Skip to content

Cut Release

Cut Release #32

Workflow file for this run

name: Cut Release
on: workflow_dispatch
jobs:
check-requirements:
name: Check Requirements
runs-on: ubuntu-latest
environment: release-check
steps:
- name: Check For Admin Permission
uses: actions-cool/check-user-permission@v2
with:
require: admin
username: ${{ github.triggering_actor }}
- name: Check Repository
run: |
if [ "${{ vars.RUN_RELEASE_BUILDS }}" = "1" ]; then
MSG="Running workflow because RUN_RELEASE_BUILDS=1"
echo "${MSG}"
echo "${MSG}" >> "${GITHUB_STEP_SUMMARY}"
exit 0
fi
echo "Trying to run the release workflow from repository ${{ github.repository }}"
if [ "${{ github.repository }}" != "saltstack/salt-bootstrap" ]; then
MSG="Running the release workflow from the ${{ github.repository }} repository is not allowed"
echo "${MSG}"
echo "${MSG}" >> "${GITHUB_STEP_SUMMARY}"
MSG="Allowed repository: saltstack/salt-bootstrap"
echo "${MSG}"
echo "${MSG}" >> "${GITHUB_STEP_SUMMARY}"
exit 1
else
MSG="Allowed to release from repository ${{ github.repository }}"
echo "${MSG}"
echo "${MSG}" >> "${GITHUB_STEP_SUMMARY}"
fi
- name: Check Branch
run: |
echo "Trying to run the release workflow from branch ${{ github.ref_name }}"
if [ "${{ github.ref_name }}" != "develop" ]; then
echo "Running the release workflow from the ${{ github.ref_name }} branch is not allowed"
echo "Allowed branches: develop"
exit 1
else
echo "Allowed to release from branch ${{ github.ref_name }}"
fi
update-develop:
name: Update CHANGELOG.md and bootstrap-salt.sh
runs-on:
- self-hosted
- linux
- repo-release
permissions:
contents: write # To be able to publish the release
environment: release
needs:
- check-requirements
outputs:
release-version: ${{ steps.update-repo.outputs.release-version }}
steps:
- uses: actions/checkout@v3
with:
ref: develop
repository: ${{ github.repository }}
ssh-key: ${{ secrets.SALT_BOOTSTRAP_RELEASE_KEY }}
- name: Install Requirements
run: |
python3 -m pip install -r requirements/release.txt
pre-commit install --install-hooks
- name: Setup GnuPG
run: |
sudo install -d -m 0700 -o "$(id -u)" -g "$(id -g)" /run/gpg
GNUPGHOME="$(mktemp -d -p /run/gpg)"
echo "GNUPGHOME=${GNUPGHOME}" >> "$GITHUB_ENV"
cat <<EOF > "${GNUPGHOME}/gpg.conf"
batch
no-tty
pinentry-mode loopback
EOF
- name: Get Secrets
id: get-secrets
env:
SECRETS_KEY: ${{ secrets.SECRETS_KEY }}
run: |
SECRETS_KEY_FILE=$(mktemp /tmp/output.XXXXXXXXXX)
echo "$SECRETS_KEY" > "$SECRETS_KEY_FILE"
aws --region us-west-2 secretsmanager get-secret-value --secret-id /cmbu-saltstack/signing/repo-signing-keys-sha256-2023 \
--query SecretString --output text | jq .default_key -r | base64 -d \
| gpg --passphrase-file "${SECRETS_KEY_FILE}" -d - \
| gpg --import -
sync
aws --region us-west-2 secretsmanager get-secret-value --secret-id /cmbu-saltstack/signing/repo-signing-keys-sha256-2023 \
--query SecretString --output text| jq .default_passphrase -r | base64 -d \
| gpg --passphrase-file "${SECRETS_KEY_FILE}" -o "${GNUPGHOME}/passphrase" -d -
sync
rm "$SECRETS_KEY_FILE"
echo "passphrase-file ${GNUPGHOME}/passphrase" >> "${GNUPGHOME}/gpg.conf"
- name: Configure Git
shell: bash
run: |
git config --global --add safe.directory "$(pwd)"
git config --global user.name "Salt Project Packaging"
git config --global user.email saltproject-packaging@vmware.com
git config --global user.signingkey 64CBBC8173D76B3F
git config --global commit.gpgsign true
- name: Update Repository
id: update-repo
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
python3 .github/workflows/scripts/cut-release.py --repo ${{ github.repository }}
- name: Show Changes
run: |
git status
git diff
- name: Commit Changes
run: |
git commit -am "Update develop branch for the ${{ steps.update-repo.outputs.release-version }} release" || \
git commit -am "Update develop branch for the ${{ steps.update-repo.outputs.release-version }} release"
- name: Push Changes
uses: ad-m/github-push-action@b87afee92c6e70ea888be6203a3e9426fda49839
with:
ssh: true
atomic: true
branch: develop
repository: ${{ github.repository }}
- name: Upload Release Details
uses: actions/upload-artifact@v3
with:
name: release-details
path: |
.cut_release_version
.cut_release_changes
merge-develop-into-stable:
name: Merge develop into stable
runs-on:
- self-hosted
- linux
- repo-release
needs:
- update-develop
environment: release
permissions:
contents: write # To be able to publish the release
steps:
- uses: actions/checkout@v3
with:
ref: stable
repository: ${{ github.repository }}
ssh-key: ${{ secrets.SALT_BOOTSTRAP_RELEASE_KEY }}
fetch-depth: 0
- name: Setup GnuPG
run: |
sudo install -d -m 0700 -o "$(id -u)" -g "$(id -g)" /run/gpg
GNUPGHOME="$(mktemp -d -p /run/gpg)"
echo "GNUPGHOME=${GNUPGHOME}" >> "$GITHUB_ENV"
cat <<EOF > "${GNUPGHOME}/gpg.conf"
batch
no-tty
pinentry-mode loopback
EOF
- name: Get Secrets
id: get-secrets
env:
SECRETS_KEY: ${{ secrets.SECRETS_KEY }}
run: |
SECRETS_KEY_FILE=$(mktemp /tmp/output.XXXXXXXXXX)
echo "$SECRETS_KEY" > "$SECRETS_KEY_FILE"
aws --region us-west-2 secretsmanager get-secret-value --secret-id /cmbu-saltstack/signing/repo-signing-keys-sha256-2023 \
--query SecretString --output text | jq .default_key -r | base64 -d \
| gpg --passphrase-file "${SECRETS_KEY_FILE}" -d - \
| gpg --import -
sync
aws --region us-west-2 secretsmanager get-secret-value --secret-id /cmbu-saltstack/signing/repo-signing-keys-sha256-2023 \
--query SecretString --output text| jq .default_passphrase -r | base64 -d \
| gpg --passphrase-file "${SECRETS_KEY_FILE}" -o "${GNUPGHOME}/passphrase" -d -
sync
rm "$SECRETS_KEY_FILE"
echo "passphrase-file ${GNUPGHOME}/passphrase" >> "${GNUPGHOME}/gpg.conf"
- name: Configure Git
shell: bash
run: |
git config --global --add safe.directory "$(pwd)"
git config --global user.name "Salt Project Packaging"
git config --global user.email saltproject-packaging@vmware.com
git config --global user.signingkey 64CBBC8173D76B3F
git config --global commit.gpgsign true
- name: Download Release Details
uses: actions/download-artifact@v3
with:
name: release-details
- name: Merge develop into stable
run: |
git merge --no-ff -m "Merge develop into stable for ${{ needs.update-develop.outputs.release-version }} release" origin/develop || touch .git-conflicts
if [ -f .git-conflicts ]
then
git diff
for f in $(git status | grep 'both modified' | awk '{ print $3 }')
do
git checkout --theirs "$f"
pre-commit run -av --files "$f"
git add "$f"
done
git commit -a -m "Merge develop into stable for ${{ needs.update-develop.outputs.release-version }} release(auto resolving conflicts to the develop version)"
fi
- name: Tag The ${{ needs.update-develop.outputs.release-version }} Release
run: |
git tag -m "Release ${{ needs.update-develop.outputs.release-version }}" -as ${{ needs.update-develop.outputs.release-version }}
- name: Update bootstrap-salt.sh sha256sum's
run: |
sha256sum bootstrap-salt.sh | awk '{ print $1 }' > bootstrap-salt.sh.sha256
sha256sum bootstrap-salt.ps1 | awk '{ print $1 }' > bootstrap-salt.ps1.sha256
git commit -a -m "Update sha256 checksums" || git commit -a -m "Update sha256 checksums"
- name: Push Changes
uses: ad-m/github-push-action@b87afee92c6e70ea888be6203a3e9426fda49839
with:
ssh: true
tags: true
atomic: true
branch: stable
repository: ${{ github.repository }}
publish-release:
name: Create GitHub Release
runs-on:
- self-hosted
- linux
needs:
- merge-develop-into-stable
environment: release
permissions:
contents: write # To be able to publish the release
steps:
- uses: actions/checkout@v3
with:
ref: stable
repository: ${{ github.repository }}
ssh-key: ${{ secrets.SALT_BOOTSTRAP_RELEASE_KEY }}
- name: Download Release Details
uses: actions/download-artifact@v3
with:
name: release-details
- name: Update Environment
run: |
CUT_RELEASE_VERSION=$(cat .cut_release_version)
echo "CUT_RELEASE_VERSION=${CUT_RELEASE_VERSION}" >> "$GITHUB_ENV"
- name: Create Github Release
uses: softprops/action-gh-release@v1
with:
name: ${{ env.CUT_RELEASE_VERSION }}
tag_name: ${{ env.CUT_RELEASE_VERSION }}
body_path: .cut_release_changes
target_commitish: stable
draft: false
prerelease: false
generate_release_notes: false
files: |
bootstrap-salt.sh
bootstrap-salt.sh.sha256
bootstrap-salt.ps1
bootstrap-salt.ps1.sha256
LICENSE
- name: Delete Release Details Artifact
uses: geekyeggo/delete-artifact@v2
with:
name: release-details
failOnError: false
update-s3-bucket:
name: Update S3 Bucket
runs-on:
- self-hosted
- linux
- repo-release
needs:
- publish-release
environment: release
steps:
- uses: actions/checkout@v3
with:
ref: stable
repository: ${{ github.repository }}
ssh-key: ${{ secrets.SALT_BOOTSTRAP_RELEASE_KEY }}
- name: Get Salt Project GitHub Actions Bot Environment
run: |
TOKEN=$(curl -sS -f -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 30")
SPB_ENVIRONMENT=$(curl -sS -f -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/tags/instance/spb:environment)
echo "SPB_ENVIRONMENT=$SPB_ENVIRONMENT" >> "$GITHUB_ENV"
- name: Setup GnuPG
run: |
sudo install -d -m 0700 -o "$(id -u)" -g "$(id -g)" /run/gpg
GNUPGHOME="$(mktemp -d -p /run/gpg)"
echo "GNUPGHOME=${GNUPGHOME}" >> "$GITHUB_ENV"
cat <<EOF > "${GNUPGHOME}/gpg.conf"
batch
no-tty
pinentry-mode loopback
EOF
- name: Get Secrets
id: get-secrets
env:
SECRETS_KEY: ${{ secrets.SECRETS_KEY }}
run: |
SECRETS_KEY_FILE=$(mktemp /tmp/output.XXXXXXXXXX)
echo "$SECRETS_KEY" > "$SECRETS_KEY_FILE"
aws --region us-west-2 secretsmanager get-secret-value --secret-id /cmbu-saltstack/signing/repo-signing-keys-sha256-2023 \
--query SecretString --output text | jq .default_key -r | base64 -d \
| gpg --passphrase-file "${SECRETS_KEY_FILE}" -d - \
| gpg --import -
sync
aws --region us-west-2 secretsmanager get-secret-value --secret-id /cmbu-saltstack/signing/repo-signing-keys-sha256-2023 \
--query SecretString --output text| jq .default_passphrase -r | base64 -d \
| gpg --passphrase-file "${SECRETS_KEY_FILE}" -o "${GNUPGHOME}/passphrase" -d -
sync
rm "$SECRETS_KEY_FILE"
echo "passphrase-file ${GNUPGHOME}/passphrase" >> "${GNUPGHOME}/gpg.conf"
- name: Install Requirements
run: |
python3 -m pip install -r requirements/release.txt
- name: Upload Stable Release to S3
run: |
tools release s3-publish --key-id 64CBBC8173D76B3F stable
update-develop-checksums:
name: Update Release Checksums on Develop
runs-on:
- self-hosted
- linux
- repo-release
needs:
- publish-release
environment: release
permissions:
contents: write # For action peter-evans/create-pull-request
pull-requests: write # For action peter-evans/create-pull-request
steps:
- uses: actions/checkout@v3
with:
ref: stable
repository: ${{ github.repository }}
ssh-key: ${{ secrets.SALT_BOOTSTRAP_RELEASE_KEY }}
- name: Get bootstrap-salt.sh on stable branch sha256sum
run: |
echo "SH=$(sha256sum bootstrap-salt.sh | awk '{ print $1 }')" >> "$GITHUB_ENV"
echo "BS_VERSION=$(sh bootstrap-salt.sh -v | awk '{ print $4 }')" >> "$GITHUB_ENV"
- uses: actions/checkout@v3
with:
ref: develop
repository: ${{ github.repository }}
ssh-key: ${{ secrets.SALT_BOOTSTRAP_RELEASE_KEY }}
- name: Setup GnuPG
run: |
sudo install -d -m 0700 -o "$(id -u)" -g "$(id -g)" /run/gpg
GNUPGHOME="$(mktemp -d -p /run/gpg)"
echo "GNUPGHOME=${GNUPGHOME}" >> "$GITHUB_ENV"
cat <<EOF > "${GNUPGHOME}/gpg.conf"
batch
no-tty
pinentry-mode loopback
EOF
- name: Get Secrets
id: get-secrets
env:
SECRETS_KEY: ${{ secrets.SECRETS_KEY }}
run: |
SECRETS_KEY_FILE=$(mktemp /tmp/output.XXXXXXXXXX)
echo "$SECRETS_KEY" > "$SECRETS_KEY_FILE"
aws --region us-west-2 secretsmanager get-secret-value --secret-id /cmbu-saltstack/signing/repo-signing-keys-sha256-2023 \
--query SecretString --output text | jq .default_key -r | base64 -d \
| gpg --passphrase-file "${SECRETS_KEY_FILE}" -d - \
| gpg --import -
sync
aws --region us-west-2 secretsmanager get-secret-value --secret-id /cmbu-saltstack/signing/repo-signing-keys-sha256-2023 \
--query SecretString --output text| jq .default_passphrase -r | base64 -d \
| gpg --passphrase-file "${SECRETS_KEY_FILE}" -o "${GNUPGHOME}/passphrase" -d -
sync
rm "$SECRETS_KEY_FILE"
echo "passphrase-file ${GNUPGHOME}/passphrase" >> "${GNUPGHOME}/gpg.conf"
- name: Configure Git
shell: bash
run: |
git config --global --add safe.directory "$(pwd)"
git config --global user.name "Salt Project Packaging"
git config --global user.email saltproject-packaging@vmware.com
git config --global user.signingkey 64CBBC8173D76B3F
git config --global commit.gpgsign true
- name: Update Latest Release on README
run: |
python3 .github/workflows/scripts/update-release-shasum.py ${{ env.BS_VERSION }} ${{ env.SH }}
- name: Show Changes
run: |
git status
git diff
- name: Commit Changes
run: |
git commit -am "Update README.rst with ${{ env.BS_VERSION }} release sha256sum" || \
git commit -am "Update README.rst with ${{ env.BS_VERSION }} release sha256sum"
- name: Push Changes
uses: ad-m/github-push-action@b87afee92c6e70ea888be6203a3e9426fda49839
with:
ssh: true
atomic: true
branch: develop
repository: ${{ github.repository }}