release: chore - add new release workflow using magefiles

This commit updates the platform actual version in all dependent files, add a new release process with two new files and one refactor and the usage of magefile project https://magefile.org/. In the magefile part added some privates commands in deployments/mage and imported some from horusec-devkit mageutils pkg New files are release-beta.yml and release-rc.yml and refactor was made to new-release.yml now named release-new.yml to match the standards to be named only release.yml in a tested future. Signed-off-by: Ian Cardoso <ian.cardoso@zup.com.br>
ZupIT · Nov 30, 2021 · d75e355 · d75e355
1 parent a36784d
commit d75e355
Show file tree

Hide file tree

Showing 9 changed files with 1,280 additions and 46 deletions.
diff --git a/.github/workflows/new-release.yml b/.github/workflows/new-release.yml
@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-name: New-Release
+name: release-new
 
 on:
   workflow_dispatch:
@@ -28,58 +28,73 @@ jobs:
       contents: write
       packages: write
     env:
-      COSIGN_KEY_LOCATION: "/tmp/cosign.key"
+      COSIGN_KEY_LOCATION: /tmp/cosign.key
+      COSIGN_PWD: ${{ secrets.COSIGN_PWD }}
     runs-on: ubuntu-latest
+
     steps:
+      - name: Set up nodejs
+        uses: actions/setup-node@v2
+        with:
+          node-version: 12
       - name: Checkout
         uses: actions/checkout@v2
         with:
           fetch-depth: 0
-          token: ${{ secrets.HORUSEC_PUSH_TOKEN }}
 
       - name: Set up Go
         uses: actions/setup-go@v2
         with:
           go-version: 1.17
-      - name: Set up nodejs
-        uses: actions/setup-node@v2
-        with:
-          node-version: 12
-      - name: "Login to DockerHub"
+
+      - name: Docker Login
         uses: docker/login-action@v1
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: Cosign Installer
+        uses: sigstore/cosign-installer@main
+        with:
+          cosign-release: 'v1.2.0'
+
+      - name: Install Mage
+        run: |
+          cd deployments/mage/ && go run mage.go -compile ../../mage
+
+      - name: Git config
+        run: ./mage -v defaultGitConfig
+
       - name: Import GPG key
         uses: crazy-max/ghaction-import-gpg@v4
         with:
           gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
-          passphrase: ${{ secrets.PASSPHRASE }}
+          passphrase: ${{ secrets.GPG_PASSPHRASE }}
           git_user_signingkey: true
           git_commit_gpgsign: true
 
+      - name: Install cosign private key
+        run: ./mage -v writeCosignKeyToFile
+        env:
+          COSIGN_KEY: ${{secrets.COSIGN_KEY}}
+
       - name: Version increment
         id: updated-version
         run: |
-          curl https://raw.githubusercontent.com/ZupIT/horusec-devkit/main/scripts/semver.sh -o /tmp/semver.sh
-          chmod +x /tmp/semver.sh
-          /tmp/semver.sh -${{ github.event.inputs.releaseType }} ${{ github.event.repository.full_name }}
-      - uses: sigstore/cosign-installer@main
-        with:
-          cosign-release: 'v1.2.0'
-      - name: install cosign private key
-        run: 'echo "$COSIGN_KEY" > $COSIGN_KEY_LOCATION'
-        shell: bash
+          ./mage -v upVersions ${{ github.event.inputs.releaseType }}
         env:
-          COSIGN_KEY: ${{secrets.COSIGN_KEY}}
+          HORUSEC_REPOSITORY_ORG: ${{ github.repository_owner }}
+          HORUSEC_REPOSITORY_NAME: ${{ github.event.repository.name }}
+
+      - name: Checkout release candidate branch
+        run: ./mage -v checkoutReleaseBranch ${{ steps.updated-version.outputs.nextReleaseBranchName }}
       - name: Update versions on package.json
-        run: |
-          npm install -g json
-          json -I -f ./manager/package.json -e 'this.version="${{ steps.updated-version.outputs.strippedVersion }}"'
+        run: ./mage -v updatePackageJson ${{ steps.updated-version.outputs.nextReleaseVersionStripped }}
+
       - name: Update versions on rest of the project
         run: |
-          find . -type f -not -path "./.git/*" -not -path "./Makefile" -not -path "./manager/cypress/*" -not -path "./manager/cypress/*" -not -name "*.sum" -not -name "*.mod"|
-          xargs sed -i "s/${{ steps.updated-version.outputs.actualVersion }}/${{ steps.updated-version.outputs.version }}/g"
+          find . -type f -not -path "./.git/*" -not -path "./manager/cypress/*" -not -name "*.sum" -not -name "*.mod"|
+          xargs sed -i "s/${{ steps.updated-version.outputs.actualReleaseVersion }}/${{ steps.updated-version.outputs.nextReleaseVersion }}/g"
+
       - name: Commit changes
         uses: EndBug/add-and-commit@v7.4.0
         with:
@@ -89,10 +104,11 @@ jobs:
           author_email: horusec@zup.com.br
           committer_name: Horusec
           committer_email: horusec@zup.com.br
-      - name: Create tag
-        run: |
-          git tag ${{ steps.updated-version.outputs.version }}
-          sleep 5
+          branch: ${{ steps.updated-version.outputs.nextReleaseBranchName }}
+
+      - name: Create local tag
+        run: ./mage -v createLocalTag ${{ steps.updated-version.outputs.nextReleaseVersion }}
+
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v2
         with:
@@ -103,13 +119,13 @@ jobs:
           COSIGN_KEY: ${{ secrets.COSIGN_KEY }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           COSIGN_PWD: ${{ secrets.COSIGN_PWD }}
-          GORELEASER_CURRENT_TAG: ${{ steps.updated-version.outputs.version }}
+          GORELEASER_CURRENT_TAG: ${{ steps.updated-version.outputs.nextReleaseVersion }}
 
       - name: "Docker meta"
         uses: docker/metadata-action@v3
         id: meta
         env:
-          RELEASE_VERSION: ${{ steps.updated-version.outputs.version }}
+          RELEASE_VERSION: ${{ steps.updated-version.outputs.nextReleaseVersion }}
         with:
           images: |
             horuszup/horusec-manager
@@ -132,11 +148,27 @@ jobs:
         env:
           COSIGN_PASSWORD: ${{ secrets.COSIGN_PWD }}
 
-      - name: Push tag
+
+      - name: Push updates
         run: |
-          git push origin ${{ steps.updated-version.outputs.version }}
-      - name: Create release branch
-        if: github.event.inputs.releaseType != 'p'
+          ./mage -v gitPushAll
+      # This step gets the sha of last commit made, witch is the updating versioning files commit, after that creates a
+      # branch from the origin main and cherry pick this commit on it. This process need to occur only when the release
+      # workflow is started from a branch that isn't the main branch, for example a release branch.
+      # When the workflow it's triggered to run on main, the commit it's going to be made directly to the main branch.
+      - name: Cherry pick
+        id: cherry-pick
         run: |
-          git branch ${{ steps.updated-version.outputs.releaseBranchName }}
-          git push origin ${{ steps.updated-version.outputs.releaseBranchName }}
+          ./mage CherryPick
+      # This step utilizes an action to create a pull request with the branch that was cherry picked on the last step
+      # into the main branch. As the last commit, this also needs to run only when the release workflow is started from a
+      # branch that isn't the main branch. Others workflows should be skipped cause of the skip ci in the pull request title.
+      - name: Create Pull Request
+        uses: repo-sync/pull-request@v2
+        with:
+          source_branch: "${{ steps.cherry-pick.outputs.cherryPickBranchName }}"
+          destination_branch: "main"
+          pr_title: "versioning:release - [skip ci] automatic pull request updating versioning files"
+          pr_body: "This is a automatic pull request that contains changes to files that need to be updated with the new release version. Where the commit ${{ steps.cherry-pick.outputs.commitShaToPick }} was cherry picked from the release branch, which already contains all the necessary changes."
+          github_token: ${{ secrets.HORUSEC_PUSH_TOKEN }}
+
diff --git a/.github/workflows/release-beta.yml b/.github/workflows/release-beta.yml
@@ -0,0 +1,174 @@
+# Copyright 2021 ZUP IT SERVICOS EM TECNOLOGIA E INOVACAO SA
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: release-beta
+
+on:
+  workflow_dispatch:
+    inputs:
+      releaseType:
+        description: 'Release type: M (Major); m (Minor); p (Path)'
+        required: true
+
+permissions: read-all
+jobs:
+  beta:
+    permissions:
+      contents: write
+      packages: write
+    env:
+      COSIGN_KEY_LOCATION: /tmp/cosign.key
+      COSIGN_PWD: ${{ secrets.COSIGN_PWD }}
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Set up nodejs
+        uses: actions/setup-node@v2
+        with:
+          node-version: 12
+      - name: Checkout
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+
+      - name: Set up Go
+        uses: actions/setup-go@v2
+        with:
+          go-version: 1.17
+
+      - name: Docker Login
+        uses: docker/login-action@v1
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: Cosign Installer
+        uses: sigstore/cosign-installer@main
+        with:
+          cosign-release: 'v1.2.0'
+
+      - name: Install Mage
+        run: |
+          cd deployments/mage/ && go run mage.go -compile ../../mage
+
+      - name: Git config
+        run: |
+          ./mage -v defaultGitConfig
+
+      - name: Import GPG key
+        uses: crazy-max/ghaction-import-gpg@v4
+        with:
+          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
+          passphrase: ${{ secrets.GPG_PASSPHRASE }}
+          git_user_signingkey: true
+          git_commit_gpgsign: true
+
+      - name: Install cosign private key
+        run: |
+          ./mage -v writeCosignKeyToFile
+        env:
+          COSIGN_KEY: ${{secrets.COSIGN_KEY}}
+
+      - name: Version increment
+        id: updated-version
+        run: |
+          ./mage -v upVersions ${{ github.event.inputs.releaseType }}
+        env:
+          HORUSEC_REPOSITORY_ORG: ${{ github.repository_owner }}
+          HORUSEC_REPOSITORY_NAME: ${{ github.event.repository.name }}
+
+      - name: Checkout release candidate branch
+        run: |
+          ./mage -v checkoutReleaseBranch ${{ steps.updated-version.outputs.nextReleaseBranchName }}
+
+      - name: Create local tag
+        run: |
+          ./mage -v createLocalTag ${{ steps.updated-version.outputs.nextBetaVersion }}
+
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@v2
+        with:
+          distribution: goreleaser
+          version: latest
+          args: release --rm-dist --skip-publish
+        env:
+          COSIGN_KEY: ${{ secrets.COSIGN_KEY }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          COSIGN_PWD: ${{ secrets.COSIGN_PWD }}
+          GORELEASER_CURRENT_TAG: ${{ steps.updated-version.outputs.nextBetaVersion }}
+
+      - name: Push go projects to dockerhub
+        run: |
+          ./mage -v dockerPushPlatformGoProjects ${{ steps.updated-version.outputs.nextBetaVersion }}
+
+      - name: Sign go projects in dockerhub
+        env:
+          COSIGN_KEY: ${{secrets.COSIGN_KEY}}
+          COSIGN_PASSWORD: ${{ secrets.COSIGN_PWD }}
+        run: |
+          ./mage -v dockerSignPlatformGoProjects ${{ steps.updated-version.outputs.nextBetaVersion }}
+
+      - name: "Docker meta"
+        uses: docker/metadata-action@v3
+        id: meta
+        env:
+          RELEASE_VERSION: ${{ steps.updated-version.outputs.nextBetaVersion }}
+        with:
+          images: |
+            horuszup/horusec-manager
+          tags: |
+            type=semver,prefix=v,pattern={{version}},value=${{ env.RELEASE_VERSION }}
+            type=semver,prefix=v,pattern={{major}}.{{minor}},value=${{ env.RELEASE_VERSION }}
+            type=semver,prefix=v,pattern={{major}},value=${{ env.RELEASE_VERSION }}
+
+      - name: "Build and push manager"
+        uses: docker/build-push-action@v2
+        with:
+          push: true
+          context: ./manager
+          file: ./manager/deployments/dockerfiles/Dockerfile
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+
+      - name: Sign image
+        run: |
+          cosign sign -key $COSIGN_KEY_LOCATION horuszup/horusec-manager:${{ steps.updated-version.outputs.nextBetaVersion }}
+        env:
+          COSIGN_PASSWORD: ${{ secrets.COSIGN_PWD }}
+
+      - name: Push updates
+        run: |
+          ./mage -v gitPushAll
+
+      - name: Update release
+        uses: meeDamian/github-release@2.0
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          tag: ${{ steps.updated-version.outputs.nextBetaVersion }}
+          name: ${{ steps.updated-version.outputs.nextBetaVersion }}
+          draft: true
+          prerelease: false
+          commitish: ${{ github.sha }}
+          gzip: false
+          allow_override: false
+          body: |
+            ## Docker images
+            - `docker pull horuszup/horusec-analytic:${{ steps.updated-version.outputs.nextBetaVersion }}`
+            - `docker pull horuszup/horusec-api:${{ steps.updated-version.outputs.nextBetaVersion }}`
+            - `docker pull horuszup/horusec-auth:${{ steps.updated-version.outputs.nextBetaVersion }}`
+            - `docker pull horuszup/horusec-core:${{ steps.updated-version.outputs.nextBetaVersion }}`
+            - `docker pull horuszup/horusec-manager:${{ steps.updated-version.outputs.nextBetaVersion }}`
+            - `docker pull horuszup/horusec-messages:${{ steps.updated-version.outputs.nextBetaVersion }}`
+            - `docker pull horuszup/horusec-migrations:${{ steps.updated-version.outputs.nextBetaVersion }}`
+            - `docker pull horuszup/horusec-vulnerability:${{ steps.updated-version.outputs.nextBetaVersion }}`
+            - `docker pull horuszup/horusec-webhook:${{ steps.updated-version.outputs.nextBetaVersion }}`