---
# Reusable release workflow. It is only ever invoked through `workflow_call`,
# so every secret and input listed here is supplied by the calling workflow.
name: Reusable release
run-name: "Release ${{ format('{0} (type: {1}) (branch: {2})', inputs.tag, inputs.release-type, inputs.base) }} "
# yamllint disable-line rule:truthy
on:
  workflow_call:
    secrets:
      dockerhub-push-token:
        description: 'The token to push images to Docker Hub'
        required: true
      gpg-private-key:
        description: 'The GPG private key to sign the commits'
        required: true
      gpg-passphrase:
        description: 'The GPG passphrase to sign the commits'
        required: true
      gh-pat:
        description: 'The GitHub Personal Access Token to create the release PR'
        required: true
      konnect-pat:
        description: 'The Konnect PAT to use in the tests'
        required: true
      op-service-account-token:
        description: >-
          The 1Password service account token to fetch the Kong Enterprise License.
          If left empty, no license will be fetched
        required: false
    inputs:
      dockerhub-push-username:
        description: 'The username to push images to Docker Hub'
        type: string
        required: true
      tag:
        description: 'The version to release (e.g. v1.2.3)'
        type: string
        required: true
      base:
        description: >-
          The base branch from which to release and against which to create
          a release PR.
        type: string
        required: false
        default: main
      latest:
        description: 'Whether to mark this release latest'
        type: boolean
        default: false
      release-type:
        # Reusable workflows do not support the `choice` type, so a plain string
        # is used instead. Allowed values: prerelease, release.
        # NOTE(review): with `required: true` the `default` below is never used;
        # callers always have to pass this input explicitly.
        description: 'Whether to make a created release a pre-release'
        type: string
        required: true
        default: prerelease
      image-name:
        description: 'The name of the image to push to Docker Hub'
        type: string
        required: true
      additional-build-contexts:
        description: >
          Additional build context to include in the build (format name=path),
          it's used for EE build to additionaly include path to OSS repo.
        type: string
        required: false
      verify-image-script:
        description: 'Path to the script that will be used to verify the built image.'
        type: string
        required: false
        default: ./scripts/verify-version.sh
      regenerate-bundle:
        description: 'Whether to regenerate the bundle before creating the release PR'
        type: boolean
        default: false
      regenerate-manifests:
        description: 'Whether to regenerate the manifests before creating the release PR'
        type: boolean
        default: false
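# NOTE(review): no `permissions:` block is declared, so every job runs with the
# GITHUB_TOKEN permissions of the caller. The jobs here only use GITHUB_TOKEN for
# checkout and the tag-exists check, so `contents: read` would likely suffice —
# confirm what the shared build workflow needs before restricting it.
jobs:
  # Rejects a tag that already exists and exposes the parsed semver components
  # (fullversion/major/minor/patch/prerelease) to the downstream jobs.
  semver:
    outputs:
      fullversion: ${{ steps.semver_parser.outputs.fullversion }}
      major: ${{ steps.semver_parser.outputs.major }}
      minor: ${{ steps.semver_parser.outputs.minor }}
      patch: ${{ steps.semver_parser.outputs.patch }}
      prerelease: ${{ steps.semver_parser.outputs.prerelease }}
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): the action ref on the next line was garbled in the rendered
      # source (`[email protected]`); restore the pinned ref from the repository.
      - uses: mukunku/[email protected]
        id: check-tag
        name: Check if tag already exists
        with:
          tag: ${{ inputs.tag }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Fail if tag already exists
        if: ${{ steps.check-tag.outputs.exists == 'true' }}
        run: exit 1
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      # NOTE(review): the action ref on the next line was garbled in the rendered
      # source as well; restore the pinned ref from the repository.
      - name: Parse semver string
        id: semver_parser
        uses: booxmedialtd/[email protected]
        with:
          input_string: ${{ inputs.tag }}
          version_extractor_regex: 'v(.*)$'

  # Builds and pushes the release image through the shared build workflow; its
  # `full_tag` output is consumed by the e2e job.
  # Gated on `semver` so that an image is not pushed to Docker Hub for a tag
  # that already exists (the push happened before the check could fail otherwise).
  build-push-images:
    needs:
      - semver
    uses: ./.github/workflows/__build-workflow.yaml
    secrets:
      dockerhub-token: ${{ secrets.dockerhub-push-token }}
      gh-pat: ${{ secrets.gh-pat }}
    with:
      registry: docker.io
      username: ${{ inputs.dockerhub-push-username }}
      image-name: ${{ inputs.image-name }}
      additional-build-contexts: ${{ inputs.additional-build-contexts }}
      push: true
      latest: ${{ inputs.latest }}
      tag: ${{ inputs.tag }}
      verify-image-script: ${{ inputs.verify-image-script }}

  # Runs `make test.integration` once per WEBHOOK_ENABLED value.
  test-integration-current-kubernetes:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: true
      matrix:
        webhook-enabled:
          - "true"
          - "false"
    name: "test-integration-current-kubernetes (WEBHOOK_ENABLED=${{ matrix.webhook-enabled }})"
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      # The PAT is handed to the shell through the environment instead of being
      # expanded into the script text. It still ends up in the runner's global git
      # config for the remainder of the job.
      - name: Configure Git for private repositories (this is needed by repositories that include this workflow and have other private dependencies)
        env:
          GH_PAT: ${{ secrets.gh-pat }}
        run: git config --global url."https://${GH_PAT}@github.com".insteadOf "https://github.com"
      - name: Setup golang
        uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
      - uses: jdx/mise-action@v2
        with:
          install: false
      # Secrets cannot be referenced in a step's `if:` condition, so this step
      # exports a boolean output that the next step can check.
      # See: https://github.com/actions/runner/issues/520
      - name: Check OP Service Account Token available
        id: check-op-service-account-token
        env:
          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.op-service-account-token }}
        run: |
          # If the 1Password service account token is set, export provided=true.
          if [ -n "${OP_SERVICE_ACCOUNT_TOKEN}" ]; then
            echo "provided=true" >> "$GITHUB_OUTPUT"
          fi
      - name: Get Kong Enterprise License
        if: steps.check-op-service-account-token.outputs.provided == 'true'
        id: get-license
        # NOTE(review): `@master` is a mutable ref and this action receives the
        # 1Password token; pin it to a commit SHA like the other third-party
        # actions in this workflow.
        uses: Kong/kong-license@master
        with:
          # OP (1Password) token is used to fetch the Kong Enterprise License from 1Password.
          op-token: ${{ secrets.op-service-account-token }}
      - name: integration tests
        run: make test.integration
        env:
          KONG_LICENSE_DATA: ${{ steps.get-license.outputs.license || '' }}  # The license is optional for OSS tests.
          WEBHOOK_ENABLED: ${{ matrix.webhook-enabled }}
          KONG_TEST_KONNECT_ACCESS_TOKEN: ${{ secrets.konnect-pat }}
          KONG_TEST_KONNECT_SERVER_URL: us.api.konghq.tech
      - name: upload diagnostics
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: diagnostics-integration-webhook-enabled-${{ matrix.webhook-enabled }}
          path: /tmp/ktf-diag*
          if-no-files-found: ignore

  # Runs `make test.e2e` against the image pushed by `build-push-images`.
  test-e2e-current-kubernetes:
    runs-on: ubuntu-latest
    needs:
      - semver
      - build-push-images
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      # Same as in the integration job: the PAT goes through the environment.
      - name: Configure Git for private repositories (this is needed by repositories that include this workflow and have other private dependencies)
        env:
          GH_PAT: ${{ secrets.gh-pat }}
        run: git config --global url."https://${GH_PAT}@github.com".insteadOf "https://github.com"
      - name: Setup golang
        uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
      - uses: jdx/mise-action@v2
        with:
          install: false
      # Secrets cannot be referenced in a step's `if:` condition, so this step
      # exports a boolean output that the next step can check.
      # See: https://github.com/actions/runner/issues/520
      - name: Check OP Service Account Token available
        id: check-op-service-account-token
        env:
          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.op-service-account-token }}
        run: |
          # If the 1Password service account token is set, export provided=true.
          if [ -n "${OP_SERVICE_ACCOUNT_TOKEN}" ]; then
            echo "provided=true" >> "$GITHUB_OUTPUT"
          fi
      - name: Get Kong Enterprise License
        if: steps.check-op-service-account-token.outputs.provided == 'true'
        id: get-license
        # NOTE(review): mutable `@master` ref receiving a secret — pin to a SHA.
        uses: Kong/kong-license@master
        with:
          # OP (1Password) token is used to fetch the Kong Enterprise License from 1Password.
          op-token: ${{ secrets.op-service-account-token }}
      - name: E2E Tests
        run: make test.e2e
        env:
          KONG_LICENSE_DATA: ${{ steps.get-license.outputs.license || '' }}  # The license is optional for OSS tests.
          KONG_TEST_GATEWAY_OPERATOR_IMAGE_OVERRIDE: ${{ needs.build-push-images.outputs.full_tag }}
          KONG_TEST_KONNECT_ACCESS_TOKEN: ${{ secrets.konnect-pat }}
          KONG_TEST_KONNECT_SERVER_URL: us.api.konghq.tech
      - name: upload diagnostics
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: diagnostics-e2e
          path: /tmp/ktf-diag*
          if-no-files-found: ignore

  # Validates the base-branch/version combination, bumps VERSION (optionally
  # regenerating manifests and bundle) and opens a signed release PR.
  create-release-pr:
    runs-on: ubuntu-latest
    needs:
      - semver
      - build-push-images
      - test-integration-current-kubernetes
      - test-e2e-current-kubernetes
    steps:
      # Caller-supplied values are passed to the shell via `env:` rather than
      # expanded into the script text, so the script does not change shape
      # depending on what `inputs.base` contains.
      - name: Check if we're not trying to trigger a major/minor release from non main
        if: ${{ inputs.base != 'main' && needs.semver.outputs.patch == '0' }}
        env:
          FULLVERSION: ${{ needs.semver.outputs.fullversion }}
          BASE: ${{ inputs.base }}
        run: |
          echo "Trying to release: ${FULLVERSION} from ${BASE}"
          echo "Major/minor releases can only be triggered from main branch"
          exit 1
      - name: Check if we're not trying to trigger a patch release from main
        if: ${{ inputs.base == 'main' && needs.semver.outputs.patch != '0' }}
        env:
          FULLVERSION: ${{ needs.semver.outputs.fullversion }}
          BASE: ${{ inputs.base }}
        run: |
          echo "Trying to release: ${FULLVERSION} from ${BASE}"
          echo "Patch releases can only be triggered from non main, release branch"
          exit 1
      # Use the branch set via inputs as a base for the release.
      # If anything needs to be fixed before the release, it should be done on the base branch
      # before the release workflow is triggered.
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
          ref: ${{ inputs.base }}
      # The PAT goes through the environment, as in the test jobs.
      - name: Configure Git for private repositories (this is needed by repositories that include this workflow and have other private dependencies)
        env:
          GH_PAT: ${{ secrets.gh-pat }}
        run: git config --global url."https://${GH_PAT}@github.com".insteadOf "https://github.com"
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
      - name: Ensure bumped version is set in VERSION file
        env:
          VERSION: ${{ needs.semver.outputs.fullversion }}
        run: |
          echo "VERSION=${VERSION}" >> "$GITHUB_ENV"
          echo "${VERSION}" > VERSION
      - uses: jdx/mise-action@v2
        with:
          install: false
      # Generated manifests are part of the release PR.
      - name: Generate manifests
        if: ${{ inputs.regenerate-manifests }}
        run: make manifests
      # The generated bundle is part of the release PR.
      # This is done locally in this job, to avoid including unintended changes.
      # If anything needs to be fixed before the release, it should be done on the base branch
      # before the release workflow is triggered.
      - name: Generate bundle
        if: ${{ inputs.regenerate-bundle }}
        run: make bundle
      - name: GPG sign the commits
        uses: crazy-max/ghaction-import-gpg@cb9bde2e2525e640591a934b1fd28eef1dcaf5e5
        with:
          gpg_private_key: ${{ secrets.gpg-private-key }}
          passphrase: ${{ secrets.gpg-passphrase }}
          git_user_signingkey: true
          git_commit_gpgsign: true
      - name: Commit message
        env:
          MSG: "${{ inputs.latest && format('chore({0}): [bot] {1}, [latest]', inputs.release-type, env.VERSION) || format('chore({0}): [bot] {1}', inputs.release-type, env.VERSION)}}"
        run: |
          echo "MSG=${MSG}" >> "$GITHUB_ENV"
      # PRs will update the version file and manifests
      # NOTE(review): the committer/author e-mail addresses below were garbled in
      # the rendered source (`[email protected]`); restore them from the repository.
      - name: Create a release PR
        uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f
        with:
          token: ${{ secrets.gh-pat }}
          path: .
          branch: release/${{ needs.semver.outputs.fullversion }}/pr-${{ inputs.base }}
          base: ${{ inputs.base }}
          add-paths: |
            VERSION
            config
          commit-message: "${{ env.MSG }}"
          committer: Kong's Team k8s bot <[email protected]>
          author: Kong's Team k8s bot <[email protected]>
          signoff: true
          delete-branch: true
          title: "${{ env.MSG }}"
          body: "${{ env.MSG }}"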