From 9b422505db632fcfc7e869950386a04c9d8a013b Mon Sep 17 00:00:00 2001 From: jandroav Date: Tue, 28 Nov 2023 12:45:23 +0100 Subject: [PATCH 01/16] chore(extension-release-prepare.yml): update email address for git user to use a noreply email address for better identification chore(extension-release-published.yml): update version of extension-release-prepare.yml used in maven-release job to DAT-16350 branch --- .github/workflows/extension-release-prepare.yml | 2 +- .github/workflows/extension-release-published.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/extension-release-prepare.yml b/.github/workflows/extension-release-prepare.yml index 747ad623..2db490ec 100644 --- a/.github/workflows/extension-release-prepare.yml +++ b/.github/workflows/extension-release-prepare.yml @@ -79,7 +79,7 @@ jobs: - name: Configure Git run: | git config user.name "liquibot" - git config user.email "liquibot@liquibase.org" + git config user.email "64099989+liquibot@users.noreply.github.com" - name: Run extra command if: inputs.extraCommand != '' diff --git a/.github/workflows/extension-release-published.yml b/.github/workflows/extension-release-published.yml index 308e498b..ce18bd2f 100644 --- a/.github/workflows/extension-release-published.yml +++ b/.github/workflows/extension-release-published.yml @@ -134,7 +134,7 @@ jobs: maven-release: needs: release - uses: liquibase/build-logic/.github/workflows/extension-release-prepare.yml@v0.5.7 + uses: liquibase/build-logic/.github/workflows/extension-release-prepare.yml@DAT-16350 secrets: inherit with: extraCommand: ${{ inputs.extraCommand }} \ No newline at end of file From 1242bf977b3b600b85f6b8b71e7355fdecc4bf7d Mon Sep 17 00:00:00 2001 
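Review bot: In extension-release-published.yml the `maven-release` job now calls the reusable workflow at `@DAT-16350`, a branch ref, while keeping `secrets: inherit`, so whatever is at the tip of that branch when the job runs receives every secret of the calling workflow. The `release-rollback` job changed in PATCH 02/16 has the same problem. For a workflow that handles release credentials I would pin to a full commit SHA, `uses: liquibase/build-logic/.github/workflows/extension-release-prepare.yml@<full-commit-sha> # DAT-16350`, and pass only the named secrets the callee needs instead of `inherit`. The job definition starts and ends outside the hunk.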
From: jandroav Date: Tue, 28 Nov 2023 12:45:39 +0100 Subject: [PATCH 02/16] chore(extension-release-prepare.yml): update extension-release-rollback.yml version to DAT-16350 to fix rollback job failure --- .github/workflows/extension-release-prepare.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/extension-release-prepare.yml b/.github/workflows/extension-release-prepare.yml index 2db490ec..0e8771f7 100644 --- a/.github/workflows/extension-release-prepare.yml +++ b/.github/workflows/extension-release-prepare.yml @@ -105,7 +105,7 @@ jobs: release-rollback: needs: prepare-release if: ${{ always() && contains(needs.*.result, 'failure') }} - uses: liquibase/build-logic/.github/workflows/extension-release-rollback.yml@v0.5.7 + uses: liquibase/build-logic/.github/workflows/extension-release-rollback.yml@DAT-16350 secrets: inherit with: extraCommand: ${{ inputs.extraCommand }} From 11762f5a317fb24649cc62937fe4817b0c91be43 Mon Sep 17 00:00:00 2001 From: jandroav Date: Tue, 28 Nov 2023 13:15:47 +0100 Subject: [PATCH 03/16] fix(extension-release-prepare.yml): add token parameter to checkout action to allow access to private repositories fix(extension-release-prepare.yml): add pushChanges=false parameter to release:prepare command to prevent accidental pushing of changes fix(extension-release-prepare.yml): add push changes step to push changes made during release preparation --- .github/workflows/extension-release-prepare.yml | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/.github/workflows/extension-release-prepare.yml b/.github/workflows/extension-release-prepare.yml index 0e8771f7..1045185e 100644 --- a/.github/workflows/extension-release-prepare.yml +++ b/.github/workflows/extension-release-prepare.yml @@ -24,6 +24,7 @@ jobs: uses: actions/checkout@v4 with: ref: main + token: ${{ secrets.BOT_TOKEN }} - name: Set up JDK uses: actions/setup-java@v3 
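Review bot: The checkout step in the first hunk of PATCH 03/16 gains `token: ${{ secrets.BOT_TOKEN }}` without `persist-credentials: false`, so actions/checkout leaves the bot token in the repository's local git configuration for every later step of the job. That includes `Run extra command`, which appears to execute the caller-supplied `inputs.extraCommand`. PATCH 04/16 adds the setting, PATCH 13/16 removes it again as "not needed", and the rollback checkout in PATCH 16/16 has the same gap. If the release plugin needs the persisted credential to push, say so in a comment on the step, e.g. `# credentials persisted on purpose: release:prepare pushes the tag`; otherwise keep `persist-credentials: false`. The step list continues outside the hunk.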
@@ -91,7 +92,13 @@ jobs: mvn -B build-helper:parse-version release:clean release:prepare \ -Darguments="-Dusername=liquibot -Dpassword=$GITHUB_TOKEN -Dmaven.javadoc.skip=true -Dmaven.test.skipTests=true -Dmaven.test.skip=true -Dmaven.deploy.skip=true" \ -DdevelopmentVersion=\${parsedVersion.majorVersion}.\${parsedVersion.nextMinorVersion}.0-SNAPSHOT -DnewVersion=\${parsedVersion.majorVersion}.\${parsedVersion.nextMinorVersion}.\${parsedVersion.incrementalVersion} \ - -DcheckModificationExcludeList=pom.xml + -DcheckModificationExcludeList=pom.xml -DpushChanges=false + + - name: Push changes + uses: ad-m/github-push-action@master + with: + github_token: ${{ secrets.BOT_TOKEN }} + force_with_lease: true - name: Save Release files if: always() From 79afffa6dac8e5a438fc74c9ea93b48c73090d92 Mon Sep 17 00:00:00 2001 From: jandroav Date: Tue, 28 Nov 2023 13:17:49 +0100 Subject: [PATCH 04/16] fix(extension-release-prepare.yml): disable persisting credentials to prevent token leakage --- .github/workflows/extension-release-prepare.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/extension-release-prepare.yml b/.github/workflows/extension-release-prepare.yml index 1045185e..203ee352 100644 --- a/.github/workflows/extension-release-prepare.yml +++ b/.github/workflows/extension-release-prepare.yml @@ -24,6 +24,7 @@ jobs: uses: actions/checkout@v4 with: ref: main + persist-credentials: false token: ${{ secrets.BOT_TOKEN }} - name: Set up JDK From 5a34eb512e763e94e4e18d690ecdb5255637ccee Mon Sep 17 00:00:00 2001 From: jandroav Date: Tue, 28 Nov 2023 13:18:19 +0100 Subject: [PATCH 05/16] chore(extension-release-prepare.yml): set fetch-depth to 0 in the GitHub Actions workflow to fetch the complete commit history for the main branch --- .github/workflows/extension-release-prepare.yml | 1 + 1 file changed, 1 insertion(+) 
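Review bot: The new `Push changes` step runs `ad-m/github-push-action@master` and hands it `secrets.BOT_TOKEN`; with a branch ref on a third-party action, any later commit to that branch executes in this release job with the bot's write token. Pin the action to a full commit SHA with the version as a trailing comment, `uses: ad-m/github-push-action@<full-commit-sha> # <version>`. The tag introduced in PATCH 06/16 (`v0.8.0`) narrows this but is still a movable ref.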
diff --git a/.github/workflows/extension-release-prepare.yml b/.github/workflows/extension-release-prepare.yml index 203ee352..8f98bee6 100644 --- a/.github/workflows/extension-release-prepare.yml +++ b/.github/workflows/extension-release-prepare.yml @@ -25,6 +25,7 @@ jobs: with: ref: main persist-credentials: false + fetch-depth: 0 token: ${{ secrets.BOT_TOKEN }} - name: Set up JDK From 68a7a0dd2f8ab59a2d82d517a1becd4453dac0e4 Mon Sep 17 00:00:00 2001 From: jandroav Date: Tue, 28 Nov 2023 13:24:02 +0100 Subject: [PATCH 06/16] chore(extension-release-prepare.yml): update ad-m/github-push-action to v0.8.0 to ensure compatibility with the latest version chore(extension-release-prepare.yml): set branch to main in the github-push-action step to push changes to the main branch --- .github/workflows/extension-release-prepare.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/extension-release-prepare.yml b/.github/workflows/extension-release-prepare.yml index 8f98bee6..c087889a 100644 --- a/.github/workflows/extension-release-prepare.yml +++ b/.github/workflows/extension-release-prepare.yml @@ -97,10 +97,11 @@ jobs: -DcheckModificationExcludeList=pom.xml -DpushChanges=false - name: Push changes - uses: ad-m/github-push-action@master + uses: ad-m/github-push-action@v0.8.0 with: github_token: ${{ secrets.BOT_TOKEN }} force_with_lease: true + branch: main - name: Save Release files if: always() From 3e2bee2d88ca93df6aa175b0af6622eb06d7901d Mon Sep 17 00:00:00 2001 
From: jandroav Date: Tue, 28 Nov 2023 13:27:59 +0100 Subject: [PATCH 07/16] fix(extension-release-prepare.yml): change the branch name from 'main' to '${{ github.head_ref }}' to dynamically use the current branch name fix(extension-release-prepare.yml): add the 'repository' parameter to the 'checkout' action to ensure the correct repository is used feat(extension-release-prepare.yml): add the 'force' and 'tags' parameters to the 'push' action to force push and push tags --- .github/workflows/extension-release-prepare.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/.github/workflows/extension-release-prepare.yml b/.github/workflows/extension-release-prepare.yml index c087889a..e16f97dc 100644 --- a/.github/workflows/extension-release-prepare.yml +++ b/.github/workflows/extension-release-prepare.yml @@ -23,7 +23,7 @@ jobs: - name: Checkout code uses: actions/checkout@v4 with: - ref: main + ref: ${{ github.head_ref }} persist-credentials: false fetch-depth: 0 token: ${{ secrets.BOT_TOKEN }} @@ -101,7 +101,10 @@ jobs: with: github_token: ${{ secrets.BOT_TOKEN }} force_with_lease: true - branch: main + branch: ${{ github.head_ref }} + repository: ${{ github.repository }} + force: true + tags: true - name: Save Release files if: always() From a3604cb661be585caae717372ed76be450484d21 Mon Sep 17 00:00:00 2001 From: jandroav Date: Tue, 28 Nov 2023 13:29:35 +0100 Subject: [PATCH 08/16] chore(extension-release-prepare.yml): remove unused GITHUB_TOKEN environment variable fix(extension-release-prepare.yml): update GITHUB_TOKEN reference to use secrets.BOT_TOKEN for security reasons --- .github/workflows/extension-release-prepare.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/.github/workflows/extension-release-prepare.yml b/.github/workflows/extension-release-prepare.yml index e16f97dc..0cfb3a94 100644 --- a/.github/workflows/extension-release-prepare.yml +++ b/.github/workflows/extension-release-prepare.yml 
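Review bot: In the second hunk of PATCH 07/16 the push step sets `force: true` next to `force_with_lease: true` and adds `tags: true`, all with the bot token; an unconditional force push can overwrite remote history and existing tags, which is the outcome the lease option is meant to prevent. I would drop `force: true` (PATCH 10/16 does so later) and keep only `force_with_lease: true`. Separately, `${{ github.head_ref }}` in both hunks is only populated on pull-request events, so on other triggers `ref` and `branch` would presumably be empty; a fallback such as `${{ github.head_ref || github.ref_name }}` or a comment stating the expected trigger would make that explicit.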
@@ -17,8 +17,7 @@ jobs: prepare-release: name: Prepare release runs-on: ubuntu-latest - env: - GITHUB_TOKEN: ${{ secrets.BOT_TOKEN }} + steps: - name: Checkout code uses: actions/checkout@v4 @@ -92,7 +91,7 @@ jobs: - name: Prepare Maven Release run: | mvn -B build-helper:parse-version release:clean release:prepare \ - -Darguments="-Dusername=liquibot -Dpassword=$GITHUB_TOKEN -Dmaven.javadoc.skip=true -Dmaven.test.skipTests=true -Dmaven.test.skip=true -Dmaven.deploy.skip=true" \ + -Darguments="-Dusername=liquibot -Dpassword=${{ secrets.BOT_TOKEN }} -Dmaven.javadoc.skip=true -Dmaven.test.skipTests=true -Dmaven.test.skip=true -Dmaven.deploy.skip=true" \ -DdevelopmentVersion=\${parsedVersion.majorVersion}.\${parsedVersion.nextMinorVersion}.0-SNAPSHOT -DnewVersion=\${parsedVersion.majorVersion}.\${parsedVersion.nextMinorVersion}.\${parsedVersion.incrementalVersion} \ -DcheckModificationExcludeList=pom.xml -DpushChanges=false From 9762d3aadb14c3d2578fdcda17eb446b23717da3 Mon Sep 17 00:00:00 2001 From: jandroav Date: Tue, 28 Nov 2023 13:29:51 +0100 Subject: [PATCH 09/16] chore(extension-release-prepare.yml): update git user email and name configuration to use local scope for better isolation --- .github/workflows/extension-release-prepare.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/extension-release-prepare.yml b/.github/workflows/extension-release-prepare.yml index 0cfb3a94..9d838bc5 100644 --- a/.github/workflows/extension-release-prepare.yml +++ b/.github/workflows/extension-release-prepare.yml @@ -82,6 +82,8 @@ jobs: run: | git config user.name "liquibot" git config user.email "64099989+liquibot@users.noreply.github.com" + git config --local user.email "64099989+liquibot@users.noreply.github.com" + git config --local user.name "liquibot" - name: Run extra command if: inputs.extraCommand != '' From 5f025d47408372d949f8e61f1c9d25bffdfbafb1 Mon Sep 17 00:00:00 2001 
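Review bot: In the `Prepare Maven Release` hunk of PATCH 08/16, `-Dpassword=${{ secrets.BOT_TOKEN }}` expands the secret into the script text before the shell runs, so any shell metacharacter in the value is interpreted and the token is written into the generated script; the `$GITHUB_TOKEN` form it replaces, read from the environment, was the safer of the two. I would keep the secret in a step-level `env:` entry, `BOT_TOKEN: ${{ secrets.BOT_TOKEN }}`, and reference it as `-Dpassword=$BOT_TOKEN` inside the quoted `-Darguments` string. The same substitution is made in the rollback workflow in PATCH 16/16. Either way the token is passed as a process argument to `mvn`, which other processes on the runner can read, so a comment noting that trade-off would help the next maintainer.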
From: jandroav Date: Tue, 28 Nov 2023 13:52:22 +0100 Subject: [PATCH 10/16] chore(extension-release-prepare.yml): remove unnecessary force flag from the push step to prevent accidental force push --- .github/workflows/extension-release-prepare.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/extension-release-prepare.yml b/.github/workflows/extension-release-prepare.yml index 9d838bc5..b7bef7ce 100644 --- a/.github/workflows/extension-release-prepare.yml +++ b/.github/workflows/extension-release-prepare.yml @@ -104,7 +104,6 @@ jobs: force_with_lease: true branch: ${{ github.head_ref }} repository: ${{ github.repository }} - force: true tags: true - name: Save Release files From 2d306f5691767dc38e0d1e5c12b39c232e7944cf Mon Sep 17 00:00:00 2001 From: jandroav Date: Tue, 28 Nov 2023 14:06:11 +0100 Subject: [PATCH 11/16] chore(extension-release-prepare.yml): remove unnecessary git configuration for user name and email chore(extension-release-prepare.yml): remove unused push changes step --- .github/workflows/extension-release-prepare.yml | 13 +------------ 1 file changed, 1 insertion(+), 12 deletions(-) diff --git a/.github/workflows/extension-release-prepare.yml b/.github/workflows/extension-release-prepare.yml index b7bef7ce..1886d0e7 100644 --- a/.github/workflows/extension-release-prepare.yml +++ b/.github/workflows/extension-release-prepare.yml @@ -80,8 +80,6 @@ jobs: - name: Configure Git run: | - git config user.name "liquibot" - git config user.email "64099989+liquibot@users.noreply.github.com" git config --local user.email "64099989+liquibot@users.noreply.github.com" git config --local user.name "liquibot" 
@@ -95,16 +93,7 @@ jobs: mvn -B build-helper:parse-version release:clean release:prepare \ -Darguments="-Dusername=liquibot -Dpassword=${{ secrets.BOT_TOKEN }} -Dmaven.javadoc.skip=true -Dmaven.test.skipTests=true -Dmaven.test.skip=true -Dmaven.deploy.skip=true" \ -DdevelopmentVersion=\${parsedVersion.majorVersion}.\${parsedVersion.nextMinorVersion}.0-SNAPSHOT -DnewVersion=\${parsedVersion.majorVersion}.\${parsedVersion.nextMinorVersion}.\${parsedVersion.incrementalVersion} \ - -DcheckModificationExcludeList=pom.xml -DpushChanges=false - - - name: Push changes - uses: ad-m/github-push-action@v0.8.0 - with: - github_token: ${{ secrets.BOT_TOKEN }} - force_with_lease: true - branch: ${{ github.head_ref }} - repository: ${{ github.repository }} - tags: true + -DcheckModificationExcludeList=pom.xml - name: Save Release files if: always() From 9315b273fc304fec7de16d73057473e550dca283 Mon Sep 17 00:00:00 2001 From: jandroav Date: Tue, 28 Nov 2023 14:16:44 +0100 Subject: [PATCH 12/16] fix(extension-release-prepare.yml): change checkout ref from github.head_ref to "main" to ensure consistent behavior --- .github/workflows/extension-release-prepare.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/extension-release-prepare.yml b/.github/workflows/extension-release-prepare.yml index 1886d0e7..1aaf17aa 100644 --- a/.github/workflows/extension-release-prepare.yml +++ b/.github/workflows/extension-release-prepare.yml @@ -22,7 +22,7 @@ jobs: - name: Checkout code uses: actions/checkout@v4 with: - ref: ${{ github.head_ref }} + ref: main persist-credentials: false fetch-depth: 0 token: ${{ secrets.BOT_TOKEN }} From 92bb4ba053fbfd5b4205f481c54e9408ee370996 Mon Sep 17 00:00:00 2001 
From: jandroav Date: Tue, 28 Nov 2023 14:25:09 +0100 Subject: [PATCH 13/16] chore(extension-release-prepare.yml): remove unnecessary options from the checkout action The `persist-credentials` and `fetch-depth` options were removed from the checkout action as they were not needed. --- .github/workflows/extension-release-prepare.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/extension-release-prepare.yml b/.github/workflows/extension-release-prepare.yml index 1aaf17aa..73c3c95c 100644 --- a/.github/workflows/extension-release-prepare.yml +++ b/.github/workflows/extension-release-prepare.yml @@ -23,8 +23,6 @@ jobs: uses: actions/checkout@v4 with: ref: main - persist-credentials: false - fetch-depth: 0 token: ${{ secrets.BOT_TOKEN }} - name: Set up JDK From 2fe414331847b13eec02df3478777c353726647c Mon Sep 17 00:00:00 2001 From: jandroav Date: Tue, 28 Nov 2023 14:25:38 +0100 Subject: [PATCH 14/16] chore(extension-release-prepare.yml): add GITHUB_TOKEN environment variable to the prepare-release job to enable authentication for GitHub API requests --- .github/workflows/extension-release-prepare.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/extension-release-prepare.yml b/.github/workflows/extension-release-prepare.yml index 73c3c95c..12862f00 100644 --- a/.github/workflows/extension-release-prepare.yml +++ b/.github/workflows/extension-release-prepare.yml @@ -17,6 +17,8 @@ jobs: prepare-release: name: Prepare release runs-on: ubuntu-latest + env: + GITHUB_TOKEN: ${{ secrets.BOT_TOKEN }} steps: - name: Checkout code From a72959c4d61afab1ab8835157b290cacec5beccf Mon Sep 17 00:00:00 2001 
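Review bot: The job-level `env:` block added in PATCH 14/16 exports the bot token as `GITHUB_TOKEN` to every step of `prepare-release`, not only the one that needs it; that includes `Run extra command`, which appears to execute the caller-supplied `inputs.extraCommand`. Since the Maven step reads `${{ secrets.BOT_TOKEN }}` directly after PATCH 08/16, the visible lines do not show which step consumes this variable. I would move it to a step-level `env:` on the consuming step and add a comment naming that consumer, e.g. `# read by <step name> for <purpose>`.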
From: jandroav Date: Tue, 28 Nov 2023 14:36:38 +0100 Subject: [PATCH 15/16] chore(extension-release-prepare.yml): update liquibase/build-logic version to v0.5.7 in release-rollback job chore(extension-release-published.yml): update liquibase/build-logic version to v0.5.7 in maven-release job --- .github/workflows/extension-release-prepare.yml | 2 +- .github/workflows/extension-release-published.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/extension-release-prepare.yml b/.github/workflows/extension-release-prepare.yml index 12862f00..8ead6929 100644 --- a/.github/workflows/extension-release-prepare.yml +++ b/.github/workflows/extension-release-prepare.yml @@ -107,7 +107,7 @@ jobs: release-rollback: needs: prepare-release if: ${{ always() && contains(needs.*.result, 'failure') }} - uses: liquibase/build-logic/.github/workflows/extension-release-rollback.yml@DAT-16350 + uses: liquibase/build-logic/.github/workflows/extension-release-rollback.yml@v0.5.7 secrets: inherit with: extraCommand: ${{ inputs.extraCommand }} diff --git a/.github/workflows/extension-release-published.yml b/.github/workflows/extension-release-published.yml index ce18bd2f..308e498b 100644 --- a/.github/workflows/extension-release-published.yml +++ b/.github/workflows/extension-release-published.yml @@ -134,7 +134,7 @@ jobs: maven-release: needs: release - uses: liquibase/build-logic/.github/workflows/extension-release-prepare.yml@DAT-16350 + uses: liquibase/build-logic/.github/workflows/extension-release-prepare.yml@v0.5.7 secrets: inherit with: extraCommand: ${{ inputs.extraCommand }} \ No newline at end of file From 0f2be6bf0a4790f86914a170f51c49478dd20091 Mon Sep 17 00:00:00 2001 
From: jandroav Date: Tue, 28 Nov 2023 14:52:10 +0100 Subject: [PATCH 16/16] fix(extension-release-rollback.yml): update git user email to use GitHub noreply email address for better identification fix(extension-release-rollback.yml): update GitHub token reference to use secrets.BOT_TOKEN for security reasons --- .github/workflows/extension-release-rollback.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/workflows/extension-release-rollback.yml b/.github/workflows/extension-release-rollback.yml index e98d1378..a9a00c81 100644 --- a/.github/workflows/extension-release-rollback.yml +++ b/.github/workflows/extension-release-rollback.yml @@ -25,11 +25,12 @@ jobs: uses: actions/checkout@v4 with: ref: main + token: ${{ secrets.BOT_TOKEN }} - name: Configure Git run: | - git config user.name "liquibot" - git config user.email "liquibot@liquibase.org" + git config --local user.email "64099989+liquibot@users.noreply.github.com" + git config --local user.name "liquibot" - name: Set up JDK uses: actions/setup-java@v3 @@ -95,6 +96,6 @@ jobs: - name: Perform Maven Release Rollback run: | mvn -B versions:revert release:rollback \ - -Darguments="-Dusername=liquibot -Dpassword=$GITHUB_TOKEN -Dmaven.javadoc.skip=true -Dmaven.test.skipTests=true -Dmaven.test.skip=true -Dmaven.deploy.skip=true" \ + -Darguments="-Dusername=liquibot -Dpassword=${{ secrets.BOT_TOKEN }} -Dmaven.javadoc.skip=true -Dmaven.test.skipTests=true -Dmaven.test.skip=true -Dmaven.deploy.skip=true" \ -DconnectionUrl=scm:git:https://github.com/${{ github.repository }}.git \ -DcheckModificationExcludeList=pom.xml \ No newline at end of file