name: Cut Release on: workflow_dispatch jobs: check-requirements: name: Check Requirements runs-on: ubuntu-latest environment: release-check steps: - name: Check For Admin Permission uses: actions-cool/check-user-permission@v2 with: require: admin username: ${{ github.triggering_actor }} - name: Check Repository run: | if [ "${{ vars.RUN_RELEASE_BUILDS }}" = "1" ]; then MSG="Running workflow because RUN_RELEASE_BUILDS=1" echo "${MSG}" echo "${MSG}" >> "${GITHUB_STEP_SUMMARY}" exit 0 fi echo "Trying to run the release workflow from repository ${{ github.repository }}" if [ "${{ github.repository }}" != "saltstack/salt-bootstrap" ]; then MSG="Running the release workflow from the ${{ github.repository }} repository is not allowed" echo "${MSG}" echo "${MSG}" >> "${GITHUB_STEP_SUMMARY}" MSG="Allowed repository: saltstack/salt-bootstrap" echo "${MSG}" echo "${MSG}" >> "${GITHUB_STEP_SUMMARY}" exit 1 else MSG="Allowed to release from repository ${{ github.repository }}" echo "${MSG}" echo "${MSG}" >> "${GITHUB_STEP_SUMMARY}" fi - name: Check Branch run: | echo "Trying to run the release workflow from branch ${{ github.ref_name }}" if [ "${{ github.ref_name }}" != "develop" ]; then echo "Running the release workflow from the ${{ github.ref_name }} branch is not allowed" echo "Allowed branches: develop" exit 1 else echo "Allowed to release from branch ${{ github.ref_name }}" fi update-develop: name: Update CHANGELOG.md and bootstrap-salt.sh runs-on: - self-hosted - linux - repo-release permissions: contents: write # To be able to publish the release environment: release needs: - check-requirements outputs: release-version: ${{ steps.update-repo.outputs.release-version }} steps: - uses: actions/checkout@v3 with: ref: develop repository: ${{ github.repository }} ssh-key: ${{ secrets.SALT_BOOTSTRAP_RELEASE_KEY }} - name: Install Requirements run: | python3 -m pip install -r requirements/release.txt pre-commit install --install-hooks - name: Setup GnuPG run: | sudo install -d -m 0700 -o "$(id -u)" -g "$(id -g)" /run/gpg GNUPGHOME="$(mktemp -d -p /run/gpg)" echo "GNUPGHOME=${GNUPGHOME}" >> "$GITHUB_ENV" cat < "${GNUPGHOME}/gpg.conf" batch no-tty pinentry-mode loopback EOF - name: Get Secrets id: get-secrets env: SECRETS_KEY: ${{ secrets.SECRETS_KEY }} run: | SECRETS_KEY_FILE=$(mktemp /tmp/output.XXXXXXXXXX) echo "$SECRETS_KEY" > "$SECRETS_KEY_FILE" aws --region us-west-2 secretsmanager get-secret-value --secret-id /cmbu-saltstack/signing/repo-signing-keys-sha256-2023 \ --query SecretString --output text | jq .default_key -r | base64 -d \ | gpg --passphrase-file "${SECRETS_KEY_FILE}" -d - \ | gpg --import - sync aws --region us-west-2 secretsmanager get-secret-value --secret-id /cmbu-saltstack/signing/repo-signing-keys-sha256-2023 \ --query SecretString --output text| jq .default_passphrase -r | base64 -d \ | gpg --passphrase-file "${SECRETS_KEY_FILE}" -o "${GNUPGHOME}/passphrase" -d - sync rm "$SECRETS_KEY_FILE" echo "passphrase-file ${GNUPGHOME}/passphrase" >> "${GNUPGHOME}/gpg.conf" - name: Configure Git shell: bash run: | git config --global --add safe.directory "$(pwd)" git config --global user.name "Salt Project Packaging" git config --global user.email saltproject-packaging@vmware.com git config --global user.signingkey 64CBBC8173D76B3F git config --global commit.gpgsign true - name: Update Repository id: update-repo env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | python3 .github/workflows/scripts/cut-release.py --repo ${{ github.repository }} - name: Show Changes run: | git status git diff - name: Commit Changes run: | git commit -am "Update develop branch for the ${{ steps.update-repo.outputs.release-version }} release" || \ git commit -am "Update develop branch for the ${{ steps.update-repo.outputs.release-version }} release" - name: Push Changes uses: ad-m/github-push-action@b87afee92c6e70ea888be6203a3e9426fda49839 with: ssh: true atomic: true branch: develop repository: ${{ github.repository }} - name: Upload Release Details uses: actions/upload-artifact@v3 with: name: release-details path: | .cut_release_version .cut_release_changes merge-develop-into-stable: name: Merge develop into stable runs-on: - self-hosted - linux - repo-release needs: - update-develop environment: release permissions: contents: write # To be able to publish the release steps: - uses: actions/checkout@v3 with: ref: stable repository: ${{ github.repository }} ssh-key: ${{ secrets.SALT_BOOTSTRAP_RELEASE_KEY }} fetch-depth: 0 - name: Setup GnuPG run: | sudo install -d -m 0700 -o "$(id -u)" -g "$(id -g)" /run/gpg GNUPGHOME="$(mktemp -d -p /run/gpg)" echo "GNUPGHOME=${GNUPGHOME}" >> "$GITHUB_ENV" cat < "${GNUPGHOME}/gpg.conf" batch no-tty pinentry-mode loopback EOF - name: Get Secrets id: get-secrets env: SECRETS_KEY: ${{ secrets.SECRETS_KEY }} run: | SECRETS_KEY_FILE=$(mktemp /tmp/output.XXXXXXXXXX) echo "$SECRETS_KEY" > "$SECRETS_KEY_FILE" aws --region us-west-2 secretsmanager get-secret-value --secret-id /cmbu-saltstack/signing/repo-signing-keys-sha256-2023 \ --query SecretString --output text | jq .default_key -r | base64 -d \ | gpg --passphrase-file "${SECRETS_KEY_FILE}" -d - \ | gpg --import - sync aws --region us-west-2 secretsmanager get-secret-value --secret-id /cmbu-saltstack/signing/repo-signing-keys-sha256-2023 \ --query SecretString --output text| jq .default_passphrase -r | base64 -d \ | gpg --passphrase-file "${SECRETS_KEY_FILE}" -o "${GNUPGHOME}/passphrase" -d - sync rm "$SECRETS_KEY_FILE" echo "passphrase-file ${GNUPGHOME}/passphrase" >> "${GNUPGHOME}/gpg.conf" - name: Configure Git shell: bash run: | git config --global --add safe.directory "$(pwd)" git config --global user.name "Salt Project Packaging" git config --global user.email saltproject-packaging@vmware.com git config --global user.signingkey 64CBBC8173D76B3F git config --global commit.gpgsign true - name: Download Release Details uses: actions/download-artifact@v3 with: name: release-details - name: Merge develop into stable run: | git merge --no-ff -m "Merge develop into stable for ${{ needs.update-develop.outputs.release-version }} release" origin/develop || touch .git-conflicts if [ -f .git-conflicts ] then git diff for f in $(git status | grep 'both modified' | awk '{ print $3 }') do git checkout --theirs "$f" pre-commit run -av --files "$f" git add "$f" done git commit -a -m "Merge develop into stable for ${{ needs.update-develop.outputs.release-version }} release(auto resolving conflicts to the develop version)" fi - name: Tag The ${{ needs.update-develop.outputs.release-version }} Release run: | git tag -m "Release ${{ needs.update-develop.outputs.release-version }}" -as ${{ needs.update-develop.outputs.release-version }} - name: Update bootstrap-salt.sh sha256sum's run: | sha256sum bootstrap-salt.sh | awk '{ print $1 }' > bootstrap-salt.sh.sha256 sha256sum bootstrap-salt.ps1 | awk '{ print $1 }' > bootstrap-salt.ps1.sha256 git commit -a -m "Update sha256 checksums" || git commit -a -m "Update sha256 checksums" - name: Push Changes uses: ad-m/github-push-action@b87afee92c6e70ea888be6203a3e9426fda49839 with: ssh: true tags: true atomic: true branch: stable repository: ${{ github.repository }} publish-release: name: Create GitHub Release runs-on: - self-hosted - linux needs: - merge-develop-into-stable environment: release permissions: contents: write # To be able to publish the release steps: - uses: actions/checkout@v3 with: ref: stable repository: ${{ github.repository }} ssh-key: ${{ secrets.SALT_BOOTSTRAP_RELEASE_KEY }} - name: Download Release Details uses: actions/download-artifact@v3 with: name: release-details - name: Update Environment run: | CUT_RELEASE_VERSION=$(cat .cut_release_version) echo "CUT_RELEASE_VERSION=${CUT_RELEASE_VERSION}" >> "$GITHUB_ENV" - name: Create Github Release uses: softprops/action-gh-release@v1 with: name: ${{ env.CUT_RELEASE_VERSION }} tag_name: ${{ env.CUT_RELEASE_VERSION }} body_path: .cut_release_changes target_commitish: stable draft: false prerelease: false generate_release_notes: false files: | bootstrap-salt.sh bootstrap-salt.sh.sha256 bootstrap-salt.ps1 bootstrap-salt.ps1.sha256 LICENSE - name: Delete Release Details Artifact uses: geekyeggo/delete-artifact@v2 with: name: release-details failOnError: false update-s3-bucket: name: Update S3 Bucket runs-on: - self-hosted - linux - repo-release needs: - publish-release environment: release steps: - uses: actions/checkout@v3 with: ref: stable repository: ${{ github.repository }} ssh-key: ${{ secrets.SALT_BOOTSTRAP_RELEASE_KEY }} - name: Get Salt Project GitHub Actions Bot Environment run: | TOKEN=$(curl -sS -f -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 30") SPB_ENVIRONMENT=$(curl -sS -f -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/tags/instance/spb:environment) echo "SPB_ENVIRONMENT=$SPB_ENVIRONMENT" >> "$GITHUB_ENV" - name: Setup GnuPG run: | sudo install -d -m 0700 -o "$(id -u)" -g "$(id -g)" /run/gpg GNUPGHOME="$(mktemp -d -p /run/gpg)" echo "GNUPGHOME=${GNUPGHOME}" >> "$GITHUB_ENV" cat < "${GNUPGHOME}/gpg.conf" batch no-tty pinentry-mode loopback EOF - name: Get Secrets id: get-secrets env: SECRETS_KEY: ${{ secrets.SECRETS_KEY }} run: | SECRETS_KEY_FILE=$(mktemp /tmp/output.XXXXXXXXXX) echo "$SECRETS_KEY" > "$SECRETS_KEY_FILE" aws --region us-west-2 secretsmanager get-secret-value --secret-id /cmbu-saltstack/signing/repo-signing-keys-sha256-2023 \ --query SecretString --output text | jq .default_key -r | base64 -d \ | gpg --passphrase-file "${SECRETS_KEY_FILE}" -d - \ | gpg --import - sync aws --region us-west-2 secretsmanager get-secret-value --secret-id /cmbu-saltstack/signing/repo-signing-keys-sha256-2023 \ --query SecretString --output text| jq .default_passphrase -r | base64 -d \ | gpg --passphrase-file "${SECRETS_KEY_FILE}" -o "${GNUPGHOME}/passphrase" -d - sync rm "$SECRETS_KEY_FILE" echo "passphrase-file ${GNUPGHOME}/passphrase" >> "${GNUPGHOME}/gpg.conf" - name: Install Requirements run: | python3 -m pip install -r requirements/release.txt - name: Upload Stable Release to S3 run: | tools release s3-publish --key-id 64CBBC8173D76B3F stable update-develop-checksums: name: Update Release Checksums on Develop runs-on: - self-hosted - linux - repo-release needs: - publish-release environment: release permissions: contents: write # For action peter-evans/create-pull-request pull-requests: write # For action peter-evans/create-pull-request steps: - uses: actions/checkout@v3 with: ref: stable repository: ${{ github.repository }} ssh-key: ${{ secrets.SALT_BOOTSTRAP_RELEASE_KEY }} - name: Get bootstrap-salt.sh on stable branch sha256sum run: | echo "SH=$(sha256sum bootstrap-salt.sh | awk '{ print $1 }')" >> "$GITHUB_ENV" echo "BS_VERSION=$(sh bootstrap-salt.sh -v | awk '{ print $4 }')" >> "$GITHUB_ENV" - uses: actions/checkout@v3 with: ref: develop repository: ${{ github.repository }} ssh-key: ${{ secrets.SALT_BOOTSTRAP_RELEASE_KEY }} - name: Setup GnuPG run: | sudo install -d -m 0700 -o "$(id -u)" -g "$(id -g)" /run/gpg GNUPGHOME="$(mktemp -d -p /run/gpg)" echo "GNUPGHOME=${GNUPGHOME}" >> "$GITHUB_ENV" cat < "${GNUPGHOME}/gpg.conf" batch no-tty pinentry-mode loopback EOF - name: Get Secrets id: get-secrets env: SECRETS_KEY: ${{ secrets.SECRETS_KEY }} run: | SECRETS_KEY_FILE=$(mktemp /tmp/output.XXXXXXXXXX) echo "$SECRETS_KEY" > "$SECRETS_KEY_FILE" aws --region us-west-2 secretsmanager get-secret-value --secret-id /cmbu-saltstack/signing/repo-signing-keys-sha256-2023 \ --query SecretString --output text | jq .default_key -r | base64 -d \ | gpg --passphrase-file "${SECRETS_KEY_FILE}" -d - \ | gpg --import - sync aws --region us-west-2 secretsmanager get-secret-value --secret-id /cmbu-saltstack/signing/repo-signing-keys-sha256-2023 \ --query SecretString --output text| jq .default_passphrase -r | base64 -d \ | gpg --passphrase-file "${SECRETS_KEY_FILE}" -o "${GNUPGHOME}/passphrase" -d - sync rm "$SECRETS_KEY_FILE" echo "passphrase-file ${GNUPGHOME}/passphrase" >> "${GNUPGHOME}/gpg.conf" - name: Configure Git shell: bash run: | git config --global --add safe.directory "$(pwd)" git config --global user.name "Salt Project Packaging" git config --global user.email saltproject-packaging@vmware.com git config --global user.signingkey 64CBBC8173D76B3F git config --global commit.gpgsign true - name: Update Latest Release on README run: | python3 .github/workflows/scripts/update-release-shasum.py ${{ env.BS_VERSION }} ${{ env.SH }} - name: Show Changes run: | git status git diff - name: Commit Changes run: | git commit -am "Update README.rst with ${{ env.BS_VERSION }} release sha256sum" || \ git commit -am "Update README.rst with ${{ env.BS_VERSION }} release sha256sum" - name: Push Changes uses: ad-m/github-push-action@b87afee92c6e70ea888be6203a3e9426fda49839 with: ssh: true atomic: true branch: develop repository: ${{ github.repository }}