Skip to content

test

test #34

Workflow file for this run

---
name: release
permissions:
contents: read
on:
push:
tags: [ "v[0-9]+*" ]
branches:
- main
- test/github-secrets
env:
BUILD_PACKAGES: build/packages
jobs:
release-started:
runs-on: ubuntu-latest
if: startsWith(github.ref, 'refs/tags')
steps:
- uses: elastic/oblt-actions/slack/[email protected]
with:
bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
channel-id: "#apm-agent-php"
message: |
:runner: [${{ github.repository }}] Release *${{ github.ref_name }}* has been triggered : (<${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|here> for further details)
build:
uses: ./.github/workflows/build.yml
build-packages:
permissions:
contents: read
packages: read
needs:
- build
uses: ./.github/workflows/build-packages.yml
sign:
runs-on: ubuntu-latest
needs:
- build-packages
env:
BUCKET_NAME: "apm-agent-php"
permissions:
attestations: write
id-token: write
contents: write
steps:
- uses: actions/checkout@v4
- uses: actions/download-artifact@v3
with:
name: package
path: ${{ env.BUILD_PACKAGES }}
- name: generate build provenance
uses: actions/attest-build-provenance@173725a1209d09b31f9d30a3890cf2757ebbff0d # v1.1.2
with:
subject-path: "${{ github.workspace }}/${{ env.BUILD_PACKAGES }}/*"
## NOTE: The name of the zip should match the name of the folder to be zipped.
- name: Prepare packages to be signed
run: zip -r packages.zip packages/
working-directory: build
- name: 'Get service account'
uses: hashicorp/[email protected]
with:
url: ${{ secrets.VAULT_ADDR }}
roleId: ${{ secrets.VAULT_ROLE_ID }}
secretId: ${{ secrets.VAULT_SECRET_ID }}
method: approle
secrets: |
secret/observability-team/ci/apm-agent-php-bucket service-account | SERVICE_ACCOUNT ;
- name: 'Authenticate to Google Cloud'
uses: 'google-github-actions/auth@v2'
with:
credentials_json: '${{ env.SERVICE_ACCOUNT }}'
- id: 'upload-file'
uses: 'google-github-actions/upload-cloud-storage@v2'
with:
path: "${{ env.BUILD_PACKAGES }}.zip"
destination: "${{ env.BUCKET_NAME }}/${{ github.run_id }}"
predefinedAcl: "publicRead"
- id: buildkite-run
if: startsWith(github.ref, 'refs/tags')
uses: elastic/oblt-actions/buildkite/[email protected]
with:
token: ${{ secrets.BUILDKITE_TOKEN }}
pipeline: observability-robots-php-release
wait-for: true
env-vars: |
BUNDLE_URL=https://storage.googleapis.com/${{ env.BUCKET_NAME }}/${{ steps.upload-file.outputs.uploaded }}
- uses: elastic/oblt-actions/buildkite/[email protected]
with:
build-number: ${{ steps.buildkite-run.outputs.number }}
path: signed-artifacts.zip
pipeline: ${{ steps.buildkite-run.outputs.pipeline }}
token: ${{ secrets.BUILDKITE_TOKEN }}
# this artifact name is used also in some other places,
# such as ./.github/workflows/test-packages.yml.
# Therefore v4 cannot be used at the moment.
- uses: actions/upload-artifact@v3
with:
name: signed-artifacts
path: signed-artifacts.zip
generate-test-packages-matrix:
if: startsWith(github.ref, 'refs/tags')
uses: ./.github/workflows/generate-matrix.yml
test-packages:
if: startsWith(github.ref, 'refs/tags')
needs:
- sign
- generate-test-packages-matrix
permissions:
contents: read
packages: read
uses: ./.github/workflows/test-packages.yml
with:
include: ${{ needs.generate-test-packages-matrix.outputs.include }}
max-parallel: 40
package-name: 'signed-artifacts'
release:
needs:
- test-packages
runs-on: ubuntu-latest
permissions:
contents: write
env:
GITHUB_TOKEN: ${{ github.token }}
TAG_NAME: ${{ github.ref_name }}
steps:
- uses: actions/checkout@v4
- uses: actions/download-artifact@v3
with:
name: signed-artifacts
path: ${{ env.BUILD_PACKAGES }}
- name: Unzip signed packages
run: unzip ${PACKAGE_FILE} && rm ${PACKAGE_FILE}
working-directory: ${{ env.BUILD_PACKAGES }}
env:
PACKAGE_FILE: "signed-artifacts.zip"
- name: Create draft release
if: startsWith(github.ref, 'refs/tags')
run: make -f .ci/Makefile draft-release
- name: Verify draft release
if: startsWith(github.ref, 'refs/tags')
run: ORIGINAL_PACKAGES_LOCATION=${{ env.BUILD_PACKAGES }} make -f .ci/Makefile download-verify
- name: Publish release
if: startsWith(github.ref, 'refs/tags')
run: make -f .ci/Makefile github-release-ready
notify:
if: always()
needs:
- build
- build-packages
- generate-test-packages-matrix
- release
- sign
- test-packages
runs-on: ubuntu-latest
steps:
- id: check
uses: elastic/apm-pipeline-library/.github/actions/check-dependent-jobs@current
with:
needs: ${{ toJSON(needs) }}
- if: startsWith(github.ref, 'refs/tags')
uses: elastic/oblt-actions/slack/[email protected]
with:
bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
channel-id: "#apm-agent-php"
status: ${{ steps.check.outputs.status }}
message: "[${{ github.repository }}] Release (<${{ github.server_url }}/${{ github.repository }}/releases/tag/${{ github.ref_name }}|${{ github.ref_name }}>)"