Cut Release #32
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Cut Release | |
on: workflow_dispatch | |
jobs: | |
check-requirements: | |
name: Check Requirements | |
runs-on: ubuntu-latest | |
environment: release-check | |
steps: | |
- name: Check For Admin Permission | |
uses: actions-cool/check-user-permission@v2 | |
with: | |
require: admin | |
username: ${{ github.triggering_actor }} | |
- name: Check Repository | |
run: | | |
if [ "${{ vars.RUN_RELEASE_BUILDS }}" = "1" ]; then | |
MSG="Running workflow because RUN_RELEASE_BUILDS=1" | |
echo "${MSG}" | |
echo "${MSG}" >> "${GITHUB_STEP_SUMMARY}" | |
exit 0 | |
fi | |
echo "Trying to run the release workflow from repository ${{ github.repository }}" | |
if [ "${{ github.repository }}" != "saltstack/salt-bootstrap" ]; then | |
MSG="Running the release workflow from the ${{ github.repository }} repository is not allowed" | |
echo "${MSG}" | |
echo "${MSG}" >> "${GITHUB_STEP_SUMMARY}" | |
MSG="Allowed repository: saltstack/salt-bootstrap" | |
echo "${MSG}" | |
echo "${MSG}" >> "${GITHUB_STEP_SUMMARY}" | |
exit 1 | |
else | |
MSG="Allowed to release from repository ${{ github.repository }}" | |
echo "${MSG}" | |
echo "${MSG}" >> "${GITHUB_STEP_SUMMARY}" | |
fi | |
- name: Check Branch | |
run: | | |
echo "Trying to run the release workflow from branch ${{ github.ref_name }}" | |
if [ "${{ github.ref_name }}" != "develop" ]; then | |
echo "Running the release workflow from the ${{ github.ref_name }} branch is not allowed" | |
echo "Allowed branches: develop" | |
exit 1 | |
else | |
echo "Allowed to release from branch ${{ github.ref_name }}" | |
fi | |
update-develop: | |
name: Update CHANGELOG.md and bootstrap-salt.sh | |
runs-on: | |
- self-hosted | |
- linux | |
- repo-release | |
permissions: | |
contents: write # To be able to publish the release | |
environment: release | |
needs: | |
- check-requirements | |
outputs: | |
release-version: ${{ steps.update-repo.outputs.release-version }} | |
steps: | |
- uses: actions/checkout@v3 | |
with: | |
ref: develop | |
repository: ${{ github.repository }} | |
ssh-key: ${{ secrets.SALT_BOOTSTRAP_RELEASE_KEY }} | |
- name: Install Requirements | |
run: | | |
python3 -m pip install -r requirements/release.txt | |
pre-commit install --install-hooks | |
- name: Setup GnuPG | |
run: | | |
sudo install -d -m 0700 -o "$(id -u)" -g "$(id -g)" /run/gpg | |
GNUPGHOME="$(mktemp -d -p /run/gpg)" | |
echo "GNUPGHOME=${GNUPGHOME}" >> "$GITHUB_ENV" | |
cat <<EOF > "${GNUPGHOME}/gpg.conf" | |
batch | |
no-tty | |
pinentry-mode loopback | |
EOF | |
- name: Get Secrets | |
id: get-secrets | |
env: | |
SECRETS_KEY: ${{ secrets.SECRETS_KEY }} | |
run: | | |
SECRETS_KEY_FILE=$(mktemp /tmp/output.XXXXXXXXXX) | |
echo "$SECRETS_KEY" > "$SECRETS_KEY_FILE" | |
aws --region us-west-2 secretsmanager get-secret-value --secret-id /cmbu-saltstack/signing/repo-signing-keys-sha256-2023 \ | |
--query SecretString --output text | jq .default_key -r | base64 -d \ | |
| gpg --passphrase-file "${SECRETS_KEY_FILE}" -d - \ | |
| gpg --import - | |
sync | |
aws --region us-west-2 secretsmanager get-secret-value --secret-id /cmbu-saltstack/signing/repo-signing-keys-sha256-2023 \ | |
--query SecretString --output text| jq .default_passphrase -r | base64 -d \ | |
| gpg --passphrase-file "${SECRETS_KEY_FILE}" -o "${GNUPGHOME}/passphrase" -d - | |
sync | |
rm "$SECRETS_KEY_FILE" | |
echo "passphrase-file ${GNUPGHOME}/passphrase" >> "${GNUPGHOME}/gpg.conf" | |
- name: Configure Git | |
shell: bash | |
run: | | |
git config --global --add safe.directory "$(pwd)" | |
git config --global user.name "Salt Project Packaging" | |
git config --global user.email saltproject-packaging@vmware.com | |
git config --global user.signingkey 64CBBC8173D76B3F | |
git config --global commit.gpgsign true | |
- name: Update Repository | |
id: update-repo | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
run: | | |
python3 .github/workflows/scripts/cut-release.py --repo ${{ github.repository }} | |
- name: Show Changes | |
run: | | |
git status | |
git diff | |
- name: Commit Changes | |
run: | | |
git commit -am "Update develop branch for the ${{ steps.update-repo.outputs.release-version }} release" || \ | |
git commit -am "Update develop branch for the ${{ steps.update-repo.outputs.release-version }} release" | |
- name: Push Changes | |
uses: ad-m/github-push-action@b87afee92c6e70ea888be6203a3e9426fda49839 | |
with: | |
ssh: true | |
atomic: true | |
branch: develop | |
repository: ${{ github.repository }} | |
- name: Upload Release Details | |
uses: actions/upload-artifact@v3 | |
with: | |
name: release-details | |
path: | | |
.cut_release_version | |
.cut_release_changes | |
merge-develop-into-stable: | |
name: Merge develop into stable | |
runs-on: | |
- self-hosted | |
- linux | |
- repo-release | |
needs: | |
- update-develop | |
environment: release | |
permissions: | |
contents: write # To be able to publish the release | |
steps: | |
- uses: actions/checkout@v3 | |
with: | |
ref: stable | |
repository: ${{ github.repository }} | |
ssh-key: ${{ secrets.SALT_BOOTSTRAP_RELEASE_KEY }} | |
fetch-depth: 0 | |
- name: Setup GnuPG | |
run: | | |
sudo install -d -m 0700 -o "$(id -u)" -g "$(id -g)" /run/gpg | |
GNUPGHOME="$(mktemp -d -p /run/gpg)" | |
echo "GNUPGHOME=${GNUPGHOME}" >> "$GITHUB_ENV" | |
cat <<EOF > "${GNUPGHOME}/gpg.conf" | |
batch | |
no-tty | |
pinentry-mode loopback | |
EOF | |
- name: Get Secrets | |
id: get-secrets | |
env: | |
SECRETS_KEY: ${{ secrets.SECRETS_KEY }} | |
run: | | |
SECRETS_KEY_FILE=$(mktemp /tmp/output.XXXXXXXXXX) | |
echo "$SECRETS_KEY" > "$SECRETS_KEY_FILE" | |
aws --region us-west-2 secretsmanager get-secret-value --secret-id /cmbu-saltstack/signing/repo-signing-keys-sha256-2023 \ | |
--query SecretString --output text | jq .default_key -r | base64 -d \ | |
| gpg --passphrase-file "${SECRETS_KEY_FILE}" -d - \ | |
| gpg --import - | |
sync | |
aws --region us-west-2 secretsmanager get-secret-value --secret-id /cmbu-saltstack/signing/repo-signing-keys-sha256-2023 \ | |
--query SecretString --output text| jq .default_passphrase -r | base64 -d \ | |
| gpg --passphrase-file "${SECRETS_KEY_FILE}" -o "${GNUPGHOME}/passphrase" -d - | |
sync | |
rm "$SECRETS_KEY_FILE" | |
echo "passphrase-file ${GNUPGHOME}/passphrase" >> "${GNUPGHOME}/gpg.conf" | |
- name: Configure Git | |
shell: bash | |
run: | | |
git config --global --add safe.directory "$(pwd)" | |
git config --global user.name "Salt Project Packaging" | |
git config --global user.email saltproject-packaging@vmware.com | |
git config --global user.signingkey 64CBBC8173D76B3F | |
git config --global commit.gpgsign true | |
- name: Download Release Details | |
uses: actions/download-artifact@v3 | |
with: | |
name: release-details | |
- name: Merge develop into stable | |
run: | | |
git merge --no-ff -m "Merge develop into stable for ${{ needs.update-develop.outputs.release-version }} release" origin/develop || touch .git-conflicts | |
if [ -f .git-conflicts ] | |
then | |
git diff | |
for f in $(git status | grep 'both modified' | awk '{ print $3 }') | |
do | |
git checkout --theirs "$f" | |
pre-commit run -av --files "$f" | |
git add "$f" | |
done | |
git commit -a -m "Merge develop into stable for ${{ needs.update-develop.outputs.release-version }} release(auto resolving conflicts to the develop version)" | |
fi | |
- name: Tag The ${{ needs.update-develop.outputs.release-version }} Release | |
run: | | |
git tag -m "Release ${{ needs.update-develop.outputs.release-version }}" -as ${{ needs.update-develop.outputs.release-version }} | |
- name: Update bootstrap-salt.sh sha256sum's | |
run: | | |
sha256sum bootstrap-salt.sh | awk '{ print $1 }' > bootstrap-salt.sh.sha256 | |
sha256sum bootstrap-salt.ps1 | awk '{ print $1 }' > bootstrap-salt.ps1.sha256 | |
git commit -a -m "Update sha256 checksums" || git commit -a -m "Update sha256 checksums" | |
- name: Push Changes | |
uses: ad-m/github-push-action@b87afee92c6e70ea888be6203a3e9426fda49839 | |
with: | |
ssh: true | |
tags: true | |
atomic: true | |
branch: stable | |
repository: ${{ github.repository }} | |
publish-release: | |
name: Create GitHub Release | |
runs-on: | |
- self-hosted | |
- linux | |
needs: | |
- merge-develop-into-stable | |
environment: release | |
permissions: | |
contents: write # To be able to publish the release | |
steps: | |
- uses: actions/checkout@v3 | |
with: | |
ref: stable | |
repository: ${{ github.repository }} | |
ssh-key: ${{ secrets.SALT_BOOTSTRAP_RELEASE_KEY }} | |
- name: Download Release Details | |
uses: actions/download-artifact@v3 | |
with: | |
name: release-details | |
- name: Update Environment | |
run: | | |
CUT_RELEASE_VERSION=$(cat .cut_release_version) | |
echo "CUT_RELEASE_VERSION=${CUT_RELEASE_VERSION}" >> "$GITHUB_ENV" | |
- name: Create Github Release | |
uses: softprops/action-gh-release@v1 | |
with: | |
name: ${{ env.CUT_RELEASE_VERSION }} | |
tag_name: ${{ env.CUT_RELEASE_VERSION }} | |
body_path: .cut_release_changes | |
target_commitish: stable | |
draft: false | |
prerelease: false | |
generate_release_notes: false | |
files: | | |
bootstrap-salt.sh | |
bootstrap-salt.sh.sha256 | |
bootstrap-salt.ps1 | |
bootstrap-salt.ps1.sha256 | |
LICENSE | |
- name: Delete Release Details Artifact | |
uses: geekyeggo/delete-artifact@v2 | |
with: | |
name: release-details | |
failOnError: false | |
update-s3-bucket: | |
name: Update S3 Bucket | |
runs-on: | |
- self-hosted | |
- linux | |
- repo-release | |
needs: | |
- publish-release | |
environment: release | |
steps: | |
- uses: actions/checkout@v3 | |
with: | |
ref: stable | |
repository: ${{ github.repository }} | |
ssh-key: ${{ secrets.SALT_BOOTSTRAP_RELEASE_KEY }} | |
- name: Get Salt Project GitHub Actions Bot Environment | |
run: | | |
TOKEN=$(curl -sS -f -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 30") | |
SPB_ENVIRONMENT=$(curl -sS -f -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/tags/instance/spb:environment) | |
echo "SPB_ENVIRONMENT=$SPB_ENVIRONMENT" >> "$GITHUB_ENV" | |
- name: Setup GnuPG | |
run: | | |
sudo install -d -m 0700 -o "$(id -u)" -g "$(id -g)" /run/gpg | |
GNUPGHOME="$(mktemp -d -p /run/gpg)" | |
echo "GNUPGHOME=${GNUPGHOME}" >> "$GITHUB_ENV" | |
cat <<EOF > "${GNUPGHOME}/gpg.conf" | |
batch | |
no-tty | |
pinentry-mode loopback | |
EOF | |
- name: Get Secrets | |
id: get-secrets | |
env: | |
SECRETS_KEY: ${{ secrets.SECRETS_KEY }} | |
run: | | |
SECRETS_KEY_FILE=$(mktemp /tmp/output.XXXXXXXXXX) | |
echo "$SECRETS_KEY" > "$SECRETS_KEY_FILE" | |
aws --region us-west-2 secretsmanager get-secret-value --secret-id /cmbu-saltstack/signing/repo-signing-keys-sha256-2023 \ | |
--query SecretString --output text | jq .default_key -r | base64 -d \ | |
| gpg --passphrase-file "${SECRETS_KEY_FILE}" -d - \ | |
| gpg --import - | |
sync | |
aws --region us-west-2 secretsmanager get-secret-value --secret-id /cmbu-saltstack/signing/repo-signing-keys-sha256-2023 \ | |
--query SecretString --output text| jq .default_passphrase -r | base64 -d \ | |
| gpg --passphrase-file "${SECRETS_KEY_FILE}" -o "${GNUPGHOME}/passphrase" -d - | |
sync | |
rm "$SECRETS_KEY_FILE" | |
echo "passphrase-file ${GNUPGHOME}/passphrase" >> "${GNUPGHOME}/gpg.conf" | |
- name: Install Requirements | |
run: | | |
python3 -m pip install -r requirements/release.txt | |
- name: Upload Stable Release to S3 | |
run: | | |
tools release s3-publish --key-id 64CBBC8173D76B3F stable | |
update-develop-checksums: | |
name: Update Release Checksums on Develop | |
runs-on: | |
- self-hosted | |
- linux | |
- repo-release | |
needs: | |
- publish-release | |
environment: release | |
permissions: | |
contents: write # For action peter-evans/create-pull-request | |
pull-requests: write # For action peter-evans/create-pull-request | |
steps: | |
- uses: actions/checkout@v3 | |
with: | |
ref: stable | |
repository: ${{ github.repository }} | |
ssh-key: ${{ secrets.SALT_BOOTSTRAP_RELEASE_KEY }} | |
- name: Get bootstrap-salt.sh on stable branch sha256sum | |
run: | | |
echo "SH=$(sha256sum bootstrap-salt.sh | awk '{ print $1 }')" >> "$GITHUB_ENV" | |
echo "BS_VERSION=$(sh bootstrap-salt.sh -v | awk '{ print $4 }')" >> "$GITHUB_ENV" | |
- uses: actions/checkout@v3 | |
with: | |
ref: develop | |
repository: ${{ github.repository }} | |
ssh-key: ${{ secrets.SALT_BOOTSTRAP_RELEASE_KEY }} | |
- name: Setup GnuPG | |
run: | | |
sudo install -d -m 0700 -o "$(id -u)" -g "$(id -g)" /run/gpg | |
GNUPGHOME="$(mktemp -d -p /run/gpg)" | |
echo "GNUPGHOME=${GNUPGHOME}" >> "$GITHUB_ENV" | |
cat <<EOF > "${GNUPGHOME}/gpg.conf" | |
batch | |
no-tty | |
pinentry-mode loopback | |
EOF | |
- name: Get Secrets | |
id: get-secrets | |
env: | |
SECRETS_KEY: ${{ secrets.SECRETS_KEY }} | |
run: | | |
SECRETS_KEY_FILE=$(mktemp /tmp/output.XXXXXXXXXX) | |
echo "$SECRETS_KEY" > "$SECRETS_KEY_FILE" | |
aws --region us-west-2 secretsmanager get-secret-value --secret-id /cmbu-saltstack/signing/repo-signing-keys-sha256-2023 \ | |
--query SecretString --output text | jq .default_key -r | base64 -d \ | |
| gpg --passphrase-file "${SECRETS_KEY_FILE}" -d - \ | |
| gpg --import - | |
sync | |
aws --region us-west-2 secretsmanager get-secret-value --secret-id /cmbu-saltstack/signing/repo-signing-keys-sha256-2023 \ | |
--query SecretString --output text| jq .default_passphrase -r | base64 -d \ | |
| gpg --passphrase-file "${SECRETS_KEY_FILE}" -o "${GNUPGHOME}/passphrase" -d - | |
sync | |
rm "$SECRETS_KEY_FILE" | |
echo "passphrase-file ${GNUPGHOME}/passphrase" >> "${GNUPGHOME}/gpg.conf" | |
- name: Configure Git | |
shell: bash | |
run: | | |
git config --global --add safe.directory "$(pwd)" | |
git config --global user.name "Salt Project Packaging" | |
git config --global user.email saltproject-packaging@vmware.com | |
git config --global user.signingkey 64CBBC8173D76B3F | |
git config --global commit.gpgsign true | |
- name: Update Latest Release on README | |
run: | | |
python3 .github/workflows/scripts/update-release-shasum.py ${{ env.BS_VERSION }} ${{ env.SH }} | |
- name: Show Changes | |
run: | | |
git status | |
git diff | |
- name: Commit Changes | |
run: | | |
git commit -am "Update README.rst with ${{ env.BS_VERSION }} release sha256sum" || \ | |
git commit -am "Update README.rst with ${{ env.BS_VERSION }} release sha256sum" | |
- name: Push Changes | |
uses: ad-m/github-push-action@b87afee92c6e70ea888be6203a3e9426fda49839 | |
with: | |
ssh: true | |
atomic: true | |
branch: develop | |
repository: ${{ github.repository }} |