name: Release on: workflow_dispatch: inputs: version: description: "Version to release (e.g. v1.2.3)" required: true kind: description: "Release kind" type: choice options: [minor, patch] required: true default: "minor" jobs: verify-inputs: name: Verify inputs runs-on: ubuntu-22.04 env: FULL_VERSION: ${{ inputs.version }} outputs: WITHOUT_V: ${{ steps.version-info.outputs.WITHOUT_V }} PART_MAJOR: ${{ steps.version-info.outputs.PART_MAJOR }} PART_MINOR: ${{ steps.version-info.outputs.PART_MINOR }} PART_PATCH: ${{ steps.version-info.outputs.PART_PATCH }} MAJOR: ${{ steps.version-info.outputs.MAJOR }} MAJOR_MINOR: ${{ steps.version-info.outputs.MAJOR_MINOR }} MAJOR_MINOR_PATCH: ${{ steps.version-info.outputs.MAJOR_MINOR_PATCH }} RELEASE_BRANCH: ${{ steps.version-info.outputs.RELEASE_BRANCH }} steps: - name: Verify version run: | if [[ ! "${FULL_VERSION}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then echo "Version must be in the form of vX.Y.Z" exit 1 fi - name: Extract version info id: version-info run: | WITHOUT_V=${FULL_VERSION#v} PART_MAJOR=${WITHOUT_V%%.*} PART_MINOR=${WITHOUT_V#*.} PART_MINOR=${PART_MINOR%%.*} PART_PATCH=${WITHOUT_V##*.} { echo "WITHOUT_V=${WITHOUT_V}" echo "PART_MAJOR=${PART_MAJOR}" echo "PART_MINOR=${PART_MINOR}" echo "PART_PATCH=${PART_PATCH}" echo "MAJOR=${PART_MAJOR}" echo "MAJOR_MINOR=${PART_MAJOR}.${PART_MINOR}" echo "MAJOR_MINOR_PATCH=${PART_MAJOR}.${PART_MINOR}.${PART_PATCH}" echo "RELEASE_BRANCH=release/v${PART_MAJOR}.${PART_MINOR}" } | tee "$GITHUB_OUTPUT" docs: name: Create docs release runs-on: ubuntu-22.04 if: inputs.kind == 'minor' needs: verify-inputs permissions: contents: write pull-requests: write env: VERSION: ${{ inputs.version }} MAJOR_MINOR: ${{ needs.verify-inputs.outputs.MAJOR_MINOR }} BRANCH: docs/${{ needs.verify-inputs.outputs.MAJOR_MINOR }} steps: - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 with: ref: ${{ github.head_ref }} - name: Create docs release working-directory: docs run: | npm install npm run docusaurus docs:version "${MAJOR_MINOR}" - name: Create docs pull request uses: peter-evans/create-pull-request@2b011faafdcbc9ceb11414d64d0573f37c774b04 # v4.2.3 with: branch: ${{ env.BRANCH }} base: main title: "docs: add release ${{ env.VERSION }}" body: | :robot: *This is an automated PR.* :robot: The PR is triggered as part of the automated release process of version ${{ env.VERSION }}. It releases a new version of the documentation. commit-message: "docs: add release ${{ env.VERSION }}" committer: edgelessci labels: no changelog # We need to push changes using a token, otherwise triggers like on:push and on:pull_request won't work. token: ${{ !github.event.pull_request.head.repo.fork && secrets.TIDY_RENOVATE_PUSH || '' }} prepare-release-branch: name: Prepare release branch runs-on: ubuntu-22.04 needs: verify-inputs permissions: contents: write env: BRANCH: ${{ needs.verify-inputs.outputs.RELEASE_BRANCH }} steps: - name: Checkout uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 with: ref: ${{ github.head_ref }} - name: Create release branch if: inputs.kind == 'minor' run: | git fetch git pull git checkout "${BRANCH}" || git checkout -B "${BRANCH}" git push origin "${BRANCH}" micro-services: name: Build micro services runs-on: ubuntu-22.04 needs: [verify-inputs, prepare-release-branch] permissions: contents: read packages: write strategy: matrix: koTarget: [ ./joinservice/cmd, ./keyservice/cmd, ./verify/cmd, ./operators/constellation-node-operator, ] include: - koTarget: ./joinservice/cmd name: join-service - koTarget: ./keyservice/cmd name: key-service - koTarget: ./verify/cmd name: verification-service - koTarget: ./operators/constellation-node-operator name: node-operator steps: - name: Checkout uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 with: ref: ${{ needs.verify-inputs.outputs.RELEASE_BRANCH }} - name: Build ${{ matrix.name }} micro service uses: ./.github/actions/build_micro_service_ko with: koTarget: ${{ matrix.koTarget }} name: ${{ matrix.name }} pushTag: ${{ inputs.version }} githubToken: ${{ secrets.GITHUB_TOKEN }} cosignPublicKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }} cosignPrivateKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }} cosignPassword: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }} micro-services-metadata: name: Build docker images runs-on: ubuntu-22.04 needs: [verify-inputs, prepare-release-branch] permissions: contents: read packages: write strategy: matrix: appName: [qemu-metadata-api, libvirt] include: - appName: qemu-metadata-api dockerfile: ./hack/qemu-metadata-api/Dockerfile - appName: libvirt dockerfile: ./cli/internal/libvirt/Dockerfile steps: - name: Checkout uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 with: ref: ${{ needs.verify-inputs.outputs.RELEASE_BRANCH }} - name: Build docker image uses: ./.github/actions/build_micro_service with: name: ${{ matrix.appName }} pushTag: ${{ inputs.version }} projectVersion: ${{ needs.verify-inputs.outputs.WITHOUT_V }} dockerfile: ${{ matrix.dockerfile }} githubToken: ${{ secrets.GITHUB_TOKEN }} cosignPublicKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }} cosignPrivateKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }} cosignPassword: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }} update-versions: name: Update container image versions needs: [verify-inputs, micro-services] runs-on: ubuntu-22.04 permissions: contents: write packages: read env: VERSION: ${{ inputs.version }} WITHOUT_V: ${{ needs.verify-inputs.outputs.WITHOUT_V }} steps: - name: Checkout uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 with: ref: ${{ needs.verify-inputs.outputs.RELEASE_BRANCH }} - name: Install crane uses: ./.github/actions/setup_crane - name: Update enterprise image version run: | sed -i "s/defaultImage = \"v[0-9]\+\.[0-9]\+\.[0-9]\+\"/defaultImage = \"${VERSION}\"/" internal/config/images_enterprise.go git add internal/config/images_enterprise.go - name: Update CMakeLists.txt run: | sed -i "s/project(constellation LANGUAGES C VERSION [0-9]\+\.[0-9]\+\.[0-9]\+)/project(constellation LANGUAGES C VERSION ${WITHOUT_V})/" CMakeLists.txt git add CMakeLists.txt - name: Update micro service versions run: | for service in node-operator join-service key-service verification-service qemu-metadata-api; do name=ghcr.io/edgelesssys/constellation/${service} digest=$(crane digest "${name}:${VERSION}") sed -i "s#\"${name}:v[0-9]\+\.[0-9]\+\.[0-9]\+[^@]*@sha256:[0-9a-f]\+\"#\"${name}:${VERSION}@${digest}\"#" internal/versions/versions.go done git add internal/versions/versions.go - name: Commit run: | git config --global user.name "release[bot]" git config --global user.email "release[bot]@users.noreply.github.com" git commit -m "deps: update version to ${VERSION}" git push os-image: name: Build OS image needs: [verify-inputs, update-versions] uses: ./.github/workflows/build-os-image.yml permissions: id-token: write contents: read packages: read secrets: inherit with: imageVersion: ${{ inputs.version }} isRelease: true stream: "stable" ref: ${{ needs.verify-inputs.outputs.RELEASE_BRANCH }} update-hardcoded-measurements: name: Update hardcoded measurements (in the CLI) needs: [verify-inputs, os-image] permissions: contents: write runs-on: ubuntu-22.04 env: VERSION: ${{ inputs.version }} WITHOUT_V: ${{ needs.verify-inputs.outputs.WITHOUT_V }} steps: - name: Checkout uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 with: ref: ${{ needs.verify-inputs.outputs.RELEASE_BRANCH }} - name: Setup Go environment uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0 with: go-version: "1.20.1" cache: true - name: Build generateMeasurements tool working-directory: internal/attestation/measurements/measurement-generator run: go build -o generate -tags=enterprise . - name: Update hardcoded measurements working-directory: internal/attestation/measurements run: | ./measurement-generator/generate git add measurements_enterprise.go - name: Commit run: | git config --global user.name "release[bot]" git config --global user.email "release[bot]@users.noreply.github.com" git commit -m "attestation: hardcode measurements for ${VERSION}" git push e2e-tests: name: Run E2E tests needs: [verify-inputs, update-hardcoded-measurements] secrets: inherit strategy: matrix: runner: [ubuntu-22.04, macos-12] csp: [aws, azure, gcp] uses: ./.github/workflows/e2e-test-manual.yml permissions: id-token: write contents: read with: workerNodesCount: 2 controlNodesCount: 3 cloudProvider: ${{ matrix.csp }} runner: ${{ matrix.runner }} test: "sonobuoy full" kubernetesVersion: "v1.25" keepMeasurements: true osImage: ${{ inputs.version }} machineType: "default" git-ref: ${{ needs.verify-inputs.outputs.RELEASE_BRANCH }} e2e-mini: name: Run E2E tests for mini Constellation needs: [verify-inputs, update-hardcoded-measurements] uses: ./.github/workflows/e2e-mini.yml permissions: id-token: write contents: read secrets: inherit with: ref: ${{ needs.verify-inputs.outputs.RELEASE_BRANCH }} tag-release: name: Tag release needs: [verify-inputs, e2e-tests, e2e-mini] runs-on: ubuntu-22.04 permissions: contents: write env: VERSION: ${{ inputs.version }} steps: - name: Checkout uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 with: ref: ${{ needs.verify-inputs.outputs.RELEASE_BRANCH }} - name: Tag release run: | git config --global user.name "release[bot]" git config --global user.email "release[bot]@users.noreply.github.com" git tag -a "${VERSION}" -m "Release ${VERSION}" git push origin "refs/tags/${VERSION}" draft-release-cli: name: Draft release (CLI) needs: [verify-inputs, tag-release] uses: ./.github/workflows/release-cli.yml permissions: actions: read contents: write id-token: write secrets: inherit with: ref: "refs/tags/${{ inputs.version }}" pr-get-changes-back-into-main: name: PR to Merge changes from release branch into main if: inputs.kind == 'minor' runs-on: ubuntu-22.04 permissions: contents: write needs: [verify-inputs, tag-release] env: VERSION: ${{ inputs.version }} NEW_BRANCH: feat/release/${{ inputs.version }}/changes-to-main steps: - name: Checkout uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 with: ref: ${{ needs.verify-inputs.outputs.RELEASE_BRANCH }} - name: Create branch with changes run: | git config --global user.name "release[bot]" git config --global user.email "release[bot]@users.noreply.github.com" git fetch git checkout -b "${NEW_BRANCH}" - name: Update CMakeLists.txt run: | sed -i "s/project(constellation LANGUAGES C VERSION [0-9]\+\.[0-9]\+\.[0-9]\+)/project(constellation LANGUAGES C VERSION 0.0.0)/" CMakeLists.txt git add CMakeLists.txt git commit -m "deps: set PROJECT_VERSION to prerelease" git push --set-upstream origin "${NEW_BRANCH}" - name: Create PR uses: peter-evans/create-pull-request@2b011faafdcbc9ceb11414d64d0573f37c774b04 # v4.2.3 with: branch: ${{ env.NEW_BRANCH }} base: main title: "release: bring back changes from ${{ env.VERSION }}" body: | :robot: *This is an automated PR.* :robot: This PR is triggered as part of the release process of version ${{ env.VERSION }}. It brings back changes from the release branch into the main branch. commit-message: "release: bring back changes from ${{ env.VERSION }}" committer: edgelessci labels: no changelog # We need to push changes using a token, otherwise triggers like on:push and on:pull_request won't work. token: ${{ !github.event.pull_request.head.repo.fork && secrets.TIDY_RENOVATE_PUSH || '' }}