promote-downstreams.yml
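name: Promote Downstream Releases

on:
  # may be triggered manually on a release tag that represents a prerelease to
  # promote it to a release in the downstream package repositories and Docker Hub
  workflow_dispatch:
  # GitHub release is marked stable, i.e., isPrerelease: false.
  # Publishing a stable release IS the authorization to promote: whoever can
  # publish releases in this repo can move :latest and the stable package repos.
  release:
    types: [released]  # this release event activity type excludes prereleases

# Least-privilege GITHUB_TOKEN for every job. Without this block the grant
# depends on the repository's default and may be write-all. The only uses of
# GITHUB_TOKEN below are checking out the repo, polling check runs
# (wait-on-check-action) and `gh run list`; Docker Hub, Artifactory and the
# dispatch PAT are separate secrets and are unaffected.
# NOTE(review): confirm on a dry run that these three grants are sufficient for
# the pinned action versions.
permissions:
  contents: read
  checks: read
  actions: read

# cancel older, redundant runs of same workflow on same ref.
# NOTE(review): cancelling an in-flight promotion can leave the downstreams
# half-promoted (e.g. Docker Hub retagged, Artifactory not) — confirm that is
# acceptable, or set cancel-in-progress: false for this workflow.
concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.ref_name }}
  cancel-in-progress: true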
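jobs:
  # NOTE(review): every third-party action in this file is pinned to a mutable
  # tag (@v3, @v1.4.1, ...). Because these jobs hold publishing credentials,
  # pin each `uses:` to a full commit SHA (keep the tag in a trailing comment)
  # so a retagged or compromised upstream release cannot run here.
  wait_for_release:
    name: Wait for Release Builds to Succeed
    runs-on: ubuntu-24.04
    steps:
      # Dumps the job/event context to the (public) run log. Handy for
      # debugging, but it is noise and potential exposure on a release path —
      # consider removing it or gating it behind a workflow_dispatch input.
      - name: Debug action
        uses: hmarr/debug-action@v3
      - name: Wait for all checks on this rev
        uses: lewagon/wait-on-check-action@v1.4.1
        with:
          ref: ${{ github.ref_name }}
          repo-token: ${{ secrets.GITHUB_TOKEN }}
          # seconds between polling the checks api for job statuses
          wait-interval: 30
          # confusingly, this means "pause this step until all jobs from all workflows in same run have completed"
          running-workflow-name: Wait for Release Builds to Succeed
          # comma-separated list of check names (job.<id>.name) to ignore.
          # Anything listed here is NOT a gate for promotion — keep it to checks
          # that genuinely must not block a stable release.
          ignore-checks: SDK Terminator Validation,Fablab HA Smoketest,POST Webhook,Release Quickstart Job
      - name: Git Checkout
        if: failure()
        uses: actions/checkout@v5
        with:
          fetch-depth: 0
      # Diagnostic only: lists the cancelled/failed runs for this commit so the
      # log explains why the wait step gave up. The job still fails.
      - name: Diagnose Failed "Wait for Release Builds to Succeed"
        if: failure()
        shell: bash
        run: |
          set -o pipefail
          set -o xtrace
          COMMIT_SHA=$(git rev-parse "${GITHUB_REF_NAME}^{commit}")
          for STATUS in cancelled failure
          do
            gh run list --repo "${GITHUB_REPOSITORY}" --status "${STATUS}" --commit "${COMMIT_SHA}"
          done
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  # the purpose of this job is to enforce that the Git ref promoted is a semver eligible for stable release, i.e., not having a semver pre-release suffix; the extracted version without the leading 'v' is passed to the docker job as the container image tag
  parse_version:
    needs: wait_for_release
    name: Parse Tag Regex
    runs-on: ubuntu-24.04
    outputs:
      # "X.Y.Z" with the leading 'v' stripped. It is validated by the anchored
      # regex below, which is what makes it safe to interpolate into commands
      # and artifact paths in the later jobs.
      version: ${{ steps.validate.outputs.version }}
      # "true" only when this ref is the highest stable tag in the repo
      highest: ${{ steps.compare.outputs.highest }}
    steps:
      - name: Validate the Release Tag is a Stable Release Ref
        id: validate
        shell: bash
        run: |
          # Promotion must come from a tag: a workflow_dispatch on a branch that
          # happens to be named like a version would otherwise pass the regex.
          if [[ "${GITHUB_REF_TYPE}" != "tag" ]]; then
            echo "${GITHUB_REF_NAME} is a ${GITHUB_REF_TYPE}, not a tag" >&2
            exit 1
          fi
          # Strict, anchored vMAJOR.MINOR.PATCH — no pre-release or build suffix.
          # This is the only sanitization of the version string; keep it strict.
          if [[ "${GITHUB_REF_NAME}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
            echo "version=${GITHUB_REF_NAME#v}" | tee -a "${GITHUB_OUTPUT}"
          else
            echo "${GITHUB_REF_NAME} is not a semver stable release ref" >&2
            exit 1
          fi
      - name: Git Checkout
        uses: actions/checkout@v5
        with:
          # full history so every stable tag is present for the comparison below
          fetch-depth: 0
      - name: Compare with Highest Version
        id: compare
        shell: bash
        run: |
          set -o pipefail
          set -o xtrace
          # version-aware sort of the stable tags; re-promoting an older tag must
          # not move :latest backwards, so only the highest one sets highest=true
          HIGHEST_VERSION=$(git tag -l 'v*.*.*' | grep -E '^v[0-9]+\.[0-9]+\.[0-9]+$' | sort -V | tail -n1)
          CURRENT_VERSION="${GITHUB_REF_NAME}"
          if [[ "$CURRENT_VERSION" == "$HIGHEST_VERSION" ]]; then
            echo "highest=true" | tee -a "${GITHUB_OUTPUT}"
          else
            echo "highest=false" | tee -a "${GITHUB_OUTPUT}"
          fi

  promote_docker:
    name: Tag Container Image ${{ matrix.image.repo }}:latest
    needs: parse_version
    runs-on: ubuntu-24.04
    strategy:
      fail-fast: true
      matrix:
        image:
          - repo: ${{ vars.ZITI_CLI_IMAGE || 'docker.io/openziti/ziti-cli' }}
          - repo: ${{ vars.ZITI_CONTROLLER_IMAGE || 'docker.io/openziti/ziti-controller' }}
          - repo: ${{ vars.ZITI_ROUTER_IMAGE || 'docker.io/openziti/ziti-router' }}
          - repo: ${{ vars.ZITI_TUNNEL_IMAGE || 'docker.io/openziti/ziti-tunnel' }}
    steps:
      # only authenticate when there is actually a tag to push; a promotion that
      # is not the highest version never touches the registry
      - name: Login to Docker Hub
        if: needs.parse_version.outputs.highest == 'true'
        uses: docker/login-action@v3
        with:
          username: ${{ vars.DOCKER_HUB_API_USER || secrets.DOCKER_HUB_API_USER }}
          password: ${{ secrets.DOCKER_HUB_API_TOKEN }}
      # retags the existing manifest as :latest; nothing is rebuilt
      - name: Tag Latest
        if: needs.parse_version.outputs.highest == 'true'
        shell: bash
        env:
          # pass workflow values through the environment instead of expanding
          # ${{ }} inside the script, so the shell never re-parses them
          IMAGE_REPO: ${{ matrix.image.repo }}
          VERSION: ${{ needs.parse_version.outputs.version }}
        run: >
          docker buildx imagetools create --tag
          "${IMAGE_REPO}:latest"
          "${IMAGE_REPO}:${VERSION}"

  promote_artifactory:
    name: Promote ${{ matrix.package_name }}-${{ matrix.arch.rpm }}.${{ matrix.packager }}
    needs: parse_version
    strategy:
      fail-fast: true
      matrix:
        package_name:
          - openziti
          - openziti-controller
          - openziti-router
        arch:
          - deb: amd64
            rpm: x86_64
          - deb: arm64
            rpm: aarch64
          - deb: armhf
            rpm: armv7hl
        packager:
          - rpm
          - deb
    runs-on: ubuntu-24.04
    env:
      ZITI_DEB_TEST_REPO: ${{ vars.ZITI_DEB_TEST_REPO || 'zitipax-openziti-deb-test' }}
      ZITI_RPM_TEST_REPO: ${{ vars.ZITI_RPM_TEST_REPO || 'zitipax-openziti-rpm-test' }}
      ZITI_DEB_PROD_REPO: ${{ vars.ZITI_DEB_PROD_REPO || 'zitipax-openziti-deb-stable' }}
      ZITI_RPM_PROD_REPO: ${{ vars.ZITI_RPM_PROD_REPO || 'zitipax-openziti-rpm-stable' }}
      # matrix and job-output values exposed to the scripts as plain env vars
      # rather than ${{ }} expansions inside `run:`
      VERSION: ${{ needs.parse_version.outputs.version }}
      PACKAGE_NAME: ${{ matrix.package_name }}
      ARCH_RPM: ${{ matrix.arch.rpm }}
      ARCH_DEB: ${{ matrix.arch.deb }}
    steps:
      - name: Configure jFrog CLI
        uses: jfrog/setup-jfrog-cli@v4
        env:
          JF_ENV_1: ${{ secrets.ZITI_ARTIFACTORY_CLI_CONFIG_PACKAGE_UPLOAD }}
      # NOTE(review): both copies are server-side moves of whatever is already
      # in the *-test repo; nothing here re-verifies a checksum or signature
      # against the release build. --fail-no-op only guards against a missing
      # artifact, not a tampered one.
      - name: Copy RPM from test repo to stable repo with jFrog CLI
        if: matrix.packager == 'rpm'
        shell: bash
        run: >
          jf rt copy
          --recursive=false
          --flat=true
          --fail-no-op=true
          "${ZITI_RPM_TEST_REPO}/redhat/${ARCH_RPM}/${PACKAGE_NAME}-${VERSION}-1.${ARCH_RPM}.rpm"
          "${ZITI_RPM_PROD_REPO}/redhat/${ARCH_RPM}/"
      - name: Copy DEB from test repo to stable repo with jFrog CLI
        if: matrix.packager == 'deb'
        shell: bash
        run: >
          jf rt copy
          --recursive=false
          --flat=true
          --fail-no-op=true
          "${ZITI_DEB_TEST_REPO}/pool/${PACKAGE_NAME}/${ARCH_DEB}/${PACKAGE_NAME}_${VERSION}_${ARCH_DEB}.deb"
          "${ZITI_DEB_PROD_REPO}/pool/${PACKAGE_NAME}/${ARCH_DEB}/"

  repository-dispatch:
    # only the upstream project notifies the private downstream; forks will not
    # have the PAT anyway, but this makes the intent explicit
    if: github.repository_owner == 'openziti'
    # NOTE(review): promote_artifactory is not a prerequisite here, so the
    # downstream is notified even when the deb/rpm promotion failed — confirm
    # the downstream does not depend on the stable package repos.
    needs:
      - parse_version
      - promote_docker
    name: Repository Dispatch Event
    runs-on: ubuntu-24.04
    steps:
      - name: Send repository_dispatch event
        env:
          # this token has fine-grained permission to send repository_dispatch events to the downstream private repo
          GH_TOKEN: ${{ secrets.GH_FGPAT_NF_REPO_DISPATCH }}
          # payload fields passed via env so no ${{ }} is expanded inside the script
          VERSION: ${{ needs.parse_version.outputs.version }}
          RUN_ID: ${{ github.run_id }}
          SOURCE_REPO: ${{ github.repository }}
        shell: bash
        run: |
          set -o pipefail
          set -o xtrace
          gh api \
            --method POST \
            -H "Accept: application/vnd.github+json" \
            -H "X-GitHub-Api-Version: 2022-11-28" \
            /repos/netfoundry/ziti-fips/dispatches \
            -f "event_type=ziti_promote_stable" \
            -F "client_payload[version]=${VERSION}" \
            -F "client_payload[run_id]=${RUN_ID}" \
            -F "client_payload[repo]=${SOURCE_REPO}"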