Create release 0.0.1 #8
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: "Create release" | |
| run-name: Create release ${{ inputs.name }} | |
| # Required repository secrets: | |
| # - GITHUB_TOKEN | |
| # - GIT_BOT_TOKEN | |
| # Required repository variables: | |
| # - GIT_BOT_EMAIL | |
| # - GIT_BOT_NAME | |
| # This workflow creates a release for kyma-companion. | |
| # The steps are: | |
| # 1. Get release tag as user input. | |
| # 2. Validate the release tag if its formated like x.y.z. | |
| # 3. Check if the release branch `release-x.y` already exists. If not, fail the workflow. | |
| # 4. Check if release tag already exists. If yes, fail the workflow. | |
| # 5. Run unit tests from the release branch. | |
| # 6. Create a git tag from the release branch. | |
| # 7. Build a container image against the git tag and push it to registry. | |
| # 8. Create a draft release against the git tag. | |
| # 9. Create a PR to bump image in sec-scanners-config in main branch and wait until the PR is approved and merged. | |
| # 10. Check if all the pre-requisites are met for publishing the release. | |
| # NOTE: The draft release needs to be manually reviewed and published. | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| name: # release tag | |
| description: 'Release tag (i.e. x.y.z). Make sure that branch with name release-x.y exists.' | |
| default: "" | |
| required: true | |
| sec-scanners-config: | |
| type: boolean | |
| description: 'Create PR with sec-scanners-config bump' | |
| default: true | |
| # global env variables. | |
| env: | |
| REPOSITORY_FULL_NAME: "${{ github.repository }}" # <owner>/<repository-name>. | |
| IMAGE_NAME: "europe-docker.pkg.dev/kyma-project/prod/kyma-companion" # without tag. | |
| RELEASE_TAG: "${{ inputs.name }}" | |
| jobs: | |
| validate-input-params: | |
| name: Validate input parameters | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 # fetch all the branches and tags. | |
| ref: "main" | |
| - name: Check if that release tag is valid | |
| id: check-release-tag | |
| run: | | |
| ./scripts/shell/check_release_tag.sh "${RELEASE_TAG}" | |
| - name: Check if release tag already exists | |
| run: | | |
| if [ $(git tag -l "${RELEASE_TAG}") ]; then | |
| echo "Warning: Release tag ${RELEASE_TAG} already exists" | |
| fi | |
| - name: Export release branch name as action output | |
| id: export-branch-name | |
| run: | | |
| MAJOR=$(echo "$RELEASE_TAG" | cut -d. -f1) | |
| MINOR=$(echo "$RELEASE_TAG" | cut -d. -f2) | |
| export RELEASE_BRANCH="release-$MAJOR.$MINOR" | |
| echo "exporting branch name: $RELEASE_BRANCH" | |
| echo "release_branch=$RELEASE_BRANCH" >> $GITHUB_OUTPUT | |
| outputs: | |
| release_branch: ${{ steps.export-branch-name.outputs.release_branch }} | |
| run-unit-tests: | |
| name: Run unit tests | |
| needs: validate-input-params | |
| runs-on: ubuntu-latest | |
| env: | |
| RELEASE_BRANCH: ${{ needs.validate-input-params.outputs.release_branch }} | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| with: # checkout the release branch. | |
| ref: ${{ needs.validate-input-params.outputs.release_branch }} | |
| - name: Check if the checked out branch is the release branch. | |
| run: | | |
| git branch --show-current | |
| git branch --show-current | grep -q ${RELEASE_BRANCH} | |
| - name: Extract Python version | |
| id: python-version | |
| run: ./scripts/shell/extract-python-version.sh | |
| - name: Setup Python | |
| uses: actions/setup-python@v4 | |
| with: | |
| python-version: ${{ env.PYTHON_VERSION }} | |
| - name: Install Poetry | |
| run: | | |
| curl -sSL https://install.python-poetry.org | python3 - | |
| echo "$HOME/.local/bin" >> $GITHUB_PATH | |
| - name: Install dependencies | |
| run: poetry install --with dev | |
| - name: Run tests | |
| run: poetry run poe test | |
| create-git-tag: | |
| name: Create git tag for release | |
| needs: [ validate-input-params, run-unit-tests] | |
| runs-on: ubuntu-latest | |
| env: | |
| GH_TOKEN: ${{ secrets.GIT_BOT_TOKEN }} # creating git tag using bot token because GITHUB_TOKEN would not trigger build workflow (https://docs.github.com/en/actions/using-workflows/triggering-a-workflow#triggering-a-workflow-from-a-workflow). | |
| RELEASE_BRANCH: ${{ needs.validate-input-params.outputs.release_branch }} | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| with: # checkout the release branch. This is the branch where the release tag will be created. | |
| fetch-depth: 0 # fetch all the branches and tags. | |
| ref: ${{ needs.validate-input-params.outputs.release_branch }} | |
| token: ${{ secrets.GIT_BOT_TOKEN }} # cloning repo using bot token because GITHUB_TOKEN would not trigger build workflow (https://docs.github.com/en/actions/using-workflows/triggering-a-workflow#triggering-a-workflow-from-a-workflow). | |
| - name: Check if the checked out branch is the release branch. | |
| run: | | |
| git branch --show-current | |
| git branch --show-current | grep -q ${RELEASE_BRANCH} | |
| - name: Create git tag | |
| run: | | |
| ./scripts/shell/create_git_tag.sh "${RELEASE_TAG}" | |
| wait-for-build: | |
| name: Wait for image build job | |
| needs: [ validate-input-params, create-git-tag ] | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| with: # release scripts are used from main branch. | |
| ref: main | |
| - name: Setup python | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: '3.10' | |
| cache: 'pip' | |
| - name: Install requirements | |
| run: | | |
| pip install -r ./scripts/python/wait-for-commit-check/requirements.txt | |
| - name: wait for build | |
| env: | |
| GITHUB_TOKEN: ${{ github.token }} | |
| GIT_REF: ${{ inputs.name }} | |
| # The re-useable image-builder workflow from neighbors appends the "Build image" suffix to the check run name. | |
| GIT_CHECK_RUN_NAME: "build-${{ inputs.name }} / Build image" | |
| INTERVAL: 60 | |
| TIMEOUT: 900 | |
| run: | | |
| python ./scripts/python/wait-for-commit-check/run.py | |
| create-draft: | |
| name: Create draft release | |
| needs: wait-for-build | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| with: # draft release is linked to the release tag. So we run the release scripts from main branch. | |
| fetch-depth: 0 # fetch all the branches and tags. | |
| ref: main | |
| - name: Create draft release | |
| id: create-draft | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| REPOSITORY: ${{ github.repository }} | |
| run: | | |
| ./scripts/shell/create_draft_release.sh | |
| RELEASE_ID=$(cat release_id.txt) | |
| echo "Release ID: $RELEASE_ID" | |
| echo "release_id=$RELEASE_ID" >> $GITHUB_OUTPUT | |
| outputs: | |
| release_id: ${{ steps.create-draft.outputs.release_id }} | |
| bump-sec-scanners-main-branch: | |
| name: Bump image in sec-scanners-config | |
| needs: [ validate-input-params, wait-for-build, create-draft ] | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| with: | |
| ref: main | |
| - name: Update sec-scanners-config.yaml | |
| if: ${{ inputs.sec-scanners-config }} | |
| run: ./scripts/shell/create_scan_config.sh "sec-scanners-config.yaml" "${RELEASE_TAG}" | |
| - name: Create PR if anything changed | |
| if: ${{ inputs.sec-scanners-config }} | |
| env: | |
| BUMP_SEC_SCANNERS_BRANCH_NAME: sec-scanners-config-${{ inputs.name }} | |
| GIT_NAME: ${{ vars.GIT_BOT_NAME }} | |
| GIT_EMAIL: ${{ vars.GIT_BOT_EMAIL }} | |
| GH_TOKEN: ${{ secrets.GIT_BOT_TOKEN }} | |
| run: | | |
| prs=$(gh pr list -A ${{ vars.GIT_BOT_NAME }} --state open --json headRefName | jq -r '.[] | .headRefName') | |
| if echo $prs | tr " " '\n' | grep -F -q -x ${{ env.BUMP_SEC_SCANNERS_BRANCH_NAME }}; then | |
| echo "PR already exists, no need to create a new one" | |
| echo "PR_NUMBER=$(gh pr list --search "base:main head:${{ env.BUMP_SEC_SCANNERS_BRANCH_NAME }}" --json number | jq -r '.[] | .number')" >> $GITHUB_ENV | |
| elif [ -z "$(git status --porcelain)" ]; then | |
| echo "Nothing changed, no need to create PR" | |
| echo "PR_NUMBER=-1" >> $GITHUB_ENV | |
| else | |
| PR_STATUS=$(./scripts/shell/create_sec_scanner_bump_pr.sh "${RELEASE_TAG}") | |
| echo "PR_NUMBER=$(echo "$PR_STATUS" | tail -n 1)" >> $GITHUB_ENV | |
| fi | |
| - name: Await PR merge (user input required) | |
| if: ${{ inputs.sec-scanners-config }} | |
| timeout-minutes: 45 | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| if [ "$PR_NUMBER" -gt 0 ]; then | |
| ./scripts/shell/await_pr_merge.sh | |
| else | |
| echo "Step skipped" | |
| fi | |
| check-prerequisites: | |
| name: Check release pre-requisites | |
| needs: [ create-draft, wait-for-build, bump-sec-scanners-main-branch ] | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| with: | |
| ref: main | |
| - name: Check pre-requisites before publishing release | |
| run: ./scripts/shell/check_publish_release_prerequisites.sh "${RELEASE_TAG}" |