Update release workflow #2552
Update release workflow #2552
Conversation
| @@ -0,0 +1,42 @@ | |||
| name: Create a PR | |||
There was a problem hiding this comment.
This replaces https://github.com/peter-evans/create-pull-request
| [Unreleased]: https://github.com/bufbuild/buf/compare/${{ env.RELEASED_VERSION_WITH_V }}...HEAD | ||
| }" CHANGELOG.md | ||
| - name: update home brew badge | ||
| run: make updatehomebrewbadge VERSION=${{ env.RELEASED_VERSION_WITH_V }} |
There was a problem hiding this comment.
I didn't test this in my own repo, but it runs in the same relative order as before. @doriable does this look correct?
| APP_ID: 251311 | ||
|
|
||
| jobs: | ||
| prepare: |
There was a problem hiding this comment.
This is now create-release-pr.yaml
| steps: | ||
| - name: Generate token | ||
| id: generate_token | ||
| uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a |
There was a problem hiding this comment.
This isn't always needed, we can simply use secrets.GITHUB_TOKEN in most cases. One exception is create-release-pr.yaml, where the action creates a PR and another checks needs to be triggered by this PR. In this case, we can use the official github action for this purpose.
| with: | ||
| go-version: "1.21.x" | ||
| - name: Install Buf | ||
| run: make installbuf |
There was a problem hiding this comment.
Do we really need to install buf here? I suppose it checks whether it builds, but regular ci.yaml should cover that.
| done | ||
| echo ERROR: CHANGELOG has not been updated | ||
| exit 1 | ||
| tag: |
There was a problem hiding this comment.
This isn't needed anymore since you pass a tag in gh release create
| run: | | ||
| jq --null-input '{ text: "BufCLI Release v${{env.VERSION}} has started: ${{ steps.cpr.outputs.pull-request-url }}" }' \ | ||
| | curl -sSL -X POST -H 'Content-Type: application/json' -d @- '${{ secrets.SLACK_RELEASE_NOTIFICATION_WEBHOOK }}' | ||
| verify: |
There was a problem hiding this comment.
This is now verify-changelog.yaml
| git push origin :${{env.VERSION}} 2> /dev/null || echo 'remote ref does not exist' | ||
| git tag ${{env.VERSION}} | ||
| git push origin ${{env.VERSION}} | ||
| perform: |
There was a problem hiding this comment.
This is now build-and-draft-release.yaml
| run: | | ||
| jq --null-input '{ text: "BufCLI Release ${{env.VERSION}} is complete: ${{ steps.ghr.outputs.url }}" }' \ | ||
| | curl -sSL -X POST -H 'Content-Type: application/json' -d @- '${{ secrets.SLACK_RELEASE_NOTIFICATION_WEBHOOK }}' | ||
| post-release: |
There was a problem hiding this comment.
This is replaced by back-to-development.yaml
| script: | ||
| core.setOutput('version', "${{github.ref_name}}".replace("v", "")); | ||
| trigger-maven-update: | ||
| runs-on: ubuntu-latest |
There was a problem hiding this comment.
These triggers are removed and we will manually released these repos
| run: make updateversion VERSION=${{ env.NEXT_VERSION }} | ||
| - name: Unrelease changelog | ||
| run: | | ||
| sed -i "/^# Changelog/ { |
There was a problem hiding this comment.
This find the line that says # Changelog and inserts content two lines below this line. This isn't a complex expression, but newline and whitespace behavior seem to be different between gnu-sed and mac sed. Therefore, it is not added as a make target.
I wish we can update makego to make SED_I gsed -i on mac, that way we can guarantee consistent behavior across mac and linux. However, I suspect gsed isn't built-in to GitHub's mac runners and if a CI workflow running on mac needs to use gsed it would have to install it first.
| inputs: | ||
| version: | ||
| type: string | ||
| description: The released version without 'v'. For example, 1.0.0. |
There was a problem hiding this comment.
If this fails, it can be restarted with manual trigger
| @@ -0,0 +1,54 @@ | |||
| name: Go back to Development | |||
| on: | |||
| workflow_dispatch: | |||
There was a problem hiding this comment.
If this fails, it can be restarted with manual trigger. However, no input is needed because in a later step, version is read from bufcli.go
| @@ -1,21 +0,0 @@ | |||
| #!/usr/bin/env bash | |||
There was a problem hiding this comment.
This is now done in draftrelease.bash
| - name: Set VERSION variable | ||
| # The head ref looks like release/v1.0.0, and we need to trim the string up to the `/v`. | ||
| run: | | ||
| VERSION="${{ github.event.inputs.version || github.head_ref}}" |
There was a problem hiding this comment.
This is handled in action so that the script does not need to know about what triggers it
| - name: Checkout repository code | ||
| uses: actions/checkout@v4 | ||
| - name: Get GitHub App Token | ||
| uses: actions/create-github-app-token@v1 |
There was a problem hiding this comment.
This is needed because we want a CI check to check that this PR created here has changes in CHANGELOG.md. To trigger that check, this PR needs to be opened with an App token.
|
|
||
| env: | ||
| VERSION: ${{ github.event.inputs.version }} | ||
| APP_ID: 251311 |
There was a problem hiding this comment.
We should perhaps store this ID in a secret to be safer? It's been here for probably a year by now, but it can be done in a follow up.
| @@ -135,13 +135,6 @@ bufgeneratesteps:: \ | |||
| bufrelease: $(MINISIGN) | |||
| DOCKER_IMAGE=golang:1.21-bullseye bash make/buf/scripts/release.bash | |||
|
|
|||
| # We have to manually set the Homebrew version on the Homebrew badge as there | |||
| # is no badge on shields.io for Homebrew packages outside of homebrew-core | |||
|
|
|||
There was a problem hiding this comment.
We don't manually set the badge version anymore. It's now dynamic, see
Line 9 in 6befbe4
| @@ -1,8 +0,0 @@ | |||
| #!/usr/bin/env bash | |||
There was a problem hiding this comment.
The make target is removed in the same PR
| jobs: | ||
| draft_release: | ||
| runs-on: ubuntu-latest | ||
| if: ${{ github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.merged == true && startsWith(github.event.pull_request.head.ref, 'release')) }} |
There was a problem hiding this comment.
github.head_ref is potentially untrusted input, and is used later on. It's a potential vector for attacks since we expand it in-line. However, if the PR has been merged (approved by one of us at buf), the branch name is probably safe.
This updates the CLI release workflow. Releasing CLI itself (not including downstream repos) now has three separate actions, each requiring some level of manual approval.
bufcli.go.This also removes third party actions in the release workflow.