mirror of
https://github.com/saltstack/salt-bootstrap.git
synced 2025-04-10 06:41:41 +00:00
446 lines
16 KiB
YAML
446 lines
16 KiB
YAML
name: Cut Release
|
|
|
|
on: workflow_dispatch
|
|
|
|
jobs:
|
|
|
|
check-requirements:
|
|
name: Check Requirements
|
|
runs-on: ubuntu-latest
|
|
environment: release-check
|
|
steps:
|
|
- name: Check For Admin Permission
|
|
uses: actions-cool/check-user-permission@v2
|
|
with:
|
|
require: admin
|
|
username: ${{ github.triggering_actor }}
|
|
|
|
- name: Check Repository
|
|
run: |
|
|
if [ "${{ vars.RUN_RELEASE_BUILDS }}" = "1" ]; then
|
|
MSG="Running workflow because RUN_RELEASE_BUILDS=1"
|
|
echo "${MSG}"
|
|
echo "${MSG}" >> "${GITHUB_STEP_SUMMARY}"
|
|
exit 0
|
|
fi
|
|
echo "Trying to run the release workflow from repository ${{ github.repository }}"
|
|
if [ "${{ github.repository }}" != "saltstack/salt-bootstrap" ]; then
|
|
MSG="Running the release workflow from the ${{ github.repository }} repository is not allowed"
|
|
echo "${MSG}"
|
|
echo "${MSG}" >> "${GITHUB_STEP_SUMMARY}"
|
|
MSG="Allowed repository: saltstack/salt-bootstrap"
|
|
echo "${MSG}"
|
|
echo "${MSG}" >> "${GITHUB_STEP_SUMMARY}"
|
|
exit 1
|
|
else
|
|
MSG="Allowed to release from repository ${{ github.repository }}"
|
|
echo "${MSG}"
|
|
echo "${MSG}" >> "${GITHUB_STEP_SUMMARY}"
|
|
fi
|
|
|
|
- name: Check Branch
|
|
run: |
|
|
echo "Trying to run the release workflow from branch ${{ github.ref_name }}"
|
|
if [ "${{ github.ref_name }}" != "develop" ]; then
|
|
echo "Running the release workflow from the ${{ github.ref_name }} branch is not allowed"
|
|
echo "Allowed branches: develop"
|
|
exit 1
|
|
else
|
|
echo "Allowed to release from branch ${{ github.ref_name }}"
|
|
fi
|
|
|
|
update-develop:
|
|
name: Update CHANGELOG.md and bootstrap-salt.sh
|
|
runs-on:
|
|
- self-hosted
|
|
- linux
|
|
- repo-release
|
|
permissions:
|
|
contents: write # To be able to publish the release
|
|
environment: release
|
|
needs:
|
|
- check-requirements
|
|
outputs:
|
|
release-version: ${{ steps.update-repo.outputs.release-version }}
|
|
steps:
|
|
- uses: actions/checkout@v3
|
|
with:
|
|
ref: develop
|
|
repository: ${{ github.repository }}
|
|
ssh-key: ${{ secrets.SALT_BOOTSTRAP_RELEASE_KEY }}
|
|
|
|
- name: Install Requirements
|
|
run: |
|
|
python3 -m pip install -r requirements/release.txt
|
|
pre-commit install --install-hooks
|
|
|
|
- name: Setup GnuPG
|
|
run: |
|
|
sudo install -d -m 0700 -o "$(id -u)" -g "$(id -g)" /run/gpg
|
|
GNUPGHOME="$(mktemp -d -p /run/gpg)"
|
|
echo "GNUPGHOME=${GNUPGHOME}" >> "$GITHUB_ENV"
|
|
cat <<EOF > "${GNUPGHOME}/gpg.conf"
|
|
batch
|
|
no-tty
|
|
pinentry-mode loopback
|
|
EOF
|
|
|
|
- name: Get Secrets
|
|
id: get-secrets
|
|
env:
|
|
SECRETS_KEY: ${{ secrets.SECRETS_KEY }}
|
|
run: |
|
|
SECRETS_KEY_FILE=$(mktemp /tmp/output.XXXXXXXXXX)
|
|
echo "$SECRETS_KEY" > "$SECRETS_KEY_FILE"
|
|
aws --region us-west-2 secretsmanager get-secret-value --secret-id /cmbu-saltstack/signing/repo-signing-keys-sha256-2023 \
|
|
--query SecretString --output text | jq .default_key -r | base64 -d \
|
|
| gpg --passphrase-file "${SECRETS_KEY_FILE}" -d - \
|
|
| gpg --import -
|
|
sync
|
|
aws --region us-west-2 secretsmanager get-secret-value --secret-id /cmbu-saltstack/signing/repo-signing-keys-sha256-2023 \
|
|
--query SecretString --output text| jq .default_passphrase -r | base64 -d \
|
|
| gpg --passphrase-file "${SECRETS_KEY_FILE}" -o "${GNUPGHOME}/passphrase" -d -
|
|
sync
|
|
rm "$SECRETS_KEY_FILE"
|
|
echo "passphrase-file ${GNUPGHOME}/passphrase" >> "${GNUPGHOME}/gpg.conf"
|
|
|
|
- name: Configure Git
|
|
shell: bash
|
|
run: |
|
|
git config --global --add safe.directory "$(pwd)"
|
|
git config --global user.name "Salt Project Packaging"
|
|
git config --global user.email saltproject-packaging@vmware.com
|
|
git config --global user.signingkey 64CBBC8173D76B3F
|
|
git config --global commit.gpgsign true
|
|
|
|
- name: Update Repository
|
|
id: update-repo
|
|
env:
|
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
run: |
|
|
python3 .github/workflows/scripts/cut-release.py --repo ${{ github.repository }}
|
|
|
|
- name: Show Changes
|
|
run: |
|
|
git status
|
|
git diff
|
|
|
|
- name: Commit Changes
|
|
run: |
|
|
git commit -am "Update develop branch for the ${{ steps.update-repo.outputs.release-version }} release" || \
|
|
git commit -am "Update develop branch for the ${{ steps.update-repo.outputs.release-version }} release"
|
|
|
|
- name: Push Changes
|
|
uses: ad-m/github-push-action@b87afee92c6e70ea888be6203a3e9426fda49839
|
|
with:
|
|
ssh: true
|
|
atomic: true
|
|
branch: develop
|
|
repository: ${{ github.repository }}
|
|
|
|
- name: Upload Release Details
|
|
uses: actions/upload-artifact@v3
|
|
with:
|
|
name: release-details
|
|
path: |
|
|
.cut_release_version
|
|
.cut_release_changes
|
|
|
|
merge-develop-into-stable:
|
|
name: Merge develop into stable
|
|
runs-on:
|
|
- self-hosted
|
|
- linux
|
|
- repo-release
|
|
needs:
|
|
- update-develop
|
|
environment: release
|
|
permissions:
|
|
contents: write # To be able to publish the release
|
|
steps:
|
|
- uses: actions/checkout@v3
|
|
with:
|
|
ref: stable
|
|
repository: ${{ github.repository }}
|
|
ssh-key: ${{ secrets.SALT_BOOTSTRAP_RELEASE_KEY }}
|
|
fetch-depth: 0
|
|
|
|
- name: Setup GnuPG
|
|
run: |
|
|
sudo install -d -m 0700 -o "$(id -u)" -g "$(id -g)" /run/gpg
|
|
GNUPGHOME="$(mktemp -d -p /run/gpg)"
|
|
echo "GNUPGHOME=${GNUPGHOME}" >> "$GITHUB_ENV"
|
|
cat <<EOF > "${GNUPGHOME}/gpg.conf"
|
|
batch
|
|
no-tty
|
|
pinentry-mode loopback
|
|
EOF
|
|
|
|
- name: Get Secrets
|
|
id: get-secrets
|
|
env:
|
|
SECRETS_KEY: ${{ secrets.SECRETS_KEY }}
|
|
run: |
|
|
SECRETS_KEY_FILE=$(mktemp /tmp/output.XXXXXXXXXX)
|
|
echo "$SECRETS_KEY" > "$SECRETS_KEY_FILE"
|
|
aws --region us-west-2 secretsmanager get-secret-value --secret-id /cmbu-saltstack/signing/repo-signing-keys-sha256-2023 \
|
|
--query SecretString --output text | jq .default_key -r | base64 -d \
|
|
| gpg --passphrase-file "${SECRETS_KEY_FILE}" -d - \
|
|
| gpg --import -
|
|
sync
|
|
aws --region us-west-2 secretsmanager get-secret-value --secret-id /cmbu-saltstack/signing/repo-signing-keys-sha256-2023 \
|
|
--query SecretString --output text| jq .default_passphrase -r | base64 -d \
|
|
| gpg --passphrase-file "${SECRETS_KEY_FILE}" -o "${GNUPGHOME}/passphrase" -d -
|
|
sync
|
|
rm "$SECRETS_KEY_FILE"
|
|
echo "passphrase-file ${GNUPGHOME}/passphrase" >> "${GNUPGHOME}/gpg.conf"
|
|
|
|
- name: Configure Git
|
|
shell: bash
|
|
run: |
|
|
git config --global --add safe.directory "$(pwd)"
|
|
git config --global user.name "Salt Project Packaging"
|
|
git config --global user.email saltproject-packaging@vmware.com
|
|
git config --global user.signingkey 64CBBC8173D76B3F
|
|
git config --global commit.gpgsign true
|
|
|
|
- name: Download Release Details
|
|
uses: actions/download-artifact@v3
|
|
with:
|
|
name: release-details
|
|
|
|
- name: Merge develop into stable
|
|
run: |
|
|
git merge --no-ff -m "Merge develop into stable for ${{ needs.update-develop.outputs.release-version }} release" origin/develop || touch .git-conflicts
|
|
if [ -f .git-conflicts ]
|
|
then
|
|
git diff
|
|
for f in $(git status | grep 'both modified' | awk '{ print $3 }')
|
|
do
|
|
git checkout --theirs "$f"
|
|
pre-commit run -av --files "$f"
|
|
git add "$f"
|
|
done
|
|
git commit -a -m "Merge develop into stable for ${{ needs.update-develop.outputs.release-version }} release(auto resolving conflicts to the develop version)"
|
|
fi
|
|
|
|
- name: Tag The ${{ needs.update-develop.outputs.release-version }} Release
|
|
run: |
|
|
git tag -m "Release ${{ needs.update-develop.outputs.release-version }}" -as ${{ needs.update-develop.outputs.release-version }}
|
|
|
|
- name: Update bootstrap-salt.sh sha256sum's
|
|
run: |
|
|
sha256sum bootstrap-salt.sh | awk '{ print $1 }' > bootstrap-salt.sh.sha256
|
|
sha256sum bootstrap-salt.ps1 | awk '{ print $1 }' > bootstrap-salt.ps1.sha256
|
|
git commit -a -m "Update sha256 checksums" || git commit -a -m "Update sha256 checksums"
|
|
|
|
- name: Push Changes
|
|
uses: ad-m/github-push-action@b87afee92c6e70ea888be6203a3e9426fda49839
|
|
with:
|
|
ssh: true
|
|
tags: true
|
|
atomic: true
|
|
branch: stable
|
|
repository: ${{ github.repository }}
|
|
|
|
publish-release:
|
|
name: Create GitHub Release
|
|
runs-on:
|
|
- self-hosted
|
|
- linux
|
|
needs:
|
|
- merge-develop-into-stable
|
|
environment: release
|
|
permissions:
|
|
contents: write # To be able to publish the release
|
|
steps:
|
|
- uses: actions/checkout@v3
|
|
with:
|
|
ref: stable
|
|
repository: ${{ github.repository }}
|
|
ssh-key: ${{ secrets.SALT_BOOTSTRAP_RELEASE_KEY }}
|
|
- name: Download Release Details
|
|
uses: actions/download-artifact@v3
|
|
with:
|
|
name: release-details
|
|
|
|
- name: Update Environment
|
|
run: |
|
|
CUT_RELEASE_VERSION=$(cat .cut_release_version)
|
|
echo "CUT_RELEASE_VERSION=${CUT_RELEASE_VERSION}" >> "$GITHUB_ENV"
|
|
|
|
- name: Create Github Release
|
|
uses: softprops/action-gh-release@v1
|
|
with:
|
|
name: ${{ env.CUT_RELEASE_VERSION }}
|
|
tag_name: ${{ env.CUT_RELEASE_VERSION }}
|
|
body_path: .cut_release_changes
|
|
target_commitish: stable
|
|
draft: false
|
|
prerelease: false
|
|
generate_release_notes: false
|
|
files: |
|
|
bootstrap-salt.sh
|
|
bootstrap-salt.sh.sha256
|
|
bootstrap-salt.ps1
|
|
bootstrap-salt.ps1.sha256
|
|
LICENSE
|
|
|
|
- name: Delete Release Details Artifact
|
|
uses: geekyeggo/delete-artifact@v2
|
|
with:
|
|
name: release-details
|
|
failOnError: false
|
|
|
|
update-s3-bucket:
|
|
name: Update S3 Bucket
|
|
runs-on:
|
|
- self-hosted
|
|
- linux
|
|
- repo-release
|
|
needs:
|
|
- publish-release
|
|
environment: release
|
|
|
|
steps:
|
|
- uses: actions/checkout@v3
|
|
with:
|
|
ref: stable
|
|
repository: ${{ github.repository }}
|
|
ssh-key: ${{ secrets.SALT_BOOTSTRAP_RELEASE_KEY }}
|
|
|
|
- name: Get Salt Project GitHub Actions Bot Environment
|
|
run: |
|
|
TOKEN=$(curl -sS -f -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 30")
|
|
SPB_ENVIRONMENT=$(curl -sS -f -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/tags/instance/spb:environment)
|
|
echo "SPB_ENVIRONMENT=$SPB_ENVIRONMENT" >> "$GITHUB_ENV"
|
|
|
|
- name: Setup GnuPG
|
|
run: |
|
|
sudo install -d -m 0700 -o "$(id -u)" -g "$(id -g)" /run/gpg
|
|
GNUPGHOME="$(mktemp -d -p /run/gpg)"
|
|
echo "GNUPGHOME=${GNUPGHOME}" >> "$GITHUB_ENV"
|
|
cat <<EOF > "${GNUPGHOME}/gpg.conf"
|
|
batch
|
|
no-tty
|
|
pinentry-mode loopback
|
|
EOF
|
|
|
|
- name: Get Secrets
|
|
id: get-secrets
|
|
env:
|
|
SECRETS_KEY: ${{ secrets.SECRETS_KEY }}
|
|
run: |
|
|
SECRETS_KEY_FILE=$(mktemp /tmp/output.XXXXXXXXXX)
|
|
echo "$SECRETS_KEY" > "$SECRETS_KEY_FILE"
|
|
aws --region us-west-2 secretsmanager get-secret-value --secret-id /cmbu-saltstack/signing/repo-signing-keys-sha256-2023 \
|
|
--query SecretString --output text | jq .default_key -r | base64 -d \
|
|
| gpg --passphrase-file "${SECRETS_KEY_FILE}" -d - \
|
|
| gpg --import -
|
|
sync
|
|
aws --region us-west-2 secretsmanager get-secret-value --secret-id /cmbu-saltstack/signing/repo-signing-keys-sha256-2023 \
|
|
--query SecretString --output text| jq .default_passphrase -r | base64 -d \
|
|
| gpg --passphrase-file "${SECRETS_KEY_FILE}" -o "${GNUPGHOME}/passphrase" -d -
|
|
sync
|
|
rm "$SECRETS_KEY_FILE"
|
|
echo "passphrase-file ${GNUPGHOME}/passphrase" >> "${GNUPGHOME}/gpg.conf"
|
|
|
|
- name: Install Requirements
|
|
run: |
|
|
python3 -m pip install -r requirements/release.txt
|
|
|
|
- name: Upload Stable Release to S3
|
|
run: |
|
|
tools release s3-publish --key-id 64CBBC8173D76B3F stable
|
|
|
|
update-develop-checksums:
|
|
name: Update Release Checksums on Develop
|
|
runs-on:
|
|
- self-hosted
|
|
- linux
|
|
- repo-release
|
|
needs:
|
|
- publish-release
|
|
environment: release
|
|
permissions:
|
|
contents: write # For action peter-evans/create-pull-request
|
|
pull-requests: write # For action peter-evans/create-pull-request
|
|
|
|
steps:
|
|
- uses: actions/checkout@v3
|
|
with:
|
|
ref: stable
|
|
repository: ${{ github.repository }}
|
|
ssh-key: ${{ secrets.SALT_BOOTSTRAP_RELEASE_KEY }}
|
|
|
|
- name: Get bootstrap-salt.sh on stable branch sha256sum
|
|
run: |
|
|
echo "SH=$(sha256sum bootstrap-salt.sh | awk '{ print $1 }')" >> "$GITHUB_ENV"
|
|
echo "BS_VERSION=$(sh bootstrap-salt.sh -v | awk '{ print $4 }')" >> "$GITHUB_ENV"
|
|
|
|
- uses: actions/checkout@v3
|
|
with:
|
|
ref: develop
|
|
repository: ${{ github.repository }}
|
|
ssh-key: ${{ secrets.SALT_BOOTSTRAP_RELEASE_KEY }}
|
|
|
|
- name: Setup GnuPG
|
|
run: |
|
|
sudo install -d -m 0700 -o "$(id -u)" -g "$(id -g)" /run/gpg
|
|
GNUPGHOME="$(mktemp -d -p /run/gpg)"
|
|
echo "GNUPGHOME=${GNUPGHOME}" >> "$GITHUB_ENV"
|
|
cat <<EOF > "${GNUPGHOME}/gpg.conf"
|
|
batch
|
|
no-tty
|
|
pinentry-mode loopback
|
|
EOF
|
|
|
|
- name: Get Secrets
|
|
id: get-secrets
|
|
env:
|
|
SECRETS_KEY: ${{ secrets.SECRETS_KEY }}
|
|
run: |
|
|
SECRETS_KEY_FILE=$(mktemp /tmp/output.XXXXXXXXXX)
|
|
echo "$SECRETS_KEY" > "$SECRETS_KEY_FILE"
|
|
aws --region us-west-2 secretsmanager get-secret-value --secret-id /cmbu-saltstack/signing/repo-signing-keys-sha256-2023 \
|
|
--query SecretString --output text | jq .default_key -r | base64 -d \
|
|
| gpg --passphrase-file "${SECRETS_KEY_FILE}" -d - \
|
|
| gpg --import -
|
|
sync
|
|
aws --region us-west-2 secretsmanager get-secret-value --secret-id /cmbu-saltstack/signing/repo-signing-keys-sha256-2023 \
|
|
--query SecretString --output text| jq .default_passphrase -r | base64 -d \
|
|
| gpg --passphrase-file "${SECRETS_KEY_FILE}" -o "${GNUPGHOME}/passphrase" -d -
|
|
sync
|
|
rm "$SECRETS_KEY_FILE"
|
|
echo "passphrase-file ${GNUPGHOME}/passphrase" >> "${GNUPGHOME}/gpg.conf"
|
|
|
|
- name: Configure Git
|
|
shell: bash
|
|
run: |
|
|
git config --global --add safe.directory "$(pwd)"
|
|
git config --global user.name "Salt Project Packaging"
|
|
git config --global user.email saltproject-packaging@vmware.com
|
|
git config --global user.signingkey 64CBBC8173D76B3F
|
|
git config --global commit.gpgsign true
|
|
|
|
- name: Update Latest Release on README
|
|
run: |
|
|
python3 .github/workflows/scripts/update-release-shasum.py ${{ env.BS_VERSION }} ${{ env.SH }}
|
|
|
|
- name: Show Changes
|
|
run: |
|
|
git status
|
|
git diff
|
|
|
|
- name: Commit Changes
|
|
run: |
|
|
git commit -am "Update README.rst with ${{ env.BS_VERSION }} release sha256sum" || \
|
|
git commit -am "Update README.rst with ${{ env.BS_VERSION }} release sha256sum"
|
|
|
|
- name: Push Changes
|
|
uses: ad-m/github-push-action@b87afee92c6e70ea888be6203a3e9426fda49839
|
|
with:
|
|
ssh: true
|
|
atomic: true
|
|
branch: develop
|
|
repository: ${{ github.repository }}
|