Allow users to commit to the main branch while full release running #40

Merged
26 changes: 17 additions & 9 deletions .github/workflows/reusable-release.yml
Expand Up @@ -301,7 +301,6 @@ jobs:
runs-on: ubuntu-latest
env:
KEY_FINGERPRINT: ${{ needs.init.outputs.key_fingerprint }}
ARTIFACT_SHA256SUMS: ${{ needs.create-artifacts.outputs.ARTIFACT_SHA256SUMS }}
steps:
- id: generate-github-app-token
uses: actions/create-github-app-token@v1
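Review bot: With `ARTIFACT_SHA256SUMS` dropped from the job-level `env`, any step in this job that reads it without its own `env:` entry will now see an empty string rather than fail. The diff adds it to "Verify artifact hashes before signing" and "Push signed tag"; confirm that no other step in the job, outside the visible hunks, still references it. Reading it in the consuming scripts as `${ARTIFACT_SHA256SUMS:?}` would turn a missed declaration into a hard failure instead of a hash check or tag message built from an empty value.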
Expand All @@ -312,7 +311,7 @@ jobs:
with:
path: repo
ref: ${{ needs.push-release-commit.outputs.release_commit_id }}
fetch-depth: 2 # To fast-forward the main branch, we need the commit on main, as well as the release commit
fetch-depth: 1 # For tag-signing, we only need the release commit - branch operations done with GitHub API
token: ${{ steps.generate-github-app-token.outputs.token }}
persist-credentials: true # Allow us to push as the GitHub App, and bypass branch ruleset
- uses: actions/cache/restore@v4
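Review bot: The comment on `persist-credentials: true` still says the persisted token is there to "push as the GitHub App, and bypass branch ruleset", but after this change the branch update goes through `gh api` with `GH_TOKEN`, and the git-based work left in this job appears to be the "Push signed tag" step. Update the comment to say what the persisted credentials are now needed for, so the reason the App token stays in the checkout's git config is stated accurately.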
Expand All @@ -321,6 +320,8 @@ jobs:
key: unsigned-${{ env.RUN_ATTEMPT_UID }}
fail-on-cache-miss: true
- name: Verify artifact hashes before signing
env:
ARTIFACT_SHA256SUMS: ${{ needs.create-artifacts.outputs.ARTIFACT_SHA256SUMS }}
run: |
sudo apt-get install hashdeep -q > /dev/null
ARTIFACT_SHA256SUMS_FILE=$( mktemp )
Expand All @@ -342,25 +343,32 @@ jobs:
run: |
echo "KEY_FINGERPRINT=$KEY_FINGERPRINT"
find $LOCAL_ARTIFACTS_STAGING_PATH -type f -exec gpg -a --local-user "$KEY_FINGERPRINT" --detach-sign {} \;
- name: "Full Main-Branch release: Add release commit (from temporary release branch) to default branch"
if: needs.init.outputs.release_type == 'FULL_MAIN_BRANCH'
env:
GH_TOKEN: ${{ steps.generate-github-app-token.outputs.token }}
GH_REPO: ${{ github.repository }}
RELEASE_COMMIT_ID: ${{ needs.push-release-commit.outputs.release_commit_id }}
run: |
if gh api --silent --method PATCH /repos/:owner/:repo/git/refs/heads/$GITHUB_REF_NAME -f "sha=$RELEASE_COMMIT_ID"; then
echo "...fast-forward of default branch to include release commit succeeded"

@rtyley (Member Author), Jun 25, 2024:

GitHub API: PATCH /repos/:owner/:repo/git/refs/heads/{branch_name} updates a branch to point at a new commit. It only allows fast-forward changes - not rewriting history, unless you use the force param - and we don't.

Previously we used git push origin $RELEASE_COMMIT_ID:refs/heads/$GITHUB_REF_NAME to do this, but using the GitHub API, we don't need to rely on cloning enough of the git repo's history (fetch-depth: 2) to find the old position of the branch.

else
echo "...fast-forward failed (commits added to default branch while release running?), will attempt a merge instead"
gh api --silent --method POST /repos/:owner/:repo/merges -f "base=$GITHUB_REF_NAME" -f "head=$RELEASE_COMMIT_ID"

@rtyley (Member Author), Jun 25, 2024:

GitHub API: POST /repos/:owner/:repo/merges merges a branch (that doesn't need to be a PR branch) into the base branch.

fi
- name: Push signed tag
env:
RELEASE_TAG: ${{ needs.push-release-commit.outputs.release_tag }}
RELEASE_COMMIT_ID: ${{ needs.push-release-commit.outputs.release_commit_id }}
KEY_EMAIL: ${{ needs.init.outputs.key_email }}
ARTIFACT_SHA256SUMS: ${{ needs.create-artifacts.outputs.ARTIFACT_SHA256SUMS }}
run: |
cd $GITHUB_WORKSPACE/repo
git config user.email "$KEY_EMAIL"
git config user.name "$COMMITTER_NAME"
git config tag.gpgSign true
git config user.signingkey "$KEY_FINGERPRINT"

if [ "${{ needs.init.outputs.release_type }}" == "FULL_MAIN_BRANCH" ]
then
echo "Full Main-Branch release, fast-forwarding the default branch to the release commit"
git log --oneline -n 3
git push origin $RELEASE_COMMIT_ID:refs/heads/$GITHUB_REF_NAME
fi

cat << EndOfFile > tag-message.txt
Release $RELEASE_TAG initiated by $COMMITTER_NAME
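Review bot: In the new "Full Main-Branch release" step, `if gh api --silent --method PATCH ...; then ... else` treats every failure of the ref update as a non-fast-forward: an invalid or expired App token, a ruleset rejection or a transient API error would also fall through to `POST /repos/:owner/:repo/merges` and log the "commits added to default branch while release running?" message. Consider capturing the PATCH response (for example with `--include` instead of `--silent`) and attempting the merge only when the error says the update is not a fast-forward, failing the step otherwise. On the merge path the default branch ends at a new merge commit while the "Push signed tag" step still takes `RELEASE_COMMIT_ID`, so a short comment stating that the tag intentionally stays on the release commit would help. `$GITHUB_REF_NAME` should also be double-quoted in both `gh api` calls.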
