forked from wso2/reference-implementations-afm
-
Notifications
You must be signed in to change notification settings - Fork 0
228 lines (200 loc) · 7.56 KB
/
release-common.yml
File metadata and controls
228 lines (200 loc) · 7.56 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
name: Release Common
on:
workflow_call:
inputs:
implementation:
description: 'Implementation to release'
required: true
type: string
version:
description: 'Version to release (e.g., 0.3.0)'
required: true
type: string
branch:
description: 'Branch to release from'
required: true
type: string
update_latest:
description: 'Whether to update :latest Docker tag'
required: false
default: false
type: boolean
is_rerelease:
description: 'Whether this is a re-release'
required: false
default: false
type: boolean
env:
# Allowed implementations - update this list when adding new implementations
ALLOWED_IMPLEMENTATIONS: ballerina-interpreter langchain-interpreter
jobs:
release:
runs-on: ubuntu-latest
permissions:
contents: write
packages: write
security-events: write
steps:
- name: Validate inputs
env:
IMPLEMENTATION: ${{ inputs.implementation }}
VERSION: ${{ inputs.version }}
BRANCH: ${{ inputs.branch }}
run: |
# Validate implementation is in allowed list
if [[ ! " $ALLOWED_IMPLEMENTATIONS " =~ " $IMPLEMENTATION " ]]; then
echo "::error::Unknown implementation: $IMPLEMENTATION. Allowed: $ALLOWED_IMPLEMENTATIONS"
exit 1
fi
# Validate version format
if [[ ! "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
echo "::error::Version must be in format X.Y.Z, got: $VERSION"
exit 1
fi
# Validate branch format
if [[ ! "$BRANCH" =~ ^[a-zA-Z0-9._/-]+$ ]]; then
echo "::error::Invalid branch name: $BRANCH"
exit 1
fi
- name: Checkout repository
uses: actions/checkout@v4
with:
ref: ${{ inputs.branch }}
fetch-depth: 0
- name: Set up Ballerina
if: inputs.implementation == 'ballerina-interpreter'
uses: ballerina-platform/setup-ballerina@v1.1.3
with:
version: 2201.12.10
- name: Build and test (Ballerina)
if: inputs.implementation == 'ballerina-interpreter'
env:
IMPLEMENTATION: ${{ inputs.implementation }}
working-directory: ${{ inputs.implementation }}
run: |
bal build
bal test
- name: Install uv
if: inputs.implementation == 'langchain-interpreter'
uses: astral-sh/setup-uv@v5
with:
enable-cache: true
- name: Build and test (Python)
if: inputs.implementation == 'langchain-interpreter'
env:
IMPLEMENTATION: ${{ inputs.implementation }}
working-directory: ${{ inputs.implementation }}
run: |
uv sync --dev
uv run pytest
- name: Create release branch
env:
IMPLEMENTATION: ${{ inputs.implementation }}
VERSION: ${{ inputs.version }}
run: |
git config user.name "github-actions[bot]"
git config user.email "github-actions[bot]@users.noreply.github.com"
git checkout -b "release-$IMPLEMENTATION-$VERSION"
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Login to GHCR
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Determine Docker tags
id: docker-tags
env:
OWNER: ${{ github.repository_owner }}
IMPLEMENTATION: ${{ inputs.implementation }}
VERSION: ${{ inputs.version }}
UPDATE_LATEST: ${{ inputs.update_latest }}
run: |
# GHCR requires lowercase repository names
OWNER_LOWER=$(echo "$OWNER" | tr '[:upper:]' '[:lower:]')
IMAGE_NAME="ghcr.io/$OWNER_LOWER/afm-$IMPLEMENTATION"
TAGS="$IMAGE_NAME:v$VERSION"
if [ "$UPDATE_LATEST" = "true" ]; then
TAGS="$TAGS,$IMAGE_NAME:latest"
fi
echo "TAGS=$TAGS" >> $GITHUB_OUTPUT
echo "IMAGE_NAME=$IMAGE_NAME" >> $GITHUB_OUTPUT
- name: Build and push Docker image
uses: docker/build-push-action@v5
with:
context: ${{ inputs.implementation }}
push: true
platforms: linux/amd64,linux/arm64
tags: ${{ steps.docker-tags.outputs.TAGS }}
labels: |
org.opencontainers.image.source=https://github.com/${{ github.repository }}
org.opencontainers.image.version=${{ inputs.version }}
org.opencontainers.image.revision=${{ github.sha }}
org.opencontainers.image.title=AFM ${{ inputs.implementation }}
org.opencontainers.image.licenses=Apache-2.0
annotations: |
index:org.opencontainers.image.source=https://github.com/${{ github.repository }}
index:org.opencontainers.image.licenses=Apache-2.0
- name: Scan Docker image for vulnerabilities
uses: aquasecurity/trivy-action@0.33.1
with:
image-ref: ${{ steps.docker-tags.outputs.IMAGE_NAME }}:v${{ inputs.version }}
format: 'sarif'
output: 'trivy-results.sarif'
severity: 'CRITICAL,HIGH'
limit-severities-for-sarif: true
exit-code: '1'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v4
if: always()
with:
sarif_file: 'trivy-results.sarif'
- name: Create tag and push release branch
env:
IMPLEMENTATION: ${{ inputs.implementation }}
VERSION: ${{ inputs.version }}
run: |
git tag "$IMPLEMENTATION-v$VERSION"
git push origin "release-$IMPLEMENTATION-$VERSION"
git push origin "$IMPLEMENTATION-v$VERSION"
- name: Generate release notes
env:
IMPLEMENTATION: ${{ inputs.implementation }}
VERSION: ${{ inputs.version }}
IS_RERELEASE: ${{ inputs.is_rerelease }}
run: |
# Find previous tag for this implementation (exclude current version since tag was just created)
PREV_TAG=$(git tag -l "$IMPLEMENTATION-v*" --sort=-v:refname | grep -v "^$IMPLEMENTATION-v$VERSION$" | head -1)
# Generate notes from commits that touched this implementation
if [ -n "$PREV_TAG" ]; then
echo "Generating notes since $PREV_TAG"
COMMITS=$(git log "$PREV_TAG..HEAD" --oneline -- "$IMPLEMENTATION/" | head -50)
else
echo "No previous tag found, using recent commits"
COMMITS=$(git log --oneline -50 -- "$IMPLEMENTATION/")
fi
# Format notes
RERELEASE_NOTE=""
if [ "$IS_RERELEASE" = "true" ]; then
RERELEASE_NOTE="
_Re-released version_"
fi
if [ -n "$COMMITS" ]; then
NOTES="## Changes in $IMPLEMENTATION
$COMMITS$RERELEASE_NOTE"
else
NOTES="## Changes in $IMPLEMENTATION
No changes detected in this implementation directory.$RERELEASE_NOTE"
fi
echo "$NOTES" > release_notes.md
- name: Create GitHub Release
env:
GH_TOKEN: ${{ github.token }}
TAG: ${{ inputs.implementation }}-v${{ inputs.version }}
IMPLEMENTATION: ${{ inputs.implementation }}
VERSION: ${{ inputs.version }}
run: |
gh release create "$TAG" \
--title "$IMPLEMENTATION v$VERSION" \
--notes-file release_notes.md