integrations-core/.github/workflows/release-dispatch.yml at master · DataDog/integrations-core · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
name: Dispatch Release

# Reusable workflow — intended to be called by a release-trigger workflow in an
# integration repository (integrations-core, integrations-extras, marketplace).

on:
  workflow_call:
    inputs:
      source-repo:
        description: "Source repository name (e.g. integrations-core, integrations-extras, marketplace)"
        required: false
        type: string
      packages:
        description: >-
          Packages to release. Accepts a JSON array (e.g. '["postgres","datadog_checks_base"]'),
          or omit to auto-detect from tags pointing at the specified ref.
        required: false
        type: string
      source-repo-ref:
        description: "Commit SHA or ref to build from"
        required: false
        type: string
      source-repo-branch:
        description: "Branch that contains source-repo-ref, used to determine stable vs pre-release behavior"
        required: false
        type: string
      dry-run:
        description: >-
          When true, print what would be released and where without pushing tags
          or triggering downstream wheel builds.
        required: false
        type: boolean
        default: false
      ddev-version:
        description: "ddev version, pinned by default."
        required: false
        type: string
      is-stable-release:
        description: "'true' for master/X.X.x (blocks pre-releases), 'false' for alpha/beta/rc (blocks stable). Unset defaults to stable behavior."
        required: false
        type: string

permissions:
  id-token: write
  contents: write # ddev needs to push tags

env:
  # Default ddev version when callers don't pass `ddev-version`. Tracked by Renovate.
  # renovate: datasource=pypi depName=ddev
  DEFAULT_DDEV_VERSION: "16.1.1"
  PYTHON_VERSION: "3.13"

jobs:
  prepare:
    name: Tag releases and build dispatch batches
    runs-on: ubuntu-latest

    outputs:
      has_packages: ${{ steps.prepare.outputs.has_packages }}
      batches: ${{ steps.release-dispatch.outputs.batches }}

    steps:
      # Workflow tooling (composite actions + release scripts) always comes from
      # integrations-core at the workflow's own commit. When called from another
      # repo we don't have that commit available locally, so we fall back to
      # master. This is decoupled from inputs.source-repo-ref on purpose so the
      # release pipeline can build older refs without losing recent tooling.
      - name: Checkout workflow tooling
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          repository: DataDog/integrations-core
          ref: ${{ github.repository == 'DataDog/integrations-core' && github.sha || 'master' }}
          fetch-depth: 1
          sparse-checkout: .github
          path: tooling

      # Source tree to tag and validate. ddev release tag operates on HEAD of
      # this checkout, so it must be at the ref the caller asked to release.
      - name: Checkout source repo
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          ref: ${{ inputs.source-repo-ref || github.sha }}
          fetch-depth: 0 # ddev needs full tag history
          path: source

      - name: Verify source ref is on release branch
        if: inputs.source-repo-branch != ''
        working-directory: source
        env:
          SOURCE_REF: ${{ inputs.source-repo-ref || github.sha }}
          SOURCE_BRANCH: ${{ inputs.source-repo-branch }}
        run: |
          branch="${SOURCE_BRANCH#refs/heads/}"
          git fetch --no-tags origin "+refs/heads/${branch}:refs/remotes/origin/${branch}"
          if ! git merge-base --is-ancestor HEAD "refs/remotes/origin/${branch}"; then
            echo "::error::source-repo-ref '${SOURCE_REF}' is not contained in source-repo-branch '${SOURCE_BRANCH}'"
            exit 1
          fi

      - name: Set up Python ${{ env.PYTHON_VERSION }}
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        with:
          python-version: "${{ env.PYTHON_VERSION }}"

      - name: Install ddev
        uses: ./tooling/.github/actions/setup-ddev
        with:
          install-mode: pypi
          ddev-version: "==${{ inputs.ddev-version || env.DEFAULT_DDEV_VERSION }}"

      - name: Configure ddev
        working-directory: source
        env:
          SOURCE_REPO: ${{ inputs.source-repo || 'integrations-core' }}
        run: |
          REPO_SHORT="${SOURCE_REPO#integrations-}"
          ddev config set upgrade_check false
          ddev config set repos.${REPO_SHORT} "$PWD"
          ddev config set repo ${REPO_SHORT}

      - name: Prepare dispatch
        id: prepare
        working-directory: source
        env:
          DRY_RUN: ${{ inputs.dry-run }}
          SELECTED_PACKAGES: ${{ inputs.packages }}
          SOURCE_REPO: ${{ inputs.source-repo || 'integrations-core' }}
          REF: ${{ inputs.source-repo-ref || github.sha }}
          IS_STABLE_RELEASE: ${{ inputs.is-stable-release }}
        run: python "$GITHUB_WORKSPACE/tooling/.github/workflows/scripts/release_prepare.py"

      - name: Build dispatch batches
        id: release-dispatch
        if: steps.prepare.outputs.has_packages == 'true'
        working-directory: source
        env:
          PACKAGES: ${{ steps.prepare.outputs.packages }}
          SOURCE_REPO: ${{ inputs.source-repo || 'integrations-core' }}
          REF: ${{ inputs.source-repo-ref || github.sha }}
          DRY_RUN: ${{ inputs.dry-run }}
        run: python "$GITHUB_WORKSPACE/tooling/.github/workflows/scripts/release_dispatch.py"

  dispatch:
    name: Dispatch wheel builds (batch ${{ strategy.job-index }})
    needs: prepare
    if: needs.prepare.outputs.has_packages == 'true' && !inputs.dry-run
    runs-on: ubuntu-latest

    strategy:
      matrix:
        payload: ${{ fromJson(needs.prepare.outputs.batches) }}

    steps:
      - name: Get GitHub token via dd-octo-sts
        id: octo-sts
        uses: DataDog/dd-octo-sts-action@08f2144903ced3254a3dafec2592563409ba2aa0 # v1.0.1
        with:
          scope: DataDog/agent-integration-wheels-release
          policy: integrations-core.dispatch-wheel-builds

      - name: Dispatch release
        uses: peter-evans/repository-dispatch@ff45666b9427631e3450c54a1bcbee4d9ff4d7c0 # v3.0.0
        with:
          token: ${{ steps.octo-sts.outputs.token }}
          repository: DataDog/agent-integration-wheels-release
          event-type: build-wheels
          client-payload: ${{ toJson(matrix.payload) }}