redhat-certification · mgoerens · Jul 20, 2023 · Jul 24, 2023
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -1,4 +1,9 @@
-name: Build, Test and Release
+name: Build, Test, Automerge and Tag
+
+# This workflow runs on all PRs that are targetting the main branch.
+#
+# It runs the test suite. If the PR is a release PR, it automerges and tags the main branch with
+# the corresonding new version.
 
 on:
     pull_request_target:
@@ -118,7 +123,7 @@ jobs:
               id: create-tarfile
               working-directory: ./chart-verifier
               run: |
-                # check if release file only is included in PR
+                # create test tarball for the tests
                 ve1/bin/tar-file --release="test"
 
 
@@ -187,7 +192,7 @@ jobs:
             - name: Approve PR
               id: approve_pr
               if: ${{ steps.check_version_updated.outputs.updated == 'true'}}
-              uses: hmarr/auto-approve-action@v2
+              uses: hmarr/auto-approve-action@v3
               with:
                   github-token: ${{ secrets.GITHUB_TOKEN }}
 
@@ -200,54 +205,25 @@ jobs:
                 MERGE_METHOD: squash
                 MERGE_LABELS: ""
 
-            - name: Check for PR merge
+            - name: Get master branch sha
+              id: master_sha
               if: ${{ steps.check_version_updated.outputs.updated == 'true'}}
               run: |
-                ve1/bin/check-auto-merge --api-url=${{ github.event.pull_request._links.self.href }}
+                git fetch
+                export ORIGIN_MASTER_SHA=$(git rev-parse origin/master)
+                echo "origin_master_sha=$ORIGIN_MASTER_SHA" >> $GITHUB_OUTPUT
 
-            - name: Create the the release
-              id: create_release
+            - name: Create release tag
+              id: create_release_tag
               if: ${{ steps.check_version_updated.outputs.updated == 'true'}}
-              uses: softprops/action-gh-release@v1
+              uses: mathieudutour/[email protected]
               with:
-                tag_name: ${{ steps.check_version_in_PR.outputs.PR_version }}
-                body: ${{ steps.check_version_in_PR.outputs.PR_release_body }}
-                files: ${{ steps.check_version_in_PR.outputs.PR_tarball_name }}
-              env:
-                GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
-            - name: Wait for image build to complete
-              # Quay is configured to automatically build our image. This waits
-              # for it to complete before proceeding successfully.
-              id: wait_for_image_build
-              if: ${{ steps.check_version_updated.outputs.updated == 'true'}}
-              run: |
-                expectedImage=quay.io/redhat-certification/chart-verifier:${{ steps.check_version_in_PR.outputs.PR_version }}
-                for i in {1..30}; do
-                  s=60
-                  echo "Querying Quay for "${expectedImage}" in ${s} seconds..." 
-                  sleep $s
-                  skopeo inspect docker://"${expectedImage}" && echo "Image Found!" && exit 0
-                done
-                echo "ERR Image not found in allotted time."
-                exit 1           
-
-            - name: Login to Quay as Bot
-              id: login_as_bot
-              if: ${{ steps.wait_for_image_build.outcome == 'success'}}
-              uses: redhat-actions/podman-login@v1
-              with:
-                username: ${{ secrets.QUAY_BOT_USERNAME }}
-                password: ${{ secrets.QUAY_BOT_TOKEN }}
-                registry: quay.io/redhat-certification
-
-            - name: Update latest tag
-              if: ${{ steps.login_as_bot.outcome == 'success'}}
-              id: update_latest_tag
-              # TODO: When we shift to a push-from-this-repo model (instead of Quay build model)
-              # we should transition this tag workflow to use the digest of the image built here in CI.
-              run: |
-                imageReference=quay.io/redhat-certification/chart-verifier
-                podman pull ${imageReference}:${{ steps.check_version_in_PR.outputs.PR_version }}
-                podman tag ${imageReference}:${{ steps.check_version_in_PR.outputs.PR_version }} ${imageReference}:latest
-                podman push ${imageReference}:latest
+                # It is necessary to use a Personal Access Token here rather than the usual GITHUB_TOKEN, as this
+                # step should trigger the release.yaml workflow, and events (such as tags) triggered by the
+                # GITHUB_TOKEN cannot create a new workflow run. See:
+                # https://docs.github.com/en/actions/using-workflows/triggering-a-workflow#triggering-a-workflow-from-a-workflow
+                # This Personal Access Token belongs to the openshift-helm-charts-bot account.
+                github_token: ${{ secrets.GH_HELM_BOT_TOKEN }}
+                custom_tag: ${{ steps.check_version_in_PR.outputs.PR_version }}
+                tag_prefix: ""
+                commit_sha: ${{ steps.master_sha.outputs.origin_master_sha }}
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -0,0 +1,113 @@
+name: create release on new tags
+
+# This workflow is triggered by new version tags (e.g. "1.12.2" without leading "v") on the main
+# branch.
+#
+# Tagging should be automatic after each merged PR release (see the build.yaml workflow).
+# Alternatively, this workflow can be triggered by manually creating a tag on the main branch with
+# the aforementioned format. Note that the tests are *not* run by this workflow, and that you
+# should therefore apply caution before manually tagging the main branch in order to trigger it.
+#
+# This workflow contains a check that the tag matches the version set in
+# ./pkg/chartverifier/version/version_info.json.
+#
+# In order to recreate a GitHub release and rebuild its associated assets, first the tag needs to
+# be manually deleted (e.g `git tag --delete 1.12.2 && git push --delete origin 1.12.2`). The
+# GitHub release that was created for this tag automatically turns into a "Draft" release and will
+# need to be manually cleaned up, though it doesn't constitute a blocker for this workflow to run.
+# Finally, as mentioned above, create a new tag (e.g. `git tag 1.12.2 && git push --tags`) to
+# recreate the release.
+#
+# This workflow builds all release assets (the tarball and the container images), creates the
+# Github release and attaches the tarball to it.
+
+on:
+  push:
+    # Publish semver tags as releases.
+    tags: '[0-9]+.[0-9]+.[0-9]+'
+
+jobs:
+  build-and-release:
+    name: Create GitHub release
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      - name: Setup Go
+        uses: actions/setup-go@v4
+        with:
+          go-version-file: go.mod
+
+      - name: Print tag to GITHUB_OUTPUT
+        id: get_tag
+        run: |
+          echo "release_version=${GITHUB_REF#refs/*/}" | tee -a $GITHUB_OUTPUT
+
+      - name: Build binary and make tarball
+        id: build_bin
+        run: |
+          make bin
+          TARBALL_NAME="chart-verifier.tgz-${{ steps.get_tag.outputs.release_version }}.tgz"
+          tar -zcvf $TARBALL_NAME -C out/ chart-verifier
+          export TARBALL_PATH=$(realpath $TARBALL_NAME)
+          echo "tarball_path=$TARBALL_PATH" | tee -a $GITHUB_OUTPUT
+
+      - name: Check that the tag matches the current version
+        id: check_tag_and_version
+        run: |
+          release_version=${{ steps.get_tag.outputs.release_version }}
+          bin_version=$(out/chart-verifier version --as-data | jq -r .version)
+          if [[ "$release_version" != "$bin_version" ]]; then
+            echo "Binary version ($bin_version) doesn't match tag ($release_version)" && exit 1
+          fi
+
+      - name: Set up Python 3.x
+        uses: actions/setup-python@v2
+        with:
+          python-version: '3.9'
+
+      - name: Set up Python scripts
+        run: |
+          # set up python requirements and scripts on PR branch
+          python3 -m venv ve1
+          cd scripts && ../ve1/bin/pip3 install -r requirements.txt && cd ..
+          cd scripts && ../ve1/bin/python3 setup.py install && cd ..
+
+      - name: Generate release body
+        id: release_body
+        run: echo "release_body=$(ve1/bin/print-release-body)" | tee -a $GITHUB_OUTPUT
+
+      - name: Create the release
+        id: create_release
+        uses: softprops/action-gh-release@v1
+        with:
+          tag_name: ${{ steps.get_tag.outputs.release_version }}
+          body: ${{ steps.release_body.outputs.release_body }}
+          files: ${{ steps.build_bin.outputs.tarball_path }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build container images
+        id: build_container_images
+        run: |
+            # Build podman images locally
+            image_tag=${{ steps.get_tag.outputs.release_version }}
+            podman build \
+              -t quay.io/redhat-certification/chart-verifier:$image_tag \
+              -t quay.io/redhat-certification/chart-verifier:latest \
+              -t quay.io/redhat-certification/chart-verifier:main .
+
+      - name: Push to quay.io
+        id: push_to_quay
+        uses: redhat-actions/push-to-registry@v2
+        with:
+          image: chart-verifier
+          tags: |
+            ${{ steps.get_tag.outputs.release_version }}
+            latest
+            main
+          registry: quay.io/redhat-certification
+          username: ${{ secrets.QUAY_BOT_USERNAME }}
+          password: ${{ secrets.QUAY_BOT_TOKEN }}
diff --git a/scripts/README.md b/scripts/README.md
@@ -5,12 +5,7 @@
     - used to determine if a PR contains a version update. 
 -  ```buildandtest/buildandtest.py```
     - used to build a docker image and then test created image.
-- ```checkautomerge/checkautomerge.py```
-    - loops waiting for a PR to merge
-    - exact copy of same script from chart repo
-      - ```https://github.com/openshift-helm-charts/charts/blob/main/scripts/src/checkautomerge/checkautomerge.py```
 - ```report/report-info.py```
     - used to generate of report of a chart verifier verify report.
     - exact copy of same script from chart repo    
       - ```https://github.com/openshift-helm-charts/charts/blob/main/scripts/src/report/report_info.py```
-
diff --git a/scripts/setup.cfg b/scripts/setup.cfg
@@ -36,8 +36,8 @@ where = src
 [options.entry_points]
 console_scripts =
     release-checker = release.releasechecker:main
-    check-auto-merge = checkautomerge.checkautomerge:main
+    print-release-body = release.releasebody:main
     build-and-test = buildandtest.buildandtest:main
     check-user = owners.checkuser:main
     sa-for-chart-testing = saforcharttesting.saforcharttesting:main
-    tar-file = release.tarfile_asset:main
+    tar-file = release.tarfile_asset:main
diff --git a/scripts/src/checkautomerge/__init__.py b/scripts/src/checkautomerge/__init__.py
diff --git a/scripts/src/checkautomerge/checkautomerge.py b/scripts/src/checkautomerge/checkautomerge.py
diff --git a/scripts/src/release/releasebody.py b/scripts/src/release/releasebody.py
@@ -0,0 +1,21 @@
+import sys
+
+sys.path.append('./scripts/src/')
+from release import releasechecker
+from utils import utils
+
+def get_release_body(version, image_name, release_info):
+    """Generate the body of the GitHub release"""
+    body = f"Chart verifier version {version} <br><br>Docker Image:<br>- {image_name}:{version}<br><br>"
+    body += "This version includes:<br>"
+    for info in release_info:
+        if info.startswith("<"):
+            body += info
+        else:
+            body += f"- {info}<br>"
+    return body
+
+def main():
+    version_info = releasechecker.get_version_info()
+    release_body = get_release_body(version_info["version"],version_info["quay-image"],version_info["release-info"])
+    print(release_body)
diff --git a/scripts/src/release/releasechecker.py b/scripts/src/release/releasechecker.py
@@ -31,7 +31,7 @@
 import semver
 import sys
 sys.path.append('./scripts/src/')
-from release import tarfile_asset
+from release import tarfile_asset, releasebody
 from utils import utils
 
 VERSION_FILE = 'pkg/chartverifier/version/version_info.json'
@@ -64,18 +64,6 @@ def check_if_only_version_file_is_modified(api_url):
 
     return version_file_found
 
-def make_release_body(version, image_name, release_info):
-    body = f"Chart verifier version {version} <br><br>Docker Image:<br>- {image_name}:{version}<br><br>"
-    body += "This version includes:<br>"
-    for info in release_info:
-        if info.startswith("<"):
-            body += info
-        else:
-            body += f"- {info}<br>"
-
-    print(f"[INFO] Release body: {body}")
-    utils.add_output("PR_release_body",body)
-
 def get_version_info():
     data = {}
     with open(VERSION_FILE) as json_file:
@@ -111,7 +99,8 @@ def main():
             utils.add_output("PR_release_image",version_info["quay-image"])
             utils.add_output("PR_release_info",version_info["release-info"])
             utils.add_output("PR_includes_release","true")
-            make_release_body(version_info["version"],version_info["quay-image"],version_info["release-info"])
+            release_body = releasebody.get_release_body(version_info["version"],version_info["quay-image"],version_info["release-info"])
+            utils.add_output("PR_release_body",release_body)
     else:
         version_info = get_version_info()
         if args.version: