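# Manually cut a release-candidate (rc) tag from a chosen branch/commit, build and
# sign it with GoReleaser, and notify linked issues.
#
# Operator-supplied inputs (tag, sha, actor name) are handed to shell steps only
# through `env:` variables, never spliced into the `run:` script text, so a crafted
# input cannot change the shape of the command being executed.
name: Manually Create RC Release
on:  # yamllint disable-line rule:truthy
  workflow_dispatch:
    inputs:
      branch:
        description: 'The branch where the sha exists.'
        required: true
      sha:
        description: 'The commit SHA to create the tag from, defaults to HEAD of the selected branch.'
        required: false
      tag:
        description: 'The rc tag to create, e.g. v1.2.3-rc.1'
        required: true
permissions:
  contents: write
  id-token: write
  issues: write
  pull-requests: write
  actions: read
jobs:
  rc-release:
    runs-on: ubuntu-latest
    steps:
      # Authorization gate: only logins listed in the TERRAFORM_MAINTAINERS repository
      # variable may cut an RC. The check previously computed the result but never acted
      # on it, so the job continued for any actor; core.setFailed now stops the job.
      - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 https://github.com/actions/github-script/commits/main
        id: check-user-in-maintainers
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          script: |
            // TERRAFORM_MAINTAINERS is a repository variable that is expected to expand
            // to a JS array literal of GitHub logins (verify against the repo settings).
            const maintainers = ${{ vars.TERRAFORM_MAINTAINERS }};
            const isMaintainer = maintainers.includes(context.actor);
            if (!isMaintainer) {
              core.setFailed(`${context.actor} is not listed in TERRAFORM_MAINTAINERS; refusing to create an RC release`);
            }
            return isMaintainer;
      # Refuse GA tags: this workflow is for release candidates only. The tag is read
      # from $TAG instead of being interpolated into the script body.
      - name: Verify the tag is a release candidate
        env:
          TAG: ${{ inputs.tag }}
        run: |
          # if the tag doesn't contain "rc" we should not be in this workflow
          if grep -q "rc" <<< "$TAG"; then
            echo "Tag contains 'rc', continuing with RC release"
          else
            echo "Tag doesn't contain 'rc', please use the manual-release workflow"
            exit 1
          fi
      # Full history is needed so an arbitrary $SHA on the branch can be tagged.
      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 https://github.com/actions/checkout
        with:
          fetch-depth: 0
      - name: Create and Push RC Tag with Git
        id: create-push-rc-tag
        env:
          TAG: ${{ inputs.tag }}
          SHA: ${{ inputs.sha }}
          ACTOR: ${{ github.actor }}
        run: |
          git config user.name "${ACTOR}"
          git config user.email "${ACTOR}@users.noreply.github.com"
          # An empty SHA means "tag the checked-out HEAD" (see the sha input description).
          if [ -n "$SHA" ]; then
            git tag "$TAG" -m "Release Candidate $TAG" "$SHA"
          else
            git tag "$TAG" -m "Release Candidate $TAG"
          fi
          git push origin "$TAG"
      # Second, separate checkout of the new tag so GoReleaser builds exactly the
      # tagged tree, isolated from the branch checkout above.
      - name: Check out new tag into a new directory
        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 https://github.com/actions/checkout
        with:
          ref: ${{ inputs.tag }}
          path: ${{ github.workspace }}/tags/${{ inputs.tag }}
      - name: Prune other tags and ensure registry manifest
        env:
          TAG: ${{ inputs.tag }}
          TAG_DIR: ${{ github.workspace }}/tags/${{ inputs.tag }}
        run: |
          # remove any tags that are not the one specified (to avoid goreleaser confusion)
          DIR="$(pwd)"
          cd "$TAG_DIR"
          # -F -x compare whole lines literally, so regex metacharacters in $TAG are not
          # interpreted; xargs -r skips the delete when there is nothing to remove.
          git tag | grep -v -F -x -e "$TAG" | xargs -r git tag -d
          # check for terraform-registry-manifest.json presence and create if missing
          if [ ! -f "terraform-registry-manifest.json" ]; then
            echo "terraform-registry-manifest.json not found, creating a default one."
            cat <<EOF > terraform-registry-manifest.json
          {
            "version": 1,
            "metadata": {
              "protocol_versions": ["4.0", "5.0", "6.0"]
            }
          }
          EOF
          fi
          cd "$DIR"
      # NOTE(review): every other action here is pinned to a commit SHA; this one floats
      # on a mutable branch. Pin it to a reviewed commit (TODO: SHA not available here).
      - name: retrieve GPG Credentials
        id: retrieve-gpg-credentials
        uses: rancher-eio/read-vault-secrets@main
        with:
          secrets: |
            secret/data/github/repo/${{ github.repository }}/signing/gpg passphrase | GPG_PASSPHRASE ;
            secret/data/github/repo/${{ github.repository }}/signing/gpg privateKeyId | GPG_KEY_ID ;
            secret/data/github/repo/${{ github.repository }}/signing/gpg privateKey | GPG_KEY
      # Imports the signing key fetched above into the runner's keyring. Fails fast if
      # any of the three secrets is empty so a later unsigned/mis-signed release is
      # not produced silently.
      - name: import_gpg_key
        id: import-gpg-key
        env:
          GPG_PASSPHRASE: ${{ env.GPG_PASSPHRASE }}
          GPG_KEY_ID: ${{ env.GPG_KEY_ID }}
          GPG_KEY: ${{ env.GPG_KEY }}
        run: |
          cleanup() {
            # clear history just in case
            history -c
          }
          trap cleanup EXIT TERM
          # sanitize variables
          if [ -z "${GPG_PASSPHRASE}" ]; then echo "gpg passphrase empty"; exit 1; fi
          if [ -z "${GPG_KEY_ID}" ]; then echo "key id empty"; exit 1; fi
          if [ -z "${GPG_KEY}" ]; then echo "key contents empty"; exit 1; fi
          echo "Importing gpg key"
          echo "${GPG_KEY}" | gpg --import --batch > /dev/null || { echo "Failed to import GPG key"; exit 1; }
      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0 https://github.com/actions/setup-go
        with:
          go-version-file: ${{ github.workspace }}/tags/${{ inputs.tag }}/go.mod
          cache-dependency-path: ${{ github.workspace }}/tags/${{ inputs.tag }}/go.sum
          cache: true
      # Builds from the tag checkout; the config path is relative to that workdir
      # (two levels up is the repository root of the branch checkout).
      - name: Run GoReleaser
        uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0 https://github.com/goreleaser/goreleaser-action
        with:
          args: release --clean --skip=validate --config ../../.goreleaser_rc.yml
          workdir: ${{ github.workspace }}/tags/${{ inputs.tag }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GPG_KEY_ID: ${{ env.GPG_KEY_ID }}
          GPG_PASSPHRASE: ${{ env.GPG_PASSPHRASE }}
      # Delegates issue notification to a script in the repository; TAG/BRANCH/OWNER/REPO
      # are passed to it via process.env.
      - name: 'Find Issues and Create Comments'
        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 https://github.com/actions/github-script
        env:
          TAG: ${{ inputs.tag }}
          BRANCH: ${{ inputs.branch }}
          OWNER: ${{ github.repository_owner }}
          REPO: ${{ github.event.repository.name }}
        with:
          script: |
            const scriptPath = `${{ github.workspace }}/.github/workflows/scripts/rc-notify.js`;
            const { default: script } = await import(scriptPath);
            await script({github, process});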