Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update release process #1908

Merged
merged 11 commits into from
Apr 13, 2023
Merged

Update release process #1908

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
11 commits
Select commit Hold shift + click to select a range
359a8e8
Add actionlint to pre-commit
s0undt3ch Apr 11, 2023
b51840e
Use our runners to publish a release. Update S3 bucket in the process.
s0undt3ch Apr 11, 2023
c981eae
Sign release scripts. Nightly develop version of scripts upload.
s0undt3ch Apr 11, 2023
af25802
Some echo's so that we know what we're doing
s0undt3ch Apr 11, 2023
453812a
Switch to using `tools` when uploading to S3
s0undt3ch Apr 11, 2023
c07acc3
Respect the old directory layout
s0undt3ch Apr 12, 2023
0184635
Use the installed python on the runners
s0undt3ch Apr 12, 2023
2a4f2ad
Allow testing releases from forks
s0undt3ch Apr 12, 2023
3d3c7c7
Fix opening PR against the Salt repository
s0undt3ch Apr 12, 2023
6c6291b
Don't rely on GH runners during the release process once started.
s0undt3ch Apr 12, 2023
ce4a071
Bump to `geekyeggo/delete-artifact@v2`
s0undt3ch Apr 12, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions .github/actionlint.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
self-hosted-runner:
# Labels of self-hosted runner in array of string
labels:
- repo-release
101 changes: 101 additions & 0 deletions .github/workflows/nightly.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,101 @@
name: Nightly S3 Update
run-name: "Nightly S3 (branch: ${{ github.ref_name }})"

on:
workflow_dispatch: {}
schedule:
# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#onschedule
- cron: '0 1 * * *' # Every day at 1AM

jobs:

workflow-requirements:
name: Check Workflow Requirements
runs-on: ubuntu-latest
outputs:
requirements-met: ${{ steps.check-requirements.outputs.requirements-met }}
steps:
- name: Check For Admin Permission
if: ${{ github.event_name != 'schedule' }}
uses: actions-cool/check-user-permission@v2
with:
require: admin
username: ${{ github.triggering_actor }}

- name: Check Requirements
id: check-requirements
run: |
if [ "${{ vars.RUN_SCHEDULED_BUILDS }}" = "1" ]; then
MSG="Running workflow because RUN_SCHEDULED_BUILDS=1"
echo "${MSG}"
echo "${MSG}" >> "${GITHUB_STEP_SUMMARY}"
echo "requirements-met=true" >> "${GITHUB_OUTPUT}"
elif [ "${{ github.event.repository.fork }}" = "true" ]; then
MSG="Not running workflow because ${{ github.repository }} is a fork"
echo "${MSG}"
echo "${MSG}" >> "${GITHUB_STEP_SUMMARY}"
echo "requirements-met=false" >> "${GITHUB_OUTPUT}"
else
MSG="Running workflow because ${{ github.repository }} is not a fork"
echo "${MSG}"
echo "${MSG}" >> "${GITHUB_STEP_SUMMARY}"
echo "requirements-met=true" >> "${GITHUB_OUTPUT}"
fi

update-s3-bucket:
name: Update S3 Bucket
if: ${{ fromJSON(needs.workflow-requirements.outputs.requirements-met) }}
runs-on:
- self-hosted
- linux
- repo-release
needs:
- workflow-requirements
environment: release

steps:
- uses: actions/checkout@v3

- name: Get Salt Project GitHub Actions Bot Environment
run: |
TOKEN=$(curl -sS -f -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 30")
SPB_ENVIRONMENT=$(curl -sS -f -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/tags/instance/spb:environment)
echo "SPB_ENVIRONMENT=$SPB_ENVIRONMENT" >> "$GITHUB_ENV"

- name: Setup GnuPG
run: |
sudo install -d -m 0700 -o "$(id -u)" -g "$(id -g)" /run/gpg
GNUPGHOME="$(mktemp -d -p /run/gpg)"
echo "GNUPGHOME=${GNUPGHOME}" >> "$GITHUB_ENV"
cat <<EOF > "${GNUPGHOME}/gpg.conf"
batch
no-tty
pinentry-mode loopback
EOF

- name: Get Secrets
id: get-secrets
env:
SECRETS_KEY: ${{ secrets.SECRETS_KEY }}
run: |
SECRETS_KEY_FILE=$(mktemp /tmp/output.XXXXXXXXXX)
echo "$SECRETS_KEY" > "$SECRETS_KEY_FILE"
aws --region us-west-2 secretsmanager get-secret-value --secret-id /cmbu-saltstack/signing/repo-signing-keys-sha256-2023 \
--query SecretString --output text | jq .default_key -r | base64 -d \
| gpg --passphrase-file "${SECRETS_KEY_FILE}" -d - \
| gpg --import -
sync
aws --region us-west-2 secretsmanager get-secret-value --secret-id /cmbu-saltstack/signing/repo-signing-keys-sha256-2023 \
--query SecretString --output text| jq .default_passphrase -r | base64 -d \
| gpg --passphrase-file "${SECRETS_KEY_FILE}" -o "${GNUPGHOME}/passphrase" -d -
sync
rm "$SECRETS_KEY_FILE"
echo "passphrase-file ${GNUPGHOME}/passphrase" >> "${GNUPGHOME}/gpg.conf"

- name: Install Requirements
run: |
python3 -m pip install -r requirements/release.txt

- name: Upload Develop to S3
run: |
tools release s3-publish --key-id 64CBBC8173D76B3F develop
Loading