040563adb16443c987be82ffe7ba470e-a-partner-or-redhat-associate-submits-a-signed-chart-tarball-when-public-key-is-not-in-owners-d1862f6-redhat-redhat-vault-0.17.0 #107456
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Release-Workflow | |
| on: | |
| pull_request_target: | |
| types: [opened, synchronize, reopened, edited, ready_for_review, labeled] | |
| jobs: | |
| check-contributor: | |
| name: Check contributor | |
| uses: ./.github/workflows/check-contributor.yml | |
| with: | |
| user: ${{ github.event.pull_request.user.login }} | |
| fail-workflow-if-not: true | |
| determine-workflow-conditions: | |
| name: Determine workflow conditions | |
| needs: [check-contributor] | |
| runs-on: ubuntu-22.04 | |
| if: | | |
| github.event.pull_request.draft == false && | |
| needs.check-contributor.outputs.is-repo-owner == 'true' | |
| outputs: | |
| create-pull-requests: ${{ steps.reflect_on_pr_content.outputs.create_pull_requests }} | |
| pr-includes-release-only: ${{ steps.check_only_version_in_PR_and_authorized.outputs.PR_includes_release_only }} | |
| charts-repo: ${{ steps.check_only_version_in_PR_and_authorized.outputs.charts_repo }} | |
| stage-repo: ${{ steps.check_only_version_in_PR_and_authorized.outputs.stage_repo }} | |
| sender-not-authorized: ${{ steps.check_only_version_in_PR_and_authorized.outputs.sender_not_authorized }} | |
| pr-version: ${{ steps.check_only_version_in_PR_and_authorized.outputs.PR_version }} | |
| auto-release-pr-version: ${{ steps.check_created_release_pr.outputs.PR_version }} | |
| pr-body: ${{ steps.check_only_version_in_PR_and_authorized.outputs.PR_release_body }} | |
| is-dev-release-branch: ${{ steps.check_created_release_pr.outputs.dev_release_branch }} | |
| steps: | |
| - name: Checkout Base Branch | |
| uses: actions/checkout@v4 | |
| - name: Checkout Pull Request | |
| uses: actions/checkout@v4 | |
| with: | |
| ref: ${{ github.event.pull_request.head.ref }} | |
| repository: ${{ github.event.pull_request.head.repo.full_name }} | |
| token: ${{ secrets.BOT_TOKEN }} | |
| fetch-depth: 0 | |
| path: "pr-branch" | |
| - name: Set up Python | |
| uses: ./.github/actions/setup-python | |
| - name: Set up Python scripts in pr-branch | |
| working-directory: ./pr-branch | |
| run: | | |
| # set up python scripts | |
| echo "set up python script in $PWD" | |
| python3 -m venv ve1 | |
| cd scripts | |
| ../ve1/bin/pip3 install -r requirements.txt | |
| ../ve1/bin/pip3 install . | |
| cd .. | |
| - name: Check if dev repo is targetted, only release file is in PR and user is authorized | |
| id: check_only_version_in_PR_and_authorized | |
| working-directory: ./pr-branch | |
| env: | |
| BOT_TOKEN: ${{ secrets.BOT_TOKEN }} | |
| run: | | |
| # if dev repo is targetted check if release file only is included in PR and if so that user is authorized. | |
| ./ve1/bin/release-checker --api-url=${{ github.event.pull_request._links.self.href }} \ | |
| --sender=${{ github.event.sender.login }} \ | |
| --pr_base_repo='${{ github.event.pull_request.base.repo.full_name }}' | |
| # This task handles the final step of workflow releases: the merging of | |
| # Auto Release PRs. | |
| # | |
| # Once the submitted release_info.json is merged, automation will create a | |
| # pull request to the development repository that syncs the charts/* | |
| # directory from production to the development repo. This is the "Auto Release". | |
| # | |
| # When this happens, this task will emit the necessary GITHUB_OUTPUT | |
| # components that will allow this workflow to automatically merge it. | |
| - name: Check if PR created as part of release process | |
| id: check_created_release_pr | |
| working-directory: ./pr-branch | |
| if: | | |
| steps.check_only_version_in_PR_and_authorized.outputs.PR_includes_release_only != 'true' | |
| env: | |
| BOT_NAME: ${{ secrets.BOT_NAME }} | |
| BOT_TOKEN: ${{ secrets.BOT_TOKEN }} | |
| run: | | |
| # check if PR was created as part of release processing | |
| ./ve1/bin/release-checker --api-url=${{ github.event.pull_request._links.self.href }} \ | |
| --sender='${{ github.event.sender.login }}' \ | |
| --pr_branch='${{ github.event.pull_request.head.ref }}' \ | |
| --pr_body="${{ github.event.pull_request.body }}" \ | |
| --pr_base_repo='${{ github.event.pull_request.base.repo.full_name }}' \ | |
| --pr_head_repo='${{ github.event.pull_request.head.repo.full_name }}' | |
| - name: Reflect on PR Content | |
| id: reflect_on_pr_content | |
| env: | |
| RELEASE_INFO_ONLY: ${{ steps.check_only_version_in_PR_and_authorized.outputs.PR_includes_release_only }} | |
| NOT_AUTHORIZED: ${{ steps.check_only_version_in_PR_and_authorized.outputs.sender_not_authorized }} | |
| DEV_PR_FOR_RELEASE: ${{ steps.check_created_release_pr.outputs.dev_release_branch }} | |
| run: | | |
| # Determine if and how processing should continue' | |
| if [ "${NOT_AUTHORIZED}" == 'true' ]; then | |
| echo "Unauthorized Request" | |
| exit 1 | |
| elif [ "${RELEASE_INFO_ONLY}" == 'true' ]; then | |
| echo "PR contains only release_info file" | |
| echo "create_pull_requests=true" | tee -a $GITHUB_OUTPUT | |
| elif [ "${DEV_PR_FOR_RELEASE}" != 'true' ]; then | |
| echo "No release work to do" | |
| exit | |
| fi | |
| test-e2e: | |
| name: Run All Tests | |
| # check-contributor not necessary because determine-workflow-conditions | |
| # already asserts this. | |
| needs: | |
| - determine-workflow-conditions | |
| if: | | |
| needs.determine-workflow-conditions.outputs.create-pull-requests == 'true' | |
| uses: ./.github/workflows/behave.yml | |
| with: | |
| tags: full | |
| behave-logging-level: WARNING | |
| pr-body: "Test triggered by release PR ${{ github.event.pull_request.html_url }}." | |
| # checkout parameters passed to ensure we're testing the release content | |
| checkout-fetch-depth: 0 | |
| checkout-repository: ${{ github.event.pull_request.head.repo.full_name }} | |
| checkout-ref: ${{ github.event.pull_request.head.ref }} | |
| secrets: | |
| bot-name: ${{ secrets.BOT_NAME }} | |
| bot-token: ${{ secrets.BOT_TOKEN }} | |
| sync-repos: | |
| name: Sync Repositories | |
| outputs: | |
| release-was-updated: ${{ steps.check_version_updated.outputs.release_updated }} | |
| chart-pr-threw-error: ${{ steps.sync_repositories.outputs.charts_pr_error }} | |
| dev-pr-threw-error: ${{ steps.sync_repositories.outputs.dev_pr_error }} | |
| stage-pr-threw-error: ${{ steps.sync_repositories.outputs.stage_pr_error }} | |
| dev-pr-not-need: ${{ steps.sync_repositories.outputs.dev_pr_not_needed }} | |
| needs: | |
| - determine-workflow-conditions | |
| - test-e2e | |
| if: needs.determine-workflow-conditions.outputs.create-pull-requests == 'true' | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - name: Checkout base repo | |
| uses: actions/checkout@v4 | |
| - name: Checkout charts repo | |
| uses: actions/checkout@v4 | |
| with: | |
| ref: ${{ github.event.pull_request.base.ref }} | |
| repository: ${{ needs.determine-workflow-conditions.outputs.charts-repo }} | |
| token: ${{ secrets.BOT_TOKEN }} | |
| path: "charts-repo" | |
| - name: Checkout development repo | |
| uses: actions/checkout@v4 | |
| with: | |
| ref: ${{ github.event.pull_request.base.ref }} | |
| repository: ${{ github.event.pull_request.base.repo.full_name }} | |
| token: ${{ secrets.BOT_TOKEN }} | |
| path: "dev-repo" | |
| - name: Checkout stage repo | |
| uses: actions/checkout@v4 | |
| with: | |
| ref: ${{ github.event.pull_request.base.ref }} | |
| repository: ${{ needs.determine-workflow-conditions.outputs.stage-repo }} | |
| token: ${{ secrets.BOT_TOKEN }} | |
| path: "stage-repo" | |
| - name: Set up Python 3.x Part 1 | |
| uses: ./.github/actions/setup-python | |
| - name: Set up CI scripts | |
| run: | | |
| # set up python scripts | |
| echo "set up python script in $PWD" | |
| python3 -m venv ve1 | |
| cd scripts | |
| ../ve1/bin/pip3 install -r requirements.txt | |
| ../ve1/bin/pip3 install . | |
| cd .. | |
| - name: Check if version updated | |
| id: check_version_updated | |
| env: | |
| BOT_TOKEN: ${{ secrets.BOT_TOKEN }} | |
| run: | | |
| # check if version file was changed | |
| ./ve1/bin/release-checker \ | |
| --version=${{ needs.determine-workflow-conditions.outputs.pr-version }} | |
| - name: Sync the repositories | |
| id: sync_repositories | |
| if: | | |
| steps.check_version_updated.outputs.release_updated == 'true' | |
| env: | |
| BOT_NAME: ${{ secrets.BOT_NAME }} | |
| BOT_TOKEN: ${{ secrets.BOT_TOKEN }} | |
| run: | | |
| ./ve1/bin/releaser \ | |
| --version=${{ needs.determine-workflow-conditions.outputs.pr-version }}\ | |
| --pr_dir="./pr-branch" \ | |
| --development_dir="./dev-repo" \ | |
| --charts_dir="./charts-repo" \ | |
| --stage_dir="./stage-repo" \ | |
| --dev_pr_body="${{ needs.determine-workflow-conditions.outputs.pr-body }}" \ | |
| --target_branch="${{ github.event.pull_request.base.ref }}" \ | |
| --target_repository="${{ github.event.pull_request.base.repo.full_name }}" | |
| determine-merge-and-release-conditions: | |
| name: Determine merge and release conditions | |
| needs: | |
| - determine-workflow-conditions | |
| - sync-repos | |
| outputs: | |
| should-merge: ${{ steps.check_merge_and_release.outputs.merge }} | |
| release-tag: ${{ steps.check_merge_and_release.outputs.release_tag }} | |
| release-body: ${{ steps.check_merge_and_release.outputs.release_body }} | |
| runs-on: ubuntu-22.04 | |
| # cancelled() required because jobs this workflow depends on can skip. | |
| if: | | |
| !cancelled() && | |
| needs.determine-workflow-conditions.result == 'success' && | |
| ( needs.sync-repos.result == 'success' || needs.sync-repos.result == 'skipped' ) | |
| steps: | |
| - name: Determine if merge and release are needed | |
| id: check_merge_and_release | |
| env: | |
| REPOSITORIES_SYNCED: ${{ needs.sync-repos.outputs.release-was-updated }} | |
| CHART_PR_ERROR: ${{ needs.sync-repos.outputs.chart-pr-threw-error }} | |
| DEV_PR_ERROR: ${{ needs.sync-repos.outputs.dev-pr-threw-error }} | |
| STAGE_PR_ERROR: ${{ needs.sync-repos.outputs.stage-pr-threw-error }} | |
| DEV_PR_NOT_NEEDED: ${{ needs.sync-repos.outputs.dev-pr-not-need }} | |
| DEV_PR_FOR_RELEASE: ${{ needs.determine-workflow-conditions.outputs.is-dev-release-branch }} | |
| run: | | |
| # determine what should be done next | |
| # mitigate unmatched quote error in bash | |
| if [ "${REPOSITORIES_SYNCED}" == 'true' ]; then | |
| if [ "${CHART_PR_ERROR}" == 'true' ]; then | |
| echo "Error creating charts pull request" | |
| exit 1 | |
| elif [ "${DEV_PR_ERROR}" == 'true' ]; then | |
| echo "Error creating development pull request" | |
| exit 1 | |
| elif [ "${STAGE_PR_ERROR}" == 'true' ]; then | |
| echo "Error creating stage pull request" | |
| exit 1 | |
| else | |
| echo "At least one PR was created - merge this one" | |
| echo "merge=true" | tee -a $GITHUB_OUTPUT | |
| fi | |
| if [ "${DEV_PR_NOT_NEEDED}" == 'true' ]; then | |
| echo "No dev PR so create release" | |
| echo "release_body=${{ needs.determine-workflow-conditions.outputs.pr-body }}" | tee -a $GITHUB_OUTPUT | |
| echo "release_tag=${{ needs.determine-workflow-conditions.outputs.pr-version }}" | tee -a $GITHUB_OUTPUT | |
| fi | |
| elif [ "${DEV_PR_FOR_RELEASE}" == 'true' ]; then | |
| echo "Dev PR so create release" | |
| echo "merge=true" | tee -a $GITHUB_OUTPUT | |
| echo "release_body=${{ github.event.pull_request.body }}" | tee -a $GITHUB_OUTPUT | |
| echo "release_tag=${{ needs.determine-workflow-conditions.outputs.auto-release-pr-version }}" |tee -a $GITHUB_OUTPUT | |
| fi | |
| approve-merge-release: | |
| name: Approve, merge, release | |
| needs: [determine-merge-and-release-conditions] | |
| runs-on: ubuntu-22.04 | |
| # cancelled() required because jobs this workflow depends on can skip. | |
| if: | | |
| !cancelled() && | |
| needs.determine-merge-and-release-conditions.outputs.should-merge == 'true' || | |
| needs.determine-merge-and-release-conditions.outputs.release-tag != '' | |
| steps: | |
| - name: Checkout base repo | |
| uses: actions/checkout@v4 | |
| - name: Set up Python | |
| uses: ./.github/actions/setup-python | |
| - name: Set up CI scripts | |
| run: | | |
| # set up python scripts | |
| echo "set up python script in $PWD" | |
| python3 -m venv ve1 | |
| cd scripts | |
| ../ve1/bin/pip3 install -r requirements.txt | |
| ../ve1/bin/pip3 install . | |
| cd .. | |
| - name: Approve PR | |
| id: approve_pr | |
| if: | | |
| needs.determine-merge-and-release-conditions.outputs.should-merge == 'true' | |
| uses: hmarr/auto-approve-action@v4 | |
| with: | |
| github-token: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Merge PR | |
| id: merge_pr | |
| if: | | |
| needs.determine-merge-and-release-conditions.outputs.should-merge == 'true' | |
| uses: pascalgn/[email protected] | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| MERGE_METHOD: squash | |
| MERGE_LABELS: "" | |
| - name: Check for PR merge | |
| if: | | |
| needs.determine-merge-and-release-conditions.outputs.should-merge == 'true' | |
| env: | |
| BOT_TOKEN: ${{ secrets.BOT_TOKEN }} | |
| run: | | |
| ./ve1/bin/check-auto-merge --api-url=${{ github.event.pull_request._links.self.href }} | |
| - name: Create the the release | |
| id: create_release | |
| if: | | |
| needs.determine-merge-and-release-conditions.outputs.release-tag != '' | |
| uses: softprops/action-gh-release@v2 | |
| with: | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| tag_name: ${{ needs.determine-merge-and-release-conditions.outputs.release-tag }} | |
| body: ${{ needs.determine-merge-and-release-conditions.outputs.release-body }} |