switch releasing based on tag (#3661)

* switch to run pipeline for tagged releases

* cleanup unused target

* add execution time limit

for when cache is not available

* address review feedback

* fix when release pipeline is triggered

* make it easier to debug

.semaphore/push_images.yml

@@ -53,8 +53,10 @@ blocks:
       jobs:
         - name: Build
           commands:
-            - make cd CONFIRM=true;
-            - make maybe-build-release;
+            - make cd
+          env_vars:
+            - name: CONFIRM
+              value: "true"
 
 promotions:
   - name: Clean Up

.semaphore/release.yml

@@ -0,0 +1,77 @@
+version: v1.0
+
+name: Operator CD
+
+execution_time_limit:
+  hours: 4
+
+agent:
+  machine:
+    type: f1-standard-2
+    os_image: ubuntu2004
+
+global_job_config:
+  secrets:
+    - name: docker-hub
+    - name: oss-release-secrets
+    # Mount the github SSH secret for pulling private repositories.
+    - name: private-repo
+  prologue:
+    commands:
+      - echo $DOCKERHUB_PASSWORD | docker login --username "$DOCKERHUB_USERNAME" --password-stdin
+      # Correct permissions since they are too open by default:
+      - chmod 0600 ~/.keys/*
+      # Add the key to the ssh agent:
+      - ssh-add ~/.keys/*
+      # Free up some space
+      - sudo rm -rf ~/.kiex ~/.phpbrew ~/.rbenv ~/.nvm ~/.kerl
+      # Semaphore mounts a copy-on-write FS as /var/lib/docker in order to provide a pre-loaded cache of
+      # some images. However, the cache is not useful to us and the copy-on-write FS is a big problem given
+      # how much we churn docker containers during testing.  Disable it.
+      - sudo systemctl stop docker
+      - sudo umount /var/lib/docker && sudo killall qemu-nbd || true
+      - sudo systemctl start docker
+      - checkout
+      # Restore all the build specific caches
+      - "cache restore bin-amd64-${SEMAPHORE_GIT_SHA}"
+      - "cache restore go-pkg-cache-amd64-${SEMAPHORE_GIT_SHA}"
+      - "cache restore go-mod-cache-amd64-${SEMAPHORE_GIT_SHA}"
+      - "cache restore bin-arm64-${SEMAPHORE_GIT_SHA}"
+      - "cache restore go-pkg-cache-arm64-${SEMAPHORE_GIT_SHA}"
+      - "cache restore go-mod-cache-arm64-${SEMAPHORE_GIT_SHA}"
+      - "cache restore bin-ppc64le-${SEMAPHORE_GIT_SHA}"
+      - "cache restore go-pkg-cache-ppc64le-${SEMAPHORE_GIT_SHA}"
+      - "cache restore go-mod-cache-ppc64le-${SEMAPHORE_GIT_SHA}"
+      - "cache restore bin-s390x-${SEMAPHORE_GIT_SHA}"
+      - "cache restore go-pkg-cache-s390x-${SEMAPHORE_GIT_SHA}"
+      - "cache restore go-mod-cache-s390x-${SEMAPHORE_GIT_SHA}"
+
+blocks:
+  - name: Release
+    run:
+      when: "tag =~ '^v'"
+    task:
+      secrets:
+        - name: quay-robot-semaphore_v2
+        - name: operator-redhat-connect
+      prologue:
+        commands:
+          - docker login -u="$QUAY_USERNAME" -p="$QUAY_TOKEN" quay.io;
+          - export BRANCH_NAME=$SEMAPHORE_GIT_BRANCH
+      jobs:
+        - name: Publish Release
+          commands:
+            - make release-tag RELEASE_TAG=${SEMAPHORE_GIT_RELEASE_TAG}
+          env_vars:
+            - name: CONFIRM
+              value: "true"
+
+promotions:
+  - name: Clean Up
+    pipeline_file: clean_up.yml
+    # Auto promote to clean up since this likely wasn't promoted from the CI pipeline (since we only promote to the
+    # clean up pipeline if we're not running on master or a release branch).
+    # We only auto promote if the cd has passed, because if it's failed we'll likely just want to run CD again, but if
+    # we've cleared the cache it will take a long time.
+    auto_promote:
+      when: "result = 'passed'"

.semaphore/semaphore.yml

@@ -162,6 +162,10 @@ promotions:
     pipeline_file: push_images.yml
     auto_promote:
       when: "branch =~ 'master|release-.*'"
+  - name: Release
+    pipeline_file: release.yml
+    auto_promote:
+      when: "result = 'passed' AND tag =~ '^v'"
   - name: Clean Up
     pipeline_file: clean_up.yml
     # Don't auto promote if this is master or a release branch so the cache is available for the Push Images pipeline.

Makefile

@@ -501,9 +501,21 @@ endif
 ###############################################################################
 # Release
 ###############################################################################
-## Determines if we are on a tag and if so builds a release.
-maybe-build-release:
-	./hack/maybe-build-release.sh
+VERSION_REGEX := ^v[0-9]+\.[0-9]+\.[0-9]+$$
+release-tag: var-require-all-RELEASE_TAG-GITHUB_TOKEN
+	$(eval VALID_TAG := $(shell echo $(RELEASE_TAG) | grep -Eq "$(VERSION_REGEX)" && echo true))
+	$(if $(VALID_TAG),,$(error $(RELEASE_TAG) is not a valid version. Please use a version in the format vX.Y.Z))
+
+# Skip releasing if the image already exists.
+	@if !$(MAKE) VERSION=$(RELEASE_TAG) release-check-image-exists; then \
+		echo "Images for $(RELEASE_TAG) already exists"; \
+		exit 0; \
+	fi
+
+	$(MAKE) release VERSION=$(RELEASE_TAG)
+	$(MAKE) release-publish-images VERSION=$(RELEASE_TAG)
+	$(MAKE) release-github VERSION=$(RELEASE_TAG)
+
 
 release-notes: var-require-all-VERSION-GITHUB_TOKEN clean
 	@docker build -t tigera/release-notes -f build/Dockerfile.release-notes .
@@ -552,23 +564,6 @@ release-publish-images: release-prereqs release-check-image-exists
 	# Push images.
 	$(MAKE) push-all push-manifests push-non-manifests RELEASE=true IMAGETAG=$(VERSION)
 
-## Pushes a github release and release artifacts produced by `make release-build`.
-release-publish: release-prereqs
-	# Push the git tag.
-	git push origin $(VERSION)
-
-	$(MAKE) release-publish-images IMAGETAG=$(VERSION)
-	$(MAKE) release-github
-
-	@echo "Finalize the GitHub release based on the pushed tag."
-	@echo ""
-	@echo "  https://$(PACKAGE_NAME)/releases/tag/$(VERSION)"
-	@echo ""
-	@echo "If this is the latest stable release, then run the following to push 'latest' images."
-	@echo ""
-	@echo "  make VERSION=$(VERSION) release-publish-latest"
-	@echo ""
-
 release-github: hack/bin/gh release-notes
 	@echo "Creating github release for $(VERSION)"
 	hack/bin/gh release create $(VERSION) --title $(VERSION) --draft --notes-file $(VERSION)-release-notes.md