GH action release workflow (#166)

* GH action release workflow * GH action release workflow * GH action release workflow - permissions
kyma-project · Jan 4, 2024 · c9bab4d · c9bab4d
1 parent bea9261
commit c9bab4d
Show file tree

Hide file tree

Showing 7 changed files with 266 additions and 10 deletions.
diff --git a/.github/scripts/publish_release.sh b/.github/scripts/publish_release.sh
@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+
+# This script publishes a draft release
+
+# standard bash error handling
+set -o nounset  # treat unset variables as an error and exit immediately.
+set -o errexit  # exit immediately when a command fails.
+set -E          # needs to be set if we want the ERR trap
+set -o pipefail # prevents errors in a pipeline from being masked
+
+RELEASE_ID=$1
+
+REPOSITORY=${REPOSITORY:-kyma-project/warden}
+GITHUB_URL=https://api.github.com/repos/${REPOSITORY}
+GITHUB_AUTH_HEADER="Authorization: Bearer ${GITHUB_TOKEN}"
+
+CURL_RESPONSE=$(curl -L \
+  -X POST \
+  -H "Accept: application/vnd.github+json" \
+  -H "${GITHUB_AUTH_HEADER}" \
+  -H "X-GitHub-Api-Version: 2022-11-28" \
+  ${GITHUB_URL}/releases/${RELEASE_ID} \
+  -d '{"draft":false}')
diff --git a/.github/scripts/release-assets.sh b/.github/scripts/release-assets.sh
@@ -0,0 +1,66 @@
+#!/usr/bin/env bash
+
+# standard bash error handling
+set -o nounset  # treat unset variables as an error and exit immediately.
+set -o errexit  # exit immediately when a command fails.
+set -E          # needs to be set if we want the ERR trap
+set -o pipefail # prevents errors in a pipeline from being masked
+
+# Expected variables:
+PULL_BASE_REF=${PULL_BASE_REF?"Define PULL_BASE_REF env"} # name of the tag
+GITHUB_TOKEN=${GITHUB_TOKEN?"Define GITHUB_TOKEN env"} # github token used to upload the template yaml
+
+uploadFile() {
+  filePath=${1}
+  ghAsset=${2}
+
+  echo "Uploading ${filePath} as ${ghAsset}"
+  response=$(curl -s -o output.txt -w "%{http_code}" \
+                  --request POST --data-binary @"$filePath" \
+                  -H "Authorization: token $GITHUB_TOKEN" \
+                  -H "Content-Type: text/yaml" \
+                   $ghAsset)
+  if [[ "$response" != "201" ]]; then
+    echo "Unable to upload the asset ($filePath): "
+    echo "HTTP Status: $response"
+    cat output.txt
+    exit 1
+  else
+    echo "$filePath uploaded"
+  fi
+}
+
+echo "Fetching releases"
+CURL_RESPONSE=$(curl -w "%{http_code}" -sL \
+                -H "Accept: application/vnd.github+json" \
+                -H "Authorization: Bearer $GITHUB_TOKEN"\
+                https://api.github.com/repos/kyma-project/warden/releases)
+JSON_RESPONSE=$(sed '$ d' <<< "${CURL_RESPONSE}")
+HTTP_CODE=$(tail -n1 <<< "${CURL_RESPONSE}")
+if [[ "${HTTP_CODE}" != "200" ]]; then
+  echo "${CURL_RESPONSE}"
+  exit 1
+fi
+
+echo "Finding release id for: ${PULL_BASE_REF}"
+RELEASE_ID=$(jq <<< ${JSON_RESPONSE} --arg tag "${PULL_BASE_REF}" '.[] | select(.tag_name == $ARGS.named.tag) | .id')
+
+echo "Got '${RELEASE_ID}' release id"
+if [ -z "${RELEASE_ID}" ]
+then
+  echo "No release with tag = ${PULL_BASE_REF}"
+  exit 1
+fi
+
+echo "Updating github release with assets"
+UPLOAD_URL="https://uploads.github.com/repos/kyma-project/warden/releases/${RELEASE_ID}/assets"
+
+
+
+( cd charts ; tar czf "warden-${RELEASE_ID}.tgz" warden)
+
+uploadFile "warden-${RELEASE_ID}.tgz" "${UPLOAD_URL}?name=warden-chart.tgz"
+
+
+
+
diff --git a/.github/scripts/release-draft.sh b/.github/scripts/release-draft.sh
@@ -0,0 +1,35 @@
+#!/usr/bin/env bash
+
+# This script returns the id of the draft release
+
+# standard bash error handling
+set -o nounset  # treat unset variables as an error and exit immediately.
+set -o errexit  # exit immediately when a command fails.
+set -E          # needs to be set if we want the ERR trap
+set -o pipefail # prevents errors in a pipeline from being masked
+
+RELEASE_TAG=$1
+
+REPOSITORY=${REPOSITORY:-kyma-project/warden}
+GITHUB_URL=https://api.github.com/repos/${REPOSITORY}
+GITHUB_AUTH_HEADER="Authorization: Bearer ${GITHUB_TOKEN}"
+# CHANGELOG_FILE=$(cat CHANGELOG.md)
+
+JSON_PAYLOAD=$(jq -n \
+  --arg tag_name "$RELEASE_TAG" \
+  --arg name "$RELEASE_TAG" \
+  '{
+    "tag_name": $tag_name,
+    "name": $name,
+    "draft": true
+  }')
+
+CURL_RESPONSE=$(curl -L \
+  -X POST \
+  -H "Accept: application/vnd.github+json" \
+  -H "${GITHUB_AUTH_HEADER}" \
+  -H "X-GitHub-Api-Version: 2022-11-28" \
+  ${GITHUB_URL}/releases \
+  -d "$JSON_PAYLOAD")
+
+echo "$(echo $CURL_RESPONSE | jq -r ".id")"
diff --git a/.github/scripts/verify-actions-status.sh b/.github/scripts/verify-actions-status.sh
@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+
+echo "Checking status of github actions for warden"
+
+REF_NAME="${1:-"main"}"
+RAW_EXPECTED_SHA=$(git log "${REF_NAME}" --max-count 1 --format=format:%H)
+REPOSITORY_ID="570927906"
+
+STATUS_URL="https://api.github.com/repositories/${REPOSITORY_ID}/actions/workflows/warden-verify.yaml/runs?head_sha=${RAW_EXPECTED_SHA}"
+GET_STATUS_JQ_QUERY=".workflow_runs[0] | \"\(.status)-\(.conclusion)\""
+GET_COUNT_JQ_QUERY=".total_count"
+
+response=`curl -s ${STATUS_URL}`
+
+count=`echo $response | jq -r "${GET_COUNT_JQ_QUERY}"`
+if [[ "$count" == "0" ]]; then
+  echo "No actions to verify"
+else
+  fullstatus=`echo $response |  jq -r "${GET_STATUS_JQ_QUERY}"`
+  if [[ "$fullstatus" == "completed-success" ]]; then
+    echo "All actions succeeded"
+  else
+    echo "Actions failed or pending - Check github actions status"
+    exit 1
+  fi
+fi
diff --git a/.github/scripts/verify-release-builds.sh b/.github/scripts/verify-release-builds.sh
@@ -0,0 +1,34 @@
+#!/usr/bin/env bash
+
+### Verify post-submit prow jobs status
+#
+# Optional input args:
+#   - REF_NAME - branch/tag/commit
+# Return status:
+#   - return 0 - if status is "success"
+#   - return 1 - if status is "failure" or after timeout (~25min)
+
+# wait until Prow trigger pipelines
+sleep 10
+
+echo "Checking status of tag build jobs for warden"
+
+REF_NAME="${1:-"main"}"
+STATUS_URL="https://api.github.com/repos/kyma-project/warden/commits/${REF_NAME}/status"
+
+function verify_github_jobs_status () {
+	local number=1
+	while [[ $number -le 100 ]] ; do
+		echo ">--> checking warden build job status #$number"
+		local STATUS=`curl -L -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" ${STATUS_URL} | jq -r .state `
+		echo "jobs status: ${STATUS:='UNKNOWN'}"
+		[[ "$STATUS" == "success" ]] && return 0
+		[[ "$STATUS" == "failure" ]] && return 1
+		sleep 15
+        	((number = number + 1))
+	done
+
+	exit 1
+}
+
+verify_github_jobs_status
diff --git a/.github/workflows/create-release.yaml b/.github/workflows/create-release.yaml
@@ -0,0 +1,78 @@
+name: "Create release"
+
+on:
+  workflow_dispatch:
+    inputs:
+      name:
+        description: 'Release name ( e.g. "2.1.3" )'
+        default: ""
+        required: true
+
+jobs:
+  verify-head-status:
+    name: Verify HEAD
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Verify github actions
+        run: ./.github/scripts/verify-actions-status.sh ${{ github.ref_name }}
+
+  create-draft:
+    name: Create draft release
+    needs: verify-head-status
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+          ref: ${{ github.ref_name }}
+
+      - name: Create draft release
+        id: create-draft
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          RELEASE_ID=$(./.github/scripts/release-draft.sh ${{ github.event.inputs.name }})
+          echo "release_id=$RELEASE_ID" >> $GITHUB_OUTPUT
+
+      - name: Create lightweight tag
+        run: |
+          git tag ${{ github.event.inputs.name }}
+          git push origin ${{ github.event.inputs.name }}
+
+      - name: Create release assets
+        id: create-assets
+        env:
+          PULL_BASE_REF: ${{ github.event.inputs.name }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: ./.github/scripts/release-assets.sh
+
+      - name: Verify prow release jobs
+        run: ./.github/scripts/verify-release-builds.sh ${{ github.ref_name }}
+
+    outputs:
+      release_id: ${{ steps.create-draft.outputs.release_id }}
+
+  publish-release:
+    name: Publish release
+    needs: create-draft
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+          ref: ${{ github.event.inputs.name }} 
+
+      - name: Publish release
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: ./.github/scripts/publish_release.sh ${{ needs.create-draft.outputs.release_id }}
diff --git a/Makefile b/Makefile
@@ -107,18 +107,12 @@ docker-buildx: test ## Build and push docker image for the manager for cross-pla
 
 ##@ Module
 
-.PHONY: module-build
-module-build: helm ## renders warden-manifest.yaml
+.PHONY: render-manifest
+render-manifest: helm ## renders warden-manifest.yaml
 	${HELM} template --namespace kyma-system warden charts/warden --set admission.enabled=true > warden-manifest.yaml
 
 ##@ CI
 
-.PHONY: ci-module-build
-ci-module-build: configure-git-origin module-build
-	@echo "=======WARDEN MANIFEST======="
-	@cat warden-manifest.yaml
-	@echo "============================="
-
 .PHONY: configure-git-origin
 configure-git-origin:
 #	test-infra does not include origin remote in the .git directory.
@@ -139,11 +133,11 @@ create-k3d: ## Create k3d
 	kubectl create namespace kyma-system
 
 .PHONY: run-on-k3d
-run-on-k3d: kyma create-k3d configure-git-origin module-build 
+run-on-k3d: kyma create-k3d configure-git-origin render-manifest 
 	kubectl apply -f warden-manifest.yaml
 
 .PHONY: run-on-cluster
-run-on-cluster: configure-git-origin module-build 
+run-on-cluster: configure-git-origin render-manifest
 	kubectl create namespace kyma-system
 	kubectl apply -f warden-manifest.yaml