Skip to content

ci(release): use RELEASE_TOKEN for the post-release push to main (#1395) #544

ci(release): use RELEASE_TOKEN for the post-release push to main (#1395)

ci(release): use RELEASE_TOKEN for the post-release push to main (#1395) #544

Workflow file for this run

on:
push:
# Sequence of patterns matched against refs/tags
tags:
- 'v*' # Push events to matching v*, i.e. v1.0, v20.15.10
name: Create Release
jobs:
build:
name: Create Release
runs-on: ubuntu-22.04
outputs:
release_url: ${{ steps.create_release.outputs.html_url }}
steps:
- name: Checkout code
uses: actions/checkout@v2
- name: Get Release Changes
id: recentCommits
run: |
echo ::set-output name=release_body::$(git log --no-merges --pretty=format:'%s' $(git describe --abbrev=0 --tags)...HEAD)
- name: Create Release
id: create_release
uses: actions/create-release@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token
with:
tag_name: ${{ github.ref }}
release_name: Release ${{ github.ref }}
body: ${{steps.recentCommits.outputs.release_body}}
draft: false
prerelease: false
zip-recipes:
runs-on: ubuntu-22.04
needs: build
steps:
- name: Checkout code
uses: actions/checkout@v2
- name: Get release
id: get_release
uses: bruceadams/get-release@v1.2.2
env:
GITHUB_TOKEN: ${{ github.token }}
- name: Write version
uses: DamianReeves/write-file-action@v1.0
with:
path: recipes/version.txt
contents: ${{ steps.get_release.outputs.tag_name }}
write-mode: overwrite
- name: Zip recipes
uses: vimtor/action-zip@v1
with:
files: recipes/ version.txt
dest: recipes.zip
- name: Upload recipes zip file to GitHub
uses: actions/upload-release-asset@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ steps.get_release.outputs.upload_url }}
asset_path: ${{ github.workspace }}/recipes.zip
asset_name: recipes.zip
asset_content_type: application/octet-stream
- name: Install aws cli
run: |
sudo apt-get update -y
sudo apt-get install awscli -y
- name: Write config 1
uses: DamianReeves/write-file-action@v1.0
with:
path: /home/runner/.aws/credentials
contents: |
[virtuoso_user]
aws_access_key_id=${{ secrets.AWS_ACCESS_KEY_ID }}
aws_secret_access_key=${{ secrets.AWS_SECRET_ACCESS_KEY }}
write-mode: overwrite
- name: Write config 2
uses: DamianReeves/write-file-action@v1.0
with:
path: /home/runner/.aws/config
contents: |
[profile virtuoso]
role_arn = ${{ secrets.AWS_ROLE_ARN }}
region = ${{ secrets.AWS_DEFAULT_REGION }}
source_profile = virtuoso_user
write-mode: overwrite
- name: Upload recipes zip file to S3 (download.newrelic.com)
id: upload-recipes-s3
run: |
aws s3 cp ${{ github.workspace }}/recipes.zip s3://nr-downloads-main/install/open-install-library/${{ steps.get_release.outputs.tag_name }}/recipes.zip --profile virtuoso
- name: Upload currentVersion.txt to S3
id: upload-current-version-s3
run: |
aws s3 cp recipes/version.txt s3://nr-downloads-main/install/open-install-library/currentVersion.txt --profile virtuoso --cache-control no-cache
- name: Cleanup configs
run: |
rm -rf /home/runner/.aws/credentials
rm -rf /home/runner/.aws/config
commit-release-notes:
name: Record release on main
runs-on: ubuntu-22.04
needs: build
permissions:
contents: write
steps:
- name: Checkout main
uses: actions/checkout@v4
with:
ref: main
fetch-depth: 0
# RELEASE_TOKEN (PAT) is required because main is protected — rules
# forbid direct pushes and require FOSSA to pass. The default
# GITHUB_TOKEN cannot bypass those rules. RELEASE_TOKEN is the same
# PAT the CLI's OIL→CLI workflow already uses to push tags into OIL.
token: ${{ secrets.RELEASE_TOKEN }}
- name: Commit release marker to main
env:
RELEASE_URL: ${{ needs.build.outputs.release_url }}
run: |
set -euo pipefail
# Strip refs/tags/ → e.g. v0.82.0
TAG="${GITHUB_REF#refs/tags/}"
RELEASE_DATE=$(date -u +'%-d %B %Y')
# Previous release tag = second-newest v* tag by semver sort.
# `git tag --sort=-v:refname` puts the newest first; filter out the just-released tag.
PREV=$(git tag --list 'v*' --sort=-v:refname | grep -v "^${TAG}$" | head -1 || true)
{
printf 'chore(release): Open Install Library Release %s, %s\n\n' "$TAG" "$RELEASE_DATE"
if [ -n "$PREV" ]; then
printf 'Changes since %s:\n\n' "$PREV"
git log --no-merges --pretty=format:'- %s (%h)' "${PREV}..${TAG}"
printf '\n\n'
fi
printf 'Release: %s\n' "${RELEASE_URL}"
} > /tmp/commit-msg.txt
echo "----- Commit message preview -----"
cat /tmp/commit-msg.txt
echo "----------------------------------"
git config user.name 'github-actions[bot]'
git config user.email '41898282+github-actions[bot]@users.noreply.github.com'
git commit --allow-empty -F /tmp/commit-msg.txt
# Retry once on race (someone else pushed to main between checkout and push).
if ! git push origin main; then
echo "push rejected; refetching and rebasing before retry"
git pull --rebase origin main
git push origin main
fi