ci(release): use RELEASE_TOKEN for the post-release push to main (#1395) #544
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| on: | |
| push: | |
| # Sequence of patterns matched against refs/tags | |
| tags: | |
| - 'v*' # Push events to matching v*, i.e. v1.0, v20.15.10 | |
| name: Create Release | |
| jobs: | |
| build: | |
| name: Create Release | |
| runs-on: ubuntu-22.04 | |
| outputs: | |
| release_url: ${{ steps.create_release.outputs.html_url }} | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v2 | |
| - name: Get Release Changes | |
| id: recentCommits | |
| run: | | |
| echo ::set-output name=release_body::$(git log --no-merges --pretty=format:'%s' $(git describe --abbrev=0 --tags)...HEAD) | |
| - name: Create Release | |
| id: create_release | |
| uses: actions/create-release@v1 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token | |
| with: | |
| tag_name: ${{ github.ref }} | |
| release_name: Release ${{ github.ref }} | |
| body: ${{steps.recentCommits.outputs.release_body}} | |
| draft: false | |
| prerelease: false | |
| zip-recipes: | |
| runs-on: ubuntu-22.04 | |
| needs: build | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v2 | |
| - name: Get release | |
| id: get_release | |
| uses: bruceadams/get-release@v1.2.2 | |
| env: | |
| GITHUB_TOKEN: ${{ github.token }} | |
| - name: Write version | |
| uses: DamianReeves/write-file-action@v1.0 | |
| with: | |
| path: recipes/version.txt | |
| contents: ${{ steps.get_release.outputs.tag_name }} | |
| write-mode: overwrite | |
| - name: Zip recipes | |
| uses: vimtor/action-zip@v1 | |
| with: | |
| files: recipes/ version.txt | |
| dest: recipes.zip | |
| - name: Upload recipes zip file to GitHub | |
| uses: actions/upload-release-asset@v1 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| with: | |
| upload_url: ${{ steps.get_release.outputs.upload_url }} | |
| asset_path: ${{ github.workspace }}/recipes.zip | |
| asset_name: recipes.zip | |
| asset_content_type: application/octet-stream | |
| - name: Install aws cli | |
| run: | | |
| sudo apt-get update -y | |
| sudo apt-get install awscli -y | |
| - name: Write config 1 | |
| uses: DamianReeves/write-file-action@v1.0 | |
| with: | |
| path: /home/runner/.aws/credentials | |
| contents: | | |
| [virtuoso_user] | |
| aws_access_key_id=${{ secrets.AWS_ACCESS_KEY_ID }} | |
| aws_secret_access_key=${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| write-mode: overwrite | |
| - name: Write config 2 | |
| uses: DamianReeves/write-file-action@v1.0 | |
| with: | |
| path: /home/runner/.aws/config | |
| contents: | | |
| [profile virtuoso] | |
| role_arn = ${{ secrets.AWS_ROLE_ARN }} | |
| region = ${{ secrets.AWS_DEFAULT_REGION }} | |
| source_profile = virtuoso_user | |
| write-mode: overwrite | |
| - name: Upload recipes zip file to S3 (download.newrelic.com) | |
| id: upload-recipes-s3 | |
| run: | | |
| aws s3 cp ${{ github.workspace }}/recipes.zip s3://nr-downloads-main/install/open-install-library/${{ steps.get_release.outputs.tag_name }}/recipes.zip --profile virtuoso | |
| - name: Upload currentVersion.txt to S3 | |
| id: upload-current-version-s3 | |
| run: | | |
| aws s3 cp recipes/version.txt s3://nr-downloads-main/install/open-install-library/currentVersion.txt --profile virtuoso --cache-control no-cache | |
| - name: Cleanup configs | |
| run: | | |
| rm -rf /home/runner/.aws/credentials | |
| rm -rf /home/runner/.aws/config | |
| commit-release-notes: | |
| name: Record release on main | |
| runs-on: ubuntu-22.04 | |
| needs: build | |
| permissions: | |
| contents: write | |
| steps: | |
| - name: Checkout main | |
| uses: actions/checkout@v4 | |
| with: | |
| ref: main | |
| fetch-depth: 0 | |
| # RELEASE_TOKEN (PAT) is required because main is protected — rules | |
| # forbid direct pushes and require FOSSA to pass. The default | |
| # GITHUB_TOKEN cannot bypass those rules. RELEASE_TOKEN is the same | |
| # PAT the CLI's OIL→CLI workflow already uses to push tags into OIL. | |
| token: ${{ secrets.RELEASE_TOKEN }} | |
| - name: Commit release marker to main | |
| env: | |
| RELEASE_URL: ${{ needs.build.outputs.release_url }} | |
| run: | | |
| set -euo pipefail | |
| # Strip refs/tags/ → e.g. v0.82.0 | |
| TAG="${GITHUB_REF#refs/tags/}" | |
| RELEASE_DATE=$(date -u +'%-d %B %Y') | |
| # Previous release tag = second-newest v* tag by semver sort. | |
| # `git tag --sort=-v:refname` puts the newest first; filter out the just-released tag. | |
| PREV=$(git tag --list 'v*' --sort=-v:refname | grep -v "^${TAG}$" | head -1 || true) | |
| { | |
| printf 'chore(release): Open Install Library Release %s, %s\n\n' "$TAG" "$RELEASE_DATE" | |
| if [ -n "$PREV" ]; then | |
| printf 'Changes since %s:\n\n' "$PREV" | |
| git log --no-merges --pretty=format:'- %s (%h)' "${PREV}..${TAG}" | |
| printf '\n\n' | |
| fi | |
| printf 'Release: %s\n' "${RELEASE_URL}" | |
| } > /tmp/commit-msg.txt | |
| echo "----- Commit message preview -----" | |
| cat /tmp/commit-msg.txt | |
| echo "----------------------------------" | |
| git config user.name 'github-actions[bot]' | |
| git config user.email '41898282+github-actions[bot]@users.noreply.github.com' | |
| git commit --allow-empty -F /tmp/commit-msg.txt | |
| # Retry once on race (someone else pushed to main between checkout and push). | |
| if ! git push origin main; then | |
| echo "push rejected; refetching and rebasing before retry" | |
| git pull --rebase origin main | |
| git push origin main | |
| fi |