Skip to content

release

release #88

Workflow file for this run

name: release
on:
workflow_dispatch:
inputs:
version:
description: Version to release (e.g. v1.2.3)
required: true
kind:
description: Release kind
type: choice
options: [minor, patch]
required: true
default: minor
overwrite_published_release:
description: Tick this box if you want to overwrite a published release and have a good reason for doing so.
type: boolean
required: false
default: false
env:
container_registry: ghcr.io/edgelesssys
azure_resource_group: contrast-ci
concurrency:
group: ${{ github.ref }}
cancel-in-progress: true
jobs:
process-inputs:
name: Process inputs
runs-on: ubuntu-22.04
permissions:
contents: write
env:
FULL_VERSION: ${{ inputs.version }}
outputs:
WITHOUT_V: ${{ steps.version-info.outputs.WITHOUT_V }}
PART_MAJOR: ${{ steps.version-info.outputs.PART_MAJOR }}
PART_MINOR: ${{ steps.version-info.outputs.PART_MINOR }}
PART_PATCH: ${{ steps.version-info.outputs.PART_PATCH }}
MAJOR: ${{ steps.version-info.outputs.MAJOR }}
MAJOR_MINOR: ${{ steps.version-info.outputs.MAJOR_MINOR }}
MAJOR_MINOR_PATCH: ${{ steps.version-info.outputs.MAJOR_MINOR_PATCH }}
RELEASE_BRANCH: ${{ steps.version-info.outputs.RELEASE_BRANCH }}
WORKING_BRANCH: ${{ steps.version-info.outputs.WORKING_BRANCH }}
NEXT_MINOR: ${{ steps.version-info.outputs.NEXT_MINOR }}
NEXT_MINOR_PRE_WITHOUT_V: ${{ steps.version-info.outputs.NEXT_MINOR_PRE_WITHOUT_V }}
NEXT_PATCH_PRE_WITHOUT_V: ${{ steps.version-info.outputs.NEXT_PATCH_PRE_WITHOUT_V }}
steps:
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
- name: Working branch
run: |
echo "WORKING_BRANCH=$(git branch --show-current)" | tee -a "$GITHUB_ENV"
- name: Verify minor version bump
if: ${{ inputs.kind == 'minor' }}
run: |
if [[ ! "${FULL_VERSION}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
echo "Version must be in the form of vX.Y.Z"
exit 1
fi
- name: Verify patch version bump
if: ${{ inputs.kind == 'patch' }}
run: |
if [[ ! "${FULL_VERSION}" =~ ^v[0-9]+\.[0-9]+\.[1-9]+$ ]]; then
echo "Version must be in the form of vX.Y.Z, where Z > 0"
exit 1
fi
- name: Verify temporary branch for minor release
run: |
if [[ ! "${WORKING_BRANCH}" =~ ^tmp/v[0-9]+\.[0-9]+\.[0-9] ]]; then
echo "Workflow can only be triggered from a temporary branch in the form of tmp/vX.Y.Z"
exit 1
fi
- name: Extract version info
id: version-info
run: |
WITHOUT_V=${FULL_VERSION#v}
PART_MAJOR=${WITHOUT_V%%.*}
PART_MINOR=${WITHOUT_V#*.}
PART_MINOR=${PART_MINOR%%.*}
PART_PATCH=${WITHOUT_V##*.}
RELEASE_BRANCH=release/v${PART_MAJOR}.${PART_MINOR}
NEXT_MINOR=${PART_MAJOR}.$((PART_MINOR + 1)).0
NEXT_MINOR_PRE_WITHOUT_V=${PART_MAJOR}.$((PART_MINOR + 1)).0-pre
NEXT_PATCH_PRE_WITHOUT_V=${PART_MAJOR}.${PART_MINOR}.$((PART_PATCH + 1))-pre
{
echo "WITHOUT_V=${WITHOUT_V}"
echo "PART_MAJOR=${PART_MAJOR}"
echo "PART_MINOR=${PART_MINOR}"
echo "PART_PATCH=${PART_PATCH}"
echo "MAJOR=${PART_MAJOR}"
echo "MAJOR_MINOR=${PART_MAJOR}.${PART_MINOR}"
echo "MAJOR_MINOR_PATCH=${PART_MAJOR}.${PART_MINOR}.${PART_PATCH}"
echo "RELEASE_BRANCH=${RELEASE_BRANCH}"
echo "WORKING_BRANCH=${WORKING_BRANCH}"
echo "NEXT_MINOR=${NEXT_MINOR}"
echo "NEXT_MINOR_PRE_WITHOUT_V=${NEXT_MINOR_PRE_WITHOUT_V}"
echo "NEXT_PATCH_PRE_WITHOUT_V=${NEXT_PATCH_PRE_WITHOUT_V}"
} | tee -a "$GITHUB_OUTPUT"
echo "RELEASE_BRANCH=${RELEASE_BRANCH}" | tee -a "$GITHUB_ENV"
- name: Don't overwrite published releases
if: (! inputs.overwrite_published_release)
env:
GH_TOKEN: ${{ github.token }}
run: |
is_draft=$(gh release view ${{ inputs.version }} --json isDraft -q .isDraft)
# If the release is not yet published, is_draft will either be "true" or empty.
if [[ "${is_draft}" == "false" ]]; then
echo "::error::Release ${{ inputs.version }} is already published."
exit 1
fi
update-main:
name: Update main branch
if: ${{ inputs.kind == 'minor' }}
runs-on: ubuntu-22.04
needs: process-inputs
permissions:
contents: write
env:
RELEASE_BRANCH: ${{ needs.process-inputs.outputs.RELEASE_BRANCH }}
WORKING_BRANCH: ${{ needs.process-inputs.outputs.WORKING_BRANCH }}
steps:
- name: Checkout working branch
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ needs.process-inputs.outputs.WORKING_BRANCH }}
path: contrast-working
- name: Checkout main
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: main
path: contrast-main
- uses: ./contrast-working/.github/actions/setup_nix
with:
githubToken: ${{ secrets.GITHUB_TOKEN }}
cachixToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
- name: Configure git
run: |
git config --global user.name "edgelessci"
git config --global user.email "[email protected]"
- name: Create docs release
working-directory: contrast-main/docs
run: |
nix run .#yarn install
nix run .#yarn docusaurus docs:version ${{ needs.process-inputs.outputs.MAJOR_MINOR }}
git add .
git commit -am "docs: release ${{ needs.process-inputs.outputs.MAJOR_MINOR }}"
# Clean up auxiliary files, so next steps run on a clean tree
git clean -fx :/
- name: Bump flake version to post release patch pre-version
id: bump
uses: ./contrast-working/.github/actions/bump_version # Run action from working branch!
with:
version: ${{ needs.process-inputs.outputs.NEXT_MINOR_PRE_WITHOUT_V }}
working-directory: contrast-main
commit: false
- name: Create PR
uses: peter-evans/create-pull-request@6d6857d36972b65feb161a90e484f2984215f83e # v6.0.5
with:
title: Post ${{ needs.process-inputs.outputs.WITHOUT_V }} release updates to main
body: |
Updating main as part of the ${{ needs.process-inputs.outputs.WITHOUT_V }} release.
Only merge after the release is published.
commit-message: ${{ steps.bump.outputs.commit-msg }}
base: main
draft: false
labels: "no changelog"
branch: automated/update-main-after-${{ needs.process-inputs.outputs.WORKING_BRANCH }}
committer: edgelessci <[email protected]>
author: edgelessci <[email protected]>
token: ${{ secrets.NUNKI_CI_COMMIT_PUSH_PR }}
path: ./contrast-main
release:
name: Build and push artifacts, create release
runs-on: ubuntu-22.04
needs: process-inputs
permissions:
contents: write
packages: write
env:
RELEASE_BRANCH: ${{ needs.process-inputs.outputs.RELEASE_BRANCH }}
WORKING_BRANCH: ${{ needs.process-inputs.outputs.WORKING_BRANCH }}
steps:
- name: Checkout
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ needs.process-inputs.outputs.WORKING_BRANCH }}
- uses: ./.github/actions/setup_nix
with:
githubToken: ${{ secrets.GITHUB_TOKEN }}
cachixToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
- name: Log in to ghcr.io Container registry
uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Bump flake version temporarily to release version
uses: ./.github/actions/bump_version
with:
version: ${{ needs.process-inputs.outputs.WITHOUT_V }}
commit: false
- name: Push containers with release tag
run: |
coordinatorImg=$(nix run .#containers.push-coordinator -- "$container_registry/contrast/coordinator")
nodeInstallerImg=$(nix run .#containers.push-node-installer -- "$container_registry/contrast/node-installer")
initializerImg=$(nix run .#containers.push-initializer -- "$container_registry/contrast/initializer")
echo "coordinatorImg=$coordinatorImg" | tee -a "$GITHUB_ENV"
echo "nodeInstallerImg=$nodeInstallerImg" | tee -a "$GITHUB_ENV"
echo "initializerImg=$initializerImg" | tee -a "$GITHUB_ENV"
- name: Add tag to Coordinator image
run: |
tag() {
front=${1%@*}
back=${1#*@}
printf "%s:%s@%s" "$front" "${{ inputs.version }}" "$back"
}
echo "coordinatorImgTagged=$(tag "$coordinatorImg")" | tee -a "$GITHUB_ENV"
echo "nodeInstallerImgTagged=$(tag "$nodeInstallerImg")" | tee -a "$GITHUB_ENV"
echo "initializerImgTagged=$(tag "$initializerImg")" | tee -a "$GITHUB_ENV"
- name: Create file with image replacements
run: |
echo "ghcr.io/edgelesssys/contrast/coordinator:latest=$coordinatorImgTagged" > image-replacements.txt
echo "ghcr.io/edgelesssys/contrast/initializer:latest=$initializerImgTagged" >> image-replacements.txt
echo "ghcr.io/edgelesssys/contrast/node-installer:latest=$nodeInstallerImgTagged" >> image-replacements.txt
- name: Create portable coordinator resource definitions
run: |
mkdir -p workspace deployment
nix run .#scripts.write-coordinator-yaml -- "${coordinatorImgTagged}" > workspace/coordinator.yml
nix shell .#contrast --command resourcegen --namespace kube-system --image-replacements ./image-replacements.txt runtime > workspace/runtime.yml
nix shell .#contrast --command resourcegen --image-replacements ./image-replacements.txt --add-load-balancers emojivoto > deployment/emojivoto-demo.yml
zip -r workspace/emojivoto-demo.zip deployment/emojivoto-demo.yml
- name: Update coordinator policy hash
run: |
yq < workspace/coordinator.yml \
'select(.kind == "Deployment") | .spec.template.metadata.annotations["io.katacontainers.config.agent.policy"]' |
base64 -d | sha256sum | cut -d " " -f1 > cli/cmd/assets/coordinator-policy-hash
git config --global user.name "edgelessci"
git config --global user.email "[email protected]"
git add cli/cmd/assets/coordinator-policy-hash
git diff --staged --quiet || git commit -m "release: update coordinator policy hash"
- name: Build CLI
run: |
nix build -L .#cli-release
- name: Create draft release
uses: softprops/action-gh-release@9d7c94cfd0a1f3ed45544c887983e9fa900f0564 # v2.0.4
with:
draft: true
generate_release_notes: true
tag_name: ${{ inputs.version }}
target_commitish: ${{ needs.process-inputs.outputs.WORKING_BRANCH }}
files: |
result-cli/bin/contrast
workspace/coordinator.yml
workspace/runtime.yml
workspace/emojivoto-demo.zip
- name: Reset temporary changes
run: |
git reset --hard ${{ needs.process-inputs.outputs.WORKING_BRANCH }}
- name: Bump flake version to post release patch pre-version
uses: ./.github/actions/bump_version
with:
version: ${{ needs.process-inputs.outputs.NEXT_PATCH_PRE_WITHOUT_V }}
commit: true
test:
runs-on: ubuntu-22.04
permissions:
# Job needs content:write to see draft releases.
contents: write
packages: read
needs: release
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: ./.github/actions/setup_nix
with:
githubToken: ${{ secrets.GITHUB_TOKEN }}
cachixToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
- name: Log in to ghcr.io Container registry
uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Login to Azure
uses: azure/login@6b2456866fc08b011acb422a92a4aa20e2c4de32 # v2.1.0
with:
creds: ${{ secrets.CONTRAST_CI_INFRA_AZURE }}
- uses: nicknovitski/nix-develop@a2060d116a50b36dfab02280af558e73ab52427d # v1.1.0
- name: Create justfile.env
run: |
cat <<EOF > justfile.env
container_registry=${{ env.container_registry }}
azure_resource_group=${{ env.azure_resource_group }}
EOF
- name: Get credentials for CI cluster
run: |
just get-credentials
- name: E2E Test
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
nix shell .#contrast.e2e --command release.test -test.v --tag ${{ inputs.version }}
create-github-stuff:
name: Create backport label and milestone
if: ${{ inputs.kind == 'minor' }}
needs: process-inputs
runs-on: ubuntu-22.04
permissions:
issues: write
contents: read
env:
RELEASE_BRANCH: ${{ needs.process-inputs.outputs.RELEASE_BRANCH }}
NEXT_MINOR: ${{ needs.process-inputs.outputs.NEXT_MINOR }}
GH_TOKEN: ${{ github.token }}
steps:
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ needs.process-inputs.outputs.WORKING_BRANCH }}
- name: Create backport label
run: |
gh label create "backport ${RELEASE_BRANCH}" --color 576F61 --force
- name: Create milestone
run: |
gh api \
-H "Accept: application/vnd.github+json" \
-H "X-GitHub-Api-Version: 2022-11-28" \
/repos/edgelesssys/contrast/milestones |
jq -r '.[] | .title' | \
grep -xqF "${NEXT_MINOR}" && exit 0
gh api \
--method POST \
-H "Accept: application/vnd.github+json" \
-H "X-GitHub-Api-Version: 2022-11-28" \
/repos/edgelesssys/contrast/milestones \
-f title="${NEXT_MINOR}" \
-f state='open'