mirror of
https://github.com/edgelesssys/constellation.git
synced 2025-01-25 14:56:18 -05:00
8f3d6c42f2
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
327 lines
11 KiB
YAML
327 lines
11 KiB
YAML
name: Release
|
|
|
|
on:
|
|
workflow_dispatch:
|
|
inputs:
|
|
version:
|
|
description: "Version to release (e.g. v1.2.3)"
|
|
required: true
|
|
kind:
|
|
description: "Release kind"
|
|
type: choice
|
|
options: [minor, patch]
|
|
required: true
|
|
default: "minor"
|
|
|
|
concurrency:
|
|
group: ${{ github.ref }}
|
|
cancel-in-progress: true
|
|
jobs:
|
|
verify-inputs:
|
|
name: Verify inputs
|
|
runs-on: ubuntu-24.04
|
|
env:
|
|
FULL_VERSION: ${{ inputs.version }}
|
|
outputs:
|
|
WITHOUT_V: ${{ steps.version-info.outputs.WITHOUT_V }}
|
|
PART_MAJOR: ${{ steps.version-info.outputs.PART_MAJOR }}
|
|
PART_MINOR: ${{ steps.version-info.outputs.PART_MINOR }}
|
|
PART_PATCH: ${{ steps.version-info.outputs.PART_PATCH }}
|
|
MAJOR: ${{ steps.version-info.outputs.MAJOR }}
|
|
MAJOR_MINOR: ${{ steps.version-info.outputs.MAJOR_MINOR }}
|
|
MAJOR_MINOR_PATCH: ${{ steps.version-info.outputs.MAJOR_MINOR_PATCH }}
|
|
RELEASE_BRANCH: ${{ steps.version-info.outputs.RELEASE_BRANCH }}
|
|
WORKING_BRANCH: ${{ steps.version-info.outputs.WORKING_BRANCH }}
|
|
steps:
|
|
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
|
|
|
- name: Working branch
|
|
run: echo "WORKING_BRANCH=$(git branch --show-current)" | tee -a "$GITHUB_ENV"
|
|
|
|
- name: Verify version
|
|
run: |
|
|
if [[ ! "${FULL_VERSION}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
|
|
echo "Version must be in the form of vX.Y.Z"
|
|
exit 1
|
|
fi
|
|
|
|
- name: Verify temporary branch
|
|
run: |
|
|
if [[ ! "${WORKING_BRANCH}" =~ ^tmp/v[0-9]+\.[0-9]+\.[0-9] ]]; then
|
|
echo "Workflow can only be triggered from a temporary branch in the form of tmp/vX.Y.Z"
|
|
exit 1
|
|
fi
|
|
|
|
- name: Extract version info
|
|
id: version-info
|
|
run: |
|
|
WITHOUT_V=${FULL_VERSION#v}
|
|
PART_MAJOR=${WITHOUT_V%%.*}
|
|
PART_MINOR=${WITHOUT_V#*.}
|
|
PART_MINOR=${PART_MINOR%%.*}
|
|
PART_PATCH=${WITHOUT_V##*.}
|
|
{
|
|
echo "WITHOUT_V=${WITHOUT_V}"
|
|
echo "PART_MAJOR=${PART_MAJOR}"
|
|
echo "PART_MINOR=${PART_MINOR}"
|
|
echo "PART_PATCH=${PART_PATCH}"
|
|
echo "MAJOR=${PART_MAJOR}"
|
|
echo "MAJOR_MINOR=${PART_MAJOR}.${PART_MINOR}"
|
|
echo "MAJOR_MINOR_PATCH=${PART_MAJOR}.${PART_MINOR}.${PART_PATCH}"
|
|
echo "RELEASE_BRANCH=release/v${PART_MAJOR}.${PART_MINOR}"
|
|
echo "WORKING_BRANCH=${WORKING_BRANCH}"
|
|
} | tee -a "$GITHUB_OUTPUT"
|
|
|
|
update-main-branch:
|
|
name: Update main branch with release changes
|
|
runs-on: ubuntu-24.04
|
|
needs: verify-inputs
|
|
permissions:
|
|
contents: write
|
|
pull-requests: write
|
|
env:
|
|
VERSION: ${{ inputs.version }}
|
|
MAJOR_MINOR: ${{ needs.verify-inputs.outputs.MAJOR_MINOR }}
|
|
BRANCH: docs/${{ needs.verify-inputs.outputs.MAJOR_MINOR }}
|
|
steps:
|
|
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
|
with:
|
|
ref: main
|
|
|
|
- name: Configure git
|
|
run: |
|
|
git config --global user.name "edgelessci"
|
|
git config --global user.email "edgelessci@users.noreply.github.com"
|
|
|
|
- name: Create docs release
|
|
if: inputs.kind == 'minor'
|
|
working-directory: docs
|
|
run: |
|
|
npm ci
|
|
npm run docusaurus docs:version "${MAJOR_MINOR}"
|
|
git add .
|
|
git commit -am "docs: release ${MAJOR_MINOR}"
|
|
# Clean up auxiliary files, so next steps run on a clean tree
|
|
git clean -fdx :/
|
|
|
|
- name: Update version.txt
|
|
if: inputs.kind == 'minor'
|
|
run: |
|
|
pre_release_version="v${{ needs.verify-inputs.outputs.PART_MAJOR }}.$((${{ needs.verify-inputs.outputs.PART_MINOR }} + 1)).0-pre"
|
|
echo "${pre_release_version}" > version.txt
|
|
git add version.txt
|
|
git commit -m "chore: update version.txt to ${pre_release_version}"
|
|
|
|
- name: Update CI for new version
|
|
run: |
|
|
sed -i 's/fromVersion: \["[^"]*"\]/fromVersion: ["${{ inputs.version }}"]/g' .github/workflows/e2e-test-release.yml
|
|
sed -i 's/fromVersion: \["[^"]*"\]/fromVersion: ["${{ inputs.version }}"]/g' .github/workflows/e2e-test-weekly.yml
|
|
|
|
- name: Create docs pull request
|
|
uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5
|
|
with:
|
|
branch: ${{ env.BRANCH }}
|
|
base: main
|
|
title: "Post ${{ env.VERSION }} release updates to main"
|
|
body: |
|
|
:robot: *This is an automated PR.* :robot:
|
|
|
|
The PR is triggered as part of the automated release process of version ${{ env.VERSION }}.
|
|
commit-message: "chore: update CI for ${{ env.VERSION }}"
|
|
committer: edgelessci <edgelessci@users.noreply.github.com>
|
|
author: edgelessci <edgelessci@users.noreply.github.com>
|
|
labels: no changelog
|
|
assignees: ${{ github.actor }}
|
|
reviewers: ${{ github.actor }}
|
|
# We need to push changes using a token, otherwise triggers like on:push and on:pull_request won't work.
|
|
token: ${{ !github.event.pull_request.head.repo.fork && secrets.CI_COMMIT_PUSH_PR || '' }}
|
|
|
|
check-working-branch:
|
|
name: Check temporary working branch
|
|
runs-on: ubuntu-24.04
|
|
needs: verify-inputs
|
|
permissions:
|
|
contents: write
|
|
env:
|
|
RELEASE_BRANCH: ${{ needs.verify-inputs.outputs.RELEASE_BRANCH }}
|
|
WORKING_BRANCH: ${{ needs.verify-inputs.outputs.WORKING_BRANCH }}
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
|
with:
|
|
ref: ${{ needs.verify-inputs.outputs.WORKING_BRANCH }}
|
|
|
|
- name: Check if we are strictly ahead of the release branch (if it exists)
|
|
run: |
|
|
git fetch
|
|
git pull
|
|
git checkout "${RELEASE_BRANCH}" || exit 0
|
|
git checkout "${WORKING_BRANCH}"
|
|
ahead=$(git rev-list HEAD --not "${RELEASE_BRANCH}" | wc -l)
|
|
if [[ "${ahead}" -eq 0 ]]; then
|
|
echo "The current branch is not strictly ahead of the release branch. Please rebase."
|
|
exit 1
|
|
fi
|
|
|
|
- name: Write version to version.txt
|
|
run: |
|
|
git checkout "${WORKING_BRANCH}"
|
|
echo "${{ inputs.version }}" > version.txt
|
|
git config --global user.name "edgelessci"
|
|
git config --global user.email "edgelessci@users.noreply.github.com"
|
|
git add version.txt
|
|
git diff --staged --quiet || git commit -m "chore: update version.txt to ${{ inputs.version }}"
|
|
git push origin "${WORKING_BRANCH}"
|
|
|
|
update-versions:
|
|
name: Update container image versions
|
|
needs: [verify-inputs, check-working-branch]
|
|
runs-on: ubuntu-24.04
|
|
permissions:
|
|
contents: write
|
|
packages: read
|
|
env:
|
|
VERSION: ${{ inputs.version }}
|
|
WITHOUT_V: ${{ needs.verify-inputs.outputs.WITHOUT_V }}
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
|
with:
|
|
ref: ${{ needs.verify-inputs.outputs.WORKING_BRANCH }}
|
|
|
|
- name: Update enterprise image version
|
|
run: |
|
|
defaultVersionReg='defaultImage = \"[^\"]*\"'
|
|
|
|
# Ensure regexp matches (otherwise the file was changed or the workflow is broken).
|
|
grep -E "${defaultVersionReg}" internal/config/image_enterprise.go
|
|
|
|
# Update version.
|
|
sed -i "s/${defaultVersionReg}/defaultImage = \"${VERSION}\"/" internal/config/image_enterprise.go
|
|
git add internal/config/image_enterprise.go
|
|
|
|
- name: Update s3proxy Chart version
|
|
run: |
|
|
yq eval -i ".version = \"$WITHOUT_V\"" s3proxy/deploy/s3proxy/Chart.yaml
|
|
yq eval -i ".image = \"ghcr.io/edgelesssys/constellation/s3proxy:$VERSION\"" s3proxy/deploy/s3proxy/values.yaml
|
|
|
|
git add s3proxy/deploy/s3proxy/Chart.yaml s3proxy/deploy/s3proxy/values.yaml
|
|
|
|
- name: Commit
|
|
run: |
|
|
git config --global user.name "edgelessci"
|
|
git config --global user.email "edgelessci@users.noreply.github.com"
|
|
if git diff-index --quiet HEAD --; then
|
|
echo "No changes to commit"
|
|
else
|
|
git commit -m "deps: update versions to ${VERSION}"
|
|
git push
|
|
fi
|
|
|
|
- name: Publish s3proxy
|
|
uses: ./.github/actions/publish_helmchart
|
|
with:
|
|
chartPath: ${{ github.workspace }}/s3proxy/deploy/s3proxy
|
|
githubToken: ${{ secrets.CI_GITHUB_REPOSITORY }}
|
|
|
|
os-image:
|
|
name: Build OS image
|
|
needs: [verify-inputs, update-versions]
|
|
uses: ./.github/workflows/build-os-image.yml
|
|
permissions:
|
|
id-token: write
|
|
contents: read
|
|
packages: read
|
|
secrets: inherit
|
|
with:
|
|
imageVersion: ${{ inputs.version }}
|
|
isRelease: true
|
|
stream: "stable"
|
|
ref: ${{ needs.verify-inputs.outputs.WORKING_BRANCH }}
|
|
|
|
update-hardcoded-measurements:
|
|
name: Update hardcoded measurements (in the CLI)
|
|
needs: [verify-inputs, os-image]
|
|
permissions:
|
|
contents: write
|
|
runs-on: ubuntu-24.04
|
|
env:
|
|
VERSION: ${{ inputs.version }}
|
|
WITHOUT_V: ${{ needs.verify-inputs.outputs.WITHOUT_V }}
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
|
with:
|
|
ref: ${{ needs.verify-inputs.outputs.WORKING_BRANCH }}
|
|
|
|
- name: Setup Go environment
|
|
uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
|
|
with:
|
|
go-version: "1.23.2"
|
|
cache: true
|
|
|
|
- name: Build generateMeasurements tool
|
|
working-directory: internal/attestation/measurements/measurement-generator
|
|
run: go build -o generate -tags=enterprise .
|
|
|
|
- name: Update hardcoded measurements
|
|
working-directory: internal/attestation/measurements
|
|
run: |
|
|
./measurement-generator/generate
|
|
git add measurements_enterprise.go
|
|
|
|
- name: Commit
|
|
run: |
|
|
git config --global user.name "edgelessci"
|
|
git config --global user.email "edgelessci@users.noreply.github.com"
|
|
if git diff-index --quiet HEAD --; then
|
|
echo "No changes to commit"
|
|
else
|
|
git commit -m "attestation: hardcode measurements for ${VERSION}"
|
|
git push
|
|
fi
|
|
|
|
draft-release:
|
|
name: Draft release (CLI)
|
|
needs: [verify-inputs, update-hardcoded-measurements]
|
|
uses: ./.github/workflows/draft-release.yml
|
|
permissions:
|
|
actions: read
|
|
contents: write
|
|
id-token: write
|
|
packages: write
|
|
secrets: inherit
|
|
with:
|
|
versionName: ${{ inputs.version }}
|
|
ref: ${{ needs.verify-inputs.outputs.WORKING_BRANCH }}
|
|
pushContainers: true
|
|
key: 'release'
|
|
|
|
e2e-tests:
|
|
name: Run E2E tests
|
|
needs: [verify-inputs, draft-release]
|
|
uses: ./.github/workflows/e2e-test-release.yml
|
|
permissions:
|
|
checks: write
|
|
packages: write
|
|
id-token: write
|
|
contents: read
|
|
actions: write
|
|
secrets: inherit
|
|
with:
|
|
ref: ${{ needs.verify-inputs.outputs.WORKING_BRANCH }}
|
|
targetVersion: ${{ inputs.version }}
|
|
|
|
mini-e2e:
|
|
name: Run mini E2E tests
|
|
needs: [verify-inputs, draft-release]
|
|
uses: ./.github/workflows/e2e-mini.yml
|
|
permissions:
|
|
checks: write
|
|
packages: write
|
|
id-token: write
|
|
contents: read
|
|
secrets: inherit
|
|
with:
|
|
ref: ${{ needs.verify-inputs.outputs.WORKING_BRANCH }}
|