Deterministic Tag Generator Workflow #4299
Description
Task: Generate a GitHub Actions workflow file at .github/workflows/tag.yaml that creates a Git tag for the Azure/azure-container-networking repository.
Context — branch/tag naming convention:
Valid tags must match one of these regexes exactly:
Requirements:
Trigger:
workflow_dispatchonly. The workflow must be manually triggered from a branch namedrelease/v*orrelease/<component>/v*. The branch name is the sole source of truth for both the component and the version — do not add separate user inputs for those values; derive them entirely fromgithub.ref_nameat runtime.Authorization / security — only select team members may run this:
- Assign the single job to a GitHub Environment named
release. Configure that environment (outside this file, via GitHub settings) with required reviewers set to the@azure/acn-adminsteam. This is the GitHub-native, audit-logged mechanism for restricting who can approve a manual deployment/tag push. - Additionally, inside the job, fail early with a clear error message if
github.ref_namedoes not start withrelease/. This prevents the workflow from being run from an arbitrary branch. - Grant the workflow only the minimum required permissions:
contents: write(to push the tag). No other permissions.
- Assign the single job to a GitHub Environment named
Steps (in order):
a. Derive the tag fromgithub.ref_nameby stripping the leadingrelease/prefix. Store into$GITHUB_OUTPUTastag.
b. Validate the tag against the allowed regex patterns listed above. Fail with a descriptive error if no pattern matches.
c. Check the tag does not already exist (git ls-remote --tags origin "<tag>"). Fail if it does, to prevent accidental overwrites.
d. Checkout the branch usingactions/checkout@v4withfetch-depth: 0.
e. Create and push the tag usinggit tagandgit push origin <tag>. Use theGITHUB_TOKENfrom the default token — no PAT needed sincecontents: writeis sufficient for tagging.
f. Print a summary to$GITHUB_STEP_SUMMARYconfirming the tag that was created and the SHA it points to.Style / conventions:
- Mirror the style of release.yaml in this repository (YAML formatting,
runs-on: ubuntu-latest, shell scripts usingbash,set -euo pipefail). - Use
git config user.name "github-actions[bot]"andgit config user.email "github-actions[bot]@users.noreply.github.com"before tagging. - Do not use any third-party actions beyond
actions/checkout. - Add a comment block at the top of the file explaining how to trigger the workflow (create a
release/v*orrelease/<component>/v*branch, then run the workflow from it) and how to configure thereleaseenvironment in GitHub settings.
- Mirror the style of release.yaml in this repository (YAML formatting,
Deliverable: The complete .github/workflows/tag.yaml file, ready to commit. No other files should be created or modified. After writing the file, check it for YAML syntax errors and GitHub Actions schema issues and fix any found.
Context — branch/tag naming convention:
Source branch Tag to create
release/v1.2.3 v1.2.3
release/azure-ipam/v1.2.3 azure-ipam/v1.2.3
release/dropgz/v1.2.3 dropgz/v1.2.3
release/ipv6-hp-bpf/v1.2.3 ipv6-hp-bpf/v1.2.3
release/azure-block-iptables/v1.2.3 azure-block-iptables/v1.2.3
release/azure-ip-masq-merger/v1.2.3 azure-ip-masq-merger/v1.2.3
release/azure-iptables-monitor/v1.2.3 azure-iptables-monitor/v1.2.3
release/cilium-log-collector/v1.2.3 cilium-log-collector/v1.2.3
Valid tags must match one of these regexes exactly:
Requirements:
Trigger: workflow_dispatch only. The workflow must be manually triggered from a branch named release/v* or release//v*. The branch name is the sole source of truth for both the component and the version — do not add separate user inputs for those values; derive them entirely from github.ref_name at runtime.
Authorization / security — only select team members may run this:
Assign the single job to a GitHub Environment named release. Configure that environment (outside this file, via GitHub settings) with required reviewers set to the @azure/acn-admins team. This is the GitHub-native, audit-logged mechanism for restricting who can approve a manual deployment/tag push.
Additionally, inside the job, fail early with a clear error message if github.ref_name does not start with release/. This prevents the workflow from being run from an arbitrary branch.
Grant the workflow only the minimum required permissions: contents: write (to push the tag). No other permissions.
Steps (in order):
a. Derive the tag from github.ref_name by stripping the leading release/ prefix. Store into $GITHUB_OUTPUT as tag.
b. Validate the tag against the allowed regex patterns listed above. Fail with a descriptive error if no pattern matches.
c. Check the tag does not already exist (git ls-remote --tags origin ""). Fail if it does, to prevent accidental overwrites.
d. Checkout the branch using actions/checkout@v4 with fetch-depth: 0.
e. Create and push the tag using git tag and git push origin . Use the GITHUB_TOKEN from the default token — no PAT needed since contents: write is sufficient for tagging.
f. Print a summary to $GITHUB_STEP_SUMMARY confirming the tag that was created and the SHA it points to.
Style / conventions:
Mirror the style of release.yaml in this repository (YAML formatting, runs-on: ubuntu-latest, shell scripts using bash, set -euo pipefail).
Use git config user.name "github-actions[bot]" and git config user.email "github-actions[bot]@users.noreply.github.com" before tagging.
Do not use any third-party actions beyond actions/checkout.
Add a comment block at the top of the file explaining how to trigger the workflow (create a release/v* or release//v* branch, then run the workflow from it) and how to configure the release environment in GitHub settings.
Deliverable: The complete .github/workflows/tag.yaml file, ready to commit. No other files should be created or modified. After writing the file, check it for YAML syntax errors and GitHub Actions schema issues and fix any found.