-
Notifications
You must be signed in to change notification settings - Fork 64
198 lines (175 loc) · 7.13 KB
/
Copy pathrelease.yml
File metadata and controls
198 lines (175 loc) · 7.13 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
on:
push:
# Sequence of patterns matched against refs/tags
tags:
- 'v*' # Push events to matching v*, i.e. v1.0, v20.15.10
name: Create Release
# Least-privilege default for the whole workflow — jobs that need more
# override at the job level. Matches the convention used by
# cleanup-jp.yml / nonregression-jp.yml.
permissions:
contents: read
jobs:
build:
name: Create Release
runs-on: ubuntu-22.04
# actions/create-release@v1 needs contents: write to publish a Release.
permissions:
contents: write
outputs:
release_url: ${{ steps.create_release.outputs.html_url }}
steps:
- name: Checkout code
uses: actions/checkout@v2
- name: Get Release Changes
id: recentCommits
run: |
echo ::set-output name=release_body::$(git log --no-merges --pretty=format:'%s' $(git describe --abbrev=0 --tags)...HEAD)
- name: Create Release
id: create_release
uses: actions/create-release@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token
with:
tag_name: ${{ github.ref }}
release_name: Release ${{ github.ref }}
body: ${{steps.recentCommits.outputs.release_body}}
draft: false
prerelease: false
zip-recipes:
runs-on: ubuntu-22.04
needs: build
# actions/upload-release-asset needs contents: write to attach recipes.zip.
permissions:
contents: write
steps:
- name: Checkout code
uses: actions/checkout@v2
- name: Get release
id: get_release
uses: bruceadams/get-release@v1.2.2
env:
GITHUB_TOKEN: ${{ github.token }}
- name: Write version
uses: DamianReeves/write-file-action@v1.0
with:
path: recipes/version.txt
contents: ${{ steps.get_release.outputs.tag_name }}
write-mode: overwrite
- name: Zip recipes
uses: vimtor/action-zip@v1
with:
files: recipes/ version.txt
dest: recipes.zip
- name: Upload recipes zip file to GitHub
uses: actions/upload-release-asset@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ steps.get_release.outputs.upload_url }}
asset_path: ${{ github.workspace }}/recipes.zip
asset_name: recipes.zip
asset_content_type: application/octet-stream
- name: Install aws cli
run: |
sudo apt-get update -y
sudo apt-get install awscli -y
- name: Write config 1
uses: DamianReeves/write-file-action@v1.0
with:
path: /home/runner/.aws/credentials
contents: |
[virtuoso_user]
aws_access_key_id=${{ secrets.AWS_ACCESS_KEY_ID }}
aws_secret_access_key=${{ secrets.AWS_SECRET_ACCESS_KEY }}
write-mode: overwrite
- name: Write config 2
uses: DamianReeves/write-file-action@v1.0
with:
path: /home/runner/.aws/config
contents: |
[profile virtuoso]
role_arn = ${{ secrets.AWS_ROLE_ARN }}
region = ${{ secrets.AWS_DEFAULT_REGION }}
source_profile = virtuoso_user
write-mode: overwrite
- name: Upload recipes zip file to S3 (download.newrelic.com)
id: upload-recipes-s3
run: |
aws s3 cp ${{ github.workspace }}/recipes.zip s3://nr-downloads-main/install/open-install-library/${{ steps.get_release.outputs.tag_name }}/recipes.zip --profile virtuoso
- name: Upload currentVersion.txt to S3
id: upload-current-version-s3
run: |
aws s3 cp recipes/version.txt s3://nr-downloads-main/install/open-install-library/currentVersion.txt --profile virtuoso --cache-control no-cache
- name: Cleanup configs
run: |
rm -rf /home/runner/.aws/credentials
rm -rf /home/runner/.aws/config
commit-release-notes:
name: Record release on main
runs-on: ubuntu-22.04
needs: build
# No override needed — the push uses secrets.RELEASE_TOKEN (a PAT), not
# the default GITHUB_TOKEN, so this job only needs the workflow-level
# `contents: read` (for actions/checkout).
steps:
- name: Checkout main
uses: actions/checkout@v4
with:
ref: main
fetch-depth: 0
# RELEASE_TOKEN (PAT) is required because main is protected — rules
# forbid direct pushes and require FOSSA to pass. The default
# GITHUB_TOKEN cannot bypass those rules. RELEASE_TOKEN is the same
# PAT the CLI's OIL→CLI workflow already uses to push tags into OIL.
token: ${{ secrets.RELEASE_TOKEN }}
- name: Commit release marker to main
env:
RELEASE_URL: ${{ needs.build.outputs.release_url }}
run: |
set -euo pipefail
# Strip refs/tags/ → e.g. v0.82.0
TAG="${GITHUB_REF#refs/tags/}"
RELEASE_DATE=$(date -u +'%-d %B %Y')
# Previous release tag = second-newest v* tag by semver sort.
# `git tag --sort=-v:refname` puts the newest first; filter out the just-released tag.
PREV=$(git tag --list 'v*' --sort=-v:refname | grep -v "^${TAG}$" | head -1 || true)
# Compact subject: `chore(release): OIL <tag>, <date>`.
#
# Change list excludes prior release-marker commits so a release
# doesn't list its predecessors. --extended-regexp matches both the
# current shorter format ("OIL v...") and the legacy longer one
# ("Open Install Library Release v...") so older markers on main
# stay filtered too.
#
# `[skip ci]` at the end tells GitHub Actions not to run
# push-triggered workflows on the marker commit itself — the
# release just built the artifacts, there's nothing to re-verify.
{
printf 'chore(release): OIL %s, %s\n\n' "$TAG" "$RELEASE_DATE"
if [ -n "$PREV" ]; then
printf 'Changes since %s:\n\n' "$PREV"
git log \
--no-merges \
--invert-grep \
--extended-regexp \
--grep='^chore\(release\): (OIL|Open Install Library Release) v[0-9]' \
--pretty=format:'- %s (%h)' \
"${PREV}..${TAG}"
printf '\n\n'
fi
printf 'Release: %s\n\n' "${RELEASE_URL}"
printf '[skip ci]\n'
} > /tmp/commit-msg.txt
echo "----- Commit message preview -----"
cat /tmp/commit-msg.txt
echo "----------------------------------"
git config user.name 'github-actions[bot]'
git config user.email '41898282+github-actions[bot]@users.noreply.github.com'
git commit --allow-empty -F /tmp/commit-msg.txt
# Retry once on race (someone else pushed to main between checkout and push).
if ! git push origin main; then
echo "push rejected; refetching and rebasing before retry"
git pull --rebase origin main
git push origin main
fi