-
Notifications
You must be signed in to change notification settings - Fork 15
375 lines (330 loc) · 15.6 KB
/
Copy pathpublish-new-release.yml
File metadata and controls
375 lines (330 loc) · 15.6 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
name: Publish New Release to GitHub
on:
pull_request:
branches:
- main
types:
- closed
env:
NODE_OPTIONS: '--no-warnings'
permissions:
contents: read
jobs:
get-release-inputs:
name: Get Release Inputs
runs-on: [self-hosted, Linux, X64]
permissions:
contents: read # to read repository contents
outputs:
trigger_source: ${{ steps.set-outputs.outputs.trigger_source }}
release_version: ${{ steps.extract-release-info.outputs.release_version }}
release_ticket_id: ${{ steps.extract-release-info.outputs.release_ticket_id }}
steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
egress-policy: audit
- name: Set outputs
id: set-outputs
env:
PR_HTML_URL: ${{ github.event.pull_request.html_url }}
PR_NUMBER: ${{ github.event.pull_request.number }}
SERVER_URL: ${{ github.server_url }}
ACTOR: ${{ github.actor }}
run: echo "trigger_source=PR <${PR_HTML_URL}|#${PR_NUMBER}> merged by <${SERVER_URL}/${ACTOR}|${ACTOR}>" >> $GITHUB_OUTPUT
- name: Extract release info from branch
id: extract-release-info
if: startsWith(github.event.pull_request.head.ref, 'release/') || startsWith(github.event.pull_request.head.ref, 'hotfix-release/')
env:
BRANCH_NAME: ${{ github.event.pull_request.head.ref }}
run: |
branch_name="${BRANCH_NAME}"
echo "Branch name: $branch_name"
# Extract version and ticket from branch name (format: release/3.2.1-SDK-1234 or hotfix-release/3.2.2-SDK-5678)
version=$(echo "$branch_name" | sed -n 's|.*\/\([0-9]\+\.[0-9]\+\.[0-9]\+\)-.*|\1|p')
ticket=$(echo "$branch_name" | sed -n 's|.*-\([^-]*\)$|\1|p')
echo "Extracted version: $version"
echo "Extracted ticket: $ticket"
echo "release_version=$version" >> $GITHUB_OUTPUT
echo "release_ticket_id=$ticket" >> $GITHUB_OUTPUT
release:
name: Publish new release
needs: [get-release-inputs]
# For publishing GitHub release, we need to only use the GitHub hosted runners
runs-on: ubuntu-latest
permissions:
contents: read # to checkout repository code
# only merged pull requests must trigger this job
if: >
(startsWith(github.event.pull_request.head.ref, 'release/') ||
startsWith(github.event.pull_request.head.ref, 'hotfix-release/')) &&
github.event.pull_request.merged == true
steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
egress-policy: audit
- name: Generate GitHub App Token
id: generate-token
uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
with:
app-id: ${{ vars.RELEASE_APP_ID }}
private-key: ${{ secrets.RELEASE_PRIVATE_KEY }}
permission-contents: write # to create commits, tags, and releases
permission-pull-requests: write # to create and update PRs
- name: Extract version from branch name (for release branches)
id: extract-version
env:
BRANCH_NAME_REF: ${{ github.event.pull_request.head.ref }}
run: |
BRANCH_NAME="${BRANCH_NAME_REF}"
VERSION=${BRANCH_NAME#hotfix-}
VERSION=${VERSION#release/}
# Extract the ticket ID (case-insensitive match for -SDK-<ticket_number>)
RELEASE_TICKET_ID=$(echo "$BRANCH_NAME" | grep -oE '[sS][dD][kK]-[0-9]+')
echo "release_ticket_id=$RELEASE_TICKET_ID" >> $GITHUB_OUTPUT
# Remove the -SDK-<ticket_number> suffix case insensitively
VERSION=$(echo "$VERSION" | awk '{sub(/-[sS][dD][kK]-[0-9]+$/, ""); print}')
echo "release_version=$VERSION" >> $GITHUB_OUTPUT
- name: Checkout
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
fetch-depth: 0
ref: ${{ github.sha }}
token: ${{ steps.generate-token.outputs.token }}
# Annotated tag object (unsigned) + ref. GitHub's Git Data API for `POST /git/tags`
# does not accept a signature in its payload; producing a signed tag would require
# running `git tag -s` locally with a signing key provisioned as a workflow secret,
# which is out of scope. Accepted tradeoff: tag object shows "Unverified" while
# the target release-merge commit remains verified.
#
# Idempotence: if the tag already exists on origin, dereference it and only exit 0
# when it already points at the current COMMIT_SHA. If it points elsewhere, fail
# loudly — re-running this job after a partial failure should not silently leave
# a mispointed tag in place.
- name: Create monorepo release tag via API
id: create_monorepo_release
env:
GH_TOKEN: ${{ steps.generate-token.outputs.token }}
RELEASE_VERSION: ${{ steps.extract-version.outputs.release_version }}
REPO: ${{ github.repository }}
COMMIT_SHA: ${{ github.sha }}
run: |
encoded=$(printf '%s' "v${RELEASE_VERSION}" | jq -sRr @uri)
if existing_ref=$(gh api "repos/${REPO}/git/ref/tags/${encoded}" 2>/dev/null); then
existing_type=$(printf '%s' "$existing_ref" | jq -r '.object.type')
existing_obj=$(printf '%s' "$existing_ref" | jq -r '.object.sha')
if [ "$existing_type" = "tag" ]; then
existing_commit=$(gh api "repos/${REPO}/git/tags/${existing_obj}" --jq '.object.sha')
else
existing_commit="$existing_obj"
fi
if [ "$existing_commit" = "$COMMIT_SHA" ]; then
echo "Tag v${RELEASE_VERSION} already points at ${COMMIT_SHA}, nothing to do"
exit 0
fi
echo "::error::Tag v${RELEASE_VERSION} exists on origin but points at ${existing_commit} (expected ${COMMIT_SHA})"
exit 1
fi
tag_obj_sha=$(gh api --method POST "repos/${REPO}/git/tags" \
-f "tag=v${RELEASE_VERSION}" \
-f "message=chore(monorepo): release v${RELEASE_VERSION}" \
-f "object=${COMMIT_SHA}" \
-f "type=commit" \
--jq '.sha')
gh api --method POST "repos/${REPO}/git/refs" \
-f "ref=refs/tags/v${RELEASE_VERSION}" \
-f "sha=${tag_obj_sha}"
- name: Setup Node
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
with:
node-version-file: '.nvmrc'
cache: 'npm'
- name: Setup workspace
env:
HUSKY: 0
run: |
npm run setup:deps
- name: Get the two latest versions
run: |
CURRENT_VERSION=$(git tag -l "v3*" --sort=-version:refname | head -n 1)
LAST_VERSION=$(git tag -l "v3*" --sort=-version:refname | head -n 2 | awk 'NR == 2 { print $1 }')
echo "Current version: $CURRENT_VERSION"
echo "Previous version: $LAST_VERSION"
echo "current_monorepo_version=$(echo $CURRENT_VERSION)" >> $GITHUB_ENV
echo "last_monorepo_version=$(echo $LAST_VERSION)" >> $GITHUB_ENV
echo "DATE=$(date)" >> $GITHUB_ENV
- name: Create GitHub releases
id: create_release
continue-on-error: true
env:
HUSKY: 0
GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
run: |
# The default behavior of Nx is to consider changes to package-lock.json
# as impacting all the packages.
# Here is a work around to ignore package-lock.json and package.json
# files before publishing the releases.
# Ref: https://github.com/nrwl/nx/issues/15116#issuecomment-1535260119
echo package-lock.json >> .nxignore
echo package.json >> .nxignore
npm run release:github -- --base=${{ env.last_monorepo_version }} --head=${{ env.current_monorepo_version }}
# Restore working copy
git checkout -- .nxignore
- name: Mark analytics-js as latest release
id: mark_latest_release
continue-on-error: true
env:
GH_TOKEN: ${{ steps.generate-token.outputs.token }}
run: |
# Get the analytics-js package version from package.json
ANALYTICS_JS_VERSION=$(jq -r '.version' packages/analytics-js/package.json)
RELEASE_TAG="@rudderstack/analytics-js@${ANALYTICS_JS_VERSION}"
echo "Looking for release: $RELEASE_TAG"
# Wait for the release to be available and retry up to 10 times
for i in {1..10}; do
echo "Attempt $i: Checking if release $RELEASE_TAG exists..."
if gh release view "$RELEASE_TAG" > /dev/null 2>&1; then
echo "Release found! Marking $RELEASE_TAG as latest..."
if gh release edit "$RELEASE_TAG" --latest; then
echo "Successfully marked $RELEASE_TAG as the latest release"
exit 0
else
echo "Failed to mark release as latest, but release exists"
exit 1
fi
else
echo "Release $RELEASE_TAG not found yet, waiting 10 seconds..."
sleep 10
fi
done
echo "ERROR: Release $RELEASE_TAG was not found after 10 attempts"
- name: Create pull request into develop
if: always()
continue-on-error: true
env:
GH_TOKEN: ${{ steps.generate-token.outputs.token }}
run: |
pr_title="chore(release): merge main into develop after release v${{ steps.extract-version.outputs.release_version }} [${{ steps.extract-version.outputs.release_ticket_id }}]"
# Create PR body with proper formatting
cat > pr_body.md << EOF
:crown: **Automated Post-Release PR**
This pull request was created automatically by the GitHub Actions workflow. It merges changes from the \`main\` branch into the \`develop\` branch after a release has been completed.
This ensures that the \`develop\` branch stays up to date with all release-related changes from the \`main\` branch.
### Details
- **Monorepo Release Version**: v${{ steps.extract-version.outputs.release_version }}
- **Related Ticket**: [${{ steps.extract-version.outputs.release_ticket_id }}](https://linear.app/rudderstack/issue/${{ steps.extract-version.outputs.release_ticket_id }})
---
Please review and merge it before closing the release ticket. :rocket:
EOF
# Create the PR using GitHub CLI
gh pr create \
--base develop \
--head main \
--title "$pr_title" \
--body-file pr_body.md
- name: Get Job URL
id: get-job-url
continue-on-error: true
uses: ./.github/actions/get-job-url
- name: Send message to Slack channel
id: slack
if: always()
continue-on-error: true
uses: slackapi/slack-github-action@45a88b9581bfab2566dc881e2cd66d334e621e2c # v3.0.3
env:
PROJECT_NAME: 'JS SDK Monorepo'
TAG_COMPARE_URL: 'https://github.com/rudderlabs/rudder-sdk-js/compare/'
RELEASES_URL: 'https://github.com/rudderlabs/rudder-sdk-js/releases/tag/'
GITHUB_RUN_URL: ${{ steps.get-job-url.outputs.job_url }}
ACTOR_URL: ${{ format('{0}/{1}', github.server_url, github.actor) }}
ACTOR: ${{ github.actor }}
with:
method: chat.postMessage
payload-templated: true
retries: rapid
token: ${{ secrets.SLACK_BOT_TOKEN }}
payload: |
{
"channel": "${{ secrets.SLACK_RELEASE_CHANNEL_ID }}",
"text": "*:rocket: New Release - ${{ env.PROJECT_NAME }} - <${{ env.TAG_COMPARE_URL }}${{ env.last_monorepo_version }}...v${{ steps.extract-version.outputs.release_version }}|v${{ steps.extract-version.outputs.release_version }}>*\n${{ env.DATE }}\nCC: <!subteam^S0555JBV36D> <!subteam^S03SHJ20350>",
"blocks": [
{
"type": "header",
"text": {
"type": "plain_text",
"text": ":rocket: New Release - ${{ env.PROJECT_NAME }}"
}
},
{
"type": "divider"
},
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": "*<${{ env.TAG_COMPARE_URL }}${{ env.last_monorepo_version }}...v${{ steps.extract-version.outputs.release_version }}|v${{ steps.extract-version.outputs.release_version }}>*\n${{ env.DATE }}\nCC: <!subteam^S0555JBV36D> <!subteam^S03SW7DM8P3> <!subteam^S03SHJ20350>"
},
"accessory": {
"type": "image",
"image_url": "https://github.githubassets.com/images/modules/logos_page/GitHub-Mark.png",
"alt_text": "GitHub Icon"
}
},
{
"type": "context",
"elements": [
{
"type": "mrkdwn",
"text": ":boom: ${{ needs.get-release-inputs.outputs.trigger_source }}"
},
{
"type": "mrkdwn",
"text": ":gear: <${{ env.GITHUB_RUN_URL }}|View workflow run details>"
},
{
"type": "mrkdwn",
"text": "For more details, check the full release notes <${{ env.RELEASES_URL }}v${{ steps.extract-version.outputs.release_version }}|here>."
}
]
}
]
}
publish-npm-packages:
needs: [get-release-inputs, release]
name: Publish packages to NPM
permissions:
contents: read # to checkout repository code
id-token: write # to allow reusable workflow to request OIDC token for NPM provenance
uses: ./.github/workflows/deploy-npm.yml
with:
trigger_source: ${{ needs.get-release-inputs.outputs.trigger_source }}
monorepo_release_version: ${{ needs.get-release-inputs.outputs.release_version }}
release_ticket_id: ${{ needs.get-release-inputs.outputs.release_ticket_id }}
secrets:
RS_PROD_BUGSNAG_API_KEY: ${{ secrets.RS_PROD_BUGSNAG_API_KEY }}
SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
SLACK_RELEASE_CHANNEL_ID: ${{ secrets.SLACK_RELEASE_CHANNEL_ID }}
deprecate-closed-pr-betas:
needs: [publish-npm-packages]
name: Deprecate Beta NPM Packages from Closed PRs
runs-on: [self-hosted, Linux, X64]
continue-on-error: true
permissions:
contents: read
steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
egress-policy: audit
- name: Checkout
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
- name: Run beta package deprecation
continue-on-error: true
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
GITHUB_REPOSITORY: ${{ github.repository }}
run: |
chmod +x scripts/deprecate-beta-packages.sh
./scripts/deprecate-beta-packages.sh