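# Auto-release workflow.
#
# When a pull request is merged into main, this job checks that the merging
# user is authorized, reads the PR's labels to decide which semver components
# to bump, writes the new version into package.json and publishes a GitHub
# Release tagged vMAJOR.MINOR.PATCH.
#
# A user is authorized if any one of these holds:
#   - listed in .github/CODEOWNERS
#   - repository permission "admin" or "maintain"
#   - organization owner (membership role "admin")
#
# Event data (login, labels, repository name) and the PAT are passed to the
# shell steps through `env:` rather than being interpolated with `${{ }}`
# directly into the script text, so their content is never parsed as shell.
name: Auto Release on Main Merge

on:
  pull_request:
    types: [closed]
    branches:
      - main

concurrency:
  group: ${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

# The PAT supplied to checkout and to the release step replaces GITHUB_TOKEN
# there, so that the published release can trigger other workflows.
permissions:
  contents: write
  pull-requests: read

jobs:
  auto_release:
    runs-on: ubuntu-latest
    # A closed-but-unmerged PR must never produce a release.
    if: github.event.pull_request.merged == true
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0  # full history so `git describe --tags` can see existing tags
          ref: main
          token: ${{ secrets.PAT }}
          # Later steps only read git history and call the API with their own
          # token input; do not leave the PAT in .git/config on the runner.
          persist-credentials: false

      - name: Check if user is authorized
        id: auth_check
        env:
          MERGED_BY: ${{ github.event.pull_request.merged_by.login }}
          REPO: ${{ github.repository }}
          # The organization that owns the repository (the account name for a
          # user-owned fork, where the memberships lookup simply returns 404).
          ORG: ${{ github.repository_owner }}
          GH_TOKEN: ${{ secrets.PAT }}
        run: |
          merged_by="$MERGED_BY"
          echo "PR was merged by: $merged_by"

          # Get authorized users from CODEOWNERS file
          authorized_users=()
          if [[ -f ".github/CODEOWNERS" ]]; then
            echo "[INFO] Reading CODEOWNERS file..."
            # Extract usernames from CODEOWNERS (remove @ prefix); team handles
            # (@org/team) are cut at the slash and their org part is ignored below.
            codeowners=$(grep -v '^#' .github/CODEOWNERS | grep -o '@[a-zA-Z0-9_-]*' | sed 's/@//' | sort -u)
            for user in $codeowners; do
              authorized_users+=("$user")
              echo " - CODEOWNER: $user"
            done
          else
            echo "[WARN] No CODEOWNERS file found"
          fi

          # Repository permission of the merging user (admin/maintain/write/...).
          echo "[CHECK] Checking repository permissions..."
          user_permission=$(curl -s -H "Authorization: token $GH_TOKEN" \
            -H "Accept: application/vnd.github.v3+json" \
            "https://api.github.com/repos/$REPO/collaborators/$merged_by/permission" | \
            jq -r '.permission // "none"')
          echo "User $merged_by has permission level: $user_permission"

          is_authorized=false

          # Check if user is in CODEOWNERS
          for user in "${authorized_users[@]}"; do
            if [[ "$user" == "$merged_by" ]]; then
              is_authorized=true
              echo "[OK] User $merged_by is authorized via CODEOWNERS"
              break
            fi
          done

          # Check if user has admin or maintain permissions
          if [[ "$user_permission" == "admin" || "$user_permission" == "maintain" ]]; then
            is_authorized=true
            echo "[OK] User $merged_by is authorized via repository permissions ($user_permission)"
          fi

          # Check if user is an organization owner. The memberships endpoint
          # answers 200 with the member's role ("admin" means owner) or 404 when
          # the user is not a member, in which case `.role` is absent and we get
          # "none". (The members endpoint answers 204, not 200, for a member, so
          # gating on a 200 from it would never reach this check.)
          org_role=$(curl -s -H "Authorization: token $GH_TOKEN" \
            -H "Accept: application/vnd.github.v3+json" \
            "https://api.github.com/orgs/$ORG/memberships/$merged_by" | \
            jq -r '.role // "none"')
          if [[ "$org_role" == "admin" ]]; then
            is_authorized=true
            echo "[OK] User $merged_by is authorized as organization owner"
          fi

          echo "is_authorized=$is_authorized" >> "$GITHUB_OUTPUT"

          if [[ "$is_authorized" == "false" ]]; then
            echo "[ERROR] User $merged_by is not authorized to trigger releases"
            echo "[TIP] Authorized users include:"
            echo " - CODEOWNERS: ${authorized_users[*]}"
            echo " - Repository admins and maintainers"
            echo " - Organization owners"
            # Exit 0 on purpose: an unauthorized merge is not a workflow failure,
            # the remaining steps are skipped via the is_authorized output.
            exit 0
          else
            echo "[SUCCESS] User $merged_by is authorized to trigger releases"
          fi

      - name: Check for release labels and determine version bumps
        if: steps.auth_check.outputs.is_authorized == 'true'
        id: check
        env:
          # Label names are free-form text set by anyone with triage access;
          # they reach the script only as an environment variable.
          LABELS: ${{ toJson(github.event.pull_request.labels.*.name) }}
        run: |
          labels="$LABELS"
          echo "PR Labels: $labels"

          has_release_label=false
          has_major=false
          has_minor=false
          has_patch=false

          # Matching is by substring over the JSON label list, so a label such
          # as "release:major" also triggers; keep that in mind when naming labels.
          if echo "$labels" | grep -q "release"; then
            has_release_label=true

            # Check for each type of version bump
            if echo "$labels" | grep -q "major"; then
              has_major=true
            fi
            if echo "$labels" | grep -q "minor"; then
              has_minor=true
            fi
            if echo "$labels" | grep -q "patch"; then
              has_patch=true
            fi

            # If no specific version type is specified, default to patch
            if [[ "$has_major" == "false" && "$has_minor" == "false" && "$has_patch" == "false" ]]; then
              has_patch=true
            fi
          fi

          {
            echo "should_release=$has_release_label"
            echo "has_major=$has_major"
            echo "has_minor=$has_minor"
            echo "has_patch=$has_patch"
          } >> "$GITHUB_OUTPUT"

          echo "Should release: $has_release_label"
          echo "Has major: $has_major, minor: $has_minor, patch: $has_patch"

      - name: Setup Node.js
        if: steps.auth_check.outputs.is_authorized == 'true' && steps.check.outputs.should_release == 'true'
        uses: actions/setup-node@v4
        with:
          # Quoted: an unquoted 20.10 is read as the float 20.1.
          node-version: "20.10"

      - name: Calculate new version with cumulative bumps
        if: steps.auth_check.outputs.is_authorized == 'true' && steps.check.outputs.should_release == 'true'
        id: version
        env:
          HAS_MAJOR: ${{ steps.check.outputs.has_major }}
          HAS_MINOR: ${{ steps.check.outputs.has_minor }}
          HAS_PATCH: ${{ steps.check.outputs.has_patch }}
        run: |
          git config --global user.email "github-actions[bot]@users.noreply.github.com"
          git config --global user.name "github-actions[bot]"

          # Nearest tag reachable from HEAD, or v0.0.0 when the repo has none.
          latest_tag=$(git describe --tags --abbrev=0 2>/dev/null || echo "v0.0.0")
          echo "Latest git tag: $latest_tag"

          # Remove 'v' prefix if present
          current_version=${latest_tag#v}
          echo "Current version: $current_version"

          # Only plain MAJOR.MINOR.PATCH is accepted: with a suffix such as
          # "-rc1" the arithmetic below would silently compute a wrong number.
          if [[ ! "$current_version" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
            echo "::error::Latest tag '$latest_tag' is not of the form vMAJOR.MINOR.PATCH"
            exit 1
          fi

          IFS='.' read -r major minor patch <<< "$current_version"
          echo "Parsed version - Major: $major, Minor: $minor, Patch: $patch"

          # Apply cumulative version bumps: major resets minor and patch, minor
          # resets patch, and a patch bump is added on top of either.
          if [[ "$HAS_MAJOR" == "true" ]]; then
            major=$((major + 1))
            minor=0
            patch=0
            echo "Applied major bump: $major.0.0"
          fi

          if [[ "$HAS_MINOR" == "true" ]]; then
            minor=$((minor + 1))
            if [[ "$HAS_MAJOR" != "true" ]]; then
              patch=0 # Reset patch when minor is bumped (only if major wasn't bumped)
            fi
            echo "Applied minor bump: $major.$minor.$patch"
          fi

          if [[ "$HAS_PATCH" == "true" ]]; then
            patch=$((patch + 1))
            echo "Applied patch bump: $major.$minor.$patch"
          fi

          new_version="$major.$minor.$patch"
          echo "Final calculated version: $new_version"

          # Create package.json if it doesn't exist
          if [[ ! -f "package.json" ]]; then
            echo '{"version": "0.0.0"}' > package.json
          fi

          # Update package.json with new version (no commit or tag; the tag is
          # created by the release step below).
          npm version "$new_version" --no-git-tag-version --allow-same-version

          echo "NEW_VERSION=v$new_version" >> "$GITHUB_ENV"
          echo "New version will be: v$new_version"

      - name: Create Release
        if: steps.auth_check.outputs.is_authorized == 'true' && steps.check.outputs.should_release == 'true'
        uses: softprops/action-gh-release@v2
        with:
          token: ${{ secrets.PAT }} # Use PAT to trigger other workflows
          tag_name: ${{ env.NEW_VERSION }}
          name: "Release ${{ env.NEW_VERSION }}"
          generate_release_notes: true
          make_latest: true
          # PR title and body are rendered as markdown in the release notes;
          # they are action inputs here, not shell, so they are not executed.
          body: |
            ## ? Release ${{ env.NEW_VERSION }}

            **Version Bumps Applied:**
            - Major: ${{ steps.check.outputs.has_major }}
            - Minor: ${{ steps.check.outputs.has_minor }}
            - Patch: ${{ steps.check.outputs.has_patch }}

            **Triggered by:** PR #${{ github.event.pull_request.number }} - ${{ github.event.pull_request.title }}
            **Merged by:** @${{ github.event.pull_request.merged_by.login }}

            ### Changes in this PR
            ${{ github.event.pull_request.body }}

            ---
            *This release was automatically created by the Auto Release workflow*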