diff --git a/.github/workflows/release-cli.yml b/.github/workflows/release-cli.yml index 402c07cb1..5eac4a7f9 100644 --- a/.github/workflows/release-cli.yml +++ b/.github/workflows/release-cli.yml @@ -3,6 +3,10 @@ name: Build CLI and prepare release on: workflow_dispatch: inputs: + versionName: + type: string + description: "Version to use for the release (e.g. v1.2.3)" + required: true ref: type: string description: "Git ref to checkout" @@ -22,6 +26,10 @@ on: required: true workflow_call: inputs: + versionName: + type: string + description: "Version to use for the release (e.g. v1.2.3)" + required: true ref: type: string description: "Git ref to checkout" @@ -387,7 +395,7 @@ jobs: with: draft: true generate_release_notes: true - tag_name: ${{ inputs.ref }} + tag_name: ${{ inputs.versionName || inputs.ref || github.head_ref }} files: | constellation-* cosign.pub diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index ffeb97eed..e12812f5c 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -239,30 +239,9 @@ jobs: git commit -m "attestation: hardcode measurements for ${VERSION}" git push - tag-release: - name: Tag release - needs: [verify-inputs, update-hardcoded-measurements] - runs-on: ubuntu-22.04 - permissions: - contents: write - env: - VERSION: ${{ inputs.version }} - steps: - - name: Checkout - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - with: - ref: ${{ needs.verify-inputs.outputs.WORKING_BRANCH }} - - - name: Tag release - run: | - git config --global user.name "edgelessci" - git config --global user.email "edgelessci@users.noreply.github.com" - git tag -a "${VERSION}" -m "Release ${VERSION}" - git push --force origin "refs/tags/${VERSION}" # force push to overwrite existing tag - draft-release-cli: name: Draft release (CLI) - needs: [verify-inputs, tag-release] + needs: [verify-inputs, update-hardcoded-measurements] uses: ./.github/workflows/release-cli.yml permissions: actions: read @@ -271,7 +250,8 @@ jobs: packages: write secrets: inherit with: - ref: "refs/tags/${{ inputs.version }}" + versionName: ${{ inputs.version }} + ref: ${{ needs.verify-inputs.outputs.WORKING_BRANCH }} pushContainers: true key: 'release' diff --git a/dev-docs/workflows/release.md b/dev-docs/workflows/release.md index 21f24fdd2..7e943404b 100644 --- a/dev-docs/workflows/release.md +++ b/dev-docs/workflows/release.md @@ -5,9 +5,7 @@ This checklist will prepare `v1.3.0` from `v1.2.0` (minor release) or `v1.3.1` f ## Preparation 1. Search the code for TODOs and FIXMEs that should be resolved before releasing. -2. [Update titles and labels for all PRs relevant for this release](/dev-docs/conventions.md#pr-conventions) to aid in the [changelog generation](/.github/release.yml). - - +2. [Update titles and labels for all PRs relevant for this release](/dev-docs/workflows/pull-request.md) to aid in the [changelog generation](/.github/release.yml). ## Automated release 
@@ -16,6 +14,7 @@ Releases should be performed using [the automated release pipeline](https://gith ### Prepare temporary working branch 1. Create a temporary working branch to prepare the release. This branch should be based on main if preparing a minor release or be based on the existing release branch if it is a patch release. + ```sh ver=v1.3.1 # replace me minor=$(echo ${ver} | cut -d '.' -f 1,2) 
@@ -31,41 +30,51 @@ Releases should be performed using [the automated release pipeline](https://gith git push origin ${working_branch} ``` - ### Patch release 1. `cherry-pick` (only) the required commits from `main` * Check PRs with label [needs-backport](https://github.com/edgelesssys/constellation/pulls?q=is%3Apr+is%3Aclosed+label%3A%22needs+backport%22) to find candidates that should be included in a patch release. 2. trigger the automated release pipeline from the working branch created above: + ```sh gh workflow run release.yml --ref ${working_branch} -F version=${ver} -F kind=patch ``` + 3. wait for the pipeline to finish 4. while in editing mode for the release, clear the textbox, select the last patch release for the current release branch and click "Generate release notes". 5. look over the autogenerated draft release. When fixing the changelog, prioritize updating the PR title/labels/description and regenerating the changelog over fixing things in the final changelog. The changelog should be primarily aimed at users. Rule of thumb: first part of the sentence should describe what changed for the user, second part can describe what has been changed to achieve this. -6. publish. +6. in the GitHub release UI, set the tag to create on publish to `$ver`. +7. publish. + ### Minor release 1. Merge ready PRs 2. trigger the automated release pipeline from the working branch created above: + ```sh gh workflow run release.yml --ref ${working_branch} -F version=${ver} -F kind=minor ``` + 3. wait for the pipeline to finish 4. upgrade the dogfooding cluster. Note that `upgrade check --update-config` will not yet show the new image. 
But you can manually set it in the config: -```sh -./constellation upgrade check --update-config -yq eval -i '.image="vX.YY.Z"' constellation-conf.yaml -./constellation config fetch-measurements -./constellation upgrade apply --yes --debug -``` -Then wait until the node / Kubernetes upgrades are finished by periodically checking: -```sh -./constellation status -``` + + ```sh + ./constellation upgrade check --update-config + yq eval -i '.image="vX.YY.Z"' constellation-conf.yaml + ./constellation config fetch-measurements + ./constellation upgrade apply --yes --debug + ``` + + Then wait until the node / Kubernetes upgrades are finished by periodically checking: + + ```sh + ./constellation status + ``` + 5. while in editing mode for the release, clear the textbox, select the last minor release and click "Generate release notes". 6. look over the autogenerated draft release. When fixing the changelog, prioritize updating the PR title/labels/description and regenerating the changelog over fixing things in the final changelog. The changelog should be primarily aimed at users. Rule of thumb: first part of the sentence should describe what changed for the user, second part can describe what has been changed to achieve this. -7. publish. +7. in the GitHub release UI, set the tag to create on publish to `$ver`. +8. publish. ## Post release steps 
@@ -75,25 +84,29 @@ Then wait until the node / Kubernetes upgrades are finished by periodically chec 2. Add the next release manager and an approximate release date to the milestone description 3. Close the milestone for the release 4. Move open issues and PRs from closed milestone to next milestone -3. If the release is a minor version release, bump the pre-release version in the `version.txt` file. +3. If the release is a minor version release, bump the pre-release version in the `version.txt` file. 4. Update the `fromVersion` in `e2e-test-release.yml` and `e2e-test-weekly.yaml` to the newly released version. To check the current values, run: `grep "fromVersion: \[.*\]" -R .github`. 5. Reset `upgradeRequiresIAMMigration` in `iamupgradeapply.go`. ## Troubleshooting: Pipeline cleanup + No manual steps should be necessary anymore but in case you encounter issues, create a ticket to fix it. These are instructions to do some cleanup steps manually: + ### General Depending on how far the pipeline ran we need to delete: -- the working branch (remove automated commits made by the process, keep any cherry picks) -- the release tag create by the pipeline: `v1.3.0`/`v1.3.1` -- (only minor releases) the branch to merge changes back to main: `feat/release/v1.3.0` + +* the working branch (remove automated commits made by the process, keep any cherry picks) +* (only minor releases) the branch to merge changes back to main: `feat/release/v1.3.0` ### GCP + 1. Navigate to [Images](https://console.cloud.google.com/compute/images?tab=images&project=constellation-images) tab of the "constellation-images" project 2. Search for the image versions "v1-3-0-gcp-sev-es-stable" and "v1-3-0-gcp-sev-snp-stable" -3. Select the images and press "DELETE"  +3. Select the images and press "DELETE" ### Azure + 1. Navigate to [Azure compute galleries](https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2Fgalleries) 2. 
Select "Constellation_CVM" (this is for confidential vms on AMD SEV SNP) 3. Select image definition "constellation" @@ -101,17 +114,21 @@ Depending on how far the pipeline ran we need to delete: 5. Press "Delete" button NEXT TO THE IMAGE VERSION TABLE. Do no delete the image definition. ### AWS + **Important:** You need to repeat the following steps for every region supported by Constellation! -Currently, this includes:  -- Frankfurt (eu-central-1) -- Ireland (eu-west-1) -- Paris (eu-west-3) -- Ohio (us-east-2) -- Mumbai (ap-south-1)  +Currently, this includes: + +* Frankfurt (eu-central-1) +* Ireland (eu-west-1) +* Paris (eu-west-3) +* Ohio (us-east-2) +* Mumbai (ap-south-1) #### Automated script + This is a script to automate the deletion but please be super careful to set the version correctly. -``` + +```shell VERSION=vX.XX.X # !! DOUBLE CHECK CORRECTNESS! regions=("eu-central-1" "eu-west-1" "eu-west-3" "us-east-2" "ap-south-1") for region in "${regions[@]}" @@ -124,6 +141,7 @@ done ``` #### Manual GUI steps + 1. Navigate to [AMI](https://eu-central-1.console.aws.amazon.com/ec2/home?region=eu-central-1#Images:visibility=owned-by-me) 2. Search for release version "constellation-v1.3.0" and select the AMIs for both variants ("constellation-v1.3.0-aws-sev-snp" and "constellation-v1.3.0-aws-nitro-tpm") 3. On the "Actions" button (top right) select "Deregister AMI"
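Review bot: In release-cli.yml, `tag_name: ${{ inputs.versionName || inputs.ref || github.head_ref }}` carries fallbacks that are either unreachable or unsafe. `versionName` is declared `required: true` for both `workflow_dispatch` and `workflow_call`, so the fallbacks should never be evaluated. If they ever were, the release would be tagged with a git ref instead of a version, and release.yml now passes a working branch name as `ref`. Suggest using `inputs.versionName` alone and adding a step that rejects values that do not match the `v1.2.3` form given in the input description before the draft is created.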
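Review bot: In release.yml, `ref: ${{ needs.verify-inputs.outputs.WORKING_BRANCH }}` hands the CLI build a branch name where the removed line passed `refs/tags/${{ inputs.version }}`. A branch can move between the `git push` in update-hardcoded-measurements and the checkout in release-cli.yml, so nothing in this workflow fixes which commit is built. Suggest exporting the commit SHA as a job output after that push and passing it as `ref`, so the drafted artifacts correspond to one known commit.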
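Review bot: In release.md, the new step "in the GitHub release UI, set the tag to create on publish to `$ver`" (patch release step 6, minor release step 7) does not say which target the tag should be created from. With the tag-release job removed, the commit the tag points at is chosen by hand at publish time, and for a new tag the release UI asks for a target. Suggest naming the target explicitly (the branch the artifacts were built from) and adding a post-publish check that the tag resolves to the commit the pipeline built, which includes the "attestation: hardcode measurements" commit.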
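Review bot: In release.md under "Automated script", the fence is opened with `shell` while every other block touched by this patch uses `sh`. Suggest `sh` for consistency, or `bash`, since the script relies on an array (`regions=(...)` and `"${regions[@]}"`).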