Create release 1.0.2 #2
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: "Create release" | |
| run-name: Create release ${{ inputs.name }} | |
| env: | |
| IMAGE_REPO: europe-docker.pkg.dev/kyma-project/prod/kyma-environment-broker | |
| KYMA_ENVIRONMENT_BROKER_REPO: ${{ github.repository_owner }}/kyma-environment-broker | |
| GIT_EMAIL: [email protected] | |
| GIT_NAME: kyma-gopher-bot | |
| BRANCH_NAME: sec-scanners-config-${{ inputs.name }} | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| name: | |
| description: 'Create release' | |
| default: "" | |
| required: true | |
| sec-scanners-config: | |
| type: boolean | |
| description: 'Create PR with sec-scanners-config bump' | |
| default: true | |
| k3s-versions: | |
| type: number | |
| description: 'Number of last k3s versions to be used for tests' | |
| jobs: | |
| validate-release: | |
| name: Validate release | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Check if tag already exists | |
| run: | | |
| if [ $(git tag -l ${{ inputs.name }}) ]; then | |
| echo "::error ::Tag ${{ inputs.name }} already exists" | |
| exit 1 | |
| fi | |
| - name: Check for existing artifacts from previous release runs | |
| run: "./scripts/check_artifacts_existence.sh ${{ inputs.name }}" | |
| - name: Setup python | |
| uses: actions/setup-python@v4 | |
| with: | |
| python-version: '3.9' | |
| cache: 'pip' | |
| - name: Install requirements | |
| run: pip install -r scripts/python/requirements.txt | |
| - name: Validate labels | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| REPOSITORY: ${{ env.KYMA_ENVIRONMENT_BROKER_REPO }} | |
| NAME: ${{ inputs.name }} | |
| run: python3 scripts/python/release_label_validator.py | |
| bump-sec-scanners-config: | |
| name: Bump sec-scanners-config | |
| needs: validate-release | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - run: git pull | |
| - name: Update sec-scanners-config.yaml | |
| if: ${{ inputs.sec-scanners-config }} | |
| run: scripts/create_scan_config.sh "sec-scanners-config.yaml" ${{ inputs.name }} | |
| - name: Create PR if anything changed | |
| if: ${{ inputs.sec-scanners-config }} | |
| env: | |
| GH_TOKEN: ${{ secrets.BOT_TOKEN }} | |
| run: | | |
| prs=$(gh pr list -A ${{ env.GIT_NAME }} --state open --json headRefName | jq -r '.[] | .headRefName') | |
| if echo $prs | tr " " '\n' | grep -F -q -x ${{ env.BRANCH_NAME }}; then | |
| echo "PR already exists, no need to create a new one" | |
| echo "PR_NUMBER=$(gh pr list --search "base:main head:${{ env.BRANCH_NAME }}" --json number | jq -r '.[] | .number')" >> $GITHUB_ENV | |
| elif [ -z "$(git status --porcelain)" ]; then | |
| echo "Nothing changed, no need to create PR" | |
| echo "PR_NUMBER=-1" >> $GITHUB_ENV | |
| else | |
| PR_STATUS=$(scripts/create_sec_scanner_bump_pr.sh ${{ inputs.name }}) | |
| echo "PR_NUMBER=$(echo "$PR_STATUS" | tail -n 1)" >> $GITHUB_ENV | |
| fi | |
| - name: Await PR merge | |
| if: ${{ inputs.sec-scanners-config }} | |
| timeout-minutes: 45 | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| if [ "$PR_NUMBER" -gt 0 ]; then | |
| scripts/await_pr_merge.sh | |
| else | |
| echo "Step skipped" | |
| fi | |
| - name: Save latest commit ref | |
| id: pull-ref | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| git checkout main | |
| git stash | |
| git pull | |
| LATEST_COMMIT=$(git rev-parse HEAD) | |
| echo "latest_commit=$LATEST_COMMIT" >> $GITHUB_OUTPUT | |
| echo "Latest commit ref $LATEST_COMMIT" | |
| outputs: | |
| latest_commit: ${{ steps.pull-ref.outputs.latest_commit }} | |
| run-unit-tests: | |
| name: Unit tests, go mod tidy | |
| needs: validate-release | |
| uses: "./.github/workflows/run-unit-tests-reusable.yaml" | |
| run-keb-chart-tests: | |
| name: Validate KEB chart | |
| needs: validate-release | |
| uses: "./.github/workflows/run-keb-chart-tests-reusable.yaml" | |
| secrets: inherit | |
| with: | |
| last-k3s-versions: ${{ github.event.inputs.k3s-versions || vars.LAST_K3S_VERSIONS }} | |
| create-draft: | |
| name: Create draft release | |
| needs: [bump-sec-scanners-config,validate-release] | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| ref: ${{ needs.bump-sec-scanners-config.outputs.latest_commit}} | |
| - name: Create draft release | |
| id: create-draft | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| REPOSITORY: ${{ github.repository_owner }}/kyma-environment-broker | |
| run: | | |
| RELEASE_ID=$(./scripts/create_draft_release.sh ${{ github.event.inputs.name }}) | |
| echo "release_id=$RELEASE_ID" >> $GITHUB_OUTPUT | |
| - name: Create lightweight tag | |
| run: | | |
| git tag ${{ github.event.inputs.name }} | |
| git push origin ${{ github.event.inputs.name }} | |
| outputs: | |
| release_id: ${{ steps.create-draft.outputs.release_id }} | |
| wait-for-prow-jobs: | |
| name: Wait for prow jobs | |
| needs: [create-draft, bump-sec-scanners-config] | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Wait for post-keb-release-build status | |
| uses: autotelic/action-wait-for-status-check@6556cf50c8fb6608412945382eae73581f56cbb4 | |
| id: wait-for-post-keb-release-build | |
| with: | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| statusName: "post-keb-release-build" | |
| timeoutSeconds: "300" | |
| ref: ${{ needs.bump-sec-scanners-config.outputs.latest_commit}} | |
| - name: Check if post-keb-release-build status is not success | |
| if: steps.wait-for-post-keb-release-build.outputs.state != 'success' | |
| run: | | |
| echo 'post-keb-release-build failed.' | |
| exit 1 | |
| - name: Wait for post-keb-runtime-reconciler-job-release-build status | |
| uses: autotelic/action-wait-for-status-check@6556cf50c8fb6608412945382eae73581f56cbb4 | |
| id: wait-for-post-keb-runtime-reconciler-job-release-build | |
| with: | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| statusName: "post-keb-runtime-reconciler-job-release-build" | |
| timeoutSeconds: "300" | |
| ref: ${{ needs.bump-sec-scanners-config.outputs.latest_commit}} | |
| - name: Check if post-keb-runtime-reconciler-job-release-build status is not success | |
| if: steps.wait-for-post-keb-runtime-reconciler-job-release-build.outputs.state != 'success' | |
| run: | | |
| echo 'post-keb-runtime-reconciler-job-release-build failed.' | |
| exit 1 | |
| - name: Wait for post-keb-subaccount-cleanup-job-release-build status | |
| uses: autotelic/action-wait-for-status-check@6556cf50c8fb6608412945382eae73581f56cbb4 | |
| id: wait-for-post-keb-subaccount-cleanup-job-release-build | |
| with: | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| statusName: "post-keb-subaccount-cleanup-job-release-build" | |
| timeoutSeconds: "300" | |
| ref: ${{ needs.bump-sec-scanners-config.outputs.latest_commit}} | |
| - name: Check if post-keb-subaccount-cleanup-job-release-build status is not success | |
| if: steps.wait-for-post-keb-subaccount-cleanup-job-release-build.outputs.state != 'success' | |
| run: | | |
| echo 'post-keb-subaccount-cleanup-job-release-build failed.' | |
| exit 1 | |
| - name: Wait for post-keb-trial-cleanup-job-release-build status | |
| uses: autotelic/action-wait-for-status-check@6556cf50c8fb6608412945382eae73581f56cbb4 | |
| id: wait-for-post-keb-trial-cleanup-job-release-build | |
| with: | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| statusName: "post-keb-trial-cleanup-job-release-build" | |
| timeoutSeconds: "300" | |
| ref: ${{ needs.bump-sec-scanners-config.outputs.latest_commit}} | |
| - name: Check if post-keb-trial-cleanup-job-release-build status is not success | |
| if: steps.wait-for-post-keb-trial-cleanup-job-release-build.outputs.state != 'success' | |
| run: | | |
| echo 'wait-for-post-keb-trial-cleanup-job-release-build failed.' | |
| exit 1 | |
| - name: Wait for post-keb-cleanup-job-release-build status | |
| uses: autotelic/action-wait-for-status-check@6556cf50c8fb6608412945382eae73581f56cbb4 | |
| id: wait-for-post-keb-cleanup-job-release-build | |
| with: | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| statusName: "post-keb-cleanup-job-release-build" | |
| timeoutSeconds: "300" | |
| ref: ${{ needs.bump-sec-scanners-config.outputs.latest_commit}} | |
| - name: Check if post-keb-cleanup-job-release-build status is not success | |
| if: steps.wait-for-post-keb-cleanup-job-release-build.outputs.state != 'success' | |
| run: | | |
| echo 'post-keb-cleanup-job-release-build failed.' | |
| exit 1 | |
| - name: Wait for post-keb-deprovision-retrigger-job-release-build status | |
| uses: autotelic/action-wait-for-status-check@6556cf50c8fb6608412945382eae73581f56cbb4 | |
| id: wait-for-post-keb-deprovision-retrigger-job-release-build | |
| with: | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| statusName: "post-keb-deprovision-retrigger-job-release-build" | |
| timeoutSeconds: "300" | |
| ref: ${{ needs.bump-sec-scanners-config.outputs.latest_commit}} | |
| - name: Check if post-keb-deprovision-retrigger-job-release-build status is not success | |
| if: steps.wait-for-post-keb-deprovision-retrigger-job-release-build.outputs.state != 'success' | |
| run: | | |
| echo 'post-keb-deprovision-retrigger-job-release-build failed.' | |
| exit 1 | |
| publish-release: | |
| name: Publish release | |
| needs: [create-draft, wait-for-prow-jobs, run-unit-tests, run-keb-chart-tests] | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Publish release | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: ./scripts/publish_release.sh ${{ needs.create-draft.outputs.release_id }} |