feat: fix release ci (#2589)

* feat: fix release ci * change release workflows to depend on ci workflow * update rc job * test release job * add protection for branch/tag name injection * Feat/release ci fix (#44) Co-authored-by: Albin Severinson <albin@severinson.org> Co-authored-by: JamesMurkin <jamesmurkin@hotmail.com> Co-authored-by: Carlo Camurri <carlo.camurri98@gmail.com> Co-authored-by: Noah Held <41909795+zuqq@users.noreply.github.com> Co-authored-by: Rich Scott <rich@gr-oss.io> Co-authored-by: Jay Faulkner <jay@jvf.cc> Co-authored-by: Adam McArthur <46480158+Sharpz7@users.noreply.github.com> Co-authored-by: Kevin Hannon <kannon1992@gmail.com> * rename main to master branch in release rc job * Feat/release ci fix (#45) * change release jobs to target master * final polish for release workflow * remove redundat validate workflow * fix minor issues in release workflows * fix error comments in release workflow * update release workflow and polish it --------- Co-authored-by: Albin Severinson <albin@severinson.org> Co-authored-by: JamesMurkin <jamesmurkin@hotmail.com> Co-authored-by: Carlo Camurri <carlo.camurri98@gmail.com> Co-authored-by: Noah Held <41909795+zuqq@users.noreply.github.com> Co-authored-by: Rich Scott <rich@gr-oss.io> Co-authored-by: Jay Faulkner <jay@jvf.cc> Co-authored-by: Adam McArthur <46480158+Sharpz7@users.noreply.github.com> Co-authored-by: Kevin Hannon <kannon1992@gmail.com>
armadaproject · Jul 6, 2023 · e061b91 · e061b91
1 parent f8c44f2
commit e061b91
Show file tree

Hide file tree

Showing 3 changed files with 64 additions and 7 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -2,6 +2,8 @@ name: CI
 
 on:
  push:
+ tags:
+ - v*
  branches-ignore:
  - gh-pages
  pull_request:

diff --git a/.github/workflows/release-rc.yml b/.github/workflows/release-rc.yml
@@ -1,18 +1,45 @@
 name: Release Armada components - RC
 
 on:
- push:
+ workflow_run:
+ types: [completed]
+ workflows: [CI]
  branches:
- - main
  - master
 
 permissions:
  contents: write
 
 jobs:
+ validate:
+ if: github.event.workflow_run.event == 'push' && github.event.workflow_run.conclusion == 'success' && github.repository_owner == 'armadaproject'
+ name: "Validate revision"
+ runs-on: ubuntu-22.04
+
+ steps:
+ - name: "Checkout"
+ uses: "actions/checkout@v3"
+ with:
+ fetch-depth: 0
+
+ # The given ref should belong to the master branch.
+ # If it's master, it shouldn't be more than 2 commits away (in case another push happened in the meantime).
+ # Anything else is invalid.
+ - name: Validate ref
+ run: |
+ ref='${{ github.event.workflow_run.head_branch }}'
+ sha='${{ github.event.workflow_run.head_sha }}'
+
+ [ "$ref" == "master" ] &&
+ [ $(git branch --contains=$sha master | wc -l) -eq 1 ] &&
+ [ $(git rev-list --count $sha..master) -le 2 ]
+ if [ $? -ne 0 ]; then
+ echo "::error ::Invalid ref $ref $sha: must be a merge to master branch and not more than 2 commits away"
+ exit 1
+ fi
  release:
- if: github.repository_owner == 'armadaproject'
  name: Release
+ needs: validate
  runs-on: "ubuntu-22.04"
  environment: armada-dockerhub
 

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -1,17 +1,45 @@
 name: Release Armada components
 
 on:
- push:
- tags:
- - 'v*'
+ workflow_run:
+ types: [completed]
+ workflows: [CI]
+ branches:
+ - v*
 
 permissions:
  contents: write
 
 jobs:
+ validate:
+ if: github.event.workflow_run.event == 'push' && github.event.workflow_run.conclusion == 'success' && github.repository_owner == 'armadaproject'
+ name: "Validate revision"
+ runs-on: ubuntu-22.04
+
+ steps:
+ - name: "Checkout"
+ uses: "actions/checkout@v3"
+ with:
+ fetch-depth: 0
+
+ # The given ref should belong to the master branch.
+ # If it starts with 'v', it should be a tag, belong to the master branch and match the semver regex.
+ # Anything else is invalid.
+ - name: Validate ref
+ run: |
+ ref='${{ github.event.workflow_run.head_branch }}'
+ sha='${{ github.event.workflow_run.head_sha }}'
+
+ [[ $ref =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]] &&
+ [ $(git rev-parse refs/tags/$ref) == $sha ] &&
+ [ $(git branch --contains=$sha master | wc -l) -eq 1 ]
+ if [ $? -ne 0 ]; then
+ echo "::error ::Invalid ref $ref $sha: must be a tag, belong to the master branch and match the semver regex"
+ exit 1
+ fi
  release:
- if: github.repository_owner == 'armadaproject'
  name: "Release"
+ needs: validate
  runs-on: ubuntu-22.04
  environment: armada-dockerhub