59 changes: 0 additions & 59 deletions .github/workflows/release_publish-binary.yml

This file was deleted.

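--- a/.github/workflows/release_trdl-publish.yml
+++ b/.github/workflows/release_trdl-publish.yml
@@ -0,0 +1,143 @@
+name: release:trdl-publish
+on:
+push:
+branches:
+- main
+paths:
+- trdl_channels.yaml
+repository_dispatch:
+types: ["release:trdl-publish"]
+workflow_dispatch:
+inputs:
+force:
+description: "Force publish all images"
+required: false
+default: "false"
+defaults:
+run:
+shell: bash
+
+jobs:
+publish:
+name: Publish release channels using trdl server
+runs-on: ubuntu-22.04
+steps:
+- name: Notify
+uses: mattermost/action-mattermost-notify@master
+with:
+MATTERMOST_WEBHOOK_URL: ${{ secrets.LOOP_NOTIFICATION_WEBHOOK }}
+MATTERMOST_CHANNEL: ${{ secrets.LOOP_NOTIFICATION_CHANNEL }}
+TEXT: |
+${{ secrets.LOOP_NOTIFICATION_GROUP }} [${{ github.workflow }}](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}) task sign pls
+
+- name: Publish with retry
+uses: werf/trdl-vault-actions/publish@main
+with:
+vault-addr: ${{ secrets.TRDL_VAULT_ADDR }}
+project-name: delivery-kit
+vault-auth-method: approle
+vault-role-id: ${{ secrets.TRDL_VAULT_ROLE_ID }}
+vault-secret-id: ${{ secrets.TRDL_VAULT_SECRET_ID }}
+
+update_release:
+runs-on: ubuntu-22.04
+needs:
+- publish
+steps:
+- name: Checkout code
+uses: actions/checkout@v6
+with:
+fetch-depth: 0
+fetch-tags: true
+- name: Update GitHub releases based on trdl_channels.yaml
+env:
+GH_TOKEN: ${{ secrets.RELEASE_PLEASE_TOKEN }}
+run: |
+check_release_exists() {
+local version=$1
+gh release view "v$version" >/dev/null 2>&1
+return $?
+}
+
+get_release_name() {
+local tag=$1
+gh release view "$tag" --json name | jq -r '.name'
+}
+
+process_releases() {
+echo "Processing releases based on trdl_channels.yaml..."
+
+declare -A VERSION_CHANNELS
+declare -A GROUP_VERSIONS
+
+current_group=""
+while IFS= read -r line; do
+if [[ $line =~ name:\ \"([^\"]+)\" ]]; then
+current_group="${BASH_REMATCH[1]}"
+elif [[ $line =~ name:\ ([a-z-]+) ]]; then
+current_channel="${BASH_REMATCH[1]}"
+elif [[ $line =~ version:\ ([0-9a-zA-Z.+-]+) ]]; then
+version="${BASH_REMATCH[1]#v}"
+key="${current_group}:${version}"
+if [[ -z "${VERSION_CHANNELS[$key]}" ]]; then
+VERSION_CHANNELS["$key"]="$current_channel"
+GROUP_VERSIONS["$version"]="$current_group"
+else
+VERSION_CHANNELS["$key"]="${VERSION_CHANNELS[$key]},$current_channel"
+fi
+fi
+done < trdl_channels.yaml
+
+for key in "${!VERSION_CHANNELS[@]}"; do
+version="${key#*:}"
+group="${key%:*}"
+tag="v$version"
+
+if check_release_exists "$version"; then
+channels="${VERSION_CHANNELS[$key]}"
+expected_title="$tag [$channels]"
+current_title=$(get_release_name "$tag")
+
+if [[ "$current_title" != "$expected_title" ]]; then
+if [[ $group == "2" && $channels == *stable* ]]; then
+echo "Updating $tag (group $group): stable, latest"
+gh release edit "$tag" --title "$expected_title" --latest --prerelease=false || true
+elif [[ $channels == *rock-solid* ]]; then
+echo "Updating $tag (group $group): rock-solid, just title"
+gh release edit "$tag" --title "$expected_title" --prerelease=false || true
+else
+echo "Updating $tag (group $group): prerelease, channels=$channels"
+gh release edit "$tag" --title "$expected_title" --prerelease || true
+fi
+else
+echo "$tag (group $group) already has correct title: $current_title"
+fi
+else
+echo "Release $tag (group $group) not found, skipping..."
+fi
+done
+
+echo "Checking for releases with outdated channel markers..."
+while read -r full_name; do
+tag="${full_name%% *}"
+version="${tag#v}"
+
+[[ -n "${GROUP_VERSIONS[$version]}" ]] && continue
+
+echo "Resetting $tag to plain version title (no channels in config)"
+gh release edit "$tag" --title "$tag" --prerelease=false || true
+done < <(gh release list --json name | jq -r '.[] | select(.name | test("\\[[a-zA-Z,-]+\\]")) | .name')
+}
+
+process_releases
+
+notify:
+if: always()
+needs:
+- publish
+- update_release
+uses: werf/common-ci/.github/workflows/notification.yml@main
+secrets:
+loopNotificationGroup: ${{ secrets.LOOP_NOTIFICATION_GROUP }}
+webhook: ${{ secrets.LOOP_NOTIFICATION_WEBHOOK }}
+notificationChannel: ${{ secrets.LOOP_NOTIFICATION_CHANNEL }}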
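Review bot: The steps that receive the Vault AppRole credentials and the notification webhook are referenced by mutable branch refs (`werf/trdl-vault-actions/publish@main`, `mattermost/action-mattermost-notify@master`, and the reusable `notification.yml@main`), so whatever those branches point to at run time executes with `TRDL_VAULT_ROLE_ID`/`TRDL_VAULT_SECRET_ID` in reach; release_trdl-release.yml has the same refs (`release@main`). Pin each to a full commit SHA with the tag kept as a trailing comment, e.g. `uses: werf/trdl-vault-actions/publish@<full-commit-sha>  # <release-tag>`. The workflow also declares no `permissions:` block, so the default `GITHUB_TOKEN` scope applies even though the release edits use `RELEASE_PLEASE_TOKEN`; a top-level `permissions: { contents: read }` would make the intent explicit. Separately, the `force` input under `workflow_dispatch` is not read by any step, and every `gh release edit ... || true` hides a failed update from the job status, so a comment stating that this is deliberate best-effort (or dropping `|| true`) would help.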
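--- a/.github/workflows/release_trdl-release.yml
+++ b/.github/workflows/release_trdl-release.yml
@@ -0,0 +1,87 @@
+name: release:trdl-release
+on:
+push:
+tags:
+- "v[0-9]+.[0-9]+.[0-9]+-dk*"
+repository_dispatch:
+types: ["release:trdl-release"]
+workflow_dispatch:
+
+jobs:
+release:
+name: Perform delivery-kit release using trdl server
+runs-on: ubuntu-22.04
+steps:
+- name: Notify
+uses: mattermost/action-mattermost-notify@master
+with:
+MATTERMOST_WEBHOOK_URL: ${{ secrets.LOOP_NOTIFICATION_WEBHOOK }}
+MATTERMOST_CHANNEL: ${{ secrets.LOOP_NOTIFICATION_CHANNEL }}
+TEXT: |
+${{ secrets.LOOP_NOTIFICATION_GROUP }} [${{ github.workflow }}](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}) task sign pls
+
+- name: Release with retry
+uses: werf/trdl-vault-actions/release@main
+with:
+vault-addr: ${{ secrets.TRDL_VAULT_ADDR }}
+project-name: delivery-kit
+git-tag: ${{ github.ref_name }}
+vault-auth-method: approle
+vault-role-id: ${{ secrets.TRDL_VAULT_ROLE_ID }}
+vault-secret-id: ${{ secrets.TRDL_VAULT_SECRET_ID }}
+
+- name: Checkout code
+uses: actions/checkout@v6
+with:
+fetch-depth: 0
+fetch-tags: true
+- name: Get version from tag
+id: get_version
+run: |
+VERSION="${{ github.ref_name }}"
+VERSION="${VERSION#v}"
+echo "version=$VERSION" >> $GITHUB_OUTPUT
+- name: Generate notes.md
+id: notes
+run: |
+VERSION="${{ steps.get_version.outputs.version }}"
+echo "## Changelog" > notes.md
+awk -v version="$VERSION" '
+$0 ~ "^#+ \\[" version "\\]" {capture=1; next}
+capture && $0 ~ "^#+ \\[" && $0 !~ "^#+ \\[" version "\\]" {exit}
+capture {print}
+' CHANGELOG.md >> notes.md
+
+cat <<EOF >> notes.md
+## Installation
+
+Alternatively, you can download \`delivery-kit\` binaries from here:
+* [Linux amd64](https://tuf.delivery-kit.io/targets/releases/$VERSION/linux-amd64/bin/delivery-kit) ([PGP signature](https://tuf.delivery-kit.io/targets/signatures/$VERSION/linux-amd64/bin/delivery-kit.sig))
+* [Linux arm64](https://tuf.delivery-kit.io/targets/releases/$VERSION/linux-arm64/bin/delivery-kit) ([PGP signature](https://tuf.delivery-kit.io/targets/signatures/$VERSION/linux-arm64/bin/delivery-kit.sig))
+* [macOS amd64](https://tuf.delivery-kit.io/targets/releases/$VERSION/darwin-amd64/bin/delivery-kit) ([PGP signature](https://tuf.delivery-kit.io/targets/signatures/$VERSION/darwin-amd64/bin/delivery-kit.sig))
+* [macOS arm64](https://tuf.delivery-kit.io/targets/releases/$VERSION/darwin-arm64/bin/delivery-kit) ([PGP signature](https://tuf.delivery-kit.io/targets/signatures/$VERSION/darwin-arm64/bin/delivery-kit.sig))
+* [Windows amd64](https://tuf.delivery-kit.io/targets/releases/$VERSION/windows-amd64/bin/delivery-kit.exe) ([PGP signature](https://tuf.delivery-kit.io/targets/signatures/$VERSION/windows-amd64/bin/delivery-kit.exe.sig))
+
+These binaries were signed with PGP. For example, \`delivery-kit\` binary can be downloaded and verified with \`gpg\` on Linux with these commands:
+\`\`\`shell
+curl -sSLO "https://tuf.delivery-kit.io/targets/releases/$VERSION/linux-amd64/bin/delivery-kit" -O "https://tuf.delivery-kit.io/targets/signatures/$VERSION/linux-amd64/bin/delivery-kit.sig"
+gpg --verify delivery-kit.sig delivery-kit
+\`\`\`
+EOF
+- name: Create release
+env:
+GH_TOKEN: ${{ secrets.RELEASE_PLEASE_TOKEN }}
+run: |
+gh release create "${{ github.ref_name }}" \
+--title "${{ github.ref_name }}" \
+--prerelease \
+--notes-file notes.md
+
+notify:
+if: always()
+needs: release
+uses: werf/common-ci/.github/workflows/notification.yml@main
+secrets:
+loopNotificationGroup: ${{ secrets.LOOP_NOTIFICATION_GROUP }}
+webhook: ${{ secrets.LOOP_NOTIFICATION_WEBHOOK }}
+notificationChannel: ${{ secrets.LOOP_NOTIFICATION_CHANNEL }}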
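Review bot: `${{ github.ref_name }}` is substituted into the shell text of "Get version from tag" and "Create release" before bash parses it, and the tag filter `v[0-9]+.[0-9]+.[0-9]+-dk*` leaves everything after `-dk` unconstrained, so the ref name is handled as script source in a job where `GH_TOKEN` is set to `RELEASE_PLEASE_TOKEN`. Pass the ref and the derived version through `env:` and use them as quoted shell variables instead, as in the excerpt below; the same applies to `${{ steps.get_version.outputs.version }}` in "Generate notes.md". On `workflow_dispatch` and `repository_dispatch` runs `github.ref_name` is presumably a branch name rather than a tag, so `git-tag` and the release title probably need an explicit input or a guard for those triggers.

```yaml
      - name: Get version from tag
        id: get_version
        env:
          REF_NAME: ${{ github.ref_name }}
        run: |
          VERSION="${REF_NAME#v}"
          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
      - name: Generate notes.md
        id: notes
        env:
          VERSION: ${{ steps.get_version.outputs.version }}
        run: |
          # … unchanged: changelog extraction and Installation heredoc, without the VERSION= assignment …
      - name: Create release
        env:
          GH_TOKEN: ${{ secrets.RELEASE_PLEASE_TOKEN }}
          REF_NAME: ${{ github.ref_name }}
        run: |
          gh release create "$REF_NAME" \
            --title "$REF_NAME" \
            # … unchanged: --prerelease and --notes-file arguments …
```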
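--- a/.github/workflows/tag_auto-create.yml
+++ b/.github/workflows/tag_auto-create.yml
@@ -0,0 +1,53 @@
+name: tag:auto-create
+
+on:
+push:
+branches:
+- main
+paths:
+- CHANGELOG.md
+repository_dispatch:
+types: ["tag:auto-create"]
+workflow_dispatch:
+
+jobs:
+release:
+name: Create release tag
+runs-on: ubuntu-22.04
+steps:
+- name: Checkout code
+uses: actions/checkout@v6
+with:
+fetch-depth: 0
+fetch-tags: true
+
+- name: Relabel closed release PR
+env:
+GH_TOKEN: ${{ secrets.RELEASE_PLEASE_TOKEN }}
+run: |
+PR_NUMBER=$(gh pr list --state closed --label "autorelease: pending" --limit 1 --json number -q '.[0].number')
+gh pr edit $PR_NUMBER --remove-label "autorelease: pending"
+gh pr edit $PR_NUMBER --add-label "autorelease: tagged"
+
+- name: Get version from CHANGELOG.md
+id: get_version
+run: |
+VERSION=$(grep -m1 '^#\+ \[[0-9]\+\.[0-9]\+\.[0-9]\+\]' CHANGELOG.md | sed -E 's/^#+ \[([0-9]+\.[0-9]+\.[0-9]+)\].*/\1/')
+echo "version=$VERSION" >> $GITHUB_OUTPUT
+
+- name: Create tag via GitHub API
+env:
+GH_TOKEN: ${{ secrets.RELEASE_PLEASE_TOKEN }}
+run: |
+TAG="v${{ steps.get_version.outputs.version }}"
+
+if gh api repos/${{ github.repository }}/git/ref/tags/$TAG &>/dev/null; then
+echo "Tag $TAG already exists. Skipping..."
+exit 0
+fi
+
+COMMIT_SHA=$(git rev-parse HEAD)
+
+gh api repos/${{ github.repository }}/git/refs \
+-f ref="refs/tags/$TAG" \
+-f sha="$COMMIT_SHA"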
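Review bot: "Get version from CHANGELOG.md" writes `version=` even when the grep matches nothing, because the pipeline's status comes from `sed`, and "Create tag via GitHub API" would then build `TAG="v"` and go on to request `refs/tags/v`. A guard before the `echo`, such as `[[ -n "$VERSION" ]] || { echo "no version heading found in CHANGELOG.md" >&2; exit 1; }`, stops the job at the right place. The extraction regex also accepts only `X.Y.Z`, while release_trdl-release.yml triggers on `v[0-9]+.[0-9]+.[0-9]+-dk*`, so tags created here would not appear to start that workflow; it is worth confirming which form is intended. In "Relabel closed release PR", `$PR_NUMBER` is unquoted and never checked for an empty result, and the label moves to `autorelease: tagged` before the tag exists, so a later failure leaves the PR mislabelled; running the relabel step after tag creation avoids that.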
16 changes: 13 additions & 3 deletions trdl.yaml
@@ -1,5 +1,15 @@
docker_image: registry.werf.io/werf/builder:35ad2cadf1f03810f4382c74104fc92a43b25ed0@sha256:9db600d31a876ccabce99ee933c489b8cd321b66b418e16e9f9cf8904cbbec02
dockerImage: registry.deckhouse.io/base_images@sha256:4aaf81659fa6ea3cbbb0f241d739dda485bce79ec98b0fd5014ef4f4210e1cd5 # from: golang:1.25.8-bookworm
commands:
- TASK_X_REMOTE_TASKFILES=1 task --yes -o group -p build:dist:all version={{ .Tag }}
- TASK_X_REMOTE_TASKFILES=1 task --yes -p verify:binaries:dist:all version={{ .Tag }}
- export TASK_VERSION=v3.41.0
- export TASK_SHA256=0a2595f7fa3c15a62f8d0c244121a4977018b3bfdec7c1542ac2a8cf079978b8
- export TASK_X_REMOTE_TASKFILES=1
- apt-get update && apt-get install -y libbtrfs-dev apt-utils libelf-dev libssl-dev libuv1-dev libzstd-dev file git gcc dnsutils
- ln -fs "$(dpkg -L libuv1-dev | grep -F '/libuv_a.a')" /usr/local/lib/libuv.a
- curl -LO https://github.com/go-task/task/releases/download/$TASK_VERSION/task_linux_amd64.tar.gz
- echo "$TASK_SHA256 task_linux_amd64.tar.gz" | sha256sum -c
- tar -xf task_linux_amd64.tar.gz
- rm -rf task_linux_amd64.tar.gz
- mv task /usr/local/bin/
- task --yes build:dist:linux:amd64 version={{ .Tag }}
- file dist/{{ .Tag }}/linux-amd64/bin/werf | grep -Eq "x86-64.*statically linked.*Linux"
- cp -a ./dist/{{ .Tag }}/* /result
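Review bot: The new command list builds only `build:dist:linux:amd64` and its sanity check runs `file` on `dist/{{ .Tag }}/linux-amd64/bin/werf`, whereas the release notes generated in release_trdl-release.yml link to `delivery-kit` binaries and signatures for linux-arm64, darwin and windows as well. If the artifact is named `delivery-kit`, the `file ... | grep -Eq` line checks a path that is not produced, and the other platforms would have nothing under `/result` to be signed and published. Confirm the binary name and whether the all-platform targets the previous commands used (`build:dist:all`, `verify:binaries:dist:all`) should be kept. As a smaller point, `curl -LO` would be clearer as `curl -fsSLO` so an HTTP error fails at the download rather than at the `sha256sum -c` line.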