From be1e5a715687ec2137ddcc64ecb3016a3eeea628 Mon Sep 17 00:00:00 2001
From: Arjun Raja Yogidas
Date: Thu, 25 Sep 2025 20:31:35 +0000
Subject: [PATCH 1/3] feat: trigger toolbox rlease on upstream release
Signed-off-by: Arjun Raja Yogidas
---
.github/workflows/release-automation.yaml | 47 +++++++++++++++++++++++
1 file changed, 47 insertions(+)
diff --git a/.github/workflows/release-automation.yaml b/.github/workflows/release-automation.yaml
index d5684a7e3..ff9d2d7c0 100644
--- a/.github/workflows/release-automation.yaml
+++ b/.github/workflows/release-automation.yaml
@@ -121,3 +121,50 @@ jobs:
 # Upload to S3
 aws s3 cp latest-version.json s3://${{ secrets.ARTIFACT_BUCKET_NAME }}/manifest/latest-version.json --content-type "application/json"
+
+ upload-release-definition-to-s3:
+ needs:
+ - get-latest-tag
+ - upload-pkg-and-dependency-source-code-to-release
+ - upload-msi-to-release
+ runs-on: ubuntu-latest
+ permissions:
+ id-token: write
+ contents: read
+ steps:
+ - name: Configure AWS credentials
+ uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # v5.0.0
+ with:
+ role-to-assume: ${{ secrets.TOOLBOX_TRIGGER_ROLE }}
+ role-session-name: upload-release-definition-to-s3
+ aws-region: ${{ secrets.TOOLBOX_TRIGGER_REGION }}
+
+ - name: Create and upload release definition to S3
+ run: |
+ # Extract version without 'v' prefix for filename
+ VERSION="${{ needs.get-latest-tag.outputs.tag }}"
+ VERSION_NO_V="${VERSION#v}"
+
+ # Create release definition JSON file
+ cat > "release-def-${VERSION_NO_V}.json" << EOF
+ {
+ "tag_name": "${{ needs.get-latest-tag.outputs.tag }}",
+ "source_s3uri": "s3://finch-installer-private/",
+ "source_access_role": "arn:aws:iam::090529234398:role/BundlerRole",
+ "assets": [
+ {
+ "name": "Finch-${{ needs.get-latest-tag.outputs.tag }}-aarch64.pkg",
+ "os": "mac",
+ "architecture": "aarch64"
+ },
+ {
+ "name": "Finch-${{ needs.get-latest-tag.outputs.tag }}-x86_64.pkg",
+ "os": "mac",
+ "architecture": "x86_64"
+ }
+ ]
+ }
+ EOF
+
+ # Upload to S3
+ aws s3 cp "release-def-${VERSION_NO_V}.json" s3://${{ secrets.TOOLBOX_TRIGGER_BUCKET }}/manifest/release-def-${VERSION_NO_V}.json --content-type "application/json"
From 3ea0984e2ba912b4248cf21a53a7c5b1118a7e5c Mon Sep 17 00:00:00 2001
From: Arjun Raja Yogidas
Date: Tue, 30 Sep 2025 20:33:13 +0000
Subject: [PATCH 2/3] chore: test simple file
Signed-off-by: Arjun Raja Yogidas
---
.github/workflows/release-automation.yaml | 109 +--------------------
1 file changed, 4 insertions(+), 105 deletions(-)
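Review bot: The `run:` step expands `${{ needs.get-latest-tag.outputs.tag }}` inline, once in `VERSION="${{ … }}"` and again in three heredoc fields, so the value is substituted into the script text before bash sees it and is then pasted into JSON with no escaping; a tag containing a quote, backslash or shell metacharacter breaks the document or the script. Passing the value through `env:` and reading it as `"$TAG"` keeps it out of the script text, and building the file with `jq --arg` (available on ubuntu-latest runners) yields valid JSON for any tag. The tag comes from the repository's own get-previous-tag step, so exposure is limited to what a tag author can push, but the pattern is the one GitHub's hardening guide names as script injection. The rewritten step follows; the `aws s3 cp` line is unchanged.
```yaml
      - name: Create and upload release definition to S3
        env:
          TAG: ${{ needs.get-latest-tag.outputs.tag }}
        run: |
          # Extract version without 'v' prefix for filename
          VERSION="$TAG"
          VERSION_NO_V="${VERSION#v}"

          # Build the release definition with jq so the tag is JSON-escaped
          # instead of being pasted into a heredoc
          jq -n --arg tag "$VERSION" '{
            tag_name: $tag,
            source_s3uri: "s3://finch-installer-private/",
            source_access_role: "arn:aws:iam::090529234398:role/BundlerRole",
            assets: [
              { name: ("Finch-" + $tag + "-aarch64.pkg"), os: "mac", architecture: "aarch64" },
              { name: ("Finch-" + $tag + "-x86_64.pkg"), os: "mac", architecture: "x86_64" }
            ]
          }' > "release-def-${VERSION_NO_V}.json"

          # … unchanged: aws s3 cp upload …
```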
diff --git a/.github/workflows/release-automation.yaml b/.github/workflows/release-automation.yaml
index ff9d2d7c0..56f4453d2 100644
--- a/.github/workflows/release-automation.yaml
+++ b/.github/workflows/release-automation.yaml
@@ -2,6 +2,9 @@ name: Release Finch latest version
 on:
 workflow_dispatch:
 workflow_call:
+ pull_request:
+ branches:
+ - main
 jobs:
 get-latest-tag:
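Review bot: The new `pull_request:` trigger on `main` makes this release workflow run on every pull request, and the `upload-release-definition-to-s3` job that survives the next hunk keeps `id-token: write` and assumes an AWS role, so a PR from a branch in this repository would publish a release definition to the bucket for whatever tag get-latest-tag resolves on that ref. Fork PRs normally get a read-only token and no secrets and should fail at credential configuration, but that depends on repository settings rather than on anything in this file. If the trigger exists only for testing, as the subject suggests, it should be removed before merge; if it is meant to stay, gate the publishing steps with `if: github.event_name != 'pull_request'` so a PR run only validates the workflow.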
@@ -19,114 +22,10 @@ jobs:
 - name: 'Get the latest tag'
 id: latest-tag
 uses: "WyriHaximus/github-action-get-previous-tag@04e8485ecb6487243907e330d522ff60f02283ce" # v1.4.0
-
- build-and-test-finch-pkg:
- needs: get-latest-tag
- uses: ./.github/workflows/build-and-test-pkg.yaml
- secrets: inherit
- with:
- ref_name: ${{ needs.get-latest-tag.outputs.tag }}
-
- upload-pkg-and-dependency-source-code-to-release:
- needs:
- - get-latest-tag
- - build-and-test-finch-pkg
- uses: ./.github/workflows/upload-installer-to-release.yaml
- permissions:
- # This is required for configure-aws-credentials to request an OIDC JWT ID token to access AWS resources later on.
- # More info: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#adding-permissions-settings
- id-token: write
- contents: write # this is used to upload to the release
- secrets: inherit
- with:
- ref_name: ${{ needs.get-latest-tag.outputs.tag }}
-
- build-and-test-finch-msi:
- needs: get-latest-tag
- uses: ./.github/workflows/build-and-test-msi.yaml
- permissions:
- # This is required for configure-aws-credentials to request an OIDC JWT ID token to access AWS resources later on.
- # More info: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#adding-permissions-settings
- id-token: write
- contents: read # this is required for actions/checkout
- secrets: inherit
- with:
- ref_name: ${{ needs.get-latest-tag.outputs.tag }}
-
- upload-msi-to-release:
- needs:
- - get-latest-tag
- - build-and-test-finch-msi
- uses: ./.github/workflows/upload-msi-to-release.yaml
- permissions:
- # This is required for configure-aws-credentials to request an OIDC JWT ID token to access AWS resources later on.
- # More info: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#adding-permissions-settings
- id-token: write
- contents: read # this is required for actions/checkout
- secrets: inherit
- with:
- ref_name: ${{ needs.get-latest-tag.outputs.tag }}
-
- build-and-test-finch-deb:
- needs: get-latest-tag
- uses: ./.github/workflows/build-and-test-deb.yaml
- permissions:
- # This is required for configure-aws-credentials to request an OIDC JWT ID token to access AWS resources later on.
- # More info: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#adding-permissions-settings
- id-token: write
- contents: read # this is required for actions/checkout
- secrets: inherit
- with:
- ref_name: ${{ needs.get-latest-tag.outputs.tag }}
-
- upload-deb-to-release:
- needs:
- - get-latest-tag
- - build-and-test-finch-deb
- uses: ./.github/workflows/upload-deb-to-release.yaml
- permissions:
- # This is required for configure-aws-credentials to request an OIDC JWT ID token to access AWS resources later on.
- # More info: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#adding-permissions-settings
- id-token: write
- contents: write # this is required for uploading the release assets
- secrets: inherit
- with:
- ref_name: ${{ needs.get-latest-tag.outputs.tag }}
-
- update-latest-version-in-s3:
- needs:
- - get-latest-tag
- - upload-pkg-and-dependency-source-code-to-release
- - upload-msi-to-release
- runs-on: ubuntu-latest
- permissions:
- id-token: write
- contents: read
- steps:
- - name: Configure AWS credentials
- uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # v5.0.0
- with:
- role-to-assume: ${{ secrets.ROLE }}
- role-session-name: update-latest-version-in-s3
- aws-region: ${{ secrets.REGION }}
-
- - name: Update latest version in S3
- run: |
- # Create latest-version.json with the latest Finch release version to track updates
- cat > latest-version.json << EOF
- {
- "latest_version": "${{ needs.get-latest-tag.outputs.tag }}"
- }
- EOF
-
- # Upload to S3
- aws s3 cp latest-version.json s3://${{ secrets.ARTIFACT_BUCKET_NAME }}/manifest/latest-version.json --content-type "application/json"
-
+
 upload-release-definition-to-s3:
 needs:
 - get-latest-tag
- - upload-pkg-and-dependency-source-code-to-release
- - upload-msi-to-release
 runs-on: ubuntu-latest
 permissions:
 id-token: write
From 1442fe354710b69651f73781f391cccee427148c Mon Sep 17 00:00:00 2001
From: Arjun Raja Yogidas
Date: Thu, 2 Oct 2025 18:12:03 +0000
Subject: [PATCH 3/3] test removed creds
Signed-off-by: Arjun Raja Yogidas
---
.github/workflows/release-automation.yaml | 12 +++++-------
1 file changed, 5 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/release-automation.yaml b/.github/workflows/release-automation.yaml
index 56f4453d2..c68a54a46 100644
--- a/.github/workflows/release-automation.yaml
+++ b/.github/workflows/release-automation.yaml
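Review bot: The surviving `needs:` of `upload-release-definition-to-s3` at the end of this hunk now lists only `get-latest-tag`; the dependencies on `upload-pkg-and-dependency-source-code-to-release` and `upload-msi-to-release` are removed along with the build and upload jobs, so the release definition naming `Finch-<tag>-aarch64.pkg` and `Finch-<tag>-x86_64.pkg` can be published before, or without, those assets existing. If this is temporary scaffolding for testing, a comment such as `# TEMPORARY: build/upload jobs removed for testing, restore before release` above the job would make that visible to whoever reviews the merge; if it is intended, the consumer of `release-def-*.json` must tolerate missing assets, which nothing on this page shows. The file also no longer writes `manifest/latest-version.json`, so anything that still polls that object stops receiving updates.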
@@ -22,7 +22,7 @@ jobs:
 - name: 'Get the latest tag'
 id: latest-tag
 uses: "WyriHaximus/github-action-get-previous-tag@04e8485ecb6487243907e330d522ff60f02283ce" # v1.4.0
-
+
 upload-release-definition-to-s3:
 needs:
 - get-latest-tag
@@ -34,9 +34,9 @@ jobs:
 - name: Configure AWS credentials
 uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # v5.0.0
 with:
- role-to-assume: ${{ secrets.TOOLBOX_TRIGGER_ROLE }}
+ role-to-assume: ${{ vars.AWS_RELEASE_TRIGGER_ROLE }}
 role-session-name: upload-release-definition-to-s3
- aws-region: ${{ secrets.TOOLBOX_TRIGGER_REGION }}
+ aws-region: ${{ vars.AWS_RELEASE_TRIGGER_REGION }}
 - name: Create and upload release definition to S3
 run: |
@@ -47,9 +47,7 @@ jobs:
 # Create release definition JSON file
 cat > "release-def-${VERSION_NO_V}.json" << EOF
 {
- "tag_name": "${{ needs.get-latest-tag.outputs.tag }}",
- "source_s3uri": "s3://finch-installer-private/",
- "source_access_role": "arn:aws:iam::090529234398:role/BundlerRole",
+ "tag_name": "${VERSION}",
 "assets": [
 {
 "name": "Finch-${{ needs.get-latest-tag.outputs.tag }}-aarch64.pkg",
@@ -66,4 +64,4 @@ jobs:
 EOF
 # Upload to S3
- aws s3 cp "release-def-${VERSION_NO_V}.json" s3://${{ secrets.TOOLBOX_TRIGGER_BUCKET }}/manifest/release-def-${VERSION_NO_V}.json --content-type "application/json"
+ aws s3 cp "release-def-${VERSION_NO_V}.json" s3://${{ vars.AWS_RELEASE_TRIGGER_BUCKET }}/manifest/release-def-${VERSION_NO_V}.json --content-type "application/json"
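Review bot: Reading the role ARN and region from `vars` in the `-34,9` hunk (and the bucket name in the last hunk) is the right home for non-confidential configuration, but `${{ vars.X }}` silently evaluates to an empty string when the variable is undefined, so a misspelled or missing variable surfaces only as a credential failure inside configure-aws-credentials; a short guard step such as `test -n "${{ vars.AWS_RELEASE_TRIGGER_ROLE }}" || { echo "AWS_RELEASE_TRIGGER_ROLE is unset"; exit 1; }` before it gives a clear error. Because the ARN is now readable by anyone with repository read access, the trust policy on that role is the only thing limiting who can assume it and should pin the OIDC `sub` claim to this repository and the refs that legitimately release. With the `pull_request` trigger from the previous patch still present, a same-repo PR run would assume the role with these values; that interaction is worth resolving before merge.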
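Review bot: In the `-47,9` hunk `tag_name` now takes the shell variable `${VERSION}`, but the asset `"name"` on the hunk's last context line still interpolates `${{ needs.get-latest-tag.outputs.tag }}` (the x86_64 entry outside the hunk presumably does the same), so the same value reaches the JSON by two different routes; `"name": "Finch-${VERSION}-aarch64.pkg"` keeps one source and removes the remaining template expansions from the heredoc. Dropping `source_s3uri` and `source_access_role` changes the document the downstream consumer receives, and nothing on this page shows its schema, so confirm those keys are optional there or note in a comment why they are no longer needed.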