diff --git a/.github/workflows/release_publish-binary.yml b/.github/workflows/release_publish-binary.yml
deleted file mode 100644
index f783a9d756..0000000000
--- a/.github/workflows/release_publish-binary.yml
+++ /dev/null
@@ -1,59 +0,0 @@
-name: release:publish-binary
-
-on:
- push:
- tags:
- - "v[0-9].[0-9].[0-9]*"
- workflow_dispatch:
- inputs:
- tag:
- description: "Tag to build and publish (e.g. v2.72.1-dk)"
- required: true
-
-env:
- DEBIAN_FRONTEND: "noninteractive"
- TASK_X_REMOTE_TASKFILES: 1
- LD_LIBRARY_PATH: "/usr/local/lib/libgost"
-
-jobs:
- publish:
- name: Build and publish binary
- runs-on: [self-hosted, regular]
- permissions:
- contents: write
- steps:
- - name: Checkout code
- uses: actions/checkout@v6
- with:
- fetch-depth: 0
- fetch-tags: true
-
- - name: Set up Go
- uses: actions/setup-go@v6
- with:
- cache: false
- go-version-file: go.mod
-
- - name: Set version
- run: echo "VERSION=${{ inputs.tag || github.ref_name }}" >> "$GITHUB_ENV"
-
- - name: Build binary (linux/amd64)
- run: |
- task --yes build:dist:linux:amd64 version="$VERSION"
- file dist/$VERSION/linux-amd64/bin/werf | grep -Eq "x86-64.*statically linked.*Linux"
-
- - name: Upload binary to GitHub Release
- uses: softprops/action-gh-release@v3
- with:
- token: ${{ secrets.RELEASE_PLEASE_TOKEN }}
- tag_name: ${{ env.VERSION }}
- files: dist/${{ env.VERSION }}/linux-amd64/bin/werf
-
- notify:
- if: always()
- needs: publish
- uses: werf/common-ci/.github/workflows/notification.yml@main
- secrets:
- loopNotificationGroup: ${{ secrets.LOOP_NOTIFICATION_GROUP }}
- webhook: ${{ secrets.LOOP_NOTIFICATION_WEBHOOK }}
- notificationChannel: ${{ secrets.LOOP_NOTIFICATION_CHANNEL }}
diff --git a/.github/workflows/release_trdl-publish.yml b/.github/workflows/release_trdl-publish.yml
new file mode 100644
index 0000000000..e5ca2c112d
--- /dev/null
+++ b/.github/workflows/release_trdl-publish.yml
@@ -0,0 +1,143 @@
+name: release:trdl-publish
+on:
+ push:
+ branches:
+ - main
+ paths:
+ - trdl_channels.yaml
+ repository_dispatch:
+ types: ["release:trdl-publish"]
+ workflow_dispatch:
+ inputs:
+ force:
+ description: "Force publish all images"
+ required: false
+ default: "false"
+defaults:
+ run:
+ shell: bash
+
+jobs:
+ publish:
+ name: Publish release channels using trdl server
+ runs-on: ubuntu-22.04
+ steps:
+ - name: Notify
+ uses: mattermost/action-mattermost-notify@master
+ with:
+ MATTERMOST_WEBHOOK_URL: ${{ secrets.LOOP_NOTIFICATION_WEBHOOK }}
+ MATTERMOST_CHANNEL: ${{ secrets.LOOP_NOTIFICATION_CHANNEL }}
+ TEXT: |
+ ${{ secrets.LOOP_NOTIFICATION_GROUP }} [${{ github.workflow }}](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}) task sign pls
+
+ - name: Publish with retry
+ uses: werf/trdl-vault-actions/publish@main
+ with:
+ vault-addr: ${{ secrets.TRDL_VAULT_ADDR }}
+ project-name: delivery-kit
+ vault-auth-method: approle
+ vault-role-id: ${{ secrets.TRDL_VAULT_ROLE_ID }}
+ vault-secret-id: ${{ secrets.TRDL_VAULT_SECRET_ID }}
+
+ update_release:
+ runs-on: ubuntu-22.04
+ needs:
+ - publish
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v6
+ with:
+ fetch-depth: 0
+ fetch-tags: true
+ - name: Update GitHub releases based on trdl_channels.yaml
+ env:
+ GH_TOKEN: ${{ secrets.RELEASE_PLEASE_TOKEN }}
+ run: |
+ check_release_exists() {
+ local version=$1
+ gh release view "v$version" >/dev/null 2>&1
+ return $?
+ }
+
+ get_release_name() {
+ local tag=$1
+ gh release view "$tag" --json name | jq -r '.name'
+ }
+
+ process_releases() {
+ echo "Processing releases based on trdl_channels.yaml..."
+
+ declare -A VERSION_CHANNELS
+ declare -A GROUP_VERSIONS
+
+ current_group=""
+ while IFS= read -r line; do
+ if [[ $line =~ name:\ \"([^\"]+)\" ]]; then
+ current_group="${BASH_REMATCH[1]}"
+ elif [[ $line =~ name:\ ([a-z-]+) ]]; then
+ current_channel="${BASH_REMATCH[1]}"
+ elif [[ $line =~ version:\ ([0-9a-zA-Z.+-]+) ]]; then
+ version="${BASH_REMATCH[1]#v}"
+ key="${current_group}:${version}"
+ if [[ -z "${VERSION_CHANNELS[$key]}" ]]; then
+ VERSION_CHANNELS["$key"]="$current_channel"
+ GROUP_VERSIONS["$version"]="$current_group"
+ else
+ VERSION_CHANNELS["$key"]="${VERSION_CHANNELS[$key]},$current_channel"
+ fi
+ fi
+ done < trdl_channels.yaml
+
+ for key in "${!VERSION_CHANNELS[@]}"; do
+ version="${key#*:}"
+ group="${key%:*}"
+ tag="v$version"
+
+ if check_release_exists "$version"; then
+ channels="${VERSION_CHANNELS[$key]}"
+ expected_title="$tag [$channels]"
+ current_title=$(get_release_name "$tag")
+
+ if [[ "$current_title" != "$expected_title" ]]; then
+ if [[ $group == "2" && $channels == *stable* ]]; then
+ echo "Updating $tag (group $group): stable, latest"
+ gh release edit "$tag" --title "$expected_title" --latest --prerelease=false || true
+ elif [[ $channels == *rock-solid* ]]; then
+ echo "Updating $tag (group $group): rock-solid, just title"
+ gh release edit "$tag" --title "$expected_title" --prerelease=false || true
+ else
+ echo "Updating $tag (group $group): prerelease, channels=$channels"
+ gh release edit "$tag" --title "$expected_title" --prerelease || true
+ fi
+ else
+ echo "$tag (group $group) already has correct title: $current_title"
+ fi
+ else
+ echo "Release $tag (group $group) not found, skipping..."
+ fi
+ done
+
+ echo "Checking for releases with outdated channel markers..."
+ while read -r full_name; do
+ tag="${full_name%% *}"
+ version="${tag#v}"
+
+ [[ -n "${GROUP_VERSIONS[$version]}" ]] && continue
+
+ echo "Resetting $tag to plain version title (no channels in config)"
+ gh release edit "$tag" --title "$tag" --prerelease=false || true
+ done < <(gh release list --json name | jq -r '.[] | select(.name | test("\\[[a-zA-Z,-]+\\]")) | .name')
+ }
+
+ process_releases
+
+ notify:
+ if: always()
+ needs:
+ - publish
+ - update_release
+ uses: werf/common-ci/.github/workflows/notification.yml@main
+ secrets:
+ loopNotificationGroup: ${{ secrets.LOOP_NOTIFICATION_GROUP }}
+ webhook: ${{ secrets.LOOP_NOTIFICATION_WEBHOOK }}
+ notificationChannel: ${{ secrets.LOOP_NOTIFICATION_CHANNEL }}
diff --git a/.github/workflows/release_trdl-release.yml b/.github/workflows/release_trdl-release.yml
new file mode 100644
index 0000000000..b156815ee5
--- /dev/null
+++ b/.github/workflows/release_trdl-release.yml
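Review bot: `uses: mattermost/action-mattermost-notify@master` in the Notify step runs a third-party action from a mutable branch while handing it the `LOOP_NOTIFICATION_WEBHOOK` and channel secrets; pin it to a full commit SHA (`uses: mattermost/action-mattermost-notify@<commit-sha> # <release-tag>`) so a later push to that branch cannot change what runs with those values — the same line appears in release_trdl-release.yml. In `process_releases`, the reset loop reads `gh release list --json name` without `--limit`, and `gh release list` returns only its default page of 30 items, so older releases that still carry a `[channel]` marker in their title are never reset; add an explicit `--limit` sized to the repository's release count. The `|| true` after every `gh release edit` hides token-permission and API failures, so the job reports success even when no title was changed; consider recording failures and exiting non-zero at the end of `process_releases`. `workflow_dispatch.inputs.force` is declared with description "Force publish all images" but no step reads `inputs.force`; either wire it into the publish step or drop it. With the 1.0–1.2 groups removed from trdl_channels.yaml in this commit, the reset loop will also retitle every older marked release and set `--prerelease=false` on it, including versions that were only ever in alpha/beta; confirm that is intended.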
@@ -0,0 +1,87 @@
+name: release:trdl-release
+on:
+ push:
+ tags:
+ - "v[0-9]+.[0-9]+.[0-9]+-dk*"
+ repository_dispatch:
+ types: ["release:trdl-release"]
+ workflow_dispatch:
+
+jobs:
+ release:
+ name: Perform delivery-kit release using trdl server
+ runs-on: ubuntu-22.04
+ steps:
+ - name: Notify
+ uses: mattermost/action-mattermost-notify@master
+ with:
+ MATTERMOST_WEBHOOK_URL: ${{ secrets.LOOP_NOTIFICATION_WEBHOOK }}
+ MATTERMOST_CHANNEL: ${{ secrets.LOOP_NOTIFICATION_CHANNEL }}
+ TEXT: |
+ ${{ secrets.LOOP_NOTIFICATION_GROUP }} [${{ github.workflow }}](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}) task sign pls
+
+ - name: Release with retry
+ uses: werf/trdl-vault-actions/release@main
+ with:
+ vault-addr: ${{ secrets.TRDL_VAULT_ADDR }}
+ project-name: delivery-kit
+ git-tag: ${{ github.ref_name }}
+ vault-auth-method: approle
+ vault-role-id: ${{ secrets.TRDL_VAULT_ROLE_ID }}
+ vault-secret-id: ${{ secrets.TRDL_VAULT_SECRET_ID }}
+
+ - name: Checkout code
+ uses: actions/checkout@v6
+ with:
+ fetch-depth: 0
+ fetch-tags: true
+ - name: Get version from tag
+ id: get_version
+ run: |
+ VERSION="${{ github.ref_name }}"
+ VERSION="${VERSION#v}"
+ echo "version=$VERSION" >> $GITHUB_OUTPUT
+ - name: Generate notes.md
+ id: notes
+ run: |
+ VERSION="${{ steps.get_version.outputs.version }}"
+ echo "## Changelog" > notes.md
+ awk -v version="$VERSION" '
+ $0 ~ "^#+ \\[" version "\\]" {capture=1; next}
+ capture && $0 ~ "^#+ \\[" && $0 !~ "^#+ \\[" version "\\]" {exit}
+ capture {print}
+ ' CHANGELOG.md >> notes.md
+
+ cat <> notes.md
+ ## Installation
+
+ Alternatively, you can download \`delivery-kit\` binaries from here:
+ * [Linux amd64](https://tuf.delivery-kit.io/targets/releases/$VERSION/linux-amd64/bin/delivery-kit) ([PGP signature](https://tuf.delivery-kit.io/targets/signatures/$VERSION/linux-amd64/bin/delivery-kit.sig))
+ * [Linux arm64](https://tuf.delivery-kit.io/targets/releases/$VERSION/linux-arm64/bin/delivery-kit) ([PGP signature](https://tuf.delivery-kit.io/targets/signatures/$VERSION/linux-arm64/bin/delivery-kit.sig))
+ * [macOS amd64](https://tuf.delivery-kit.io/targets/releases/$VERSION/darwin-amd64/bin/delivery-kit) ([PGP signature](https://tuf.delivery-kit.io/targets/signatures/$VERSION/darwin-amd64/bin/delivery-kit.sig))
+ * [macOS arm64](https://tuf.delivery-kit.io/targets/releases/$VERSION/darwin-arm64/bin/delivery-kit) ([PGP signature](https://tuf.delivery-kit.io/targets/signatures/$VERSION/darwin-arm64/bin/delivery-kit.sig))
+ * [Windows amd64](https://tuf.delivery-kit.io/targets/releases/$VERSION/windows-amd64/bin/delivery-kit.exe) ([PGP signature](https://tuf.delivery-kit.io/targets/signatures/$VERSION/windows-amd64/bin/delivery-kit.exe.sig))
+
+ These binaries were signed with PGP. For example, \`delivery-kit\` binary can be downloaded and verified with \`gpg\` on Linux with these commands:
+ \`\`\`shell
+ curl -sSLO "https://tuf.delivery-kit.io/targets/releases/$VERSION/linux-amd64/bin/delivery-kit" -O "https://tuf.delivery-kit.io/targets/signatures/$VERSION/linux-amd64/bin/delivery-kit.sig"
+ gpg --verify delivery-kit.sig delivery-kit
+ \`\`\`
+ EOF
+ - name: Create release
+ env:
+ GH_TOKEN: ${{ secrets.RELEASE_PLEASE_TOKEN }}
+ run: |
+ gh release create "${{ github.ref_name }}" \
+ --title "${{ github.ref_name }}" \
+ --prerelease \
+ --notes-file notes.md
+
+ notify:
+ if: always()
+ needs: release
+ uses: werf/common-ci/.github/workflows/notification.yml@main
+ secrets:
+ loopNotificationGroup: ${{ secrets.LOOP_NOTIFICATION_GROUP }}
+ webhook: ${{ secrets.LOOP_NOTIFICATION_WEBHOOK }}
+ notificationChannel: ${{ secrets.LOOP_NOTIFICATION_CHANNEL }}
diff --git a/.github/workflows/tag_auto-create.yml b/.github/workflows/tag_auto-create.yml
new file mode 100644
index 0000000000..3fe488c35d
--- /dev/null
+++ b/.github/workflows/tag_auto-create.yml
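Review bot: The generated notes link five platform builds under `tuf.delivery-kit.io/targets/releases/$VERSION/…` (Linux arm64, macOS amd64/arm64, Windows amd64) and name the file `bin/delivery-kit`, but `trdl.yaml` in this same commit runs only `build:dist:linux:amd64` and checks `dist/{{ .Tag }}/linux-amd64/bin/werf`; unless another pipeline produces the remaining targets, those links will 404 and even the amd64 path may carry the wrong file name, so trim the list to what is published or confirm the artifact layout. `VERSION="${{ github.ref_name }}"` in the Get version step and `gh release create "${{ github.ref_name }}"` in Create release splice the ref name into the script at template time; pass it through the environment instead (`env: REF_NAME: ${{ github.ref_name }}` on the step, then `VERSION="$REF_NAME"`) so a tag name containing shell metacharacters stays data rather than becoming code. As rendered on this page the heredoc opens with `cat <> notes.md`, which does not start a heredoc and would leave the following Markdown lines to be run as commands; if the file actually reads `cat <<EOF >> notes.md` this is a display artifact, otherwise it needs fixing. The unquoted `>> $GITHUB_OUTPUT` should be `>> "$GITHUB_OUTPUT"`.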
@@ -0,0 +1,53 @@
+name: tag:auto-create
+
+on:
+ push:
+ branches:
+ - main
+ paths:
+ - CHANGELOG.md
+ repository_dispatch:
+ types: ["tag:auto-create"]
+ workflow_dispatch:
+
+jobs:
+ release:
+ name: Create release tag
+ runs-on: ubuntu-22.04
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v6
+ with:
+ fetch-depth: 0
+ fetch-tags: true
+
+ - name: Relabel closed release PR
+ env:
+ GH_TOKEN: ${{ secrets.RELEASE_PLEASE_TOKEN }}
+ run: |
+ PR_NUMBER=$(gh pr list --state closed --label "autorelease: pending" --limit 1 --json number -q '.[0].number')
+ gh pr edit $PR_NUMBER --remove-label "autorelease: pending"
+ gh pr edit $PR_NUMBER --add-label "autorelease: tagged"
+
+ - name: Get version from CHANGELOG.md
+ id: get_version
+ run: |
+ VERSION=$(grep -m1 '^#\+ \[[0-9]\+\.[0-9]\+\.[0-9]\+\]' CHANGELOG.md | sed -E 's/^#+ \[([0-9]+\.[0-9]+\.[0-9]+)\].*/\1/')
+ echo "version=$VERSION" >> $GITHUB_OUTPUT
+
+ - name: Create tag via GitHub API
+ env:
+ GH_TOKEN: ${{ secrets.RELEASE_PLEASE_TOKEN }}
+ run: |
+ TAG="v${{ steps.get_version.outputs.version }}"
+
+ if gh api repos/${{ github.repository }}/git/ref/tags/$TAG &>/dev/null; then
+ echo "Tag $TAG already exists. Skipping..."
+ exit 0
+ fi
+
+ COMMIT_SHA=$(git rev-parse HEAD)
+
+ gh api repos/${{ github.repository }}/git/refs \
+ -f ref="refs/tags/$TAG" \
+ -f sha="$COMMIT_SHA"
diff --git a/trdl.yaml b/trdl.yaml
index c88ba875e0..be4eeb788f 100644
--- a/trdl.yaml
+++ b/trdl.yaml
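Review bot: In the Relabel step, `PR_NUMBER=$(gh pr list … -q '.[0].number')` yields an empty string or `null` when no closed PR carries the "autorelease: pending" label, and the two unquoted `gh pr edit $PR_NUMBER …` calls then run without a PR argument and will most likely fail the job before the tag is created — even though the workflow also fires on any push to main touching CHANGELOG.md, on repository_dispatch and on workflow_dispatch, where no such PR need exist. Guard the value: `if [[ -z "$PR_NUMBER" || "$PR_NUMBER" == "null" ]]; then echo "No pending release PR, skipping relabel"; else gh pr edit "$PR_NUMBER" --remove-label "autorelease: pending" --add-label "autorelease: tagged"; fi`. `echo "version=$VERSION" >> $GITHUB_OUTPUT` should quote the path as `>> "$GITHUB_OUTPUT"`, and `gh pr edit $PR_NUMBER` should quote its argument. `if gh api …/git/ref/tags/$TAG &>/dev/null` treats any non-zero exit (auth or network error) the same as "tag missing" and proceeds to create; that is the safe direction, but logging the failure branch would make a later duplicate-create error easier to diagnose.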
@@ -1,5 +1,15 @@
-docker_image: registry.werf.io/werf/builder:35ad2cadf1f03810f4382c74104fc92a43b25ed0@sha256:9db600d31a876ccabce99ee933c489b8cd321b66b418e16e9f9cf8904cbbec02
+dockerImage: registry.deckhouse.io/base_images@sha256:4aaf81659fa6ea3cbbb0f241d739dda485bce79ec98b0fd5014ef4f4210e1cd5 # from: golang:1.25.8-bookworm
 commands:
- - TASK_X_REMOTE_TASKFILES=1 task --yes -o group -p build:dist:all version={{ .Tag }}
- - TASK_X_REMOTE_TASKFILES=1 task --yes -p verify:binaries:dist:all version={{ .Tag }}
+ - export TASK_VERSION=v3.41.0
+ - export TASK_SHA256=0a2595f7fa3c15a62f8d0c244121a4977018b3bfdec7c1542ac2a8cf079978b8
+ - export TASK_X_REMOTE_TASKFILES=1
+ - apt-get update && apt-get install -y libbtrfs-dev apt-utils libelf-dev libssl-dev libuv1-dev libzstd-dev file git gcc dnsutils
+ - ln -fs "$(dpkg -L libuv1-dev | grep -F '/libuv_a.a')" /usr/local/lib/libuv.a
+ - curl -LO https://github.com/go-task/task/releases/download/$TASK_VERSION/task_linux_amd64.tar.gz
+ - echo "$TASK_SHA256 task_linux_amd64.tar.gz" | sha256sum -c
+ - tar -xf task_linux_amd64.tar.gz
+ - rm -rf task_linux_amd64.tar.gz
+ - mv task /usr/local/bin/
+ - task --yes build:dist:linux:amd64 version={{ .Tag }}
+ - file dist/{{ .Tag }}/linux-amd64/bin/werf | grep -Eq "x86-64.*statically linked.*Linux"
 - cp -a ./dist/{{ .Tag }}/* /result
diff --git a/trdl_channels.yaml b/trdl_channels.yaml
index 9595524c70..5507f50e3c 100644
--- a/trdl_channels.yaml
+++ b/trdl_channels.yaml
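Review bot: `ln -fs "$(dpkg -L libuv1-dev | grep -F '/libuv_a.a')" /usr/local/lib/libuv.a` produces an empty link target if the package layout changes and `grep` matches nothing, and whether trdl aborts the build on a failed command is not visible here; make the failure explicit, e.g. `LIBUV_A="$(dpkg -L libuv1-dev | grep -F '/libuv_a.a')" && test -n "$LIBUV_A" && ln -fs "$LIBUV_A" /usr/local/lib/libuv.a`. The base image is pinned by digest and the task tarball is verified with `sha256sum -c`, which is good, but `apt-get install -y …` takes whatever package versions the Debian mirrors serve at build time, so two builds of the same tag can yield different signed binaries; if reproducibility of the published artifact matters, pin the package versions (`name=version`) or use a snapshot apt source, and add `--no-install-recommends` to keep the builder surface small. `rm -rf task_linux_amd64.tar.gz` removes a single file; `rm -f` states the intent. The old `verify:binaries:dist:all` step is dropped and replaced only by the `file … | grep -Eq` check; if that task performed more than a format check, note what is no longer verified.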
@@ -1,49 +1,13 @@
 groups:
- - name: "1.0"
- channels:
- - name: alpha
- version: 1.0.13+fix9
- - name: beta
- version: 1.0.13+fix9
- - name: ea
- version: 1.0.13+fix9
- - name: stable
- version: 1.0.13+fix9
- - name: rock-solid
- version: 1.0.13+fix9
- - name: "1.1"
- channels:
- - name: alpha
- version: 1.1.36
- - name: beta
- version: 1.1.36
- - name: ea
- version: 1.1.36
- - name: stable
- version: 1.1.36
- - name: rock-solid
- version: 1.1.36
- - name: "1.2"
- channels:
- - name: alpha
- version: 1.2.339
- - name: beta
- version: 1.2.339
- - name: ea
- version: 1.2.339
- - name: stable
- version: 1.2.339
- - name: rock-solid
- version: 1.2.339
 - name: "2"
 channels:
 - name: alpha
- version: 2.72.2
+ version: v2.72.1-dk
 - name: beta
- version: 2.72.1
+ version: v2.72.1-dk
 - name: ea
- version: 2.71.0
+ version: v2.72.1-dk
 - name: stable
- version: 2.70.0
+ version: v2.72.1-dk
 - name: rock-solid
- version: 2.70.0
+ version: v2.72.1-dk