diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index cb3a5723961..576405791ec 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -2,6 +2,8 @@ name: CI
 on:
 push:
+ tags:
+ - v*
 branches-ignore:
 - gh-pages
 pull_request:
diff --git a/.github/workflows/release-rc.yml b/.github/workflows/release-rc.yml
index e479211ff3c..2aca8fb1f67 100644
--- a/.github/workflows/release-rc.yml
+++ b/.github/workflows/release-rc.yml
@@ -1,18 +1,45 @@
 name: Release Armada components - RC
 on:
- push:
+ workflow_run:
+ types: [completed]
+ workflows: [CI]
 branches:
- - main
 - master
 permissions:
 contents: write
 jobs:
+ validate:
+ if: github.event.workflow_run.event == 'push' && github.event.workflow_run.conclusion == 'success' && github.repository_owner == 'armadaproject'
+ name: "Validate revision"
+ runs-on: ubuntu-22.04
+
+ steps:
+ - name: "Checkout"
+ uses: "actions/checkout@v3"
+ with:
+ fetch-depth: 0
+
+ # The given ref should belong to the master branch.
+ # If it's master, it shouldn't be more than 2 commits away (in case another push happened in the meantime).
+ # Anything else is invalid.
+ - name: Validate ref
+ run: |
+ ref='${{ github.event.workflow_run.head_branch }}'
+ sha='${{ github.event.workflow_run.head_sha }}'
+
+ [ "$ref" == "master" ] &&
+ [ $(git branch --contains=$sha master | wc -l) -eq 1 ] &&
+ [ $(git rev-list --count $sha..master) -le 2 ]
+ if [ $? -ne 0 ]; then
+ echo "::error ::Invalid ref $ref $sha: must be a merge to master branch and not more than 2 commits away"
+ exit 1
+ fi
 release:
- if: github.repository_owner == 'armadaproject'
 name: Release
+ needs: validate
 runs-on: "ubuntu-22.04"
 environment: armada-dockerhub
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 188bd802687..798ecc0e448 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
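Review bot: The `Validate ref` step in release-rc.yml pastes `${{ github.event.workflow_run.head_branch }}` straight into the script text, so the ref name is expanded before bash parses it and the surrounding single quotes are not a dependable boundary. The job-level `if` limits the job to push-triggered runs and the trigger filters on `master`, so the name should only come from someone who can already push. The job still runs under the workflow's `contents: write` token, though, and passing both values through `env:` removes the reliance on those filters. The same interpolation is in the `Validate ref` step added to release.yml, where the trigger filter is the wider `v*`.

```yaml
      - name: Validate ref
        env:
          REF: ${{ github.event.workflow_run.head_branch }}
          SHA: ${{ github.event.workflow_run.head_sha }}
        run: |
          ref="$REF"
          sha="$SHA"
          # … unchanged: the three checks and the error branch …
```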
@@ -1,17 +1,45 @@
 name: Release Armada components
 on:
- push:
- tags:
- - 'v*'
+ workflow_run:
+ types: [completed]
+ workflows: [CI]
+ branches:
+ - v*
 permissions:
 contents: write
 jobs:
+ validate:
+ if: github.event.workflow_run.event == 'push' && github.event.workflow_run.conclusion == 'success' && github.repository_owner == 'armadaproject'
+ name: "Validate revision"
+ runs-on: ubuntu-22.04
+
+ steps:
+ - name: "Checkout"
+ uses: "actions/checkout@v3"
+ with:
+ fetch-depth: 0
+
+ # The given ref should belong to the master branch.
+ # If it starts with 'v', it should be a tag, belong to the master branch and match the semver regex.
+ # Anything else is invalid.
+ - name: Validate ref
+ run: |
+ ref='${{ github.event.workflow_run.head_branch }}'
+ sha='${{ github.event.workflow_run.head_sha }}'
+
+ [[ $ref =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]] &&
+ [ $(git rev-parse refs/tags/$ref) == $sha ] &&
+ [ $(git branch --contains=$sha master | wc -l) -eq 1 ]
+ if [ $? -ne 0 ]; then
+ echo "::error ::Invalid ref $ref $sha: must be a tag, belong to the master branch and match the semver regex"
+ exit 1
+ fi
 release:
- if: github.repository_owner == 'armadaproject'
 name: "Release"
+ needs: validate
 runs-on: ubuntu-22.04
 environment: armada-dockerhub
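Review bot: In the `Validate ref` step of release.yml, `git rev-parse refs/tags/$ref` returns the tag object id for an annotated tag, which will not equal the commit in `head_sha`, so annotated release tags would be rejected; peel the tag with `[ "$(git rev-parse "refs/tags/$ref^{commit}")" == "$sha" ] &&`. The checkout step sets no `ref`, and on `workflow_run` the default checkout is, as far as I know, the default branch rather than the triggering commit, so the working tree is not necessarily the revision being validated. The `release` job's steps are outside this hunk; confirm that it checks out `github.event.workflow_run.head_sha`, otherwise the release is built from a commit other than the validated tag.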