CLOUDP-307033: Sign also release PRs and SBOMs (#2289)

* CLOUDP-307033: Sign also releas PRs and SBOMs

* trace create commit

* Send blobs from files

* Sync remote created commit locally

* Allow set a different upstream branch

* force clean

* fetch remote

* Debug changing the branch reference

* Ensure target branch exists, no need for upstream

Signed-off-by: jose.vazquez <[email protected]>

* Checkout and pull local if present

* Create remote branch on demand

Signed-off-by: jose.vazquez <[email protected]>

* pull rebase

* Don't pull

* Remove reviewers

* Remove traces

---------

Signed-off-by: jose.vazquez <[email protected]>

Author: josvazg

.github/actions/create-pr/Dockerfile

@@ -51,23 +51,28 @@ jobs:
     - name: Configure Git
       run: |
         git remote set-url origin https://${{ secrets.GITHUB_TOKEN }}@github.com/${{ github.repository }}.git
-        git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
-        git config --global user.name "github-actions[bot]"
 
     - name: Create branch and push it
+      id: generate_branch
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       run: |
         devbox run -- 'make check-major-version'
-        BRANCH="release/${VERSION}"
+        export BRANCH="release/${VERSION}"
+        export COMMIT_MESSAGE="Release ${VERSION}"
         git checkout -b $BRANCH
         git add -f ./deploy ./bundle bundle.Dockerfile docs/releases
-        git commit -m "Release ${VERSION}"
-        git reset --hard
-        git push --set-upstream origin $BRANCH
+        scripts/create-signed-commit.sh
+        echo "BRANCH=$BRANCH" >> $GITHUB_OUTPUT  # Export branch name
+        echo "COMMIT_MESSAGE=$COMMIT_MESSAGE" >> $GITHUB_OUTPUT  # Export commit message
 
     - name: Create PR
-      uses: ./.github/actions/create-pr
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        REVIEWERS: ${{ env.REVIEWERS }}
-      with:
-        REVIEWERS: ${{ env.REVIEWERS }}
+        BRANCH: ${{ steps.generate_branch.outputs.BRANCH }}
+        COMMIT_MESSAGE: ${{ steps.generate_branch.outputs.COMMIT_MESSAGE }}
+      run: |
+        gh pr create --head="${BRANCH}" \
+        --title "${COMMIT_MESSAGE}" \
+        --body "This is an autogenerated PR to prepare for the release" \
+        && echo "Pull request created"

.github/actions/create-pr/action.yml

@@ -31,26 +31,30 @@ jobs:
       - name: Configure Git
         run: |
           git remote set-url origin https://${{ secrets.GITHUB_TOKEN }}@github.com/${{ github.repository }}.git
-          git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
-          git config --global user.name "github-actions[bot]"
 
       - name: Create SBOMs branch
+        id: generate_branch
         env:
           BRANCH: version-${{ env.VERSION }}-sboms
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          COMMIT_MESSAGE: "Add SBOMs for version ${{ env.VERSION }}"
         run: |
           OS=linux ARCH=amd64 DOCKER_SBOM_PLUGIN_VERSION=0.6.1 ./scripts/get-docker-sbom-plugin.sh
           devbox run -- make generate-sboms VERSION=${{ env.VERSION }}
           git checkout -b $BRANCH
           git add docs/releases
-          git commit -m "Add SBOMs for version ${{ env.VERSION }}"
-          git push --set-upstream origin $BRANCH
+          scripts/create-signed-commit.sh
+          echo "BRANCH=$BRANCH" >> $GITHUB_OUTPUT  # Export branch name
+          echo "COMMIT_MESSAGE=$COMMIT_MESSAGE" >> $GITHUB_OUTPUT  # Export commit message
 
       - name: Create SBOMs PR
-        uses: ./.github/actions/create-pr
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          REVIEWERS: ${{ env.REVIEWERS }}
-        with:
-          REVIEWERS: ${{ env.REVIEWERS }}
-          TITLE_PREFIX: "SBOMs for version "
+          BRANCH: ${{ steps.generate_branch.outputs.BRANCH }}
+          COMMIT_MESSAGE: ${{ steps.generate_branch.outputs.COMMIT_MESSAGE }}
+          VERSION: ${{ env.VERSION }}
+        run: |
+          gh pr create --head="${BRANCH}" \
+          --title "${COMMIT_MESSAGE}" \
+          --body ""SBOMs for version ${VERSION}" \
+          && echo "Pull request created"

.github/actions/create-pr/entrypoint.sh

@@ -25,6 +25,20 @@ repo_owner="${REPO_OWNER:-mongodb}"
 repo_name="${REPO_NAME:-mongodb-atlas-kubernetes}"
 branch="${BRANCH:?}"
 commit_message="${COMMIT_MESSAGE:?}"
+remote=${REMOTE:-origin}
+
+# Ensure remote branch exists
+echo "Check remote branch ${branch} exists..."
+
+function create_branch() {
+  echo "Creating branch ${remote}/${branch}"
+  git stash
+  git push "${remote}" "${branch}"
+  git stash pop
+  git add .
+}
+
+git ls-remote --exit-code --heads origin "${branch}" >/dev/null || create_branch
 
 # Fetch the latest commit SHA
 LATEST_COMMIT_SHA=$(curl -s -H "Authorization: token $github_token" \
@@ -47,12 +61,14 @@ for FILE_PATH in $MODIFIED_FILES; do
   # Read file content encoded to base64  
   ENCODED_CONTENT=$(base64 -w0 < "${FILE_PATH}")
 
-  # Create blob  
+  # Create blob
+  echo "{\"content\": \"$ENCODED_CONTENT\", \"encoding\": \"base64\"}" > content.blob
   BLOB_JSON=$(curl -s -X POST -H "Authorization: token $github_token" \
     -H "Accept: application/vnd.github.v3+json" \
-    -d "{\"content\": \"$ENCODED_CONTENT\", \"encoding\": \"base64\"}" \
+    -d @content.blob \
     "https://api.github.com/repos/$repo_owner/$repo_name/git/blobs")
   BLOB_SHA=$(echo "${BLOB_JSON}" | jq -r '.sha')
+  rm content.blob
 
   # Append file info to tree JSON  
   NEW_TREE_ARRAY="${NEW_TREE_ARRAY}{\"path\": \"$FILE_PATH\", \"mode\": \"100644\", \"type\": \"blob\", \"sha\": \"$BLOB_SHA\"},"  
@@ -61,11 +77,13 @@ done
 # Remove trailing comma and close the array  
 NEW_TREE_ARRAY="${NEW_TREE_ARRAY%,}]"
 
-# Create new tree  
+# Create new tree
+echo "{\"base_tree\": \"$LATEST_TREE_SHA\", \"tree\": $NEW_TREE_ARRAY}" > new_tree_spec.json
 NEW_TREE_SHA=$(curl -s -X POST -H "Authorization: token $github_token" \
   -H "Accept: application/vnd.github.v3+json" \
-  -d "{\"base_tree\": \"$LATEST_TREE_SHA\", \"tree\": $NEW_TREE_ARRAY}" \
+  -d @new_tree_spec.json \
   "https://api.github.com/repos/$repo_owner/$repo_name/git/trees" | jq -r '.sha')  
+rm new_tree_spec.json
 
 echo "New tree SHA: $NEW_TREE_SHA"  
 
@@ -76,9 +94,16 @@ NEW_COMMIT_SHA=$(curl -s -X POST -H "Authorization: token $github_token" \
   "https://api.github.com/repos/$repo_owner/$repo_name/git/commits" | jq -r '.sha')
 echo "New commit SHA: $NEW_COMMIT_SHA"  
 
-# Update the reference of the branch to point to the new commit  
+# Update the reference of the branch to point to the new commit
 curl -s -X PATCH -H "Authorization: token $github_token" \
   -H "Accept: application/vnd.github.v3+json" -d "{\"sha\": \"$NEW_COMMIT_SHA\"}" \
-  "https://api.github.com/repos/$repo_owner/$repo_name/git/refs/heads/$branch"  
+  "https://api.github.com/repos/$repo_owner/$repo_name/git/refs/heads/$branch"
 
 echo "Branch ${branch} updated to new commit ${NEW_COMMIT_SHA}."  
+git restore --staged .
+git restore .
+git clean -f
+git fetch "${remote}"
+git checkout -b "${branch}" "${remote}/${branch}" || git checkout "${branch}"
+
+echo "Local branch set to ${remote}/${branch}"