-
Notifications
You must be signed in to change notification settings - Fork 22
159 lines (141 loc) · 7.68 KB
/
release.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
name: 'Build and release to kumahq/kuma'
run-name: |
Build and release to kumahq/kuma (branch: ${{ github.event.workflow_run.head_branch || inputs.branch }})
# **Note 1**: You can merge a pull request into a release branch of the form
# “release-$MAJOR.$MINOR” (e.g. “release-2.1”) in order to create the GUI
# update PR in the matching release branch of the host repository. For this to
# work, the name of this repository’s release branch must match that of the
# host repository exactly.
# **Note 2**: Since this workflow can be triggered using the `workflow_run`
# event type, one needs to pay special attention to the context in which runs
# will be executed based on this workflow. Most importantly, runs will be using
# the workflow file found **in the project’s default branch**. This means that
# context variables like `github.ref` and `github.ref_name` will refer to the
# default branch **and not the branch that caused the workflow_run event to
# trigger**. Also, it likely means that to change the behavior of the workflow
# in a release branch, one will actually have to update the workflow file in
# the default branch, too.
on:
# Allows running the workflow manually.
workflow_dispatch:
inputs:
branch:
required: true
type: string
description: The base branch for which to create a release PR (default or release branch)
sha:
required: true
type: string
description: The commit hash for which to create a release PR
workflow_run:
workflows: ['Tests']
types: [completed]
# See “Filter pattern cheat sheet”
# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#filter-pattern-cheat-sheet
branches:
- master
- release-[0-9]+.[0-9]+
permissions:
contents: read # for checking out the repository (e.g. actions/checkout)
# Ensures that we only run one workflow per branch at a time.
# Already running workflows will be cancelled.
concurrency:
cancel-in-progress: true
group: ${{ github.workflow }}-${{ github.event.workflow_run.head_branch || inputs.branch }}
jobs:
# Creates a pull request in the main application to update its GUI i.e. a GUI release
create-release-pr:
# Only runs this job when the triggering workflow run was a success (i.e. the "Tests" workflow passes).
if: ${{ github.event_name == 'workflow_dispatch' ||
(github.event_name == 'workflow_run' && github.event.workflow_run.conclusion == 'success')
}}
#
timeout-minutes: 10
runs-on: ubuntu-latest
defaults:
run:
working-directory: ./packages/kuma-gui
env:
SHA: ${{ github.event.workflow_run.head_sha || inputs.sha }}
BRANCH: ${{ github.event.workflow_run.head_branch || inputs.branch }}
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ env.BRANCH }}
- uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
with:
node-version-file: '.nvmrc'
# Syft, used to generate the SBOM, struggles with npm projects when:
# - Two packages, in the same repository, are separate npm workloads
# which share a common `package-lock.json`.
# - One package (e.g., `packages/config`) defines peerDependencies and
# is referenced as a devDependency in another package
# (e.g., `packages/kuma-gui`).
# [...]
# More information in ./packages/kuma-gui/mk/release.mk
- run: |
make release/prune
- uses: Kong/public-shared-actions/security-actions/sca@0ccacffed804d85da3f938a1b78c12831935f992
id: sbom
env:
SYFT_SOURCE_NAME: ${{ github.repository }}
SYFT_SOURCE_VERSION: "${{ env.BRANCH }}@${{ env.SHA }}"
with:
asset_prefix: kuma-gui
dir: '.'
config: .syft.yaml
fail_build: 'true' # Fail job if critical vulnerabilities are detected
- run: |
make install/sync
make build/sync
- uses: actions/create-github-app-token@c1a285145b9d317df6ced56c09f525b5c2b6f755 # v1.11.1
id: github-app-token
with:
app-id: ${{ secrets.APP_ID }}
private-key: ${{ secrets.APP_PRIVATE_KEY }}
# Access to kuma needs to be explicitly included here so that a pull request can be opened in that repository.
owner: ${{ github.repository_owner }}
repositories: "kuma-gui,kuma"
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
# This needs to be a token that grants read access to `HOST_REPOSITORY`. If that repository is private, it needs general access to the `repo` scope which grants access to read private repositories. Otherwise, you will run into an error telling you that the checkout actions can’t determine the repository’s default branch. This is on account of a lack of access not because it can’t determine the default branch.
token: ${{ steps.github-app-token.outputs.token }}
repository: ${{ vars.HOST_REPOSITORY }}
ref: ${{ env.BRANCH }}
path: ./packages/kuma-gui/main-application
- run: |
cd main-application
echo 'Copying Grype and SBOM reports ...'
mkdir -p ${{ vars.HOST_REPORTS_DIRECTORY }}
rm -f ${{ vars.HOST_REPORTS_DIRECTORY }}/{${{ steps.sbom.outputs.grype-json-report }},${{ steps.sbom.outputs.grype-sarif-report }},${{ steps.sbom.outputs.sbom-spdx-report }},${{ steps.sbom.outputs.sbom-cyclonedx-report }}}
mv \
../../../${{ steps.sbom.outputs.grype-json-report }} \
../../../${{ steps.sbom.outputs.grype-sarif-report }} \
../../../${{ steps.sbom.outputs.sbom-spdx-report }} \
../../../${{ steps.sbom.outputs.sbom-cyclonedx-report }} \
${{ vars.HOST_REPORTS_DIRECTORY }}
echo 'Replacing GUI dist files ...'
rm -rf ${{ vars.HOST_DIST_DIRECTORY }}
cp -r ../${{ vars.DIST_DIRECTORY }}/ ${{ vars.HOST_DIST_DIRECTORY }}
# https://github.com/peter-evans/create-pull-request
- uses: peter-evans/create-pull-request@67ccf781d68cd99b580ae25a5c18a1cc84ffff1f # v7.0.6
with:
# Note: This token can be a GITHUB_TOKEN if the created PR doesn’t need to trigger workflows `on: push` or `on: pull_request`. However, we definitely need to trigger workflows (e.g. to run test workflows on the PR). Instead, we should use a personal access token (PAT). See https://github.com/peter-evans/create-pull-request/blob/main/docs/concepts-guidelines.md#triggering-further-workflow-runs for a more detailed explanation.
token: ${{ steps.github-app-token.outputs.token }}
path: ./packages/kuma-gui/main-application
base: ${{ env.BRANCH }}
commit-message: |
chore(deps): bump ${{ github.repository }} to ${{ env.SHA }}
Bumps ${{ github.repository }} to version [${{ env.BRANCH }}@${{ env.SHA }}](https://github.com/${{ github.repository }}/tree/${{ env.SHA }})
committer: GitHub <[email protected]>
author: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
team-reviewers: kuma-maintainers
signoff: true
branch: chore/update-gui-in-${{ env.BRANCH }}
delete-branch: true
title: 'chore(deps): bump ${{ github.repository }} to ${{ env.SHA }}'
labels: ci/skip-e2e-test,${{ env.BRANCH }},ci/auto-merge
body: |
Bumps ${{ github.repository }} to version [${{ env.BRANCH }}@${{ env.SHA }}](https://github.com/${{ github.repository }}/tree/${{ env.SHA }})
> Changelog: chore(deps): use latest ${{ github.repository }}
draft: false