Release #482
# Release workflow. The trigger decides which GoReleaser step runs in the
# `goreleaser` job:
#   push of a v* tag  -> "GoReleaser Release" (publishing run)
#   schedule          -> "GoReleaser Edge" (nightly snapshot, edge images)
#   workflow_dispatch -> "GoReleaser Test" (snapshot with --skip publish)
name: Release

on:
  push:
    tags:
      - "v*"
  schedule:
    # run at 2 AM UTC
    - cron: "0 2 * * *"
  workflow_dispatch:
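jobs:
  # Builds and publishes every Connect variant. This job holds the widest
  # privileges in the workflow: an OIDC token (id-token: write), a writable
  # GITHUB_TOKEN (contents: write), registry credentials and the telemetry
  # signing key.
  # NOTE(review): every `uses:` below references a tag or branch, which the
  # action's owner can move. Pinning each action to a full commit SHA keeps a
  # retagged or compromised action from running with these privileges.
  goreleaser:
    runs-on: ubuntu-latest-32
    permissions:
      # OIDC token for the AWS role assumption and GCP workload identity steps.
      id-token: write
      contents: write
    strategy:
      # One failing variant does not cancel the others.
      fail-fast: false
      matrix:
        variant:
          - connect-ai
          - connect-cgo
          - connect-cloud
          - connect-fips
          - connect-lambda
          - connect
    steps:
      - name: Check Out Repo
        uses: actions/checkout@v6

      - name: Configure AWS credentials for access to AWS Secrets Manager
        uses: aws-actions/configure-aws-credentials@v6
        with:
          aws-region: ${{ vars.RP_AWS_CRED_REGION }}
          role-to-assume: arn:aws:iam::${{ secrets.RP_AWS_CRED_ACCOUNT_ID }}:role/${{ vars.RP_AWS_CRED_BASE_ROLE_NAME }}${{ github.event.repository.name }}

      # Later steps read env.DOCKERHUB_USER, env.DOCKERHUB_TOKEN and
      # env.CLOUDSMITH_API_KEY, so the parsed secrets are presumably exported
      # into the job environment by this step.
      # NOTE(review): if so, they are visible to every subsequent step of this
      # job, including the third-party actions and the pip-installed CLI.
      - name: Get secrets from AWS Secrets Manager
        uses: aws-actions/aws-secretsmanager-get-secrets@v3
        with:
          secret-ids: |
            ,sdlc/prod/github/cloudsmith
            ,sdlc/prod/github/dockerhub
          parse-json-secrets: true

      - name: Configure AWS credentials for access to Amazon ECR Public
        uses: aws-actions/configure-aws-credentials@v6
        with:
          aws-region: us-east-1
          role-to-assume: arn:aws:iam::${{ secrets.RP_AWS_CRED_ACCOUNT_ID }}:role/${{ vars.RP_AWS_CRED_BASE_ROLE_NAME }}${{ github.event.repository.name }}

      - name: Login to Amazon ECR Public
        uses: aws-actions/amazon-ecr-login@v2
        with:
          registry-type: public

      - name: Install Go
        uses: actions/setup-go@v6
        with:
          go-version-file: 'go.mod'

      - name: Install system dependencies
        run: sudo apt-get update && sudo apt-get install -y libzmq3-dev patchelf

      # FIPS variant only: fetches the Microsoft Go toolchain matching the
      # major.minor of the Go version installed above.
      # NOTE(review): the tarball is the moving "latest" release for that
      # series and is unpacked without a checksum or signature check, yet it
      # is the compiler for the connect-fips artifacts. Verifying it against a
      # published digest before `tar -x` would close that gap.
      # NOTE(review): $RUNNER_TEMP/bin is added to PATH but nothing in this
      # step places a binary there; presumably a later build step does.
      - name: Install Microsoft Go
        if: ${{ matrix.variant == 'connect-fips' }}
        run: |
          GO_VERSION=$(go version | cut -d' ' -f3 | cut -d'.' -f1,2)
          curl -sSLf -o "$RUNNER_TEMP/msgo.tgz" https://aka.ms/golang/release/latest/${GO_VERSION}.linux-amd64.tar.gz
          [[ -d "$RUNNER_TEMP/bin" ]] || install -d -m 0755 "$RUNNER_TEMP/bin"
          [[ -d "$RUNNER_TEMP/microsoft" ]] || install -d -m 0755 "$RUNNER_TEMP/microsoft"
          tar -C "$RUNNER_TEMP/microsoft" -xf "$RUNNER_TEMP/msgo.tgz"
          echo "$RUNNER_TEMP/bin" >> "$GITHUB_PATH"

      - name: Release Notes
        run: ./resources/scripts/release_notes.sh > ./release_notes.md

      - uses: actions/setup-python@v6
        with:
          python-version: '3.12'

      # GCP access is set up for tag pushes only.
      - name: Authenticate to GCP
        if: ${{ github.event_name == 'push' }}
        uses: google-github-actions/auth@v3
        with:
          workload_identity_provider: projects/606234194099/locations/global/workloadIdentityPools/rp-cicd/providers/gh-connect
          service_account: gh-connect@devprod-cicd-infra.iam.gserviceaccount.com

      - name: Set up gcloud CLI
        if: ${{ github.event_name == 'push' }}
        uses: google-github-actions/setup-gcloud@v3

      # Presumably keeps the credential file written by the auth step out of
      # `git status`, so the release build sees a clean tree and the file is
      # not picked up by a later `git add`.
      - name: Exclude GCP credentials from git state
        if: ${{ github.event_name == 'push' }}
        run: echo 'gha-creds-*.json' >> .git/info/exclude

      # NOTE(review): unpinned install. This CLI runs in a job that has the
      # Cloudsmith API key in scope; pinning the version (ideally with
      # hashes) makes the publishing toolchain reproducible.
      - name: Install cloudsmith CLI (for publishing Linux packages)
        run: pip install cloudsmith-cli

      - name: Login to Docker Hub
        uses: docker/login-action@v4
        with:
          username: ${{ env.DOCKERHUB_USER }}
          password: ${{ env.DOCKERHUB_TOKEN }}

      - name: Setup Buildx
        uses: docker/setup-buildx-action@v4

      - name: Setup Task
        uses: ./.github/actions/setup-task

      - name: Initialize Docker buildx with docker-container driver
        run: task docker:init

      # The path is marked skip-worktree first so git does not report the
      # overwritten file as modified. The private key then sits in the
      # workspace for the remaining steps of the job.
      - name: Write telemetry private key
        env:
          CONNECT_TELEMETRY_PRIV_KEY: ${{ secrets.TELEMETRY_PRIVATE_KEY }}
        run: |
          git update-index --skip-worktree ./internal/telemetry/key.pem
          echo "$CONNECT_TELEMETRY_PRIV_KEY" > ./internal/telemetry/key.pem

      # Tag push: the real release.
      - name: GoReleaser Release
        if: ${{ github.event_name == 'push' }}
        uses: goreleaser/goreleaser-action@v7
        with:
          args: release --release-notes=./release_notes.md --timeout 120m --config ./.goreleaser/${{ matrix.variant }}.yaml
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          CLOUDSMITH_API_KEY: ${{ env.CLOUDSMITH_API_KEY }}

      - name: Upload rpk connect plugin to S3
        if: ${{ github.event_name == 'push' && (matrix.variant == 'connect' || matrix.variant == 'connect-fips') }}
        uses: ./.github/actions/upload_managed_plugin
        with:
          aws_region: "us-west-2"
          aws_s3_bucket: "rpk-plugins-repo"
          project_root_dir: ${{ github.workspace }}
          artifacts_file: ${{ github.workspace }}/target/dist/artifacts.json
          metadata_file: ${{ github.workspace }}/target/dist/metadata.json
          plugin_name: ${{ matrix.variant }}
          goos: ${{ matrix.variant == 'connect' && 'linux,darwin' || 'linux' }}
          goarch: ${{ matrix.variant == 'connect' && 'amd64,arm64' || 'amd64' }}
          repo_hostname: rpk-plugins.redpanda.com
          dry_run: false

      # Nightly run: checksum generation is switched off in the variant's
      # GoReleaser config before the snapshot build.
      - name: Disable checksums for Edge build
        if: ${{ github.event_name == 'schedule' }}
        run: |
          yq eval '.checksum.disable = true' -i .goreleaser/${{ matrix.variant }}.yaml

      - name: GoReleaser Edge
        if: ${{ github.event_name == 'schedule' }}
        uses: goreleaser/goreleaser-action@v7
        with:
          args: release --timeout 120m --snapshot --skip archive,nfpm --config ./.goreleaser/${{ matrix.variant }}.yaml
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          CLOUDSMITH_API_KEY: ${{ env.CLOUDSMITH_API_KEY }}

      # Pushes the per-arch edge images and publishes the multi-arch tag.
      # NOTE(review): this runs before the vulnerability scan below, so a
      # failing scan marks the job red only after the edge tag has already
      # been published.
      - name: GoReleaser Edge push docker
        if: ${{ github.event_name == 'schedule' && (matrix.variant == 'connect' || matrix.variant == 'connect-ai' || matrix.variant == 'connect-cloud') }}
        run: |
          IMAGE_BASE=${{ fromJSON('{"connect":"redpandadata/connect:edge","connect-ai":"redpandadata/connect:edge-ai","connect-cloud":"redpandadata/connect:edge-cloud"}')[matrix.variant] }}
          docker push ${IMAGE_BASE}-amd64
          docker push ${IMAGE_BASE}-arm64
          docker buildx imagetools create -t ${IMAGE_BASE} ${IMAGE_BASE}-amd64 ${IMAGE_BASE}-arm64

      # Manual run: snapshot build, nothing published.
      - name: GoReleaser Test
        if: ${{ github.event_name == 'workflow_dispatch' }}
        uses: goreleaser/goreleaser-action@v7
        with:
          args: release --timeout 120m --snapshot --skip publish --config ./.goreleaser/${{ matrix.variant }}.yaml

      # NOTE(review): `@master` is a mutable branch ref, the weakest pin in
      # this workflow; the scanner itself should be pinned to a reviewed
      # commit SHA.
      # NOTE(review): the image map lists connect-ai, and the edge-ai image
      # is pushed above, but the `if:` limits the scan to connect and
      # connect-cloud. Confirm the exclusion is intentional.
      # NOTE(review): tag pushes are never scanned here, and on
      # workflow_dispatch no visible step pushes the `edge` tag, so which
      # image Trivy resolves in that case cannot be told from this file.
      - name: Scan docker images for vulnerabilities
        if: ${{ (github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && (matrix.variant == 'connect' || matrix.variant == 'connect-cloud') }}
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: ${{ fromJSON('{"connect":"redpandadata/connect:edge","connect-ai":"redpandadata/connect:edge-ai","connect-cloud":"redpandadata/connect:edge-cloud"}')[matrix.variant] }}
          format: table
          ignore-unfixed: true
          exit-code: 1

  # After a non-RC tag release: regenerate bundle files and open an
  # auto-merging PR with the result.
  update-bundles:
    runs-on: ubuntu-latest
    needs: goreleaser
    if: github.event_name == 'push' && !contains(github.ref_name, '-rc')
    concurrency:
      group: release-update-bundles-${{ github.ref }}
      cancel-in-progress: false
    permissions:
      contents: write
      pull-requests: write
    outputs:
      pr_url: ${{ steps.pr.outputs.url }}
    steps:
      - uses: actions/checkout@v6

      - uses: actions/setup-go@v6
        with:
          go-version-file: 'go.mod'

      # The tag name is read from the runner-provided GITHUB_REF_NAME rather
      # than expanded with `${{ github.ref_name }}` inside the script. A
      # `${{ }}` expression is pasted into the script text before bash parses
      # it, so a tag containing shell syntax would run as code; a variable is
      # only ever expanded as data.
      - name: Update bundles and create PR
        id: pr
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          ./resources/scripts/update_bundles.sh
          if git diff --quiet; then
            echo "No bundle changes detected"
            echo ":package: No bundle changes detected for ${GITHUB_REF_NAME}." >> "$GITHUB_STEP_SUMMARY"
            exit 0
          fi
          BRANCH="update-bundles-${GITHUB_REF_NAME}"
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git checkout -B "${BRANCH}"
          git add -A
          git commit -m "chore: update bundle dependencies for ${GITHUB_REF_NAME}"
          git push --force-with-lease origin "HEAD:refs/heads/${BRANCH}"
          PR_URL=$(gh pr create \
            --title "chore: update bundle dependencies for ${GITHUB_REF_NAME}" \
            --body "Automated bundle dependency update for release ${GITHUB_REF_NAME}.")
          gh pr merge --auto --rebase "${PR_URL}"
          echo "url=${PR_URL}" >> "$GITHUB_OUTPUT"
          echo ":package: Update Bundles PR: [${PR_URL##*/}](${PR_URL})" >> "$GITHUB_STEP_SUMMARY"

  # After a final release (tag without '-'): notify the docs repositories and
  # bump the Connect helm chart. The job's own GITHUB_TOKEN is read-only; the
  # cross-repository writes use a bot token fetched from AWS Secrets Manager.
  update-downstream:
    runs-on: ubuntu-latest
    needs: goreleaser
    if: github.event_name == 'push' && !contains(github.ref_name, '-')
    permissions:
      id-token: write
      contents: read
    outputs:
      helm_pr_url: ${{ steps.helm.outputs.url }}
    steps:
      - uses: aws-actions/configure-aws-credentials@v6
        with:
          aws-region: ${{ vars.RP_AWS_CRED_REGION }}
          role-to-assume: arn:aws:iam::${{ secrets.RP_AWS_CRED_ACCOUNT_ID }}:role/${{ vars.RP_AWS_CRED_BASE_ROLE_NAME }}${{ github.event.repository.name }}

      - uses: aws-actions/aws-secretsmanager-get-secrets@v3
        with:
          secret-ids: |
            ,sdlc/prod/github/actions_bot_token
          parse-json-secrets: true

      # Sends repository_dispatch events to the docs repositories.
      - name: Trigger docs updates
        env:
          GH_TOKEN: ${{ env.ACTIONS_BOT_TOKEN }}
        run: |
          gh api repos/redpanda-data/docs-ui/dispatches -f event_type=update-go-mod
          gh api repos/redpanda-data/rp-connect-docs/dispatches -f event_type=generate-rpcn-docs
          gh api repos/redpanda-data/rp-connect-docs/dispatches -f event_type=test-cookbook-examples

      # VERSION comes from the tag name and is spliced into a yq expression
      # and into sed replacement text, so it is checked against the X.Y.Z
      # shape those sed patterns already assume before anything else runs.
      # NOTE(review): the bot token is embedded in the clone URL, which git
      # stores as the remote URL in helm-charts/.git/config and which appears
      # in the git process arguments. A credential helper or an HTTP
      # auth-header configuration would keep it out of both.
      - name: Update helm chart and create PR
        id: helm
        env:
          GH_TOKEN: ${{ env.ACTIONS_BOT_TOKEN }}
        run: |
          VERSION="${GITHUB_REF_NAME#v}"
          if [[ ! "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
            echo "Refusing to bump helm chart: unexpected tag '${GITHUB_REF_NAME}'" >&2
            exit 1
          fi
          BRANCH="auto/bump-connect"
          git clone --depth 1 "https://x-access-token:${ACTIONS_BOT_TOKEN}@github.com/redpanda-data/helm-charts.git" helm-charts
          cd helm-charts
          CHART="charts/connect/Chart.yaml"
          CURRENT=$(yq '.version' "$CHART")
          CHART_VERSION="${CURRENT%.*}.$((${CURRENT##*.} + 1))"
          yq -i ".version = \"$CHART_VERSION\" | .appVersion = \"$VERSION\"" "$CHART"
          sed -Ei "s|connect:[0-9]+\.[0-9]+\.[0-9]+|connect:${VERSION}|" "$CHART"
          sed -Ei \
            -e "s|Version-[0-9]+\.[0-9]+\.[0-9]+|Version-${CHART_VERSION}|g" \
            -e "s|Version: [0-9]+\.[0-9]+\.[0-9]+|Version: ${CHART_VERSION}|g" \
            -e "s|AppVersion-[0-9]+\.[0-9]+\.[0-9]+|AppVersion-${VERSION}|g" \
            -e "s|AppVersion: [0-9]+\.[0-9]+\.[0-9]+|AppVersion: ${VERSION}|g" \
            charts/connect/README.md
          git config user.name "vbotbuildovich"
          git config user.email "62446873+vbotbuildovich@users.noreply.github.com"
          git checkout -B "$BRANCH"
          git add charts/connect/
          git commit -m "connect: bump version to $VERSION"
          git push -f origin "$BRANCH"
          BODY=$(printf 'Automated bump of Redpanda Connect to %s.\n\nUpdates:\n- `appVersion` → `%s`\n- Chart `version` → `%s`\n- ArtifactHub image tag → `connect:%s`\n' \
            "$VERSION" "$VERSION" "$CHART_VERSION" "$VERSION")
          EXISTING_PR=$(gh pr list --repo redpanda-data/helm-charts --head "$BRANCH" --json number,url -q '.[0]')
          if [ -n "$EXISTING_PR" ]; then
            PR_NUMBER=$(echo "$EXISTING_PR" | jq -r '.number')
            PR_URL=$(echo "$EXISTING_PR" | jq -r '.url')
            gh pr edit "$PR_NUMBER" --repo redpanda-data/helm-charts \
              --title "connect: bump version to $VERSION" \
              --body "$BODY"
          else
            PR_URL=$(gh pr create --repo redpanda-data/helm-charts \
              --title "connect: bump version to $VERSION" \
              --body "$BODY" \
              --base main \
              --head "$BRANCH")
          fi
          echo "url=${PR_URL}" >> "$GITHUB_OUTPUT"
          echo ":helm: Update Helm Chart PR: [${PR_URL##*/}](${PR_URL})" >> "$GITHUB_STEP_SUMMARY"

  # Posts the release notes and the status of the follow-up jobs to Slack for
  # tags ending in '.0' that are not release candidates.
  notify-slack:
    runs-on: ubuntu-latest
    needs: [goreleaser, update-bundles, update-downstream]
    # always() is required because update-bundles/update-downstream may be skipped
    # (pre-release/RC), and by default a skipped dependency skips this job too.
    if: always() && github.event_name == 'push' && endsWith(github.ref_name, '.0') && !contains(github.ref_name, '-rc')
    permissions:
      contents: read
    steps:
      # Job outputs and results are passed in through `env:`. The repository,
      # server URL and tag name are likewise read from the runner-provided
      # GITHUB_* variables instead of `${{ }}` expansions inside the script,
      # so none of them is ever parsed as shell code.
      - name: Get release info
        id: release
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          BUNDLE_PR: ${{ needs.update-bundles.outputs.pr_url }}
          HELM_PR: ${{ needs.update-downstream.outputs.helm_pr_url }}
          GORELEASER_RESULT: ${{ needs.goreleaser.result }}
          BUNDLES_RESULT: ${{ needs.update-bundles.result }}
          DOWNSTREAM_RESULT: ${{ needs.update-downstream.result }}
        run: |
          # Build follow-up PR links and failure notices
          LINKS=""
          FAILURES=""
          if [ -n "$BUNDLE_PR" ]; then
            LINKS="${LINKS}:package: <${BUNDLE_PR}|Bundles PR> "
          fi
          if [ -n "$HELM_PR" ]; then
            LINKS="${LINKS}:helm: <${HELM_PR}|Helm Chart PR> "
          fi
          if [ "$GORELEASER_RESULT" = "failure" ]; then
            FAILURES="${FAILURES}:red_circle: goreleaser failed "
          fi
          if [ "$BUNDLES_RESULT" = "failure" ]; then
            FAILURES="${FAILURES}:red_circle: update-bundles failed "
          fi
          if [ "$DOWNSTREAM_RESULT" = "failure" ]; then
            FAILURES="${FAILURES}:red_circle: update-downstream failed "
          fi
          HEADER_ICON=":green_alert:"
          if [ -n "$FAILURES" ]; then
            HEADER_ICON=":red_circle:"
          fi
          RELEASE_URL=""
          BODY=""
          # Fetch the release; on failure URL and body stay empty.
          if RELEASE_JSON=$(gh api "repos/${GITHUB_REPOSITORY}/releases/tags/${GITHUB_REF_NAME}" 2>/dev/null); then
            RELEASE_URL=$(echo "$RELEASE_JSON" | jq -r '.html_url')
            echo "$RELEASE_JSON" | jq -r '.body' | tr -d '\r' > "$RUNNER_TEMP/release_body.md"
            # Convert Markdown headings, links and list labels to Slack mrkdwn.
            sed -i -E \
              -e 's/^### (.*)$/*\1*/' \
              -e 's/\[([^]]*)\]\(([^)]*)\)/<\2|\1>/g' \
              -e 's/^(- )([^:]+):/\1*\2*:/' \
              "$RUNNER_TEMP/release_body.md"
            BODY=$(cat "$RUNNER_TEMP/release_body.md")
          fi
          VERSION="${GITHUB_REF_NAME}"
          COMPARE_URL="${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/compare/${GITHUB_REF_NAME}"
          STATUS="${FAILURES}${LINKS}"
          # Values enter the payload through --arg, so jq JSON-encodes them.
          jq -n \
            --arg body "$BODY" \
            --arg release_url "$RELEASE_URL" \
            --arg version "$VERSION" \
            --arg compare_url "$COMPARE_URL" \
            --arg header_icon "$HEADER_ICON" \
            --arg status "$STATUS" \
            '{
              text: ("New Redpanda Connect release: " + $version),
              unfurl_links: false,
              unfurl_media: false,
              blocks: [
                {type: "header", text: {type: "plain_text", text: ($header_icon + " Redpanda Connect " + $version), emoji: true}},
                {type: "section", text: {type: "mrkdwn", text: ("*Release:* <" + $release_url + "|" + $version + ">")}},
                {type: "divider"},
                {type: "section", text: {type: "mrkdwn", text: $body}},
                {type: "section", text: {type: "mrkdwn", text: $status}},
                {type: "actions", elements: [
                  {type: "button", text: {type: "plain_text", text: ":github: View Release", emoji: true}, url: $release_url},
                  {type: "button", text: {type: "plain_text", text: ":page_facing_up: Full Changelog", emoji: true}, url: $compare_url}
                ]}
              ]
            }' > "$RUNNER_TEMP/slack_payload.json"

      - name: Post changelog to Slack
        uses: slackapi/slack-github-action@v3.0.1
        with:
          webhook: ${{ secrets.SLACK_WEBHOOK_URL }}
          webhook-type: incoming-webhook
          payload-file-path: ${{ runner.temp }}/slack_payload.json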