Apply container release procedures from ServiceControl to ServicePulse (#1894)

DavidBoike · web-flow · commit 3f407ac776d7 · 2024-06-26T16:27:55.000-05:00
* Apply container release procedures from ServiceControl to ServicePulse

* Also do Major.Minor tag

* Readme as well

* Throw if releasing a lower-versioned patch on the same minor

* Apply version check to all release jobs
diff --git a/.github/actions/validate-version/action.yml b/.github/actions/validate-version/action.yml
@@ -0,0 +1,123 @@
+name: Validate version
+description: Validate that provided version can be released
+inputs:
+  version:
+    description: Full version
+    required: true
+outputs:
+  major:
+    description: Major version
+    value: ${{ steps.validate.outputs.major }}
+  minor:
+    description: Minor version
+    value: ${{ steps.validate.outputs.minor }}
+  patch:
+    description: Patch version
+    value: ${{ steps.validate.outputs.patch }}
+  prerelease:
+    description: Prerelease label
+    value: ${{ steps.validate.outputs.prerelease }}
+  container-tags:
+    description: Tags to be added for container releases (comma-separated)
+    value: ${{ steps.validate.outputs.container-tags }}
+  latest:
+    description: Evaluates to `true` if the version should be flagged as the new latest version
+    value: ${{ steps.validate.outputs.latest }}
+runs:
+  using: composite
+  steps:
+    - name: Validate versions
+      id: validate
+      shell: pwsh
+      run: |
+        $version = "${{ inputs.version }}"
+
+        Write-Output "Received version: $version"
+        $isMatch = $version -match '^(?<Major>\d+)\.(?<Minor>\d+)\.(?<Patch>\d+)(-(?<PrereleaseLabel>[\w\-\.]+))?$'
+        if ( -not $isMatch)
+        {
+          throw "Invalid version $version"
+          exit 1
+        }
+
+        Write-Output "Version $version is valid."
+
+        $major = [int]$Matches.Major
+        $minor = [int]$Matches.Minor
+        $patch = [int]$Matches.Patch
+        $prereleaseLabel = $Matches.PrereleaseLabel
+        $isPrerelease = -not -not $prereleaseLabel
+
+        echo "major=$major" | Out-File -FilePath $Env:GITHUB_OUTPUT -Encoding utf-8 -Append
+        echo "minor=$minor" | Out-File -FilePath $Env:GITHUB_OUTPUT -Encoding utf-8 -Append
+        echo "patch=$patch" | Out-File -FilePath $Env:GITHUB_OUTPUT -Encoding utf-8 -Append
+        echo "prerelease=$prereleaseLabel" | Out-File -FilePath $Env:GITHUB_OUTPUT -Encoding utf-8 -Append
+
+        # Get highest-versioned releases
+        $releases = Invoke-WebRequest -Uri https://api.github.com/repos/particular/ServicePulse/releases -UseBasicParsing |
+            ConvertFrom-Json -ErrorAction Stop
+        $releasedVersions = $releases |
+            where Draft -eq $false |
+            where Prerelease -eq $false |
+            where Name -match '^\d+\.\d+\.\d+$' |  # Ignore prerelease tags
+            select -ExpandProperty tag_name
+
+        $latestVersion = $releasedVersions |
+            Sort-Object { [System.Version]$_ } -Descending |
+            select -First 1
+        Write-Output "Latest released version on GitHub = $latestVersion"
+
+        $latestForMajor = $releasedVersions |
+            where { ([System.Version]$_).Major -eq $major } |
+            Sort-Object { [System.Version]$_ } -Descending |
+            select -First 1
+        Write-Output "Latest released v$major version on GitHub = $latestForMajor"
+
+        $latestForMinor = $releasedVersions |
+            where { ([System.Version]$_).Major -eq $major -and ([System.Version]$_).Minor -eq $minor } |
+            Sort-Object { [System.Version]$_ } -Descending |
+            select -First 1
+        Write-Output "Latest released v$major.$minor version on GitHub = $latestForMinor"
+
+        $isLatest = $false
+        if ( -not $isPrerelease ) {
+          $vNew = [System.Version]$version
+          $vPrev = [System.Version]$latestVersion
+          $vPrevForMajor = [System.Version]$latestForMajor
+          $vPrevForMinor = [System.Version]$latestForMinor
+
+          if ($vNew -ge $vPrev) {
+            $isLatest = $true
+          }
+
+          # For new majors, vNew < null evaluates to false, no exception thrown
+          # Logic would not be appropriate if support policy allows backports to previous minors
+          if ($vNew -lt $vPrevForMajor) {
+            throw "Releasing a version $version that is not the latest version for the major would break container tagging and is not supported. (Latest v$major version is $latestForMajor)"
+          }
+
+          # For new minors, vNew < null evaluates to false, no exception thrown
+          if ($vNew -lt $vPrevForMinor) {
+            throw "Releasing a version $version that is not the latest version for the minor would break container tagging and is not supported. (Latest v$major.$minor version is $latestForMinor)"
+          }
+        }
+
+        Write-Output "Major = $major, Minor = $minor, Patch = $patch, PrereleaseLabel = $prereleaseLabel, IsPrerelease = $isPrerelease, IsLatest = $isLatest"
+
+        Write-Output "Determining container tags..."
+        $tags = @($version)
+
+        if ( -not $isPrerelease ) {
+          $tags += "$major.$minor"
+          $tags += "$major"
+          if ($isLatest) {
+            $tags += 'latest'
+          }
+        }
+
+        Write-Output "Tags to apply:"
+        $tags | ForEach-Object { Write-Output " * '$_'" }
+
+        $tagsDelimited = $tags -Join ','
+        echo "container-tags=$tagsDelimited" | Out-File -FilePath $Env:GITHUB_OUTPUT -Encoding utf-8 -Append
+        echo "latest=$($isLatest.ToString().ToLower())" | Out-File -FilePath $Env:GITHUB_OUTPUT -Encoding utf-8 -Append
diff --git a/.github/workflows/push-container-images.yml b/.github/workflows/push-container-images.yml
@@ -0,0 +1,55 @@
+name: Push container images
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: Full version of container image to push. Normally, this should exactly match the tag name.
+        required: true
+        type: string
+jobs:
+  push:
+    runs-on: ubuntu-latest
+    name: Push
+    defaults:
+      run:
+        shell: pwsh
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4.1.7
+      - name: Validate build version
+        id: validate
+        uses: ./.github/actions/validate-version
+        with:
+          version: ${{ inputs.version }}
+      - name: Log in to GitHub container registry
+        run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3.2.0
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: Publish to Docker Hub
+        run: |
+          $containers = @('servicepulse')
+          $tags = "${{ steps.validate.outputs.container-tags }}" -Split ','
+          $sourceTag = "${{ inputs.version }}"
+
+          foreach ($tag in $tags)
+          {
+            foreach($name in $containers)
+            {
+              Write-Output "::group::Pushing $($name):$($tag)"
+              $cmd = "docker buildx imagetools create --tag particular/$($name):$($tag) ghcr.io/particular/$($name):$($sourceTag)"
+              Write-Output "Command: $cmd"
+              Invoke-Expression $cmd
+              Write-Output "::endgroup::"
+            }
+          }
+      - name: Update Docker Hub Description
+        if: ${{ steps.validate.outputs.latest == 'true' }}
+        uses: peter-evans/dockerhub-description@v4.0.0
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+          repository: particular/servicepulse
+          readme-filepath: ./src/Container/README.md
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -39,6 +39,11 @@ jobs:
       # .NET Build and sign
       - name: Build
         run: dotnet build src --configuration Release
+      - name: Validate build version
+        if: ${{ github.event_name == 'push' && github.ref_type == 'tag' }}
+        uses: ./.github/actions/validate-version
+        with:
+          version: ${{ env.MinVerVersion }}
       - name: Sign NuGet packages
         uses: Particular/sign-nuget-packages-action@v1.0.0
         with:
@@ -99,6 +104,10 @@ jobs:
   linux-container:
     if: ${{ github.actor != 'dependabot[bot]' }}
     runs-on: ubuntu-22.04
+    name: linux-container
+    defaults:
+      run:
+        shell: bash
     steps:
       - name: Check for secrets
         env:
@@ -113,6 +122,11 @@ jobs:
         run: dotnet tool install --global minver-cli
       - name: Determine version
         run: echo "MinVerVersion=$(minver)" >> $GITHUB_ENV
+      - name: Validate build version
+        if: ${{ github.event_name == 'push' && github.ref_type == 'tag' }}
+        uses: ./.github/actions/validate-version
+        with:
+          version: ${{ env.MinVerVersion }}
       - name: Set up Node.js
         uses: actions/setup-node@v4.0.2
         with:
@@ -138,10 +152,22 @@ jobs:
         env:
           TAG_NAME: ${{ github.event_name == 'pull_request' && format('pr-{0}', github.event.number) || env.MinVerVersion }}
         run: |
-          docker buildx build --push --tag ghcr.io/particular/servicepulse:${{ env.TAG_NAME }} --file src/Container/Dockerfile \
+          docker buildx build --push --tag ghcr.io/particular/servicepulse:${{ env.TAG_NAME }} \
+            --file src/Container/Dockerfile \
             --build-arg NGINX_TAGORDIGEST="@${{ env.NGINX_DIGEST }}" \
             --build-arg VERSION=${{ env.MinVerVersion }} \
             --build-arg GITHUB_SHA=${{ github.sha }} \
             --build-arg GITHUB_REF_NAME=${{ github.ref.name }} \
+            --annotation "index:org.opencontainers.image.title=ServicePulse" \
+            --annotation "index:org.opencontainers.image.description=ServicePulse provides real-time production monitoring for distributed applications. It monitors the health of a system's endpoints, detects processing errors, sends failed messages for reprocessing, and ensures the specific environment's needs are met, all in one consolidated dashboard." \
+            --annotation "index:org.opencontainers.image.created=$(date '+%FT%TZ')" \
+            --annotation "index:org.opencontainers.image.revision=${{ github.sha }}" \
+            --annotation "index:org.opencontainers.image.authors=Particular Software" \
+            --annotation "index:org.opencontainers.image.vendor=Particular Software" \
+            --annotation "index:org.opencontainers.image.version=${{ env.MinVerVersion }}" \
+            --annotation "index:org.opencontainers.image.source=https://github.com/${{ github.repository }}/tree/${{ github.sha }}" \
+            --annotation "index:org.opencontainers.image.url=https://hub.docker.com/r/particular/servicepulse" \
+            --annotation "index:org.opencontainers.image.documentation=https://docs.particular.net/servicepulse/" \
+            --annotation "index:org.opencontainers.image.base.name=nginx@${{ env.NGINX_DIGEST }}" \
             --platform linux/arm64,linux/arm,linux/amd64 .
           docker buildx imagetools inspect ghcr.io/particular/servicepulse:${{ env.TAG_NAME }}
diff --git a/src/Container/README.md b/src/Container/README.md
@@ -63,6 +63,10 @@ If `particular/servicepulse:1.30.1` is the latest release in the version 1 major
 
 The major version tag is never added to images pushed to [the GitHub Container Registry](https://github.com/Particular/ServicePulse/pkgs/container/servicepulse).
 
+#### Minor version tag
+
+The latest release within a minor version will be tagged with `{major}.{minor}` on images pushed to Docker Hub. This allows users to target the latest patch within a specific minor version.
+
 ## Built With
 
 This image is built from the stable Alpine version of the [nginx official Docker image](https://hub.docker.com/_/nginx/).
