name: Release on: workflow_dispatch: inputs: version: description: "Version to release (e.g. v1.2.3)" required: true kind: description: "Release kind" type: choice options: [minor, patch] required: true default: "minor" concurrency: group: ${{ github.ref }} cancel-in-progress: true jobs: verify-inputs: name: Verify inputs runs-on: ubuntu-24.04 env: FULL_VERSION: ${{ inputs.version }} outputs: WITHOUT_V: ${{ steps.version-info.outputs.WITHOUT_V }} PART_MAJOR: ${{ steps.version-info.outputs.PART_MAJOR }} PART_MINOR: ${{ steps.version-info.outputs.PART_MINOR }} PART_PATCH: ${{ steps.version-info.outputs.PART_PATCH }} MAJOR: ${{ steps.version-info.outputs.MAJOR }} MAJOR_MINOR: ${{ steps.version-info.outputs.MAJOR_MINOR }} MAJOR_MINOR_PATCH: ${{ steps.version-info.outputs.MAJOR_MINOR_PATCH }} RELEASE_BRANCH: ${{ steps.version-info.outputs.RELEASE_BRANCH }} WORKING_BRANCH: ${{ steps.version-info.outputs.WORKING_BRANCH }} steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Working branch run: echo "WORKING_BRANCH=$(git branch --show-current)" | tee -a "$GITHUB_ENV" - name: Verify version run: | if [[ ! "${FULL_VERSION}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then echo "Version must be in the form of vX.Y.Z" exit 1 fi - name: Verify temporary branch run: | if [[ ! "${WORKING_BRANCH}" =~ ^tmp/v[0-9]+\.[0-9]+\.[0-9] ]]; then echo "Workflow can only be triggered from a temporary branch in the form of tmp/vX.Y.Z" exit 1 fi - name: Extract version info id: version-info run: | WITHOUT_V=${FULL_VERSION#v} PART_MAJOR=${WITHOUT_V%%.*} PART_MINOR=${WITHOUT_V#*.} PART_MINOR=${PART_MINOR%%.*} PART_PATCH=${WITHOUT_V##*.} { echo "WITHOUT_V=${WITHOUT_V}" echo "PART_MAJOR=${PART_MAJOR}" echo "PART_MINOR=${PART_MINOR}" echo "PART_PATCH=${PART_PATCH}" echo "MAJOR=${PART_MAJOR}" echo "MAJOR_MINOR=${PART_MAJOR}.${PART_MINOR}" echo "MAJOR_MINOR_PATCH=${PART_MAJOR}.${PART_MINOR}.${PART_PATCH}" echo "RELEASE_BRANCH=release/v${PART_MAJOR}.${PART_MINOR}" echo "WORKING_BRANCH=${WORKING_BRANCH}" } | tee -a "$GITHUB_OUTPUT" update-main-branch: name: Update main branch with release changes runs-on: ubuntu-24.04 needs: verify-inputs permissions: contents: write pull-requests: write env: VERSION: ${{ inputs.version }} MAJOR_MINOR: ${{ needs.verify-inputs.outputs.MAJOR_MINOR }} BRANCH: docs/${{ needs.verify-inputs.outputs.MAJOR_MINOR }} steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: main - name: Configure git run: | git config --global user.name "edgelessci" git config --global user.email "edgelessci@users.noreply.github.com" - name: Create docs release if: inputs.kind == 'minor' working-directory: docs run: | npm ci npm run docusaurus docs:version "${MAJOR_MINOR}" git add . git commit -am "docs: release ${MAJOR_MINOR}" # Clean up auxiliary files, so next steps run on a clean tree git clean -fdx :/ - name: Update version.txt if: inputs.kind == 'minor' run: | pre_release_version="v${{ needs.verify-inputs.outputs.PART_MAJOR }}.$((${{ needs.verify-inputs.outputs.PART_MINOR }} + 1)).0-pre" echo "${pre_release_version}" > version.txt git add version.txt git commit -m "chore: update version.txt to ${pre_release_version}" - name: Update CI for new version run: | sed -i 's/fromVersion: \["[^"]*"\]/fromVersion: ["${{ inputs.version }}"]/g' .github/workflows/e2e-test-release.yml sed -i 's/fromVersion: \["[^"]*"\]/fromVersion: ["${{ inputs.version }}"]/g' .github/workflows/e2e-test-weekly.yml - name: Create docs pull request uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5 with: branch: ${{ env.BRANCH }} base: main title: "Post ${{ env.VERSION }} release updates to main" body: | :robot: *This is an automated PR.* :robot: The PR is triggered as part of the automated release process of version ${{ env.VERSION }}. commit-message: "chore: update CI for ${{ env.VERSION }}" committer: edgelessci author: edgelessci labels: no changelog assignees: ${{ github.actor }} reviewers: ${{ github.actor }} # We need to push changes using a token, otherwise triggers like on:push and on:pull_request won't work. token: ${{ !github.event.pull_request.head.repo.fork && secrets.CI_COMMIT_PUSH_PR || '' }} check-working-branch: name: Check temporary working branch runs-on: ubuntu-24.04 needs: verify-inputs permissions: contents: write env: RELEASE_BRANCH: ${{ needs.verify-inputs.outputs.RELEASE_BRANCH }} WORKING_BRANCH: ${{ needs.verify-inputs.outputs.WORKING_BRANCH }} steps: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ needs.verify-inputs.outputs.WORKING_BRANCH }} - name: Check if we are strictly ahead of the release branch (if it exists) run: | git fetch git pull git checkout "${RELEASE_BRANCH}" || exit 0 git checkout "${WORKING_BRANCH}" ahead=$(git rev-list HEAD --not "${RELEASE_BRANCH}" | wc -l) if [[ "${ahead}" -eq 0 ]]; then echo "The current branch is not strictly ahead of the release branch. Please rebase." exit 1 fi - name: Write version to version.txt run: | git checkout "${WORKING_BRANCH}" echo "${{ inputs.version }}" > version.txt git config --global user.name "edgelessci" git config --global user.email "edgelessci@users.noreply.github.com" git add version.txt git diff --staged --quiet || git commit -m "chore: update version.txt to ${{ inputs.version }}" git push origin "${WORKING_BRANCH}" update-versions: name: Update container image versions needs: [verify-inputs, check-working-branch] runs-on: ubuntu-24.04 permissions: contents: write packages: read env: VERSION: ${{ inputs.version }} WITHOUT_V: ${{ needs.verify-inputs.outputs.WITHOUT_V }} steps: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ needs.verify-inputs.outputs.WORKING_BRANCH }} - name: Update enterprise image version run: | defaultVersionReg='defaultImage = \"[^\"]*\"' # Ensure regexp matches (otherwise the file was changed or the workflow is broken). grep -E "${defaultVersionReg}" internal/config/image_enterprise.go # Update version. sed -i "s/${defaultVersionReg}/defaultImage = \"${VERSION}\"/" internal/config/image_enterprise.go git add internal/config/image_enterprise.go - name: Update s3proxy Chart version run: | yq eval -i ".version = \"$WITHOUT_V\"" s3proxy/deploy/s3proxy/Chart.yaml yq eval -i ".image = \"ghcr.io/edgelesssys/constellation/s3proxy:$VERSION\"" s3proxy/deploy/s3proxy/values.yaml git add s3proxy/deploy/s3proxy/Chart.yaml s3proxy/deploy/s3proxy/values.yaml - name: Commit run: | git config --global user.name "edgelessci" git config --global user.email "edgelessci@users.noreply.github.com" if git diff-index --quiet HEAD --; then echo "No changes to commit" else git commit -m "deps: update versions to ${VERSION}" git push fi - name: Publish s3proxy uses: ./.github/actions/publish_helmchart with: chartPath: ${{ github.workspace }}/s3proxy/deploy/s3proxy githubToken: ${{ secrets.CI_GITHUB_REPOSITORY }} os-image: name: Build OS image needs: [verify-inputs, update-versions] uses: ./.github/workflows/build-os-image.yml permissions: id-token: write contents: read packages: read secrets: inherit with: imageVersion: ${{ inputs.version }} isRelease: true stream: "stable" ref: ${{ needs.verify-inputs.outputs.WORKING_BRANCH }} update-hardcoded-measurements: name: Update hardcoded measurements (in the CLI) needs: [verify-inputs, os-image] permissions: contents: write runs-on: ubuntu-24.04 env: VERSION: ${{ inputs.version }} WITHOUT_V: ${{ needs.verify-inputs.outputs.WITHOUT_V }} steps: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ needs.verify-inputs.outputs.WORKING_BRANCH }} - name: Setup Go environment uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 with: go-version: "1.23.2" cache: true - name: Build generateMeasurements tool working-directory: internal/attestation/measurements/measurement-generator run: go build -o generate -tags=enterprise . - name: Update hardcoded measurements working-directory: internal/attestation/measurements run: | ./measurement-generator/generate git add measurements_enterprise.go - name: Commit run: | git config --global user.name "edgelessci" git config --global user.email "edgelessci@users.noreply.github.com" if git diff-index --quiet HEAD --; then echo "No changes to commit" else git commit -m "attestation: hardcode measurements for ${VERSION}" git push fi draft-release: name: Draft release (CLI) needs: [verify-inputs, update-hardcoded-measurements] uses: ./.github/workflows/draft-release.yml permissions: actions: read contents: write id-token: write packages: write secrets: inherit with: versionName: ${{ inputs.version }} ref: ${{ needs.verify-inputs.outputs.WORKING_BRANCH }} pushContainers: true key: 'release' e2e-tests: name: Run E2E tests needs: [verify-inputs, draft-release] uses: ./.github/workflows/e2e-test-release.yml permissions: checks: write packages: write id-token: write contents: read actions: write secrets: inherit with: ref: ${{ needs.verify-inputs.outputs.WORKING_BRANCH }} targetVersion: ${{ inputs.version }} mini-e2e: name: Run mini E2E tests needs: [verify-inputs, draft-release] uses: ./.github/workflows/e2e-mini.yml permissions: checks: write packages: write id-token: write contents: read secrets: inherit with: ref: ${{ needs.verify-inputs.outputs.WORKING_BRANCH }}