create-release-tag.yml
# Create Release Tag workflow
#
# Triggered when the VERSION file changes on main (typically via merged release PR).
# This workflow:
# 1. Validates the VERSION file contains valid semver
# 2. Verifies the commit message matches release pattern (to prevent accidental tags)
# 3. Creates a git tag (v*) and GitHub Release
#
# The tag push then triggers (via `on: push: tags: ["v*"]`):
# - docker-publish.yml (builds and pushes Docker image)
# - releaser-helm-chart.yml (packages and publishes Helm chart)
#
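name: Create Release Tag

on:
  push:
    branches:
      - main
    paths:
      - "VERSION"

# contents: write is granted to the job's GITHUB_TOKEN; the tag push and the
# release itself are made with RELEASE_TOKEN (see the last-but-one step).
permissions:
  contents: write

jobs:
  create-tag:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # Full history and all tags, so the "tag exists" check below can see
          # every tag that has already been published.
          fetch-depth: 0
          # Do not leave the job token in the local git configuration: the
          # only authenticated git command in this job passes RELEASE_TOKEN
          # explicitly, and no other step needs stored credentials.
          persist-credentials: false

      - name: Read version
        id: version
        run: |
          VERSION=$(tr -d '[:space:]' < VERSION)
          # Strict MAJOR.MINOR.PATCH. Later steps build the tag name from this
          # value, so nothing but digits and dots may get past this check.
          if ! [[ "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
            echo "Error: VERSION file does not contain valid semver: $VERSION"
            exit 1
          fi
          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
          echo "Read version: $VERSION"

      - name: Verify release PR
        id: verify
        env:
          # Step outputs reach the script as environment variables instead of
          # being expanded into the script text before the shell parses it.
          VERSION: ${{ steps.version.outputs.version }}
        run: |
          # Get commit details
          COMMIT_MSG=$(git log -1 --pretty=%s)
          COMMIT_SHA=$(git rev-parse HEAD)
          echo "Commit SHA: $COMMIT_SHA"
          echo "Commit message: $COMMIT_MSG"
          echo ""

          # Track verification status
          VERIFIED=true

          # Check 1: Verify commit message contains release version pattern
          # Squash merge: "Release v1.0.0 (#123)" or "feat: release v1.0.0 (#123)"
          # Merge commit: "Merge pull request #123 from user/release/v1.0.0"
          # Direct: "Release v1.0.0"
          if [[ "$COMMIT_MSG" =~ (^|[^a-zA-Z])[Rr]elease\ v[0-9]+\.[0-9]+\.[0-9]+ ]] || \
             [[ "$COMMIT_MSG" =~ release/v[0-9]+\.[0-9]+\.[0-9]+ ]]; then
            echo "✅ Commit message matches release pattern"
            echo "message_verified=true" >> "$GITHUB_OUTPUT"
          else
            echo "❌ Commit message does not match release pattern"
            echo "Expected: 'Release v{semver}' or merge from 'release/v{semver}'"
            echo "Got: '$COMMIT_MSG'"
            echo "message_verified=false" >> "$GITHUB_OUTPUT"
            VERIFIED=false
          fi

          # Check 2: Verify the version in commit message matches VERSION file
          # The quoted "$VERSION" is matched literally (its dots are not regex
          # wildcards) and must not be followed by another digit, so with
          # VERSION=1.2.3 neither "v1.2.30" nor "v1x2x3" passes this gate.
          VERSION_END='($|[^0-9])'
          if [[ "$COMMIT_MSG" =~ v"${VERSION}"${VERSION_END} ]]; then
            echo "✅ VERSION file matches version in commit message"
            echo "version_match=true" >> "$GITHUB_OUTPUT"
          else
            echo "❌ VERSION file does not match version in commit message"
            echo "VERSION file: $VERSION"
            echo "Commit message: $COMMIT_MSG"
            echo "version_match=false" >> "$GITHUB_OUTPUT"
            VERIFIED=false
          fi

          echo ""
          if [ "$VERIFIED" = true ]; then
            echo "✅ All verification checks passed"
            echo "verified=true" >> "$GITHUB_OUTPUT"
          else
            echo "❌ Verification failed"
            echo ""
            echo "This could indicate:"
            echo " - A manual VERSION file edit (not via release PR)"
            echo " - An unexpected commit message format"
            echo ""
            echo "Blocking release. Please investigate."
            echo "verified=false" >> "$GITHUB_OUTPUT"
            exit 1
          fi

      - name: Check if tag exists
        id: check-tag
        env:
          TAG: "v${{ steps.version.outputs.version }}"
        run: |
          # Resolve refs/tags/<tag> explicitly so that a branch or any other
          # ref with the same name is not mistaken for an existing tag.
          if git rev-parse --quiet --verify "refs/tags/$TAG" >/dev/null 2>&1; then
            echo "Tag $TAG already exists"
            echo "exists=true" >> "$GITHUB_OUTPUT"
          else
            echo "Tag $TAG does not exist"
            echo "exists=false" >> "$GITHUB_OUTPUT"
          fi

      - name: Create tag and GitHub Release
        if: steps.check-tag.outputs.exists == 'false'
        env:
          # NOTE(review): RELEASE_TOKEN can push to this repository and start
          # the publishing workflows; confirm it is scoped to this repository
          # and to the minimum permissions that tagging and releasing need.
          GH_TOKEN: ${{ secrets.RELEASE_TOKEN }}
          TAG: "v${{ steps.version.outputs.version }}"
        run: |
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git tag -a "$TAG" -m "Release $TAG"
          # The token is supplied for this single push and is not saved as a
          # remote. GITHUB_REPOSITORY is the runner-provided owner/name.
          # NOTE(review): the token still sits in the command line of this git
          # process; a credential helper would keep it out of argv entirely.
          git push "https://x-access-token:${GH_TOKEN}@github.com/${GITHUB_REPOSITORY}.git" "$TAG"
          echo "Created and pushed tag: $TAG"

          # Create GitHub Release (triggers docker-publish.yml and releaser-helm-chart.yml)
          # Note: Must use PAT (GH_TOKEN) because GITHUB_TOKEN cannot trigger other workflows
          gh release create "$TAG" \
            --title "Release $TAG" \
            --generate-notes
          echo "Created GitHub Release: $TAG"

      - name: Summary
        env:
          TAG: "v${{ steps.version.outputs.version }}"
          TAG_EXISTS: ${{ steps.check-tag.outputs.exists }}
        run: |
          if [ "$TAG_EXISTS" = "true" ]; then
            {
              echo "## Tag Already Exists"
              echo ""
              echo "Tag \`$TAG\` already exists. No action taken."
            } >> "$GITHUB_STEP_SUMMARY"
          else
            {
              echo "## Release Tag Created"
              echo ""
              echo "- **Tag**: \`$TAG\`"
              echo "- **Release URL**: https://github.com/${GITHUB_REPOSITORY}/releases/tag/$TAG"
            } >> "$GITHUB_STEP_SUMMARY"
          fi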