From a91911eaa1e467d696c64e165d9f0058255895ed Mon Sep 17 00:00:00 2001 From: Chris Blackburn Date: Thu, 24 Jul 2025 13:52:28 -0400 Subject: [PATCH 1/6] add appropriate perms and fix run conditional --- .github/workflows/release.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 7fecdc276..8ecd0e9a5 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -20,6 +20,7 @@ jobs: release: permissions: id-token: 'write' + contents: 'write' runs-on: ubuntu-latest env: LD_RELEASE_VERSION: ${{ inputs.releaseVersion }} @@ -65,7 +66,7 @@ jobs: ./scripts/release/commit-and-tag.sh - name: Create Github release uses: ncipollo/release-action@v1.14.0 - if: ${{ inputs.dryRun != 'true' }} + if: ${{ !inputs.dryRun }} with: token: ${{ secrets.GITHUB_TOKEN }} tag: v${{ inputs.releaseVersion }} From 10ebe29016999e527c39bef191e5b5ef8f4070be Mon Sep 17 00:00:00 2001 From: Chris Blackburn Date: Thu, 24 Jul 2025 14:44:50 -0400 Subject: [PATCH 2/6] copy artifacts to artifacts dir --- .github/workflows/release.yml | 40 +++++++++++-------- .../release/create-release-with-artifacts.sh | 12 ++++++ scripts/release/publish-dry-run.sh | 8 +--- scripts/release/publish.sh | 4 +- 4 files changed, 38 insertions(+), 26 deletions(-) create mode 100755 scripts/release/create-release-with-artifacts.sh diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 8ecd0e9a5..fd35539c1 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
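Review bot: `contents: 'write'` is added under the job-level `permissions` in the first hunk, so every step of the `release` job gets a token that can write to the repository, not only the `Create Github release` step touched in the second hunk. If the build and publish steps do not need write access, consider moving release creation into its own job that carries `contents: 'write'`. At minimum, add a comment on the new line such as `# required to create the GitHub release`, so the grant is not widened later without review. The job body continues outside both hunks, so which other steps depend on the token cannot be confirmed from here.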
@@ -1,20 +1,21 @@ name: Release on: - workflow_dispatch: - inputs: - dryRun: - description: Perform a dry-run only - required: false - type: boolean - releaseVersion: - description: Next release version - required: true - type: string - changeLog: - description: Pending changelog - required: true - type: string + pull_request + # workflow_dispatch: + # inputs: + # dryRun: + # description: Perform a dry-run only + # required: false + # type: boolean + # releaseVersion: + # description: Next release version + # required: true + # type: string + # changeLog: + # description: Pending changelog + # required: true + # type: string jobs: release: @@ -23,9 +24,13 @@ jobs: contents: 'write' runs-on: ubuntu-latest env: - LD_RELEASE_VERSION: ${{ inputs.releaseVersion }} - DRY_RUN: ${{ inputs.dryRun || 'false' }} - CHANGELOG_ENTRY: ${{ inputs.changeLog }} + # temporary for debugging on pull_request + LD_RELEASE_VERSION: 2.14.0 + DRY_RUN: true + CHANGELOG_ENTRY: "changelog stuff or something" + # LD_RELEASE_VERSION: ${{ inputs.releaseVersion }} + # DRY_RUN: ${{ inputs.dryRun || 'false' }} + # CHANGELOG_ENTRY: ${{ inputs.changeLog }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} ARTIFACT_DIRECTORY: "/tmp/release-artifacts" steps: @@ -61,6 +66,7 @@ jobs: else ./scripts/release/publish.sh fi + ls -1a "$ARTIFACT_DIRECTORY" - name: Commit changes and tag run: | ./scripts/release/commit-and-tag.sh diff --git a/scripts/release/create-release-with-artifacts.sh b/scripts/release/create-release-with-artifacts.sh new file mode 100755 index 000000000..8d8b0d580 --- /dev/null +++ b/scripts/release/create-release-with-artifacts.sh @@ -0,0 +1,12 @@ +#!/bin/bash + +set -euo pipefail + +TARGET=$1 + +echo ${DOCKER_TOKEN} | sudo docker login --username ${DOCKER_USERNAME} --password-stdin + +sudo PATH=${PATH} GITHUB_TOKEN=${GITHUB_TOKEN} make ${TARGET} + +mkdir -p ${ARTIFACT_DIRECTORY} +cp ./dist/*.deb ./dist/*.rpm ./dist/*.tar.gz ./dist/*.txt ${ARTIFACT_DIRECTORY} 
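Review bot: With `on:` switched to `pull_request` in the first release.yml hunk, the `release` job now runs for every pull request while holding `id-token: 'write'` and `contents: 'write'`, and it executes whatever `scripts/release/*` the PR branch contains. For debugging, keep the `workflow_dispatch` trigger and start the run against the feature branch from the Actions UI or with `gh workflow run release.yml --ref <branch>`, so the release credentials are only exercised by a deliberate manual run. The hard-coded `LD_RELEASE_VERSION`, `DRY_RUN` and `CHANGELOG_ENTRY` values in the second hunk would then be unnecessary as well.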
diff --git a/scripts/release/publish-dry-run.sh b/scripts/release/publish-dry-run.sh index 8704dce53..71f397985 100755 --- a/scripts/release/publish-dry-run.sh +++ b/scripts/release/publish-dry-run.sh @@ -2,12 +2,8 @@ set -euo pipefail -echo ${DOCKER_TOKEN} | sudo docker login --username ${DOCKER_USERNAME} --password-stdin - -sudo PATH=${PATH} GITHUB_TOKEN=${GITHUB_TOKEN} make products-for-release - -mkdir -p ${ARTIFACT_DIRECTORY} - +sudo ./create-release-with-artifacts.sh products-for-release +# # Copy the Docker image that goreleaser just built into the artifacts - we only do # this in a dry run, because in a real release the image will be available from # DockerHub anyway so there's no point in attaching it to the release. diff --git a/scripts/release/publish.sh b/scripts/release/publish.sh index c350fbf38..73d49c713 100755 --- a/scripts/release/publish.sh +++ b/scripts/release/publish.sh @@ -2,9 +2,7 @@ set -euo pipefail -echo ${DOCKER_TOKEN} | sudo docker login --username ${DOCKER_USERNAME} --password-stdin - -sudo PATH=${PATH} GITHUB_TOKEN=${GITHUB_TOKEN} make publish +sudo ./create-release-with-artifacts publish # make bitbucket and github known hosts to push successfully mkdir -m700 ~/.ssh From 73892acdc7176658ed6529d55aa5a35552532694 Mon Sep 17 00:00:00 2001 From: Chris Blackburn Date: Thu, 24 Jul 2025 15:02:17 -0400 Subject: [PATCH 3/6] debugging --- scripts/release/create-release-with-artifacts.sh | 8 ++++---- scripts/release/publish-dry-run.sh | 2 +- scripts/release/publish.sh | 2 +- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/scripts/release/create-release-with-artifacts.sh b/scripts/release/create-release-with-artifacts.sh index 8d8b0d580..ffd393414 100755 --- a/scripts/release/create-release-with-artifacts.sh +++ b/scripts/release/create-release-with-artifacts.sh 
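Review bot: `sudo ./create-release-with-artifacts.sh products-for-release` in publish-dry-run.sh (and the matching line in publish.sh) now runs the whole helper as root, where previously only `docker login` and `make` were elevated. Depending on the runner's sudoers policy, sudo may also reset the environment, in which case `DOCKER_TOKEN`, `DOCKER_USERNAME` and `ARTIFACT_DIRECTORY` would be unset inside the helper and `set -u` would abort it. The helper already calls `sudo` itself for the two commands that need it, so the caller can invoke it unprivileged, e.g. `"$(dirname "$0")/create-release-with-artifacts.sh" products-for-release`. That form also stops the `./` path from depending on the caller's working directory.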
@@ -4,9 +4,9 @@ set -euo pipefail TARGET=$1 -echo ${DOCKER_TOKEN} | sudo docker login --username ${DOCKER_USERNAME} --password-stdin +echo "$DOCKER_TOKEN" | sudo docker login --username "$DOCKER_USERNAME" --password-stdin -sudo PATH=${PATH} GITHUB_TOKEN=${GITHUB_TOKEN} make ${TARGET} +sudo PATH="$PATH" GITHUB_TOKEN="$GITHUB_TOKEN" make "$TARGET" -mkdir -p ${ARTIFACT_DIRECTORY} -cp ./dist/*.deb ./dist/*.rpm ./dist/*.tar.gz ./dist/*.txt ${ARTIFACT_DIRECTORY} +mkdir -p "$ARTIFACT_DIRECTORY" +cp ./dist/*.deb ./dist/*.rpm ./dist/*.tar.gz ./dist/*.txt "$ARTIFACT_DIRECTORY" diff --git a/scripts/release/publish-dry-run.sh b/scripts/release/publish-dry-run.sh index 71f397985..cfb4e6b74 100755 --- a/scripts/release/publish-dry-run.sh +++ b/scripts/release/publish-dry-run.sh @@ -2,7 +2,7 @@ set -euo pipefail -sudo ./create-release-with-artifacts.sh products-for-release +sudo $(dirname $0)/create-release-with-artifacts.sh products-for-release # # Copy the Docker image that goreleaser just built into the artifacts - we only do # this in a dry run, because in a real release the image will be available from diff --git a/scripts/release/publish.sh b/scripts/release/publish.sh index 73d49c713..5d61298c5 100755 --- a/scripts/release/publish.sh +++ b/scripts/release/publish.sh @@ -2,7 +2,7 @@ set -euo pipefail -sudo ./create-release-with-artifacts publish +sudo $(dirname $0)/create-release-with-artifacts publish # make bitbucket and github known hosts to push successfully mkdir -m700 ~/.ssh From 5fbd9d6155f51c3ab90929fa3d3f5dcac5a89f80 Mon Sep 17 00:00:00 2001 
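Review bot: In the publish.sh hunk, `sudo $(dirname $0)/create-release-with-artifacts publish` still names the helper without its `.sh` extension, so the real-release path would fail to find the script while the dry-run path works. The `$(dirname $0)` expansion is also unquoted here and in publish-dry-run.sh (and again in the `source $(dirname $0)/stage-artifacts.sh` lines of PATCH 4/6), which word-splits if the checkout path contains spaces. `"$(dirname "$0")/create-release-with-artifacts.sh" publish` covers both.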
From: Chris Blackburn Date: Thu, 24 Jul 2025 15:21:10 -0400 Subject: [PATCH 4/6] fix artifacts call --- scripts/release/create-release-with-artifacts.sh | 12 ------------ scripts/release/publish-dry-run.sh | 5 +++-- scripts/release/publish.sh | 3 ++- scripts/release/stage-artifacts.sh | 14 ++++++++++++++ 4 files changed, 19 insertions(+), 15 deletions(-) delete mode 100755 scripts/release/create-release-with-artifacts.sh create mode 100755 scripts/release/stage-artifacts.sh diff --git a/scripts/release/create-release-with-artifacts.sh b/scripts/release/create-release-with-artifacts.sh deleted file mode 100755 index ffd393414..000000000 --- a/scripts/release/create-release-with-artifacts.sh +++ /dev/null @@ -1,12 +0,0 @@ -#!/bin/bash - -set -euo pipefail - -TARGET=$1 - -echo "$DOCKER_TOKEN" | sudo docker login --username "$DOCKER_USERNAME" --password-stdin - -sudo PATH="$PATH" GITHUB_TOKEN="$GITHUB_TOKEN" make "$TARGET" - -mkdir -p "$ARTIFACT_DIRECTORY" -cp ./dist/*.deb ./dist/*.rpm ./dist/*.tar.gz ./dist/*.txt "$ARTIFACT_DIRECTORY" diff --git a/scripts/release/publish-dry-run.sh b/scripts/release/publish-dry-run.sh index cfb4e6b74..efd0a1421 100755 --- a/scripts/release/publish-dry-run.sh +++ b/scripts/release/publish-dry-run.sh @@ -2,8 +2,9 @@ set -euo pipefail -sudo $(dirname $0)/create-release-with-artifacts.sh products-for-release -# +source $(dirname $0)/stage-artifacts.sh +stage_artifacts products-for-release + # Copy the Docker image that goreleaser just built into the artifacts - we only do # this in a dry run, because in a real release the image will be available from # DockerHub anyway so there's no point in attaching it to the release. diff --git a/scripts/release/publish.sh b/scripts/release/publish.sh index 5d61298c5..62a7a5f8d 100755 --- a/scripts/release/publish.sh +++ b/scripts/release/publish.sh 
@@ -2,7 +2,8 @@ set -euo pipefail -sudo $(dirname $0)/create-release-with-artifacts publish +source $(dirname $0)/stage-artifacts.sh +stage_artifacts publish # make bitbucket and github known hosts to push successfully mkdir -m700 ~/.ssh diff --git a/scripts/release/stage-artifacts.sh b/scripts/release/stage-artifacts.sh new file mode 100755 index 000000000..1c9e98240 --- /dev/null +++ b/scripts/release/stage-artifacts.sh @@ -0,0 +1,14 @@ +#!/bin/bash + +set -euo pipefail + +stage_artifacts() { + TARGET=$1 + + echo "$DOCKER_TOKEN" | sudo docker login --username "$DOCKER_USERNAME" --password-stdin + + sudo PATH="$PATH" GITHUB_TOKEN="$GITHUB_TOKEN" make "$TARGET" + + mkdir -p "$ARTIFACT_DIRECTORY" + cp ./dist/*.deb ./dist/*.rpm ./dist/*.tar.gz ./dist/*.txt "$ARTIFACT_DIRECTORY" +} From e9b1395240555da4acf0aa007dc9eb9d42f96df9 Mon Sep 17 00:00:00 2001 From: Chris Blackburn Date: Thu, 24 Jul 2025 15:48:34 -0400 Subject: [PATCH 5/6] remove gh release step --- .github/workflows/release.yml | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index fd35539c1..4f042358e 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -70,10 +70,11 @@ jobs: - name: Commit changes and tag run: | ./scripts/release/commit-and-tag.sh - - name: Create Github release - uses: ncipollo/release-action@v1.14.0 - if: ${{ !inputs.dryRun }} - with: - token: ${{ secrets.GITHUB_TOKEN }} - tag: v${{ inputs.releaseVersion }} - body: ${{ inputs.changeLog }} + # - name: Create Github release + # uses: ncipollo/release-action@v1.14.0 + # if: ${{ !inputs.dryRun }} + # with: + # token: ${{ secrets.GITHUB_TOKEN }} + # tag: v${{ inputs.releaseVersion }} + # body: ${{ inputs.changeLog }} + # artifacts: ${{ env.ARTIFACT_DIRECTORY }}/* From e44858121977e1e4548ae6978dd90a9dfbfe924d Mon Sep 17 00:00:00 2001 
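Review bot: In the new stage-artifacts.sh, `stage_artifacts` passes `GITHUB_TOKEN="$GITHUB_TOKEN"` as a sudo command-line argument, so the token value sits in the process list for as long as `make` runs. With `contents: 'write'` on the job, that token can write to the repository. Prefer handing it over through the environment, e.g. `sudo --preserve-env=GITHUB_TOKEN PATH="$PATH" make "$TARGET"`, provided the runner's sudoers policy permits it. Separately, `TARGET=$1` should be `local target=$1`, and a header comment should state that the file is meant to be sourced and expects `DOCKER_TOKEN`, `DOCKER_USERNAME`, `GITHUB_TOKEN` and `ARTIFACT_DIRECTORY` in the environment.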
From: Chris Blackburn Date: Thu, 24 Jul 2025 17:55:17 -0400 Subject: [PATCH 6/6] finalize release action --- .github/workflows/release.yml | 64 ++++++++++++++++------------------- 1 file changed, 29 insertions(+), 35 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 4f042358e..ddd796502 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -1,21 +1,20 @@ name: Release on: - pull_request - # workflow_dispatch: - # inputs: - # dryRun: - # description: Perform a dry-run only - # required: false - # type: boolean - # releaseVersion: - # description: Next release version - # required: true - # type: string - # changeLog: - # description: Pending changelog - # required: true - # type: string + workflow_dispatch: + inputs: + dryRun: + description: Perform a dry-run only + required: false + type: boolean + releaseVersion: + description: Next release version + required: true + type: string + changeLog: + description: Pending changelog + required: true + type: string jobs: release: 
@@ -24,21 +23,17 @@ jobs: contents: 'write' runs-on: ubuntu-latest env: - # temporary for debugging on pull_request - LD_RELEASE_VERSION: 2.14.0 - DRY_RUN: true - CHANGELOG_ENTRY: "changelog stuff or something" - # LD_RELEASE_VERSION: ${{ inputs.releaseVersion }} - # DRY_RUN: ${{ inputs.dryRun || 'false' }} - # CHANGELOG_ENTRY: ${{ inputs.changeLog }} + LD_RELEASE_VERSION: ${{ inputs.releaseVersion }} + DRY_RUN: ${{ inputs.dryRun || 'false' }} + CHANGELOG_ENTRY: ${{ inputs.changeLog }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} ARTIFACT_DIRECTORY: "/tmp/release-artifacts" steps: - uses: actions/checkout@v4 with: fetch-depth: 0 - - uses: launchdarkly/gh-actions/actions/release-secrets@release-secrets-v1.2.0 - name: Get secrets + - name: get secrets + uses: launchdarkly/gh-actions/actions/release-secrets@release-secrets-v1.2.0 with: aws_assume_role: ${{ vars.AWS_ROLE_ARN }} ssm_parameter_pairs: '/global/services/docker/public/username = DOCKER_USERNAME, /global/services/docker/public/token = DOCKER_TOKEN, /production/common/releasing/circleci/orb-token= CIRCLECI_CLI_TOKEN, /production/common/releasing/bitbucket/username = BITBUCKET_USERNAME, /production/common/releasing/bitbucket/token = BITBUCKET_TOKEN' @@ -67,14 +62,13 @@ jobs: ./scripts/release/publish.sh fi ls -1a "$ARTIFACT_DIRECTORY" - - name: Commit changes and tag - run: | - ./scripts/release/commit-and-tag.sh - # - name: Create Github release - # uses: ncipollo/release-action@v1.14.0 - # if: ${{ !inputs.dryRun }} - # with: - # token: ${{ secrets.GITHUB_TOKEN }} - # tag: v${{ inputs.releaseVersion }} - # body: ${{ inputs.changeLog }} - # artifacts: ${{ env.ARTIFACT_DIRECTORY }}/* + - name: commit changes and tag + run: ./scripts/release/commit-and-tag.sh + - name: create Github release + uses: ncipollo/release-action@v1.14.0 + if: ${{ !inputs.dryRun }} + with: + token: ${{ secrets.GITHUB_TOKEN }} + tag: v${{ inputs.releaseVersion }} + body: ${{ inputs.changeLog }} + artifacts: ${{ env.ARTIFACT_DIRECTORY }}/*
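Review bot: The re-enabled `create Github release` step in the last hunk references `ncipollo/release-action@v1.14.0` by a mutable tag while handing it `secrets.GITHUB_TOKEN` from a job with `contents: 'write'`. The `release-secrets@release-secrets-v1.2.0` line reordered in the previous hunk is pinned the same way and runs with `id-token: 'write'`. Pin both to a full commit SHA and keep the version as a trailing comment, e.g. `uses: ncipollo/release-action@<full-commit-sha> # v1.14.0`, so a moved tag cannot change what runs with release credentials. Consider also setting `artifactErrorsFailBuild: true` on the release step so a release is not published with files missing from `${{ env.ARTIFACT_DIRECTORY }}/*`.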