beam/.github/workflows/finalize_release.yml at master · dustin12/beam · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
name: finalize_release

# Workflow added after https://github.com/apache/beam/commit/4183e747becebd18becee5fff547af365910fc9c
# If help is needed debugging issues, you can view the release guide at that commit for guidance on how to do this manually.
# (https://github.com/apache/beam/blob/4183e747becebd18becee5fff547af365910fc9c/website/www/site/content/en/contribute/release-guide.md)
on:
  workflow_dispatch:
    inputs:
      RELEASE:
        description: Beam version of current release (e.g. 2.XX.0)
        required: true
        default: '2.XX.0'
      RC:
        description: Integer RC version for the release that we'd like to finalize (e.g. 3 for RC3)
        required: true
      PYPI_API_TOKEN:
        description: PyPi API token to perform the PyPi upload with
        required: false
      PUSH_DOCKER_ARTIFACTS:
        description: Whether to push SDK docker images to docker hub Apache organization. Should be yes unless you've already completed this step.
        required: true
        default: 'no'
      PUBLISH_PYTHON_ARTIFACTS:
        description: Whether to publish the python artifacts into PyPi. Should be yes unless you've already completed this step.
        required: true
        default: 'no'
      TAG_RELEASE:
        description: Whether to tag the release on GitHub. Should be yes unless you've already completed this step.
        required: true
        default: 'no'
env:
  DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }}

permissions:
  contents: write
  pull-requests: write

jobs:
  push_docker_artifacts:
    if: ${{github.event.inputs.PUSH_DOCKER_ARTIFACTS == 'yes'}}
    runs-on: [self-hosted, ubuntu-20.04, main]
    steps:
    - name: Login to Docker Hub
      uses: docker/login-action@v3
      with:
        username: ${{ secrets.DOCKERHUB_USER }}
        password: ${{ secrets.DOCKERHUB_TOKEN }}
    - name: Publish to Docker
      env:
        RELEASE: "${{ github.event.inputs.RELEASE }}"
        RC_NUM: "${{ github.event.inputs.RC }}"
        RC_VERSION: "rc${{ github.event.inputs.RC }}"
      run: |

        echo "Publish SDK docker images to Docker Hub."

        echo "================Pull RC Containers from DockerHub==========="
        IMAGES=$(docker search apache/beam --format "{{.Name}}" --limit 100)
        KNOWN_IMAGES=()
        echo "We are using ${RC_VERSION} to push docker images for ${RELEASE}."
        while read IMAGE; do
          # Try pull verified RC from dockerhub.
          if docker pull "${IMAGE}:${RELEASE}${RC_VERSION}" 2>/dev/null ; then
            KNOWN_IMAGES+=( $IMAGE )
          fi
        done < <(echo "${IMAGES}")

        echo "================Confirming Release and RC version==========="
        echo "Publishing the following images:"
        # Sort by name for easy examination
        IFS=$'\n' KNOWN_IMAGES=($(sort <<<"${KNOWN_IMAGES[*]}"))
        unset IFS
        printf "%s\n" ${KNOWN_IMAGES[@]}

        for IMAGE in "${KNOWN_IMAGES[@]}"; do
          # Perform a carbon copy of ${RC_VERSION} to dockerhub with a new tag as ${RELEASE}.
          docker buildx imagetools create --tag "${IMAGE}:${RELEASE}" "${IMAGE}:${RELEASE}${RC_VERSION}"

          # Perform a carbon copy of ${RC_VERSION} to dockerhub with a new tag as latest.
          docker buildx imagetools create --tag "${IMAGE}:latest" "${IMAGE}:${RELEASE}"
        done

  publish_python_artifacts:
    if: ${{github.event.inputs.PUBLISH_PYTHON_ARTIFACTS == 'yes'}}
    runs-on: [self-hosted, ubuntu-20.04, main]
    steps:
    - name: Checkout
      uses: actions/checkout@v4
    - name: Mask PyPi password
      run: |
        # Workaround for Actions bug - https://github.com/actions/runner/issues/643
        PYPI_PASSWORD=$(jq -r '.inputs.PYPI_PASSWORD' $GITHUB_EVENT_PATH)
        echo "::add-mask::$PYPI_PASSWORD"
    - name: Validate PyPi id/password
      run: |
        # Workaround for Actions bug - https://github.com/actions/runner/issues/643
        PYPI_API_TOKEN=$(jq -r '.inputs.PYPI_API_TOKEN' $GITHUB_EVENT_PATH)
        echo "::add-mask::$PYPI_API_TOKEN"
        if [ "$PYPI_API_TOKEN" == "" ]
        then
          echo "Must provide a PyPi password to publish artifacts to PyPi"
          exit 1
        fi
    - name: Setup environment
      uses: ./.github/actions/setup-environment-action
      with:
        python-version: 3.11
        disable-cache: true
    - name: Install dependencies
      run: |
        pip install python-dateutil
        pip install requests
        pip install twine
    - name: Deploy to Pypi
      env:
        RELEASE: "${{ github.event.inputs.RELEASE }}"
      run: |
        wget -e robots=off -r --no-parent -A tar.gz,whl "https://dist.apache.org/repos/dist/dev/beam/${RELEASE}/python"
        cd "dist.apache.org/repos/dist/dev/beam/${RELEASE}/python/"
        echo "Will upload the following files to PyPI:"
        ls
        twine upload * -u __token__ -p "${{ github.event.inputs.PYPI_API_TOKEN }}"

  push_git_tags:
    if: ${{github.event.inputs.TAG_RELEASE == 'yes'}}
    runs-on: [self-hosted, ubuntu-20.04, main]
    steps:
    - name: Checkout
      uses: actions/checkout@v4
    - name: Set git config
      run: |
        git config user.name $GITHUB_ACTOR
        git config user.email actions@"$RUNNER_NAME".local
    - name: Import GPG key
      id: import_gpg
      uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec
      with:
        gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
    - name: Push tags
      env:
        VERSION_TAG: "v${{ github.event.inputs.RELEASE }}"
        RC_TAG: "v${{ github.event.inputs.RELEASE }}-RC${{ github.event.inputs.RC }}"
        POST_RELEASE_BRANCH: "release-${{ github.event.inputs.RELEASE }}-postrelease"
      run: |
        # Ensure local tags are in sync. If there's a mismatch, it will tell you.
        git fetch --all --tags --prune

        # If the tag exists, a commit number is produced, otherwise there's an error.
        git rev-list $RC_TAG -n 1

        # Tag for Go SDK
        git tag "sdks/$VERSION_TAG" "$RC_TAG"^{} -m "Tagging release" --local-user="${{steps.import_gpg.outputs.name}}"
        git push https://github.com/apache/beam "sdks/$VERSION_TAG"

        # Tag for repo root.
        git tag "$VERSION_TAG" "$RC_TAG"^{} -m "Tagging release" --local-user="${{steps.import_gpg.outputs.name}}"
        git push https://github.com/apache/beam "$VERSION_TAG"

        git checkout -b "$POST_RELEASE_BRANCH" "$VERSION_TAG"
        git push https://github.com/apache/beam "$POST_RELEASE_BRANCH"

  update_master:
    needs: push_git_tags
    runs-on: ubuntu-latest
    env:
        POST_RELEASE_BRANCH: "release-${{ github.event.inputs.RELEASE }}-postrelease"
    steps:
      - name: Check out code
        uses: actions/checkout@v4
      - name: Set git config
        run: |
          git config user.name $GITHUB_ACTOR
          git config user.email actions@"$RUNNER_NAME".local
      - name: Update .asf.yaml to protect new postrelease branch from force push
        run: |
          sed -i -e "s/master: {}/master: {}\n    ${POST_RELEASE_BRANCH}: {}/g" .asf.yaml
      - name: Commit and Push to master branch files with Next Version
        run: |
          git add .asf.yaml
          git commit -m "Adding ${POST_RELEASE_BRANCH} to protected branches in .asf.yaml"
          git push origin ${MASTER_BRANCH}