Merge pull request #1456 from Acepresso/release-notes-EC-1164

Acepresso · web-flow · commit 8ef1106308b6 · 2025-08-06T14:44:26.000+03:00
Add automated release creation workflow
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -0,0 +1,162 @@
+# Copyright The Conforma Contributors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+---
+name: Release
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '0 9 * * 3' # every Wednesday
+
+permissions:
+  contents: read
+
+env:
+  TRACKED_PATHS: "acceptance/ policy/"
+  
+jobs:
+
+  get_info:
+
+    runs-on: ubuntu-latest
+    outputs:
+      latest_tag: ${{ steps.get_info.outputs.latest_tag }}
+      latest_tag_sha: ${{ steps.get_info.outputs.latest_tag_sha }}
+      changed: ${{ steps.get_info.outputs.changed }}
+      next_version: ${{ steps.get_info.outputs.next_version }}
+
+    steps:
+
+      - name: Harden Runner
+        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+        with:
+          egress-policy: audit
+          disable-telemetry: true
+
+      - name: Checkout code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+
+      - name: Get info
+        id: get_info
+        run: |
+          set -e
+          git fetch --tags
+          source hack/derive-version.sh $TRACKED_PATHS
+          
+          echo latest_tag=$LATEST_TAG | tee -a "$GITHUB_OUTPUT"
+          echo latest_tag_sha=$LATEST_TAG_SHA | tee -a "$GITHUB_OUTPUT"
+          echo changed=$HAVE_CHANGED | tee -a "$GITHUB_OUTPUT"
+          echo next_version=$NEXT_VERSION | tee -a "$GITHUB_OUTPUT"
+
+  generate_release_notes:
+
+    needs: get_info
+    if: needs.get_info.outputs.changed == 'true'
+    timeout-minutes: 15
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+
+      - name: Harden Runner
+        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+        with:
+          egress-policy: audit
+          disable-telemetry: true
+
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+
+      - name: Fetch tags
+        id: fetch_tags
+        run: |
+          git fetch --tags
+
+      - name: Generate release notes
+        uses: google-gemini/gemini-cli-action@main
+        with:
+          GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }}
+          version: latest
+          settings_json: |
+            {
+              "sandbox": true,
+              "autoAccept": true
+            }
+          prompt: |
+            Make a list of all notable changes since the tag ${{needs.get_info.outputs.latest_tag}}
+            and categorize it nicely with emojis, output as Markdown and a
+            one liner of the change. Add a jira link for each change if 
+            specified in the commit message. put the link in the begining 
+            of the line.
+            Preface the release notes with a brief summary of the release.
+            Don't create a title for the release.
+            Also save the release notes in a file named "release-notes.md".
+
+      - name: Upload artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: release-notes
+          path: release-notes.md
+
+
+  create_release:
+    needs: [get_info, generate_release_notes]
+    if: ${{ needs.get_info.outputs.changed == 'true' && needs.generate_release_notes.result == 'success'}}
+    permissions:
+      contents: write
+    runs-on: ubuntu-latest
+
+    steps:
+
+      - name: Harden Runner
+        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+        with:
+          egress-policy: audit
+          disable-telemetry: true
+
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+
+      - name: Tag
+        run: |
+          set -e
+          git fetch --tags
+          git config --local user.email "action@github.com"
+          git config --local user.name "GitHub Action"          
+          
+          source hack/add-auto-tag.sh
+          git push -f --tags
+
+      - name: Download artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: release-notes
+
+      - name: Create a release
+        uses: softprops/action-gh-release@72f2c25fcb47643c292f7107632f7a47c1df5cd8 # v2.3.2
+        with:
+          name: ${{ needs.get_info.outputs.next_version }}
+          tag_name: ${{ needs.get_info.outputs.next_version }}
+          body_path: "release-notes.md"
+          make_latest: false
+          generate_release_notes: false
diff --git a/hack/add-auto-tag.sh b/hack/add-auto-tag.sh
@@ -0,0 +1,49 @@
+#!/usr/bin/env bash
+# Copyright The Conforma Contributors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+AUTO_TAG=$(hack/derive-version.sh)
+
+if [ -z "$(git tag -l $AUTO_TAG)" ]; then
+  # Create a tag
+  echo "Creating tag $AUTO_TAG"
+  git tag -a -m 'Version tag added automatically' "$AUTO_TAG"
+
+else
+  # The tag exists already
+  # Hopefully this won't happen, but let's not break the build if it does
+  THIS_SHA=$(git rev-list -n1 --abbrev-commit HEAD)
+  TAG_SHA=$(git rev-list -n1 --abbrev-commit "$AUTO_TAG")
+
+  if [ "$TAG_SHA" = "$THIS_SHA" ]; then
+    # Tag is already what we wanted it to be. No big deal.
+    echo "Tag $AUTO_TAG exists already"
+
+  else
+    # This is more surprising. If you see this it's likely you want to do
+    # some debugging to figure out what happened and why
+    echo "Tag $AUTO_TAG exists already but on $TAG_SHA not $THIS_SHA. Skipping tag creation."
+    echo "You should try to figure out why this happened!"
+
+    # Todo: Once we think this is stable enough we should fail more loudly
+    #exit 1
+
+  fi
+fi
diff --git a/hack/derive-version.sh b/hack/derive-version.sh
@@ -0,0 +1,45 @@
+#!/usr/bin/env bash
+# Copyright The Conforma Contributors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+# Assumptions:
+# 1. A tag exists on branch "main" and contains the major.minor.patch version number
+# 2. Git checkouts are done with fetch-depth=0 so we have enough history
+# 3. Tags are fetched
+
+# Pass in paths that will be checked for changes since last version.
+# Leave blank for "all".
+TRACKED_PATHS=$@
+
+# Obtain most recent version tag
+LATEST_TAG=$(git describe --tags --abbrev=0 --match="v*.*.*" main)
+LATEST_TAG_SHA=$(git rev-parse --verify "$LATEST_TAG"^{commit})
+
+# Check for changes since last version
+HAVE_CHANGED=false
+DIFF=$(git diff --name-only $LATEST_TAG_SHA -- $TRACKED_PATHS)
+[ -z "$DIFF" ] || HAVE_CHANGED=true
+
+# Bump patch version
+CURRENT_VERSION_SANITIZED=$(echo "$LATEST_TAG" | grep -Eo '[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}')
+NEXT_VERSION=$(echo "$CURRENT_VERSION_SANITIZED" | awk -F. -v OFS=. '{$NF++;print}')
+NEXT_VERSION=v$NEXT_VERSION
+
+echo ${NEXT_VERSION}
