Skip to content

ZXCron: Promote Build Candidate #4

ZXCron: Promote Build Candidate

ZXCron: Promote Build Candidate #4

##
# Copyright (C) 2023-2024 Hedera Hashgraph, LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
##
name: "ZXCron: Promote Build Candidate"
on:
workflow_dispatch:
schedule:
# Runs Promote Build Candidate at 2000 hours
- cron: '0 20 * * *'
permissions:
actions: read
contents: read
defaults:
run:
shell: bash
jobs:
determine-build-candidate:
name: Fetch Latest Build Candidate
runs-on: network-node-linux-medium
outputs:
build-candidate-exists: ${{ steps.find-build-candidates.outputs.build-candidate-exists }}
build-candidate-commit: ${{ steps.find-build-candidates.outputs.build-candidate-commit }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
with:
egress-policy: audit
# Checkout the latest from dev
- name: Checkout Code
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
with:
fetch-depth: '0'
ref: develop
token: ${{ secrets.GH_ACCESS_TOKEN }}
- name: Find Build Candidates
id: find-build-candidates
run: |
TAG_PATTERN="xts-pass-*"
CANDIDATE_TAG="$(git tag --list --sort=-version:refname "${TAG_PATTERN}" | head --lines 1)"
if [[ -n "${CANDIDATE_TAG}" ]]; then
CANDIDATE_COMMIT=$(git rev-list --max-count 1 ${CANDIDATE_TAG})
if git branch --contains "${CANDIDATE_COMMIT}" | grep --quiet develop >/dev/null 2>&1; then
git push --delete origin $(git tag --list "${TAG_PATTERN}")
git tag --delete $(git tag --list "${TAG_PATTERN}")
echo "build-candidate-exists=true" >> "${GITHUB_OUTPUT}"
echo "build-candidate-commit=${CANDIDATE_COMMIT}" >> "${GITHUB_OUTPUT}"
echo "### Build Candidate Found" >> "${GITHUB_STEP_SUMMARY}"
echo "build-candidate-commit=${CANDIDATE_COMMIT}" >> "${GITHUB_STEP_SUMMARY}"
echo "build_candidate_tag=${CANDIDATE_TAG}" >> "${GITHUB_STEP_SUMMARY}"
else
gh run cancel "${{ github.run_id }}"
fi
else
gh run cancel "${{ github.run_id }}"
fi
promote-build-candidate:
name: Promote Build Candidate
runs-on: network-node-linux-medium
needs: determine-build-candidate
if: ${{ needs.determine-build-candidate.result == 'success' && needs.determine-build-candidate.outputs.build-candidate-exists == 'true' }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
with:
egress-policy: audit
- name: Checkout Tagged Code
id: checkout-tagged-code
if: ${{ needs.determine-build-candidate.outputs.build-candidate-exists == 'true' }}
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
with:
fetch-depth: '0'
ref: ${{ needs.determine-build-candidate.outputs.build-candidate-commit }}
token: ${{ secrets.GH_ACCESS_TOKEN }}
- name: Import GPG Key
id: gpg_importer
uses: step-security/ghaction-import-gpg@6c8fe4d0126a59d57c21f87c9ae5dd3451fa3cca # v6.1.0
with:
git_commit_gpgsign: true
git_tag_gpgsign: true
git_user_signingkey: true
gpg_private_key: ${{ secrets.SVCS_GPG_KEY_CONTENTS }}
passphrase: ${{ secrets.SVCS_GPG_KEY_PASSPHRASE }}
- name: Tag Build Candidate
env:
BUILD_INDEX: ${{ vars.XTS_BUILD_PROMOTION_INDEX }}
run: |
BUILD_TAG="$(printf "build-%05d" "${BUILD_INDEX}")"
git tag --annotate ${BUILD_TAG} --message "chore: tagging commit for build promotion"
git push --set-upstream origin --tags
echo "### Build Promotion Tag Information" >> "${GITHUB_STEP_SUMMARY}"
echo "build-tag=${BUILD_TAG}" >> "${GITHUB_STEP_SUMMARY}"
- name: Increment Build Promotion Index
uses: action-pack/increment@14c9f7fbbf560e7518ccaeab781aeca7bff15069 # v2.12
id: increment
with:
name: 'XTS_BUILD_PROMOTION_INDEX'
token: ${{ secrets.GH_ACCESS_TOKEN }}
- name: Preview Next Build
env:
NEXT_BUILD_ID: ${{ steps.increment.outputs.value }}
run: |
NEXT_BUILD_TAG="$(printf "build-%05d" "${NEXT_BUILD_ID}")"
echo "### Preview Next Build Tag" >> "${GITHUB_STEP_SUMMARY}"
echo "Next build tag is: ${NEXT_BUILD_TAG}" >> "${GITHUB_STEP_SUMMARY}"
report-failure:
name: Report XTS execution failure
runs-on: network-node-linux-medium
needs:
- determine-build-candidate
- promote-build-candidate
if: ${{ (needs.determine-build-candidate.result != 'success' || needs.promote-build-candidate.result != 'success') && !cancelled() && always() }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
with:
egress-policy: audit
- name: Report failure (slack)
uses: slackapi/slack-github-action@6c661ce58804a1a20f6dc5fbee7f0381b469e001 # v1.25.0
env:
SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_CITR_WEBHOOK }}
with:
payload: |
{
"attachments": [
{
"color": "#7647cd",
"blocks": [
{
"type": "header",
"text": {
"type": "plain_text",
"text": ":grey_exclamation: Hedera Services - Build Candidate Promotion Error Report",
"emoji": true
}
},
{
"type": "divider"
},
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": "*Build Candidate Promotion Job Resulted in failure. See status below.*"
},
"fields": [
{
"type": "plain_text",
"text": "Fetch Latest Build Candidate"
},
{
"type": "plain_text",
"text": "${{ needs.determine-build-candidate.result }}"
},
{
"type": "plain_text",
"text": "Promote Build Candidate"
},
{
"type": "plain_text",
"text": "${{ needs.promote-build-candidate.result }}"
}
]
},
{
"type": "divider"
},
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": "*Source Commit*: \n<${{ github.server_url }}/${{ github.repository }}/commit/${{ github.sha }}>"
}
}
]
}
]
}