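# Manually cut a release-candidate (rc) tag from a chosen branch/SHA, then run
# GoReleaser against a clean checkout of that tag with the repo's GPG signing key.
#
# Changes from the previous revision:
#   - The maintainer check now fails the job when the actor is not listed;
#     before, its boolean result was returned but no later step consulted it.
#   - `inputs.tag` and `github.actor` are passed to shell steps through `env:`
#     instead of being expanded inline in `run:` scripts.
#   - Tag pruning treats the tag as a literal string and tolerates the case where
#     no other tags exist.
name: Manually Create RC Release

on:
  workflow_dispatch:
    inputs:
      branch:
        description: 'The branch where the sha exists.'
        required: true
      sha:
        description: 'The commit SHA to create the tag from, defaults to HEAD of the selected branch.'
        required: false
      tag:
        description: 'The rc tag to create, e.g. v1.2.3-rc.1'
        required: true

permissions:
  contents: write  # needed to push the new tag and to publish the release
  id-token: write  # presumably used by the vault secrets action for OIDC auth — confirm
  actions: read

jobs:
  rc-release:
    runs-on: ubuntu-latest
    steps:
      - name: Check that the actor is a maintainer
        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 https://github.com/actions/github-script/commits/main
        id: check-user-in-maintainers
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          script: |
            // TERRAFORM_MAINTAINERS is expanded verbatim, so it must be a JSON array of logins.
            const maintainers = ${{ vars.TERRAFORM_MAINTAINERS }};
            const isMaintainer = maintainers.includes(context.actor);
            if (!isMaintainer) {
              // No later step gates on this step's output, so the job must be
              // failed here or the release would proceed for any actor.
              core.setFailed(context.actor + " is not listed in TERRAFORM_MAINTAINERS");
            }
            return isMaintainer;

      - name: Ensure the requested tag is a release candidate
        env:
          TAG: ${{ inputs.tag }}
        run: |
          # if the tag doesn't contain "rc" we should not be in this workflow
          if grep -q "rc" <<< "$TAG"; then
            echo "Tag contains 'rc', continuing with RC release"
          else
            echo "Tag doesn't contain 'rc', please use the manual-release workflow"
            exit 1
          fi

      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 https://github.com/actions/checkout
        with:
          ref: ${{ inputs.branch }}
          fetch-depth: 0  # full history so an arbitrary SHA on the branch can be tagged

      - name: Create and Push RC Tag with Git
        id: create-push-rc-tag
        env:
          TAG: ${{ inputs.tag }}
          SHA: ${{ inputs.sha }}
          ACTOR: ${{ github.actor }}
        run: |
          git config user.name "$ACTOR"
          git config user.email "${ACTOR}@users.noreply.github.com"
          # SHA is optional; without it the tag points at HEAD of the checked-out branch.
          if [ -n "$SHA" ]; then
            git tag "$TAG" -m "Release Candidate $TAG" "$SHA"
          else
            git tag "$TAG" -m "Release Candidate $TAG"
          fi
          git push origin "$TAG"

      - name: Check out new tag into a new directory
        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 https://github.com/actions/checkout
        with:
          ref: ${{ inputs.tag }}
          path: ${{ github.workspace }}/tags/${{ inputs.tag }}

      - name: Prune other tags and ensure a registry manifest exists
        env:
          TAG: ${{ inputs.tag }}
          TAG_DIR: ${{ github.workspace }}/tags/${{ inputs.tag }}
        run: |
          # remove any tags that are not the one specified (to avoid goreleaser confusion)
          DIR="$(pwd)"
          cd "$TAG_DIR"
          # -x -F: match the whole line literally (tag names contain '.', a regex metachar)
          # xargs -r: skip `git tag -d` entirely when no other tags are present
          git tag | grep -v -x -F -- "$TAG" | xargs -r git tag -d
          # check for terraform-registry-manifest.json presence and create if missing
          if [ ! -f "terraform-registry-manifest.json" ]; then
            echo "terraform-registry-manifest.json not found, creating a default one."
            cat <<EOF > terraform-registry-manifest.json
          {
          "version": 1,
          "metadata": {
          "protocol_versions": ["4.0", "5.0", "6.0"]
          }
          }
          EOF
          fi
          cd "$DIR"

      - name: retrieve GPG Credentials
        id: retrieve-gpg-credentials
        # TODO(review): the only action in this workflow not pinned to a commit SHA;
        # pin it like the others so the release pipeline does not track a moving branch.
        uses: rancher-eio/read-vault-secrets@main
        with:
          secrets: |
            secret/data/github/repo/${{ github.repository }}/signing/gpg passphrase | GPG_PASSPHRASE ;
            secret/data/github/repo/${{ github.repository }}/signing/gpg privateKeyId | GPG_KEY_ID ;
            secret/data/github/repo/${{ github.repository }}/signing/gpg privateKey | GPG_KEY

      - name: import_gpg_key
        id: import-gpg-key
        env:
          GPG_PASSPHRASE: ${{ env.GPG_PASSPHRASE }}
          GPG_KEY_ID: ${{ env.GPG_KEY_ID }}
          GPG_KEY: ${{ env.GPG_KEY }}
        run: |
          cleanup() {
            # clear history just in case
            history -c
          }
          trap cleanup EXIT TERM
          # sanitize variables: fail early rather than signing with an incomplete key set
          if [ -z "${GPG_PASSPHRASE}" ]; then echo "gpg passphrase empty"; exit 1; fi
          if [ -z "${GPG_KEY_ID}" ]; then echo "key id empty"; exit 1; fi
          if [ -z "${GPG_KEY}" ]; then echo "key contents empty"; exit 1; fi
          echo "Importing gpg key"
          echo "${GPG_KEY}" | gpg --import --batch > /dev/null || { echo "Failed to import GPG key"; exit 1; }

      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0 https://github.com/actions/setup-go
        with:
          go-version-file: ${{ github.workspace }}/tags/${{ inputs.tag }}/go.mod
          cache-dependency-path: ${{ github.workspace }}/tags/${{ inputs.tag }}/go.sum
          cache: true

      - name: Run GoReleaser
        uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0 https://github.com/goreleaser/goreleaser-action
        with:
          # config path is relative to workdir (tags/<tag>), i.e. the repo root's rc config
          args: release --clean --skip=validate --config ../../.goreleaser_rc.yml
          workdir: ${{ github.workspace }}/tags/${{ inputs.tag }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GPG_KEY_ID: ${{ env.GPG_KEY_ID }}
          GPG_PASSPHRASE: ${{ env.GPG_PASSPHRASE }}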