Add workflow to update major alias tags, templates

[nwiltsie]

Description

This one is a little more sprawling than I intended, so apologies for the scope creep. Everything is kind of interdependent.

The major changes in this PR are:

• A new workflow to update major release tags. This workflow is triggered when a release is published or deleted. If the modified release has a semantic version tag (e.g. v1.2.3), then the workflow will update the matching alias tag v1 to point at the highest full release with that major version. This follow's GitHub's guidance for Action and workflow release management.
• When preparing a release, prerelease is now a separate checkbox rather than a bump type choice like major/minor/patch. Previously choosing prerelease would only bump the patch number, so there was no way to create the version 2.0.0-rc.1.
  • The resulting GitHub Release created from a prerelease tag will also be marked as a prerelease.
• I've added workflow templates in the templates/ directory (closes Documentation suggestion: Adding YAML files #9)! Those can be copied verbatim into another repository and they'll work.
• I've enabled Dependabot to update the bundled python package, the workflows used by this repository, and the templates! That means that the non-used-by-this-repository workflow files will still be kept up-to-date for us.
• I've done a bunch of refactoring to make this more DRY and (hopefully) prevent more of the v-prefix nonsense from spreading.
• Finally, I've added unit tests for the version bumping (including the new prerelease flag) and the aliasing.

I have one more feature to implement in a different PR (updating hardcoded version numbers in __version__.py and nextflow.config files), and then I believe these workflows will be ready for widespread use. Given that, please do dig into the nitty-gritty details.

I've been testing this with the https://github.com/uclahs-cds/docker-internal-tests repository - it is using duplicates of the new template workflows (modified to point to this branch). Please feel free to test the workflows by creating releases, deleting releases, etc. All of this is intended to be robust and handle edge cases gracefully.

Closes #9

Checklist

• This PR does NOT contain Protected Health Information (PHI). A repo may need to be deleted if such data is uploaded.
  Disclosing PHI is a major problem¹ - Even a small leak can be costly².

• This PR does NOT contain germline genetic data³, RNA-Seq, DNA methylation, microbiome or other molecular data⁴.

• This PR does NOT contain other non-plain text files, such as: compressed files, images (e.g. .png, .jpeg), .pdf, .RData, .xlsx, .doc, .ppt, or other output files.

  To automatically exclude such files using a .gitignore file, see here for example.

• I have read the code review guidelines and the code review best practice on GitHub check-list.

• I have set up or verified the main branch protection rule following the github standards before opening this pull request.

• The name of the branch is meaningful and well formatted following the standards, using [AD_username (or 5 letters of AD if AD is too long)]-[brief_description_of_branch].

• I have added the major changes included in this pull request to the CHANGELOG.md under the next release version or unreleased, and updated the date.

Footnotes

1. UCLA Health reaches $7.5m settlement over 2015 breach of 4.5m patient records ↩

2. The average healthcare data breach costs $2.2 million, despite the majority of breaches releasing fewer than 500 records. ↩

3. Genetic information is considered PHI.
   Forensic assays can identify patients with as few as 21 SNPs ↩

4. RNA-Seq, DNA methylation, microbiome, or other molecular data can be used to predict genotypes (PHI) and reveal a patient's identity. ↩

[aholmes]

note: I thought this was bread :(

[nwiltsie]

ChatGPT told me to do it!

For a workflow that is responsible for creating software releases, the most appropriate emojis to highlight the purpose of the workflow would be:

🚀 :rocket:

• Represents launching or releasing something, making it a popular and intuitive choice for release workflows.

🏷️ :label:

• Represents a tag or label, which aligns well with tagging versions or releases in a repository.

📦 :package:

• Symbolizes packaging or bundling software, often associated with creating and distributing software releases.

[aholmes]

I was just sad it wasn't bread ):

[aholmes]

suggestion: rename to IneligibleAliasError

[nwiltsie]

Excellent suggestion - done with d42c04c.

[aholmes]

suggestion: though not required, usages of := can be clarified by grouping, e.g.,

if (
    unknown_tags := (
        self.tag_to_release_map.keys()
        - self.tag_to_commit_map.keys()
    )
): ...

This makes the intention clear that unknown_tags is the result of unknown_tags = (a - b) and not (unknown_tags = a) - b

[nwiltsie]

Yeah what I have here is misleading. Fixed up with fa2cceb.

[aholmes]

suggestion: The various usages of some_var.keys() might be more readable if the values are realized earlier, and once, e.g.:

release_keys = tag_to_release_map.keys()
commit_keys = tag_to_commit_map.keys()
version_keys = tag_to_version_map.keys()

if (release_keys ... commit_keys): ...

if (version_keys ... release_keys): ...

# etc.

[nwiltsie]

Good call, this is way more readable: 64f3d3e.

[yashpatel6]

question (non-blocking): I guess once this repo is public, this token should also no longer be necessary?

[nwiltsie]

Correct, the secret won't be necessary for this purpose.

Separately, I might need to add an input for the token to be used when creating the release (in the release workflow). I ran into that constant issue where the alias workflow would not be triggered unless the release workflow was run with a non-standard token.

[nwiltsie]

Specifically this block:

tool-create-release/.github/workflows/wf-finalize-release.yaml

Lines 36 to 45 in 668db63

	- id: parse-version
	uses: actions/github-script@v7
	env:
	INPUT_DRAFT: ${{ inputs.draft }}
	with:
	# Use the separate token so that `published` events will be fired
	github-token: ${{ secrets.UCLAHS_CDS_REPO_READ_TOKEN }}
	script: |
	const script = require('./scripts/finalize-release.js')
	await script({github, context, core})