From 44633abc76643c0834cad920bafef15c13f77e60 Mon Sep 17 00:00:00 2001 From: Rui Zhang <55496957+StinkyBenji@users.noreply.github.com> Date: Wed, 25 Oct 2023 18:59:38 +0200 Subject: [PATCH] fix: update git-clone to pass the branch for semantic-release (#10) fix: update git-clone to pass the branch name to semantic-releas and update the cel expression on pac --- .gitignore | 1 + .tekton/ansible-ee-pipeline.yaml | 10 +- .tekton/tasks/git-clone.yaml | 246 ++++++++++++++++++++++++++++ .tekton/tasks/semantic-release.yaml | 19 ++- commitlint.config.js | 1 - package-lock.json | 7 + release.config.js | 3 +- 7 files changed, 270 insertions(+), 17 deletions(-) create mode 100644 .tekton/tasks/git-clone.yaml diff --git a/.gitignore b/.gitignore index 2575db2..c5d8053 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,4 @@ *secret* node_modules/ .env +test* diff --git a/.tekton/ansible-ee-pipeline.yaml b/.tekton/ansible-ee-pipeline.yaml index 8d2e628..952fe2c 100644 --- a/.tekton/ansible-ee-pipeline.yaml +++ b/.tekton/ansible-ee-pipeline.yaml @@ -4,10 +4,8 @@ kind: PipelineRun metadata: name: ansible-ee-pipeline annotations: - # pipelinesascode.tekton.dev/on-event: "[push, pull_request]" - pipelinesascode.tekton.dev/on-target-branch: "[main]" pipelinesascode.tekton.dev/max-keep-runs: "5" - pipelinesascode.tekton.dev/task: "[git-clone]" + pipelinesascode.tekton.dev/task: "[.tekton/tasks/git-clone.yaml]" pipelinesascode.tekton.dev/task-1: "[.tekton/tasks/gitleaks.yaml]" pipelinesascode.tekton.dev/task-2: "[.tekton/tasks/ansible-lint.yaml]" pipelinesascode.tekton.dev/task-3: "[.tekton/tasks/ansible-builder-create.yaml]" @@ -15,7 +13,7 @@ metadata: pipelinesascode.tekton.dev/task-5: "[.tekton/tasks/ansible-ee-sanity-test.yaml]" pipelinesascode.tekton.dev/task-6: "[.tekton/tasks/semantic-release.yaml]" pipelinesascode.tekton.dev/on-cel-expression: | - event == "pull_request" || event == "push" && target_branch == "main" && "examples/ansible-ee/***".pathChanged() + event == "pull_request" || event == "push" && target_branch == "main" && "examples/ansible-ee/***".pathChanged() || ".tekton/ansible-ee-pipeline.yaml".pathChanged() spec: params: - name: repo_url @@ -119,9 +117,9 @@ spec: - name: semantic-release when: - - input: "$(params.revision)" + - input: "$(tasks.fetch-repository.results.branch)" operator: in - values: ["main"] + values: ["HEAD"] runAfter: - ee-sanity-test taskRef: diff --git a/.tekton/tasks/git-clone.yaml b/.tekton/tasks/git-clone.yaml new file mode 100644 index 0000000..c3d853e --- /dev/null +++ b/.tekton/tasks/git-clone.yaml @@ -0,0 +1,246 @@ +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: git-clone + labels: + app.kubernetes.io/version: "0.9" + annotations: + tekton.dev/pipelines.minVersion: "0.38.0" + tekton.dev/categories: Git + tekton.dev/tags: git + tekton.dev/displayName: "git clone" + tekton.dev/platforms: "linux/amd64,linux/s390x,linux/ppc64le,linux/arm64" +spec: + description: >- + These Tasks are Git tasks to work with repositories used by other tasks + in your Pipeline. + + The git-clone Task will clone a repo from the provided url into the + output Workspace. By default the repo will be cloned into the root of + your Workspace. You can clone into a subdirectory by setting this Task's + subdirectory param. This Task also supports sparse checkouts. To perform + a sparse checkout, pass a list of comma separated directory patterns to + this Task's sparseCheckoutDirectories param. + workspaces: + - name: output + description: The git repo will be cloned onto the volume backing this Workspace. + - name: ssh-directory + optional: true + description: | + A .ssh directory with private key, known_hosts, config, etc. Copied to + the user's home before git commands are executed. Used to authenticate + with the git remote when performing the clone. Binding a Secret to this + Workspace is strongly recommended over other volume types. + - name: basic-auth + optional: true + description: | + A Workspace containing a .gitconfig and .git-credentials file. These + will be copied to the user's home before any git commands are run. Any + other files in this Workspace are ignored. It is strongly recommended + to use ssh-directory over basic-auth whenever possible and to bind a + Secret to this Workspace over other volume types. + - name: ssl-ca-directory + optional: true + description: | + A workspace containing CA certificates, this will be used by Git to + verify the peer with when fetching or pushing over HTTPS. + params: + - name: url + description: Repository URL to clone from. + type: string + - name: revision + description: Revision to checkout. (branch, tag, sha, ref, etc...) + type: string + default: "" + - name: refspec + description: Refspec to fetch before checking out revision. + default: "" + - name: submodules + description: Initialize and fetch git submodules. + type: string + default: "true" + - name: depth + description: Perform a shallow clone, fetching only the most recent N commits. + type: string + default: "1" + - name: sslVerify + description: Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote. + type: string + default: "true" + - name: crtFileName + description: file name of mounted crt using ssl-ca-directory workspace. default value is ca-bundle.crt. + type: string + default: "ca-bundle.crt" + - name: subdirectory + description: Subdirectory inside the `output` Workspace to clone the repo into. + type: string + default: "" + - name: sparseCheckoutDirectories + description: Define the directory patterns to match or exclude when performing a sparse checkout. + type: string + default: "" + - name: deleteExisting + description: Clean out the contents of the destination directory if it already exists before cloning. + type: string + default: "true" + - name: httpProxy + description: HTTP proxy server for non-SSL requests. + type: string + default: "" + - name: httpsProxy + description: HTTPS proxy server for SSL requests. + type: string + default: "" + - name: noProxy + description: Opt out of proxying HTTP/HTTPS requests. + type: string + default: "" + - name: verbose + description: Log the commands that are executed during `git-clone`'s operation. + type: string + default: "true" + - name: gitInitImage + description: The image providing the git-init binary that this Task runs. + type: string + default: "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:v0.40.2" + - name: userHome + description: | + Absolute path to the user's home directory. + type: string + default: "/home/git" + results: + - name: commit + description: The precise commit SHA that was fetched by this Task. + - name: url + description: The precise URL that was fetched by this Task. + - name: committer-date + description: The epoch timestamp of the commit that was fetched by this Task. + - name: branch + description: The current branch of the git checkout. + steps: + - name: clone + image: "$(params.gitInitImage)" + env: + - name: HOME + value: "$(params.userHome)" + - name: PARAM_URL + value: $(params.url) + - name: PARAM_REVISION + value: $(params.revision) + - name: PARAM_REFSPEC + value: $(params.refspec) + - name: PARAM_SUBMODULES + value: $(params.submodules) + - name: PARAM_DEPTH + value: $(params.depth) + - name: PARAM_SSL_VERIFY + value: $(params.sslVerify) + - name: PARAM_CRT_FILENAME + value: $(params.crtFileName) + - name: PARAM_SUBDIRECTORY + value: $(params.subdirectory) + - name: PARAM_DELETE_EXISTING + value: $(params.deleteExisting) + - name: PARAM_HTTP_PROXY + value: $(params.httpProxy) + - name: PARAM_HTTPS_PROXY + value: $(params.httpsProxy) + - name: PARAM_NO_PROXY + value: $(params.noProxy) + - name: PARAM_VERBOSE + value: $(params.verbose) + - name: PARAM_SPARSE_CHECKOUT_DIRECTORIES + value: $(params.sparseCheckoutDirectories) + - name: PARAM_USER_HOME + value: $(params.userHome) + - name: WORKSPACE_OUTPUT_PATH + value: $(workspaces.output.path) + - name: WORKSPACE_SSH_DIRECTORY_BOUND + value: $(workspaces.ssh-directory.bound) + - name: WORKSPACE_SSH_DIRECTORY_PATH + value: $(workspaces.ssh-directory.path) + - name: WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND + value: $(workspaces.basic-auth.bound) + - name: WORKSPACE_BASIC_AUTH_DIRECTORY_PATH + value: $(workspaces.basic-auth.path) + - name: WORKSPACE_SSL_CA_DIRECTORY_BOUND + value: $(workspaces.ssl-ca-directory.bound) + - name: WORKSPACE_SSL_CA_DIRECTORY_PATH + value: $(workspaces.ssl-ca-directory.path) + securityContext: + runAsNonRoot: true + runAsUser: 65532 + script: | + #!/usr/bin/env sh + set -eu + + if [ "${PARAM_VERBOSE}" = "true" ] ; then + set -x + fi + + if [ "${WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND}" = "true" ] ; then + cp "${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials" "${PARAM_USER_HOME}/.git-credentials" + cp "${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig" "${PARAM_USER_HOME}/.gitconfig" + chmod 400 "${PARAM_USER_HOME}/.git-credentials" + chmod 400 "${PARAM_USER_HOME}/.gitconfig" + fi + + if [ "${WORKSPACE_SSH_DIRECTORY_BOUND}" = "true" ] ; then + cp -R "${WORKSPACE_SSH_DIRECTORY_PATH}" "${PARAM_USER_HOME}"/.ssh + chmod 700 "${PARAM_USER_HOME}"/.ssh + chmod -R 400 "${PARAM_USER_HOME}"/.ssh/* + fi + + if [ "${WORKSPACE_SSL_CA_DIRECTORY_BOUND}" = "true" ] ; then + export GIT_SSL_CAPATH="${WORKSPACE_SSL_CA_DIRECTORY_PATH}" + if [ "${PARAM_CRT_FILENAME}" != "" ] ; then + export GIT_SSL_CAINFO="${WORKSPACE_SSL_CA_DIRECTORY_PATH}/${PARAM_CRT_FILENAME}" + fi + fi + CHECKOUT_DIR="${WORKSPACE_OUTPUT_PATH}/${PARAM_SUBDIRECTORY}" + + cleandir() { + # Delete any existing contents of the repo directory if it exists. + # + # We don't just "rm -rf ${CHECKOUT_DIR}" because ${CHECKOUT_DIR} might be "/" + # or the root of a mounted volume. + if [ -d "${CHECKOUT_DIR}" ] ; then + # Delete non-hidden files and directories + rm -rf "${CHECKOUT_DIR:?}"/* + # Delete files and directories starting with . but excluding .. + rm -rf "${CHECKOUT_DIR}"/.[!.]* + # Delete files and directories starting with .. plus any other character + rm -rf "${CHECKOUT_DIR}"/..?* + fi + } + + if [ "${PARAM_DELETE_EXISTING}" = "true" ] ; then + cleandir || true + fi + + test -z "${PARAM_HTTP_PROXY}" || export HTTP_PROXY="${PARAM_HTTP_PROXY}" + test -z "${PARAM_HTTPS_PROXY}" || export HTTPS_PROXY="${PARAM_HTTPS_PROXY}" + test -z "${PARAM_NO_PROXY}" || export NO_PROXY="${PARAM_NO_PROXY}" + + git config --global --add safe.directory "${WORKSPACE_OUTPUT_PATH}" + /ko-app/git-init \ + -url="${PARAM_URL}" \ + -revision="${PARAM_REVISION}" \ + -refspec="${PARAM_REFSPEC}" \ + -path="${CHECKOUT_DIR}" \ + -sslVerify="${PARAM_SSL_VERIFY}" \ + -submodules="${PARAM_SUBMODULES}" \ + -depth="${PARAM_DEPTH}" \ + -sparseCheckoutDirectories="${PARAM_SPARSE_CHECKOUT_DIRECTORIES}" + cd "${CHECKOUT_DIR}" + RESULT_SHA="$(git rev-parse HEAD)" + BRANCH="$(git rev-parse --abbrev-ref HEAD)" + EXIT_CODE="$?" + if [ "${EXIT_CODE}" != 0 ] ; then + exit "${EXIT_CODE}" + fi + RESULT_COMMITTER_DATE="$(git log -1 --pretty=%ct)" + printf "%s" "${RESULT_COMMITTER_DATE}" > "$(results.committer-date.path)" + printf "%s" "${RESULT_SHA}" > "$(results.commit.path)" + printf "%s" "${PARAM_URL}" > "$(results.url.path)" + printf "%s" "${BRANCH}" > "$(results.branch.path)" diff --git a/.tekton/tasks/semantic-release.yaml b/.tekton/tasks/semantic-release.yaml index 566e1dc..113fda5 100644 --- a/.tekton/tasks/semantic-release.yaml +++ b/.tekton/tasks/semantic-release.yaml @@ -15,11 +15,7 @@ spec: - name: IMAGE type: string description: The name of the image used to run the task. - default: "registry.access.redhat.com/ubi8/nodejs-18-minimal@sha256:f05c9e5fb1d076091d971330f725c83672fb1165b3a9fb05f64a1a40210efbfd" - - name: CONTEXT - type: string - description: Path to the directory to use as context. - default: "." + default: "registry.access.redhat.com/ubi8/nodejs-18@sha256:d4ef3da5c97ae5f063f604d58ba620350c68c086f7f6d88ec0536a883b2d364f" - name: semantic-release-auth type: string description: name of the secret holding the github token and npm token @@ -40,15 +36,20 @@ spec: secretKeyRef: name: $(params.semantic-release-auth) key: NPM_TOKEN - workingDir: $(workspaces.source.path)/$(params.CONTEXT) + securityContext: + runAsNonRoot: true + runAsUser: 65532 + workingDir: $(workspaces.source.path) script: | #!/usr/bin/env sh - npm --version - npx --version + echo "npm version: $(npm --version)" + echo "npx version: $(npx --version)" # install all the dependencies for semantic-release npm clean-install + git config --global --add safe.directory $(workspaces.source.path) + # run the semantic-release - npx semantic-release + npx semantic-release --no-ci diff --git a/commitlint.config.js b/commitlint.config.js index 0bfbeba..7014b03 100644 --- a/commitlint.config.js +++ b/commitlint.config.js @@ -1,5 +1,4 @@ module.exports = { extends: ["@commitlint/config-conventional"], - formatter: "@commitlint/format", }; diff --git a/package-lock.json b/package-lock.json index 7b5eeae..266f8b2 100644 --- a/package-lock.json +++ b/package-lock.json @@ -8,6 +8,13 @@ "@commitlint/cli": "^18.0.0", "@commitlint/config-conventional": "^18.0.0" }, + "devDependencies": { + "@codedependant/semantic-release-docker": "^4.5.0", + "@semantic-release/changelog": "^6.0.3", + "@semantic-release/git": "^10.0.1", + "@semantic-release/github": "^9.2.1", + "semantic-release": "^22.0.5" + }, "devDependencies": { "@codedependant/semantic-release-docker": "^4.5.0", "@semantic-release/changelog": "^6.0.3", diff --git a/release.config.js b/release.config.js index 71a687a..5fe9a91 100644 --- a/release.config.js +++ b/release.config.js @@ -9,10 +9,10 @@ module.exports = { { type: "docs", scope: "README", release: "patch" }, { type: "refactor", release: "patch" }, { type: "style", release: "patch" }, - { scope: "no-release", release: "false" }, ], parserOpts: { noteKeywords: ["BREAKING CHANGE", "BREAKING CHANGES", "BREAKING"], + noteKeywords: ["feat", "feature"] }, }, ], @@ -25,5 +25,6 @@ module.exports = { ], "@semantic-release/git", "@semantic-release/github", + "@codedependant/semantic-release-docker", ], };