Allow hotfix releases in the pipeline

.github/release_drafter_main.yaml

@@ -0,0 +1,46 @@
+name-template: $RESOLVED_VERSION
+tag-template: $RESOLVED_VERSION
+categories:
+  - title: Features
+    labels:
+      - feature
+      - enhancement
+  - title: Bug Fixes
+    labels:
+      - fix
+      - bugfix
+      - bug
+  - title: Maintenance
+    labels:
+      - chore
+      - ci
+      - tech-debt
+  - title: Dependencies
+    label: dependencies
+    collapse-after: 3
+category-template: |
+  ### $TITLE
+version-resolver:
+  major:
+    labels:
+      - major
+      - breaking
+  minor:
+    labels:
+      - feature
+      - minor
+  patch:
+    labels:
+      - patch
+      - bug
+  default: patch
+exclude-labels:
+  - skip-release-notes
+  - released-as-hotfix
+filter-by-commitish: true
+template: |
+  ## What's Changed
+
+  $CHANGES
+
+  **Full Changelog**: https://github.com/$OWNER/$REPOSITORY/compare/$PREVIOUS_TAG...$RESOLVED_VERSION

.github/workflows/ci.yaml

@@ -182,6 +182,7 @@ jobs:
     needs: [ansible-lint, test-deploy]
     uses: ./.github/workflows/publish-containers.yaml
     with:
+      branch: main
       image_name: ansible
       tag: rolling
       dockerfile: "docker/Dockerfile"

.github/workflows/git-release.yaml

@@ -3,6 +3,12 @@ name: Do release
 
 on:
   workflow_call:
+    inputs:
+      triggering_branch:
+        type: string
+        required: true
+        description: The branch on which we received a release request.
+
     secrets:
       release_key:
         description: >-
@@ -15,9 +21,13 @@ on:
         value: ${{ jobs.pre-release.outputs.version }}
         description: "The determined version of the release"
 
+env:
+  GIT_USER: shapbot
+  GIT_EMAIL: trento-developers@suse.com
+
 jobs:
   pre-release:
-    name: Detect new version, draft release, update changelog
+    name: Prepare a release
     permissions:
       contents: write
     runs-on: ubuntu-24.04
@@ -28,6 +38,7 @@ jobs:
         uses: actions/checkout@v6
         with:
           fetch-depth: 2        # required by detect-version step
+          ref: ${{ inputs.triggering_branch }}
           ssh-key: ${{ secrets.release_key }}
 
       - name: Detect new version
@@ -45,10 +56,11 @@ jobs:
         id: draft-release
         uses: release-drafter/release-drafter@v6
         with:
+          config-name: release_drafter_${{ inputs.triggering_branch }}.yaml
           publish: false
+          commitish: ${{ inputs.triggering_branch }}
           version: ${{ steps.detect-version.outputs.current-version }}
           disable-autolabeler: true
-          config-name: release_drafter.yaml
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
@@ -61,27 +73,102 @@ jobs:
       - name: Commit new changelog
         uses: stefanzweifel/git-auto-commit-action@v7
         with:
-          branch: main
+          # We need to checkout `branch` explicitly because
+          # `detect-version` messes with the HEAD ref.
+          branch: ${{ inputs.triggering_branch }}
+          skip_fetch: true
+          create_branch: false
+          commit_user_name: ${{ env.GIT_USER }}
+          commit_user_email: ${{ env.GIT_EMAIL }}
+          commit_author: "${{ env.GIT_USER }} <${{ env.GIT_EMAIL }}>"
           commit_message: |
             Automatically update CHANGELOG.md for release ${{ steps.detect-version.outputs.current-version }}
 
             [skip ci]
 
+  cross-merge-branches:
+    name: Merge branches for full release
+    needs: [pre-release]
+    if: inputs.triggering_branch == 'main'
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Check out the repository
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+          ref: main
+          ssh-key: ${{ secrets.release_key }}
+
+      - name: Setup git
+        run: |
+          git config --global user.name "${GIT_USER}"
+          git config --global user.email "${GIT_EMAIL}"
+
+      - name: Switch to 'release' branch
+        run: git switch release 2>/dev/null || git switch -c release main
+
+      - name: Merge `main` into `release`
+        run: |
+          git merge main -X theirs --no-ff \
+                         -m "Release ${{ needs.pre-release.outputs.version }}" \
+                         -m "[skip ci]"
+
+      - name: Switch back to `main` branch
+        run: git switch main
+
+      - name: Merge `release` into main
+        run: git merge release --ff-only
+
+      - name: Push branches `main` and `release`
+        run: git push origin main release
+
+  hotfix-merge-branches:
+    name: Merge branches for hotfix release
+    needs: [pre-release]
+    if: inputs.triggering_branch == 'release'
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Check out the repository
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+          ref: main
+          ssh-key: ${{ secrets.release_key }}
+
+      - name: Setup git
+        run: |
+          git config --global user.name "${GIT_USER}"
+          git config --global user.email "${GIT_EMAIL}"
+
+      - name: Merge `release` into `main`
+        run: |
+          git merge origin/release -X ours --no-ff \
+                    -m "Merge Release ${{ needs.pre-release.outputs.version }} into main" \
+                    -m "[skip ci]"
+
+      - name: Push branch `main`
+        run: git push origin main
+
   release:
     name: Tag and publish release
     permissions:
       contents: write
     runs-on: ubuntu-24.04
-    needs:
-      - pre-release
+    needs: [pre-release, cross-merge-branches, hotfix-merge-branches]
+    # Hack: Implement poor man's "either or" logic for `needs`.
+    if: >-
+      always()
+      && contains(needs.*.result, 'success')
+      && !contains(needs.*.result, 'failure')
     steps:
       - name: Publish release
         id: publish-release
         uses: release-drafter/release-drafter@v6
         with:
+          config-name: release_drafter_${{ inputs.triggering_branch }}.yaml
           publish: true
+          commitish: ${{ inputs.triggering_branch }}
           version: ${{ needs.pre-release.outputs.version }}
           disable-autolabeler: true
-          config-name: release_drafter.yaml
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/publish-containers.yaml

@@ -3,6 +3,10 @@ name: Publish Containers
 on:
   workflow_call:
     inputs:
+      branch:
+        type: string
+        required: true
+        description: The branch we want to build and publish.
       registry:
         required: false
         type: string
@@ -29,6 +33,7 @@ on:
           Additional build arguments that would be passed when
           building the container. Value should be new-line delimited
           string.
+
 jobs:
   detect-version:
     name: Detect version
@@ -45,6 +50,7 @@ jobs:
       - uses: actions/checkout@v6
         with:
           fetch-depth: 0
+          ref: ${{ inputs.branch }}
 
       - name: Get version from git
         id: extract-version
@@ -65,6 +71,7 @@ jobs:
       - uses: actions/checkout@v6
         with:
           fetch-depth: 0
+          ref: ${{ inputs.branch }}
 
       - uses: docker/setup-buildx-action@v3
 

.github/workflows/release.yaml

@@ -4,6 +4,7 @@ on:
   push:
     branches:
       - main
+      - release
     paths:
       - "VERSION"
 
@@ -13,6 +14,8 @@ jobs:
   release:
     name: Git Release
     uses: ./.github/workflows/git-release.yaml
+    with:
+      triggering_branch: ${{ github.ref_name }}
     secrets:
       release_key: ${{ secrets.RELEASE_KEY }}
 
@@ -27,6 +30,7 @@ jobs:
           - ${{ needs.release.outputs.version }}
           - rolling
     with:
+      branch: ${{ github.ref_name }}
       image_name: ansible
       tag: ${{ matrix.tag }}
       dockerfile: "docker/Dockerfile"