

Merge pull request #195 from inteon/cicd
Make `Makefile`s reusable and automate release process
inteon authored May 13, 2024
2 parents aa0849e + a927428 commit a7798d5
Showing 89 changed files with 5,206 additions and 1,805 deletions.
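--- a/.github/dependabot.yaml
+++ b/.github/dependabot.yaml
@@ -1,17 +1,20 @@
-# Update Go dependencies and GitHub Actions dependencies weekly.
+# THIS FILE IS AUTOMATICALLY GENERATED. DO NOT EDIT.
+# Edit https://github.com/cert-manager/makefile-modules/blob/main/modules/repository-base/base/.github/dependabot.yaml instead.
+
+# Update Go dependencies and GitHub Actions dependencies daily.
 version: 2
 updates:
 - package-ecosystem: gomod
 directory: /
 schedule:
-interval: weekly
+interval: daily
 groups:
 all:
 patterns: ["*"]
 - package-ecosystem: github-actions
 directory: /
 schedule:
-interval: weekly
+interval: daily
 groups:
 all:
 patterns: ["*"]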
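--- /dev/null
+++ b/.github/workflows/debian-trust-package-release.yaml
@@ -0,0 +1,35 @@
+name: debian-trust-package-release
+on:
+push:
+branches: ['main']
+paths:
+- make/00_debian_version.mk
+
+jobs:
+build_images:
+runs-on: ubuntu-latest
+
+permissions:
+contents: read # needed for checkout
+packages: write # needed for push images
+id-token: write # needed for keyless signing
+
+steps:
+- uses: actions/checkout@v4
+
+- uses: docker/login-action@v3
+with:
+registry: quay.io
+username: ${{ secrets.QUAY_USERNAME }}
+password: ${{ secrets.QUAY_PASSWORD }}
+
+- uses: actions/setup-go@v4
+with:
+go-version-file: go.mod
+
+- id: release
+run: make release-debian-trust-package
+
+outputs:
+RELEASE_OCI_MANAGER_IMAGE: ${{ steps.release.outputs.RELEASE_OCI_MANAGER_IMAGE }}
+RELEASE_OCI_MANAGER_TAG: ${{ steps.release.outputs.RELEASE_OCI_MANAGER_TAG }}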
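Review bot: Every `uses:` in this workflow is pinned to a mutable tag (`actions/checkout@v4`, `docker/login-action@v3`, `actions/setup-go@v4`) in a job that holds the Quay credentials and an `id-token: write` OIDC token, so a moved tag silently changes what runs with those secrets; pinning each action to a full commit SHA with the tag as a trailing comment, e.g. `- uses: actions/checkout@<full-commit-sha>  # v4` (placeholder), still lets the `github-actions` dependabot group added in this commit bump them. The same applies to release.yaml and debian-trust-package-upgrade.yaml, and to the generated govulncheck.yaml and make-self-upgrade.yaml, where the change would have to land upstream in makefile-modules. Separately, this file and release.yaml use `actions/setup-go@v4` while the two upgrade workflows use `@v5`; aligning on one version avoids drift between the release and maintenance paths.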
86 changes: 86 additions & 0 deletions .github/workflows/debian-trust-package-upgrade.yaml
@@ -0,0 +1,86 @@
name: debian-trust-package-upgrade
concurrency: debian-trust-package-upgrade
on:
workflow_dispatch: {}
schedule:
- cron: '0 0 * * *'

jobs:
debian-trust-package-upgrade:
runs-on: ubuntu-latest

permissions:
contents: write
pull-requests: write

env:
SOURCE_BRANCH: "${{ github.ref_name }}"
SELF_UPGRADE_BRANCH: "debian-trust-package-upgrade-${{ github.ref_name }}"

steps:
- name: Fail if branch is not head of branch.
if: ${{ !startsWith(github.ref, 'refs/heads/') && env.SOURCE_BRANCH != '' && env.SELF_UPGRADE_BRANCH != '' }}
run: |
echo "This workflow should not be run on a non-branch-head."
exit 1
- uses: actions/checkout@v4

- id: go-version
run: |
make print-go-version >> "$GITHUB_OUTPUT"
- uses: actions/setup-go@v5
with:
go-version: ${{ steps.go-version.outputs.result }}

- run: |
git checkout -B "$SELF_UPGRADE_BRANCH"
- run: |
make -j upgrade-debian-trust-package-version
- id: is-up-to-date
shell: bash
run: |
git_status=$(git status -s)
is_up_to_date="true"
if [ -n "$git_status" ]; then
is_up_to_date="false"
echo "The following changes will be committed:"
echo "$git_status"
fi
echo "result=$is_up_to_date" >> "$GITHUB_OUTPUT"
- if: ${{ steps.is-up-to-date.outputs.result != 'true' }}
run: |
git config --global user.name "cert-manager-bot"
git config --global user.email "[email protected]"
git add -A && git commit -m "BOT: run 'make upgrade-klone' and 'make generate'" --signoff
git push -f origin "$SELF_UPGRADE_BRANCH"
- if: ${{ steps.is-up-to-date.outputs.result != 'true' }}
uses: actions/github-script@v7
with:
script: |
const { repo, owner } = context.repo;
const pulls = await github.rest.pulls.list({
owner: owner,
repo: repo,
head: owner + ':' + process.env.SELF_UPGRADE_BRANCH,
base: process.env.SOURCE_BRANCH,
state: 'open',
});
if (pulls.data.length < 1) {
await github.rest.pulls.create({
title: '[CI] Merge ' + process.env.SELF_UPGRADE_BRANCH + ' into ' + process.env.SOURCE_BRANCH,
owner: owner,
repo: repo,
head: process.env.SELF_UPGRADE_BRANCH,
base: process.env.SOURCE_BRANCH,
body: [
'This PR is auto-generated to bump the Makefile modules.',
].join('\n'),
});
}
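Review bot: The bot commit message `git add -A && git commit -m "BOT: run 'make upgrade-klone' and 'make generate'" --signoff` and the PR body `'This PR is auto-generated to bump the Makefile modules.'` appear to be copied from make-self-upgrade.yaml, but this job runs `make -j upgrade-debian-trust-package-version`, so every PR it opens will describe the wrong change. Suggest `git commit -m "BOT: run 'make upgrade-debian-trust-package-version'" --signoff` and `'This PR is auto-generated to bump the Debian trust package version.'`. The `name:`, `concurrency:` and `SELF_UPGRADE_BRANCH` values already use the debian-trust-package-upgrade wording, so only these two strings are off.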
28 changes: 28 additions & 0 deletions .github/workflows/govulncheck.yaml
@@ -0,0 +1,28 @@
# THIS FILE IS AUTOMATICALLY GENERATED. DO NOT EDIT.
# Edit https://github.com/cert-manager/makefile-modules/blob/main/modules/go/base/.github/workflows/govulncheck.yaml instead.

# Run govulncheck at midnight every night on the main branch,
# to alert us to recent vulnerabilities which affect the Go code in this
# project.
name: govulncheck
on:
workflow_dispatch: {}
schedule:
- cron: '0 0 * * *'

jobs:
govulncheck:
runs-on: ubuntu-latest

steps:
- uses: actions/checkout@v4

- id: go-version
run: |
make print-go-version >> "$GITHUB_OUTPUT"
- uses: actions/setup-go@v5
with:
go-version: ${{ steps.go-version.outputs.result }}

- run: make verify-govulncheck
90 changes: 90 additions & 0 deletions .github/workflows/make-self-upgrade.yaml
@@ -0,0 +1,90 @@
# THIS FILE IS AUTOMATICALLY GENERATED. DO NOT EDIT.
# Edit https://github.com/cert-manager/makefile-modules/blob/main/modules/repository-base/base/.github/workflows/make-self-upgrade.yaml instead.

name: make-self-upgrade
concurrency: make-self-upgrade
on:
workflow_dispatch: {}
schedule:
- cron: '0 0 * * *'

jobs:
self_upgrade:
runs-on: ubuntu-latest

permissions:
contents: write
pull-requests: write

env:
SOURCE_BRANCH: "${{ github.ref_name }}"
SELF_UPGRADE_BRANCH: "self-upgrade-${{ github.ref_name }}"

steps:
- name: Fail if branch is not head of branch.
if: ${{ !startsWith(github.ref, 'refs/heads/') && env.SOURCE_BRANCH != '' && env.SELF_UPGRADE_BRANCH != '' }}
run: |
echo "This workflow should not be run on a non-branch-head."
exit 1
- uses: actions/checkout@v4

- id: go-version
run: |
make print-go-version >> "$GITHUB_OUTPUT"
- uses: actions/setup-go@v5
with:
go-version: ${{ steps.go-version.outputs.result }}

- run: |
git checkout -B "$SELF_UPGRADE_BRANCH"
- run: |
make -j upgrade-klone
make -j generate
- id: is-up-to-date
shell: bash
run: |
git_status=$(git status -s)
is_up_to_date="true"
if [ -n "$git_status" ]; then
is_up_to_date="false"
echo "The following changes will be committed:"
echo "$git_status"
fi
echo "result=$is_up_to_date" >> "$GITHUB_OUTPUT"
- if: ${{ steps.is-up-to-date.outputs.result != 'true' }}
run: |
git config --global user.name "cert-manager-bot"
git config --global user.email "[email protected]"
git add -A && git commit -m "BOT: run 'make upgrade-klone' and 'make generate'" --signoff
git push -f origin "$SELF_UPGRADE_BRANCH"
- if: ${{ steps.is-up-to-date.outputs.result != 'true' }}
uses: actions/github-script@v7
with:
script: |
const { repo, owner } = context.repo;
const pulls = await github.rest.pulls.list({
owner: owner,
repo: repo,
head: owner + ':' + process.env.SELF_UPGRADE_BRANCH,
base: process.env.SOURCE_BRANCH,
state: 'open',
});
if (pulls.data.length < 1) {
await github.rest.pulls.create({
title: '[CI] Merge ' + process.env.SELF_UPGRADE_BRANCH + ' into ' + process.env.SOURCE_BRANCH,
owner: owner,
repo: repo,
head: process.env.SELF_UPGRADE_BRANCH,
base: process.env.SOURCE_BRANCH,
body: [
'This PR is auto-generated to bump the Makefile modules.',
].join('\n'),
});
}
84 changes: 84 additions & 0 deletions .github/workflows/release.yaml
@@ -0,0 +1,84 @@
name: release
on:
push:
tags:
- "v*"

env:
VERSION: ${{ github.ref_name }}

jobs:
build_images:
runs-on: ubuntu-latest

permissions:
contents: read # needed for checkout
packages: write # needed for push images
id-token: write # needed for keyless signing

steps:
- uses: actions/checkout@v4

- uses: docker/login-action@v3
with:
registry: quay.io
username: ${{ secrets.QUAY_USERNAME }}
password: ${{ secrets.QUAY_PASSWORD }}

- uses: actions/setup-go@v4
with:
go-version-file: go.mod

- id: release
run: make release

- uses: actions/upload-artifact@v3
with:
name: trust-manager-${{ env.VERSION }}.tgz
path: ${{ steps.release.outputs.RELEASE_HELM_CHART_TAR }}

outputs:
RELEASE_OCI_MANAGER_IMAGE: ${{ steps.release.outputs.RELEASE_OCI_MANAGER_IMAGE }}
RELEASE_OCI_MANAGER_TAG: ${{ steps.release.outputs.RELEASE_OCI_MANAGER_TAG }}
RELEASE_OCI_PACKAGE_DEBIAN_IMAGE: ${{ steps.release.outputs.RELEASE_OCI_PACKAGE_DEBIAN_IMAGE }}
RELEASE_OCI_PACKAGE_DEBIAN_TAG: ${{ steps.release.outputs.RELEASE_OCI_PACKAGE_DEBIAN_TAG }}
RELEASE_HELM_CHART_NAME: ${{ steps.release.outputs.RELEASE_HELM_CHART_NAME }}
RELEASE_HELM_CHART_VERSION: ${{ steps.release.outputs.RELEASE_HELM_CHART_VERSION }}

github_release:
runs-on: ubuntu-latest

needs: build_images

permissions:
contents: write # needed for creating a PR
pull-requests: write # needed for creating a PR

steps:
- run: |
touch .notes-file
echo "OCI_MANAGER_IMAGE: ${{ needs.build_images.outputs.RELEASE_OCI_MANAGER_IMAGE }}" >> .notes-file
echo "OCI_MANAGER_TAG: ${{ needs.build_images.outputs.RELEASE_OCI_MANAGER_TAG }}" >> .notes-file
echo "OCI_PACKAGE_DEBIAN_IMAGE: ${{ needs.build_images.outputs.RELEASE_OCI_PACKAGE_DEBIAN_IMAGE }}" >> .notes-file
echo "OCI_PACKAGE_DEBIAN_TAG: ${{ needs.build_images.outputs.RELEASE_OCI_PACKAGE_DEBIAN_TAG }}" >> .notes-file
echo "HELM_CHART_NAME: ${{ needs.build_images.outputs.RELEASE_HELM_CHART_NAME }}" >> .notes-file
echo "HELM_CHART_VERSION: ${{ needs.build_images.outputs.RELEASE_HELM_CHART_VERSION }}" >> .notes-file
- id: chart_download
uses: actions/download-artifact@v3
with:
name: trust-manager-${{ env.VERSION }}.tgz

- env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
gh release create "$VERSION" \
--repo="$GITHUB_REPOSITORY" \
--title="${GITHUB_REPOSITORY#*/} ${VERSION#v}" \
--draft \
--verify-tag \
--notes-file .notes-file
gh release upload "$VERSION" \
--repo="$GITHUB_REPOSITORY" \
"${{ steps.chart_download.outputs.download-path }}/trust-manager-$VERSION.tgz"
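Review bot: The `github_release` job requests `pull-requests: write # needed for creating a PR`, but its steps only write a notes file, download the chart artifact and run `gh release create` / `gh release upload`, none of which touches pull requests; `contents: write` alone covers creating the release and uploading the asset, so the extra scope can be dropped and the remaining comment corrected to `contents: write # needed for creating the release and uploading assets`. As a point of style, the notes-file step expands `${{ needs.build_images.outputs.* }}` directly inside the `run:` script, whereas the final step reads `$VERSION` and `$GITHUB_REPOSITORY` from the environment; routing the outputs through an `env:` block on the step keeps the shell script free of template interpolation and matches that later step. Those outputs come from this repository's own `make release`, so this is about consistency rather than an exposure.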
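--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,31 @@
-/bin
-/_artifacts
-/.vscode
-/.idea/
+# Binaries for programs and plugins
+*.exe
+*.exe~
+*.dll
+*.so
+*.dylib
+bin
+testbin/*
+
+# Test binary, build with `go test -c`
+*.test
+
+# Output of the go coverage tool, specifically when used with LiteIDE
+*.out
+
+# Kubernetes Generated files - skip generated files, except for vendored files
+!vendor/**/zz_generated.*
+
+# editor and IDE paraphernalia
+.idea
+*.swp
+*.swo
+*~
+
+_bin
+_certs
+_artifacts
+.vscode
+
+# direnv files
+.envrc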
