.WORKING_BRANCH }}
	steps:
	- name: Checkout working branch
	uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
	with:
	ref: ${{ needs.process-inputs.outputs.WORKING_BRANCH }}
	path: contrast-working
	- name: Checkout main
	uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
	with:
	ref: main
	path: contrast-main
	- uses: ./contrast-working/.github/actions/setup_nix
	with:
	githubToken: ${{ secrets.GITHUB_TOKEN }}
	cachixToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
	- name: Configure git
	run: \|
	git config --global user.name "edgelessci"
	git config --global user.email "[email protected]"
	- name: Create docs release
	working-directory: contrast-main/docs
	run: \|
	nix run .#yarn install
	nix run .#yarn docusaurus docs:version ${{ needs.process-inputs.outputs.WITHOUT_V }}
	git add .
	git commit -am "docs: release ${{ needs.process-inputs.outputs.WITHOUT_V }}"
	# Clean up auxiliary files, so next steps run on a clean tree
	git clean -fx :/
	- name: Bump flake version to post release patch pre-version
	id: bump
	uses: ./contrast-working/.github/actions/bump_version # Run action from working branch!
	with:
	version: ${{ needs.process-inputs.outputs.NEXT_MINOR_PRE_WITHOUT_V }}
	working-directory: contrast-main
	commit: false
	- name: Create PR
	uses: peter-evans/create-pull-request@c55203cfde3e5c11a452d352b4393e68b85b4533 # v6.0.3
	with:
	title: Post ${{ needs.process-inputs.outputs.WITHOUT_V }} release updates to main
	body: \|
	Updating main as part of the ${{ needs.process-inputs.outputs.WITHOUT_V }} release.
	Only merge after the release is published.
	commit-message: ${{ steps.bump.outputs.commit-msg }}
	base: main
	draft: false
	labels: "no changelog"
	branch: automated/update-main-after-${{ needs.process-inputs.outputs.WORKING_BRANCH }}
	committer: edgelessci <[email protected]>
	author: edgelessci <[email protected]>
	token: ${{ secrets.NUNKI_CI_COMMIT_PUSH_PR }}
	path: ./contrast-main

	release:
	name: Build and push artifacts, create release
	runs-on: ubuntu-22.04
	needs: process-inputs
	permissions:
	contents: write
	packages: write
	env:
	RELEASE_BRANCH: ${{ needs.process-inputs.outputs.RELEASE_BRANCH }}
	WORKING_BRANCH: ${{ needs.process-inputs.outputs.WORKING_BRANCH }}
	steps:
	- name: Checkout
	uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
	with:
	ref: ${{ needs.process-inputs.outputs.WORKING_BRANCH }}
	- uses: ./.github/actions/setup_nix
	with:
	githubToken: ${{ secrets.GITHUB_TOKEN }}
	cachixToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
	- name: Log in to ghcr.io Container registry
	uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
	with:
	registry: ghcr.io
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}
	- name: Bump flake version temporarily to release version
	uses: ./.github/actions/bump_version
	with:
	version: ${{ needs.process-inputs.outputs.WITHOUT_V }}
	commit: false
	- name: Push containers with release tag
	run: \|
	coordinatorImg=$(nix run .#containers.push-coordinator -- "$container_registry/contrast/coordinator")
	initializerImg=$(nix run .#containers.push-initializer -- "$container_registry/contrast/initializer")
	echo "coordinatorImg=$coordinatorImg" \| tee -a "$GITHUB_ENV"
	echo "initializerImg=$initializerImg" \| tee -a "$GITHUB_ENV"
	- name: Add tag to Coordinator image
	run: \|
	frontCoord=${coordinatorImg%@*}
	backCoord=${coordinatorImg#*@}
	echo "coordinatorImgTagged=${frontCoord}:${{ inputs.version }}@${backCoord}" \| tee -a "$GITHUB_ENV"
	- name: Create file with image replacements
	run: \|
	echo "ghcr.io/edgelesssys/contrast/coordinator:latest=$coordinatorImgTagged" > image-replacements.txt
	echo "ghcr.io/edgelesssys/contrast/initializer:latest=$initializerImg" >> image-replacements.txt
	- name: Create portable coordinator resource definitions
	run: \|
	mkdir -p workspace
	nix run .#scripts.write-coordinator-yaml -- "${coordinatorImgTagged}" > workspace/coordinator.yml
	nix run .#scripts.write-emojivoto-demo -- "./image-replacements.txt" "deployments/emojivoto-demo.yml"
	zip -r deployments/emojivoto-demo.zip deployments/emojivoto-demo.yml
	- name: Update coordinator policy hash
	run: \|
	yq < workspace/coordinator.yml \
	'select(.kind == "Deployment") \| .spec.template.metadata.annotations["io.katacontainers.config.agent.policy"]' \|
	base64 -d \| sha256sum \| cut -d " " -f1 > cli/cmd/assets/coordinator-policy-hash

	git config --global user.name "edgelessci"
	git config --global user.email "[email protected]"
	git add cli/cmd/assets/coordinator-policy-hash
	git diff --staged --quiet \|\| git commit -m "release: update coordinator policy hash"
	- name: Build CLI
	run: \|
	nix build -L .#cli-release
	- name: Create draft release
	uses: softprops/action-gh-release@9d7c94cfd0a1f3ed45544c887983e9fa900f0564 # v2.0.4
	with:
	draft: true
	generate_release_notes: true
	tag_name: ${{ inputs.version }}
	target_commitish: ${{ needs.process-inputs.outputs.WORKING_BRANCH }}
	files: \|
	result-cli/bin/contrast
	workspace/coordinator.yml
	deployments/emojivoto-demo.zip
	- name: Reset temporary changes
	run: \|
	git reset --hard ${{ needs.process-inputs.outputs.WORKING_BRANCH }}
	- name: Bump flake version to post release patch pre-version
	uses: ./.github/actions/bump_version
	with:
	version: ${{ needs.process-inputs.outputs.NEXT_PATCH_PRE_WITHOUT_V }}
	commit: true

	test:
	runs-on: ubuntu-22.04
	permissions:
	# Job needs content:write to see draft releases.
	contents: write
	packages: read
	needs: release
	steps:
	- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
	- uses: ./.github/actions/setup_nix
	with:
	githubToken: ${{ secrets.GITHUB_TOKEN }}
	cachixToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
	- name: Log in to ghcr.io Container registry
	uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
	with:
	registry: ghcr.io
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}
	- name: Login to Azure
	uses: azure/login@6b2456866fc08b011acb422a92a4aa20e2c4de32 # v2.1.0
	with:
	creds: ${{ secrets.CONTRAST_CI_INFRA_AZURE }}
	- uses: nicknovitski/nix-develop@a2060d116a50b36dfab02280af558e73ab52427d # v1.1.0
	- name: Create justfile.env
	run: \|
	cat <<EOF > justfile.env
	container_registry=${{ env.container_registry }}
	azure_resource_group=${{ env.azure_resource_group }}
	EOF
	- name: Get credentials for CI cluster
	run: \|
	just get-credentials
	- name: E2E Test
	env:
	GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	run: \|
	nix shell .#contrast.e2e --command release.test -test.v --tag ${{ inputs.version }}

	create-github-stuff:
	name: Create backport label and milestone
	if: ${{ inputs.kind == 'minor' }}
	needs: process-inputs
	runs-on: ubuntu-22.04
	permissions:
	issues: write
	contents: read
	env:
	RELEASE_BRANCH: ${{ needs.process-inputs.outputs.RELEASE_BRANCH }}
	NEXT_MINOR: ${{ needs.process-inputs.outputs.NEXT_MINOR }}
	GH_TOKEN: ${{ github.token }}
	steps:
	- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
	with:
	ref: ${{ needs.process-inputs.outputs.WORKING_BRANCH }}
	- name: Create backport label
	run: \|
	gh label create "backport ${RELEASE_BRANCH}" --color 576F61 --force
	- name: Create milestone
	run: \|
	gh api \
	-H "Accept: application/vnd.github+json" \
	-H "X-GitHub-Api-Version: 2022-11-28" \
	/repos/edgelesssys/contrast/milestones \|
	jq -r '.[] \| .title' \| \
	grep -xqF "${NEXT_MINOR}" && exit 0
	gh api \
	--method POST \
	-H "Accept: application/vnd.github+json" \
	-H "X-GitHub-Api-Version: 2022-11-28" \
	/repos/edgelesssys/contrast/milestones \
	-f title='${NEXT_MINOR}' \
	-f state='open'

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

release #75

Workflow file

release #75

Jobs

Run details

Workflow file for this run