Build and release to kumahq/kuma (branch: master) #260
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: 'Build and release to kumahq/kuma' | |
| run-name: | | |
| Build and release to kumahq/kuma (branch: ${{ github.event.workflow_run.head_branch || inputs.branch }}) | |
| # **Note 1**: You can merge a pull request into a release branch of the form | |
| # “release-$MAJOR.$MINOR” (e.g. “release-2.1”) in order to create the GUI | |
| # update PR in the matching release branch of the host repository. For this to | |
| # work, the name of this repository’s release branch must match that of the | |
| # host repository exactly. | |
| # **Note 2**: Since this workflow can be triggered using the `workflow_run` | |
| # event type, one needs to pay special attention to the context in which runs | |
| # will be executed based on this workflow. Most importantly, runs will be using | |
| # the workflow file found **in the project’s default branch**. This means that | |
| # context variables like `github.ref` and `github.ref_name` will refer to the | |
| # default branch **and not the branch that caused the workflow_run event to | |
| # trigger**. Also, it likely means that to change the behavior of the workflow | |
| # in a release branch, one will actually have to update the workflow file in | |
| # the default branch, too. | |
| on: | |
| # Allows running the workflow manually. | |
| workflow_dispatch: | |
| inputs: | |
| branch: | |
| required: true | |
| type: string | |
| description: The base branch for which to create a release PR (default or release branch) | |
| sha: | |
| required: true | |
| type: string | |
| description: The commit hash for which to create a release PR | |
| workflow_run: | |
| workflows: ['Tests'] | |
| types: [completed] | |
| # See “Filter pattern cheat sheet” | |
| # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#filter-pattern-cheat-sheet | |
| branches: | |
| - master | |
| - release-[0-9]+.[0-9]+ | |
| permissions: | |
| contents: read # for checking out the repository (e.g. actions/checkout) | |
| # Ensures that we only run one workflow per branch at a time. | |
| # Already running workflows will be cancelled. | |
| concurrency: | |
| cancel-in-progress: true | |
| group: ${{ github.workflow }}-${{ github.event.workflow_run.head_branch || inputs.branch }} | |
| jobs: | |
| # Creates a pull request in the main application to update its GUI i.e. a GUI release | |
| create-release-pr: | |
| # Only runs this job when the triggering workflow run was a success (i.e. the "Tests" workflow passes). | |
| if: ${{ github.event_name == 'workflow_dispatch' || | |
| (github.event_name == 'workflow_run' && github.event.workflow_run.conclusion == 'success') | |
| }} | |
| # | |
| timeout-minutes: 10 | |
| runs-on: ubuntu-latest | |
| defaults: | |
| run: | |
| working-directory: ./packages/kuma-gui | |
| env: | |
| SHA: ${{ github.event.workflow_run.head_sha || inputs.sha }} | |
| BRANCH: ${{ github.event.workflow_run.head_branch || inputs.branch }} | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| with: | |
| ref: ${{ env.BRANCH }} | |
| - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 | |
| with: | |
| node-version-file: '.nvmrc' | |
| # Syft, used to generate the SBOM, struggles with npm projects when: | |
| # - Two packages, in the same repository, are separate npm workloads | |
| # which share a common `package-lock.json`. | |
| # - One package (e.g., `packages/config`) defines peerDependencies and | |
| # is referenced as a devDependency in another package | |
| # (e.g., `packages/kuma-gui`). | |
| # [...] | |
| # More information in ./packages/kuma-gui/mk/release.mk | |
| - run: | | |
| make release/prune | |
| - uses: Kong/public-shared-actions/security-actions/sca@0ccacffed804d85da3f938a1b78c12831935f992 | |
| id: sbom | |
| env: | |
| SYFT_SOURCE_NAME: ${{ github.repository }} | |
| SYFT_SOURCE_VERSION: "${{ env.BRANCH }}@${{ env.SHA }}" | |
| with: | |
| asset_prefix: kuma-gui | |
| dir: '.' | |
| config: .syft.yaml | |
| fail_build: 'true' # Fail job if critical vulnerabilities are detected | |
| - run: | | |
| make install/sync | |
| make build/sync | |
| - uses: actions/create-github-app-token@c1a285145b9d317df6ced56c09f525b5c2b6f755 # v1.11.1 | |
| id: github-app-token | |
| with: | |
| app-id: ${{ secrets.APP_ID }} | |
| private-key: ${{ secrets.APP_PRIVATE_KEY }} | |
| # Access to kuma needs to be explicitly included here so that a pull request can be opened in that repository. | |
| owner: ${{ github.repository_owner }} | |
| repositories: "kuma-gui,kuma" | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| with: | |
| # This needs to be a token that grants read access to `HOST_REPOSITORY`. If that repository is private, it needs general access to the `repo` scope which grants access to read private repositories. Otherwise, you will run into an error telling you that the checkout actions can’t determine the repository’s default branch. This is on account of a lack of access not because it can’t determine the default branch. | |
| token: ${{ steps.github-app-token.outputs.token }} | |
| repository: ${{ vars.HOST_REPOSITORY }} | |
| ref: ${{ env.BRANCH }} | |
| path: ./packages/kuma-gui/main-application | |
| - run: | | |
| cd main-application | |
| echo 'Copying Grype and SBOM reports ...' | |
| mkdir -p ${{ vars.HOST_REPORTS_DIRECTORY }} | |
| rm -f ${{ vars.HOST_REPORTS_DIRECTORY }}/{${{ steps.sbom.outputs.grype-json-report }},${{ steps.sbom.outputs.grype-sarif-report }},${{ steps.sbom.outputs.sbom-spdx-report }},${{ steps.sbom.outputs.sbom-cyclonedx-report }}} | |
| mv \ | |
| ../../../${{ steps.sbom.outputs.grype-json-report }} \ | |
| ../../../${{ steps.sbom.outputs.grype-sarif-report }} \ | |
| ../../../${{ steps.sbom.outputs.sbom-spdx-report }} \ | |
| ../../../${{ steps.sbom.outputs.sbom-cyclonedx-report }} \ | |
| ${{ vars.HOST_REPORTS_DIRECTORY }} | |
| echo 'Replacing GUI dist files ...' | |
| rm -rf ${{ vars.HOST_DIST_DIRECTORY }} | |
| cp -r ../${{ vars.DIST_DIRECTORY }}/ ${{ vars.HOST_DIST_DIRECTORY }} | |
| # https://github.com/peter-evans/create-pull-request | |
| - uses: peter-evans/create-pull-request@67ccf781d68cd99b580ae25a5c18a1cc84ffff1f # v7.0.6 | |
| with: | |
| # Note: This token can be a GITHUB_TOKEN if the created PR doesn’t need to trigger workflows `on: push` or `on: pull_request`. However, we definitely need to trigger workflows (e.g. to run test workflows on the PR). Instead, we should use a personal access token (PAT). See https://github.com/peter-evans/create-pull-request/blob/main/docs/concepts-guidelines.md#triggering-further-workflow-runs for a more detailed explanation. | |
| token: ${{ steps.github-app-token.outputs.token }} | |
| path: ./packages/kuma-gui/main-application | |
| base: ${{ env.BRANCH }} | |
| commit-message: | | |
| chore(deps): bump ${{ github.repository }} to ${{ env.SHA }} | |
| Bumps ${{ github.repository }} to version [${{ env.BRANCH }}@${{ env.SHA }}](https://github.com/${{ github.repository }}/tree/${{ env.SHA }}) | |
| committer: GitHub <[email protected]> | |
| author: github-actions[bot] <github-actions[bot]@users.noreply.github.com> | |
| team-reviewers: kuma-maintainers | |
| signoff: true | |
| branch: chore/update-gui-in-${{ env.BRANCH }} | |
| delete-branch: true | |
| title: 'chore(deps): bump ${{ github.repository }} to ${{ env.SHA }}' | |
| labels: ci/skip-e2e-test,${{ env.BRANCH }},ci/auto-merge | |
| body: | | |
| Bumps ${{ github.repository }} to version [${{ env.BRANCH }}@${{ env.SHA }}](https://github.com/${{ github.repository }}/tree/${{ env.SHA }}) | |
| > Changelog: chore(deps): use latest ${{ github.repository }} | |
| draft: false |