Merge pull request #3 from OpenVoxProject/github-automation

bastelfreak · web-flow · commit fac507d8e10b · 2025-07-09T21:37:38.000+02:00
Sync automation from another OpenVoxProject repo
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -1,11 +1,17 @@
-# To get started with Dependabot version updates, you'll need to specify which
-# package ecosystems to update and where the package manifests are located.
-# Please see the documentation for all configuration options:
-# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
-
 version: 2
 updates:
-  - package-ecosystem: "" # See documentation for possible values
-    directory: "/" # Location of package manifests
+  # raise PRs for gem updates
+  - package-ecosystem: bundler
+    directory: "/"
+    schedule:
+      interval: daily
+      time: "13:00"
+    open-pull-requests-limit: 10
+
+  # Maintain dependencies for GitHub Actions
+  - package-ecosystem: github-actions
+    directory: "/"
     schedule:
-      interval: "weekly"
+      interval: daily
+      time: "13:00"
+    open-pull-requests-limit: 10
diff --git a/.github/workflows/gem_release.yaml b/.github/workflows/gem_release.yaml
@@ -0,0 +1,106 @@
+---
+name: Gem Release
+
+on:
+  push:
+    tags:
+      - '*'
+
+permissions: {}
+
+jobs:
+  build-release:
+    # Prevent releases from forked repositories
+    if: github.repository_owner == 'OpenVoxProject'
+    name: Build the gem
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: actions/checkout@v4
+      - name: Install Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: 'ruby'
+      - name: Build gem
+        shell: bash
+        run: gem build --verbose *.gemspec
+      - name: Upload gem to GitHub cache
+        uses: actions/upload-artifact@v4
+        with:
+          name: gem-artifact
+          path: '*.gem'
+          retention-days: 1
+          compression-level: 0
+
+  create-github-release:
+    needs: build-release
+    name: Create GitHub release
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: write # clone repo and create release
+    steps:
+      - name: Download gem from GitHub cache
+        uses: actions/download-artifact@v4
+        with:
+          name: gem-artifact
+      - name: Create Release
+        shell: bash
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: gh release create --repo ${{ github.repository }} ${{ github.ref_name }} --generate-notes *.gem
+
+  release-to-github:
+    needs: build-release
+    name: Release to GitHub
+    runs-on: ubuntu-24.04
+    permissions:
+      packages: write # publish to rubygems.pkg.github.com
+    steps:
+      - name: Download gem from GitHub cache
+        uses: actions/download-artifact@v4
+        with:
+          name: gem-artifact
+      - name: Publish gem to GitHub packages
+        run: gem push --host https://rubygems.pkg.github.com/${{ github.repository_owner }} *.gem
+        env:
+          GEM_HOST_API_KEY: ${{ secrets.GITHUB_TOKEN }}
+
+  release-to-rubygems:
+    needs: build-release
+    name: Release gem to rubygems.org
+    runs-on: ubuntu-24.04
+    environment: release # recommended by rubygems.org
+    permissions:
+      id-token: write # rubygems.org authentication
+    steps:
+      - name: Download gem from GitHub cache
+        uses: actions/download-artifact@v4
+        with:
+          name: gem-artifact
+      - uses: rubygems/configure-rubygems-credentials@v1.0.0
+      - name: Publish gem to rubygems.org
+        shell: bash
+        run: gem push *.gem
+
+  release-verification:
+    name: Check that all releases are done
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read # minimal permissions that we have to grant
+    needs:
+      - create-github-release
+      - release-to-github
+      - release-to-rubygems
+    steps:
+      - name: Download gem from GitHub cache
+        uses: actions/download-artifact@v4
+        with:
+          name: gem-artifact
+      - name: Install Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: 'ruby'
+      - name: Wait for release to propagate
+        shell: bash
+        run: |
+          gem install rubygems-await
+          gem await *.gem
diff --git a/.github/workflows/mend.yaml b/.github/workflows/mend.yaml
diff --git a/.github/workflows/prepare_release.yml b/.github/workflows/prepare_release.yml
@@ -0,0 +1,28 @@
+name: 'Prepare Release'
+
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: 'Version to be released.'
+        required: false
+        default: ''
+        type: string
+      base-branch:
+        description: 'The branch that will be used as the origin for the release branch.'
+        required: false
+        default: ''
+        type: string
+
+permissions: {}
+
+jobs:
+  prepare_release:
+    uses: OpenVoxProject/shared-actions/.github/workflows/prepare_release.yml@main
+    with:
+      allowed_owner: 'OpenVoxProject'
+      base-branch: ${{ github.event.inputs.base-branch }}
+      version: ${{ github.event.inputs.version }}
+    secrets:
+      github_pat: ${{ secrets.OPENVOXBOT_COMMIT_AND_PRS }}
+      ssh_private_key: ${{ secrets.OPENVOXBOT_SSH_PRIVATE_KEY }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -0,0 +1,28 @@
+name: 'Release'
+
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: 'Version to be released.'
+        required: false
+        default: ''
+        type: string
+      base-branch:
+        description: 'The branch where we do this release.'
+        required: false
+        default: ''
+        type: string
+
+permissions: {}
+
+jobs:
+  release:
+    uses: OpenVoxProject/shared-actions/.github/workflows/release.yml@main
+    with:
+      allowed_owner: 'OpenVoxProject'
+      base-branch: ${{ github.event.inputs.base-branch }}
+      version: ${{ github.event.inputs.version }}
+    secrets:
+      github_pat: ${{ secrets.OPENVOXBOT_COMMIT_AND_PRS }}
+      ssh_private_key: ${{ secrets.OPENVOXBOT_SSH_PRIVATE_KEY }}
diff --git a/tasks/vox.rake b/tasks/vox.rake
@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+namespace :vox do
+  desc 'Update the version in preparation for a release'
+  task 'version:bump:full', [:version] do |_, args|
+    abort 'You must provide a tag.' if args[:version].nil? || args[:version].empty?
+    version = args[:version]
+    abort "#{version} does not appear to be a valid version string in x.y.z format" unless Gem::Version.correct?(version)
+
+    # Update lib/facter/version.rb and openvox.gemspec
+    puts "Setting version to #{version}"
+
+    data = File.read('lib/puppetserver/ca/version.rb')
+    new_data = data.sub(/VERSION = "\d+\.\d+\.\d+(\.rc\d+)?"/, %(VERSION = "#{version}"))
+    warn 'Failed to update version in lib/facter/version.rb' if data == new_data
+
+    File.write('lib/puppetserver/ca/version.rb', new_data)
+  end
+end
