forked from greenbone/openvas-scanner
-
Notifications
You must be signed in to change notification settings - Fork 1
207 lines (201 loc) · 9.14 KB
/
release.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
name: "release"
on:
pull_request:
types: [closed]
workflow_dispatch:
inputs:
release:
description: "Use 'major' for incompatible changes, 'minor' for new features, and 'patch' for fixes."
type: choice
options:
- "major"
- "minor"
- "patch"
required: true
default: "patch"
# This job first determines the target branch of the closed pull request. If the target branch is "main",
# then the latest release tag is used. If no release tag exists, it is set to 0.1.0. If it is a release
# branch (e.g. v22), then the latest tag within that major version is used.
#
# For a patch release, the latest tag is enhanced with 0.0.1, leaving the major and minor versions as
# they are.
#
# For a minor release, the latest tag is enhanced with 0.1.0, and the patch version is set to 0.
#
# For a major release, a branch is created for the latest major release found by tag, and the version
# is enhanced with $latest_tag + 1.0.0, increasing the major version by 1 and setting the minor and
# patch versions to 0.
#
# Major version releases are only valid on the "main" branch.
#
# Once the version is found and enhanced, each CMakeLists file is updated to the new
# version, and a commit is created in the found branch.
jobs:
calculate_version:
runs-on: "ubuntu-latest"
if: |
github.event_name == 'workflow_dispatch' ||
(
github.event.pull_request.merged == true &&
contains(github.event.pull_request.labels.*.name, 'major_release') ||
contains(github.event.pull_request.labels.*.name, 'minor_release') ||
contains(github.event.pull_request.labels.*.name, 'patch_release')
)
outputs:
new_version: ${{ steps.version.outputs.new_version }}
latest_version: ${{ steps.version.outputs.latest_version }}
release_kind: ${{ steps.version.outputs.release_kind }}
release_ref: ${{ steps.version.outputs.release_ref }}
project: ${{ steps.version.outputs.project}}
steps:
- uses: actions/checkout@v4
with:
token: ${{ secrets.GREENBONE_BOT_TOKEN }}
fetch-depth: '0'
- name: set RELEASE_KIND = ${{ github.event.inputs.release }}
if: ${{ github.event_name == 'workflow_dispatch' }}
run: |
echo "RELEASE_KIND=${{ github.event.inputs.release }}" >> $GITHUB_ENV
- name: set RELEASE_KIND = major
if: ${{ (contains(github.event.pull_request.labels.*.name, 'major_release')) }}
run: |
echo "RELEASE_KIND=major" >> $GITHUB_ENV
- name: set RELEASE_KIND = minor
if: ${{ (contains(github.event.pull_request.labels.*.name, 'minor_release')) }}
run: |
echo "RELEASE_KIND=minor" >> $GITHUB_ENV
- name: set RELEASE_KIND = patch
if: ${{ (contains(github.event.pull_request.labels.*.name, 'patch_release')) }}
run: |
echo "RELEASE_KIND=patch" >> $GITHUB_ENV
- name: set RELEASE_REF
run: |
if [[ "${{ github.event_name }}" = "workflow_dispatch" ]]; then
echo "RELEASE_REF=${{ github.ref_name }}" >> $GITHUB_ENV
else
echo "RELEASE_REF=${{ github.base_ref }}" >> $GITHUB_ENV
fi
- name: "LATEST_VERSION"
run: |
if [[ "${{ env.RELEASE_REF }}" = "main" ]]; then
echo "LATEST_VERSION=$(git tag | grep "^v" | sed 's/^v//' | sort --version-sort | tail -n 1)" >> $GITHUB_ENV
else
echo "LATEST_VERSION=$(git tag | grep "^v${{ env.RELEASE_REF }}" | sed 's/^v//' | sort --version-sort | tail -n 1)" >> $GITHUB_ENV
fi
- name: "default LATEST_VERSION"
run: |
# default to 0.1.0 when there is no previous tag and on main branch
if ([[ -z "${{ env.LATEST_VERSION }}" ]] && [[ "${{ env.RELEASE_REF }}" = "main" ]]); then
echo "LATEST_VERSION=0.1.0" >> $GITHUB_ENV
fi
# safeguard
- name: RELEASE_REF != NULL
run: ([ -n "${{ env.RELEASE_REF }}" ])
- name: LATEST_VERSION != NULL
run: ([ -n "${{ env.LATEST_VERSION }}" ])
- name: RELEASE_KIND != NULL
run: ([ -n "${{ env.RELEASE_KIND }}" ])
- name: "NEW_VERSION"
run: |
echo "NEW_VERSION=$(sh .github/enhance_version.sh ${{ env.LATEST_VERSION }} ${{ env.RELEASE_KIND }})" >> $GITHUB_ENV
- name: NEW_VERSION != NULL
run: ([ -n "${{ env.NEW_VERSION }}" ])
- name: set output
id: version
run: |
echo "latest_version=$LATEST_VERSION" >> "$GITHUB_OUTPUT"
echo "new_version=$NEW_VERSION" >> "$GITHUB_OUTPUT"
echo "release_kind=$RELEASE_KIND" >> "$GITHUB_OUTPUT"
echo "release_ref=$RELEASE_REF" >> "$GITHUB_OUTPUT"
echo "project=$(echo "${{ github.repository }}" | sed 's/.*\///' )" >> "$GITHUB_OUTPUT"
build-binaries:
needs: calculate_version
uses: ./.github/workflows/build-rust.yml
release:
name: release
needs:
- build-binaries
- calculate_version
runs-on: "ubuntu-latest"
env:
RELEASE_KIND: ${{needs.calculate_version.outputs.release_kind}}
RELEASE_REF: ${{needs.calculate_version.outputs.release_ref}}
LATEST_VERSION: ${{needs.calculate_version.outputs.latest_version}}
NEW_VERSION: ${{needs.calculate_version.outputs.new_version}}
PROJECT: ${{needs.calculate_version.outputs.project}}
steps:
- uses: actions/checkout@v4
with:
token: ${{ secrets.GREENBONE_BOT_TOKEN }}
fetch-depth: '0'
- name: set git credentials
run: |
git config --global user.email "${{ secrets.GREENBONE_BOT_MAIL }}"
git config --global user.name "${{ secrets.GREENBONE_BOT }}"
- name: "create working branch for previous major release (${{ env.LATEST_VERSION }})"
if: ( env.RELEASE_KIND == 'major' )
run: |
# save a branch so that we can easily create PR for that version when we want to fix something
git checkout "v${{ env.LATEST_VERSION }}"
export BRANCH_NAME=$(echo "${{ env.LATEST_VERSION }}" | sed 's/^\([0-9]*\).*/v\1/')
git checkout -b "$BRANCH_NAME"
git push origin "$BRANCH_NAME"
# create branch of version
- name: prepare project version ${{ env.RELEASE_REF }} ${{ env.LATEST_VERSION }} -> ${{ env.NEW_VERSION }}
run: |
# jump back for the case that we switched to a tag
git checkout "${{ env.RELEASE_REF }}"
# change version
python3 -m pip install pontos
# ignore failure on setting version
pontos-version update ${{ env.NEW_VERSION }} || true
# set app version on chart
awk '{sub(/appVersion: "[0-9]+\.[0-9]+\.[0-9]+"/,"appVersion: \"${{ env.NEW_VERSION }}\""); print}' charts/openvasd/Chart.yaml | tee /tmp/Chart.yaml
mv /tmp/Chart.yaml charts/openvasd/Chart.yaml
# as soon as pontos-version release is available and it supports cargo do
# cd rust
# pontos-version update ${{ env.NEW_VERSION }}
# but since we don't upload cargo modules to registry the version doesn't matter as of now.
if git diff --exit-code --quiet; then
echo "There are no modified files, skipping."
else
git add CMakeLists.txt
git add charts/openvasd/Chart.yaml
git commit -m "Automated commit: change version from ${{ env.LATEST_VERSION }} -> ${{ env.NEW_VERSION }}"
git push origin ${{ env.RELEASE_REF }}
fi
- uses: actions/download-artifact@v3
with:
name: rs-binaries
path: assets
- uses: greenbone/actions/setup-pontos@v3
- name: release ${{ env.PROJECT }} ${{ env.LATEST_VERSION }} -> ${{ env.NEW_VERSION }}
run: |
pontos-changelog \
--current-version ${{ env.LATEST_VERSION }} \
--next-version ${{ env.NEW_VERSION }} \
--config changelog.toml \
--project $PROJECT \
--versioning-scheme semver \
-o /tmp/changelog.md || true
# we would rather have empty release notes than no release
if [ ! -f "/tmp/changelog.md" ]; then
touch /tmp/changelog.md
fi
echo "${{ secrets.GREENBONE_BOT_TOKEN }}" | gh auth login --with-token
# lets see how smart it is
export nrn="v${{ env.NEW_VERSION }}"
gh release create "$nrn" -F /tmp/changelog.md
- name: "sign ${{ env.PROJECT }}"
run: |
mkdir -p assets
ls -las assets/
export nrn="v${{ env.NEW_VERSION }}"
export filename="$PROJECT-$nrn"
curl -sfSL --retry 3 --retry-connrefused --retry-delay 2 -o assets/$filename.zip https://github.com/${{ github.repository }}/archive/refs/tags/$nrn.zip
curl -sfSL --retry 3 --retry-connrefused --retry-delay 2 -o assets/$filename.tar.gz https://github.com/${{ github.repository }}/archive/refs/tags/$nrn.tar.gz
echo -e "${{ secrets.GPG_KEY }}" > private.pgp
echo ${{ secrets.GPG_PASSPHRASE }} | bash .github/sign-assets.sh private.pgp
rm assets/$filename.zip
rm assets/$filename.tar.gz
gh release upload $nrn assets/*