Create release 0.0.1 #4
name: 'Create release'
run-name: 'Create release ${{ inputs.name }}'

# Repository secrets this workflow needs:
#   - GITHUB_TOKEN
#   - GIT_BOT_TOKEN
# Repository variables this workflow needs:
#   - GIT_BOT_EMAIL
#   - GIT_BOT_NAME
#
# Purpose: create a release of kyma-companion.
# Sequence:
#   1. Take the release tag as user input.
#   2. Validate that the release tag is formatted like x.y.z.
#   3. Check that the release branch `release-x.y` already exists; fail the workflow if it does not.
#   4. Check whether the release tag already exists; fail the workflow if it does.
#   5. Run unit tests from the release branch.
#   6. Create a git tag from the release branch.
#   7. Build a container image against the git tag and push it to the registry.
#   8. Create a draft release against the git tag.
#   9. Create a PR that bumps the image in sec-scanners-config on the main branch, and wait until
#      that PR is approved and merged.
#  10. Check that all pre-requisites for publishing the release are met.
#
# NOTE: The draft release has to be reviewed and published manually.
# Manual trigger only: the release is started from the Actions UI with the inputs below.
on:
  workflow_dispatch:
    inputs:
      # The release tag.
      name:
        description: "Release tag (i.e. x.y.z). Make sure that branch with name release-x.y exists."
        required: true
        default: ''
      # When true, the sec-scanners-config bump PR steps run.
      sec-scanners-config:
        description: "Create PR with sec-scanners-config bump"
        type: boolean
        default: true
# Environment shared by every job in this workflow.
env:
  # <owner>/<repository-name>
  REPOSITORY_FULL_NAME: '${{ github.repository }}'
  # Image reference without the tag part.
  IMAGE_NAME: 'europe-docker.pkg.dev/kyma-project/prod/kyma-companion'
  # The user-supplied release tag; scripts read it from the environment.
  RELEASE_TAG: '${{ inputs.name }}'
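# NOTE(review): no `permissions:` key is declared in this workflow, so GITHUB_TOKEN carries the
# repository default scopes in every job. Consider a read-only default with write scopes granted
# only to the jobs that push the tag or create the draft release; confirm what the scripts under
# hack/scripts need before narrowing.
# NOTE(review): actions/checkout is referenced by the mutable tag `v4`. Pinning it to a full
# commit SHA keeps a retagged upstream release from changing what runs in this release pipeline.
jobs:
  # Validates the user-supplied release tag and derives the release branch name from it.
  validate-input-params:
    name: Validate input parameters
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          # Full history (fetch-depth 0) so the tag lookup below sees existing tags.
          fetch-depth: 0
          ref: "main"
      # The validation script is not part of this file. Every later step uses RELEASE_TAG in git
      # and shell commands, so it is expected to reject anything that is not strictly x.y.z.
      - name: Check if that release tag is valid
        id: check-release-tag
        run: |
          ./hack/scripts/check_release_tag.sh "${RELEASE_TAG}"
      # The command substitution is quoted so the test sees one word regardless of git's output.
      - name: Check if release tag already exists
        run: |
          if [ -n "$(git tag -l "${RELEASE_TAG}")" ]; then
            echo "Error: Release tag '${RELEASE_TAG}' already exists"
            exit 1
          fi
      # release-<major>.<minor> is built from the first two dot-separated fields of the tag.
      - name: Export release branch name as action output
        id: export-branch-name
        run: |
          MAJOR=$(echo "$RELEASE_TAG" | cut -d. -f1)
          MINOR=$(echo "$RELEASE_TAG" | cut -d. -f2)
          export RELEASE_BRANCH="release-$MAJOR.$MINOR"
          echo "exporting branch name: $RELEASE_BRANCH"
          echo "release_branch=$RELEASE_BRANCH" >> "$GITHUB_OUTPUT"
    outputs:
      release_branch: ${{ steps.export-branch-name.outputs.release_branch }}

  # Runs the unit tests from the release branch (currently a placeholder step).
  run-unit-tests:
    name: Run unit tests
    needs: validate-input-params
    runs-on: ubuntu-latest
    env:
      RELEASE_BRANCH: ${{ needs.validate-input-params.outputs.release_branch }}
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          # Check out the release branch.
          ref: ${{ needs.validate-input-params.outputs.release_branch }}
      # Exact, fixed-string, whole-line match: an unquoted regex would let the "." in
      # release-x.y match any character and would also accept a longer branch name that
      # merely contains the expected one.
      - name: Check if the checked out branch is the release branch.
        run: |
          git branch --show-current
          git branch --show-current | grep -F -x -q -- "${RELEASE_BRANCH}"
      - name: Run unit tests
        run: |
          echo "Running unit tests"
          echo "TODO: Dummy run - it will be replaced with actual unit tests!"

  # Creates the release tag on the release branch and pushes it to origin.
  create-git-tag:
    name: Create git tag for release
    needs: [validate-input-params, run-unit-tests]
    runs-on: ubuntu-latest
    env:
      RELEASE_BRANCH: ${{ needs.validate-input-params.outputs.release_branch }}
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          # Check out the release branch. This is the branch where the release tag is created.
          ref: ${{ needs.validate-input-params.outputs.release_branch }}
      # Same exact-match check as in run-unit-tests: the tag must only ever be cut from the
      # branch that was validated, not from one whose name merely resembles it.
      - name: Check if the checked out branch is the release branch.
        run: |
          git branch --show-current
          git branch --show-current | grep -F -x -q -- "${RELEASE_BRANCH}"
      - name: Create git tag
        run: |
          git tag "${RELEASE_TAG}"
          git push origin "${RELEASE_TAG}"

  # Builds the container image for the release tag (currently a placeholder step).
  build-image:
    name: Build container image
    needs: [validate-input-params, create-git-tag]
    runs-on: ubuntu-latest
    steps:
      - name: Build image
        run: |
          echo "Building image with tag: ${RELEASE_TAG}"
          echo "TODO: Dummy run - it will be replaced with re-useable build job!"

  # Creates the draft release and exposes its id as a job output.
  create-draft:
    name: Create draft release
    needs: build-image
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          # The draft release is linked to the release tag, so the release scripts are run
          # from the main branch.
          ref: main
      - name: Create draft release
        id: create-draft
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          REPOSITORY: ${{ github.repository }}
        run: |
          RELEASE_ID=$(./hack/scripts/create_draft_release.sh)
          echo "release_id=$RELEASE_ID" >> "$GITHUB_OUTPUT"
    outputs:
      release_id: ${{ steps.create-draft.outputs.release_id }}

  # Opens (or finds) the PR that bumps the image in sec-scanners-config on main, then waits
  # for it to be merged. All steps after checkout are skipped when the input is false.
  bump-sec-scanners-main-branch:
    name: Bump image in sec-scanners-config
    needs: [validate-input-params, build-image, create-draft]
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          ref: main
      - name: Update sec-scanners-config.yaml
        if: ${{ inputs.sec-scanners-config }}
        run: ./hack/scripts/create_scan_config.sh "sec-scanners-config.yaml" "${RELEASE_TAG}"
      # The script reads the bot name and the branch name from this step's environment
      # (GIT_NAME, BUMP_SEC_SCANNERS_BRANCH_NAME) instead of having workflow expressions
      # pasted into the script text. The branch name is derived from a user input; as an
      # environment variable it stays data and is never parsed by the shell as code.
      - name: Create PR if anything changed
        if: ${{ inputs.sec-scanners-config }}
        env:
          BUMP_SEC_SCANNERS_BRANCH_NAME: sec-scanners-config-${{ inputs.name }}
          GIT_NAME: ${{ vars.GIT_BOT_NAME }}
          GIT_EMAIL: ${{ vars.GIT_BOT_EMAIL }}
          GH_TOKEN: ${{ secrets.GIT_BOT_TOKEN }}
        run: |
          prs=$(gh pr list -A "${GIT_NAME}" --state open --json headRefName | jq -r '.[] | .headRefName')
          if printf '%s\n' "${prs}" | grep -F -q -x -- "${BUMP_SEC_SCANNERS_BRANCH_NAME}"; then
            echo "PR already exists, no need to create a new one"
            echo "PR_NUMBER=$(gh pr list --search "base:main head:${BUMP_SEC_SCANNERS_BRANCH_NAME}" --json number | jq -r '.[] | .number')" >> "$GITHUB_ENV"
          elif [ -z "$(git status --porcelain)" ]; then
            echo "Nothing changed, no need to create PR"
            echo "PR_NUMBER=-1" >> "$GITHUB_ENV"
          else
            PR_STATUS=$(./hack/scripts/create_sec_scanner_bump_pr.sh "${RELEASE_TAG}")
            echo "PR_NUMBER=$(echo "$PR_STATUS" | tail -n 1)" >> "$GITHUB_ENV"
          fi
      # PR_NUMBER comes from the previous step through GITHUB_ENV. An empty or non-numeric
      # value makes `[ ... -gt 0 ]` error out, which an `if` treats as false; without the
      # guard that would print "Step skipped" and let the release continue without the PR
      # having been merged. The guard fails the job instead.
      - name: Await PR merge (user input required)
        if: ${{ inputs.sec-scanners-config }}
        timeout-minutes: 45
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          if ! [[ "${PR_NUMBER:-}" =~ ^-?[0-9]+$ ]]; then
            echo "Error: PR_NUMBER is not an integer: '${PR_NUMBER:-}'" >&2
            exit 1
          fi
          if [ "$PR_NUMBER" -gt 0 ]; then
            ./hack/scripts/await_pr_merge.sh
          else
            echo "Step skipped"
          fi

  # Final gate: runs the pre-publish checks for the release tag from main.
  check-prerequisites:
    name: Check release pre-requisites
    needs: [create-draft, build-image, bump-sec-scanners-main-branch]
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          ref: main
      - name: Check pre-requisites before publishing release
        run: ./hack/scripts/check_publish_release_prerequisites.sh "${RELEASE_TAG}"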