-
Notifications
You must be signed in to change notification settings - Fork 39
317 lines (287 loc) · 14.6 KB
/
releaser.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
# When a tag is push on the repo, this workflow will run to create a release and add some artifact to it.
name: Releaser
on:
pull_request:
paths:
- .github/workflows/package-server.yml
- .github/workflows/releaser.yml
push:
tags:
- v[0-9]+.[0-9]+.[0-9]+*
- nightly
schedule:
- cron: 30 22 * * * # At 22:30
workflow_dispatch: {}
permissions:
contents: write
# We set `concurrency` to prevent having this workflow being more than once for the same tag.
concurrency:
group: releaser-${{ github.workflow }}-${{ github.ref_name }}
cancel-in-progress: true
env:
NIGHTLY_RELEASE: ${{ (github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' || github.ref == 'refs/tags/nightly') && 'true' || 'false' }}
jobs:
scheduled-nightly-build:
if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
uses: ./.github/workflows/_releaser_nightly_build.yml
version:
needs: scheduled-nightly-build
# Always run the job if `scheduled-nightly-build` job is skipped otherwise only if `scheduled-nightly-build` job was successful.
if: (github.event_name != 'schedule' && github.event_name != 'workflow_dispatch') && always() || success()
uses: ./.github/workflows/_parse_version.yml
with:
version: >-
${{
((github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && needs.scheduled-nightly-build.outputs.version_full) ||
(github.event_name == 'push' && startsWith(github.ref, 'refs/tags/') && github.ref_name != 'nightly' && github.ref_name) ||
''
}}
commit_sha: ${{ needs.scheduled-nightly-build.outputs.commit_sha || github.sha }}
package-parsec-server:
needs: version
if: needs.version.result == 'success' && always()
uses: ./.github/workflows/package-server.yml
with:
version: ${{ needs.version.outputs.full }}
version_patch_run_id: ${{ github.run_id }}
commit_sha: ${{ needs.version.outputs.commit_sha }}
package-parsec-client:
needs: version
# Do not run this job if the event is a pull request from dependabot.
if: needs.version.result == 'success' && !(github.event_name == 'pull_request' && github.actor == 'dependabot[bot]') && always()
uses: ./.github/workflows/package-client.yml
with:
version: ${{ needs.version.outputs.full }}
version_patch_run_id: ${{ github.run_id }}
commit_sha: ${{ needs.version.outputs.commit_sha }}
nightly_build: ${{ github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' || github.ref == 'refs/tags/nightly' }}
secrets:
SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
MACOS_CI_KEYCHAIN_PASSWD: ${{ secrets.MACOS_CI_KEYCHAIN_PASSWD }}
MACOS_CERT_PASSWD: ${{ secrets.MACOS_CERT_PASSWD }}
MACOS_CERT: ${{ secrets.MACOS_CERT }}
MACOS_CERT_COMMON_NAME: ${{ secrets.MACOS_CERT_COMMON_NAME }}
MACOS_NOTARIZATION_TEAM_ID: ${{ secrets.MACOS_NOTARIZATION_TEAM_ID }}
MACOS_NOTARIZATION_APPLE_ID: ${{ secrets.MACOS_NOTARIZATION_APPLE_ID }}
MACOS_NOTARIZATION_PASSWD: ${{ secrets.MACOS_NOTARIZATION_PASSWD }}
package-parsec-cli:
needs: version
if: needs.version.result == 'success' && always()
uses: ./.github/workflows/package-cli.yml
with:
version: ${{ needs.version.outputs.full }}
version_patch_run_id: ${{ github.run_id }}
commit_sha: ${{ needs.version.outputs.commit_sha }}
releaser:
needs:
- version
- package-parsec-server
- package-parsec-client
- package-parsec-cli
name: 🚛 Releaser
permissions:
contents: write
if: needs.version.result == 'success' && needs.package-parsec-client.result == 'success' && needs.package-parsec-server.result && always()
runs-on: ubuntu-22.04
steps:
- name: Download every artifact generated (and uploaded)
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # pin v4.1.8
with:
path: artifacts
timeout-minutes: 5
- name: List downloaded artifacts
run: tree artifacts
- name: Create the folder that will contain the release files
run: mkdir release-files
- name: Copy artifacts to the release folder
run: |
set -ex
# Python Files
cp ${CP_ARGS} artifacts/Linux-X64-wheel/parsec_cloud-${{ needs.version.outputs.pep440 }}-*.whl release-files
cp ${CP_ARGS} artifacts/Linux-X64-wheel/requirements.txt release-files/python-linux-requirements.txt
cp ${CP_ARGS} artifacts/macOS-X64-wheel/parsec_cloud-${{ needs.version.outputs.pep440 }}-*.whl release-files
cp ${CP_ARGS} artifacts/macOS-X64-wheel/requirements.txt release-files/python-macos-requirements.txt
cp ${CP_ARGS} artifacts/Windows-X64-wheel/parsec_cloud-${{ needs.version.outputs.pep440 }}-*.whl release-files
cp ${CP_ARGS} artifacts/Windows-X64-wheel/requirements.txt release-files/python-win-requirements.txt
# Snapcraft
cp ${CP_ARGS} artifacts/linux-snap-X64-electron/Parsec_${{ needs.version.outputs.full }}_linux_*.snap release-files
# AppImage
cp ${CP_ARGS} artifacts/linux-appimage-X64-electron/Parsec_${{ needs.version.outputs.full }}_linux_*.AppImage release-files
cp ${CP_ARGS} artifacts/linux-appimage-X64-electron/latest-linux-*.yml release-files
# DMG & ZIP
cp ${CP_ARGS} artifacts/macos-dmg-X64-electron/Parsec_${{ needs.version.outputs.full }}_mac_*.{dmg,zip}{,.blockmap} release-files
cp ${CP_ARGS} artifacts/macos-dmg-X64-electron/latest-mac-*.yml release-files
# TODO: Currently, Windows electron client is not signed by the CI, thus
# it should not be uploaded when creating the draft release.
# These artifacts are uploaded manually by someone who is able to sign them.
# # EXE
# cp ${CP_ARGS} artifacts/windows-exe-X64-electron/Parsec_${{ needs.version.outputs.full }}_win_*.unsigned.exe{,.blockmap} release-files
# cp ${CP_ARGS} artifacts/windows-exe-X64-electron/latest-win-*.yml release-files
# CLI
cp ${CP_ARGS} artifacts/Linux-x86_64-unknown-linux-gnu-cli/parsec-cli_${{ needs.version.outputs.full }}_linux-x86_64-gnu release-files
cp ${CP_ARGS} artifacts/Linux-x86_64-unknown-linux-musl-cli/parsec-cli_${{ needs.version.outputs.full }}_linux-x86_64-musl release-files
env:
# TODO: Current version of cp don't support `--update` with argument,
# recent version (coreutils-9.5) allows for `none-fail` that make `cp` fail if it would have overwritten a file.
CP_ARGS: -v --no-clobber
BASH_XTRACEFD: 1
- name: Copy SBOM files
run: cp -v artifacts/**/Parsec-SBOM-*.spdx.json release-files
- name: Merge artifacts file
# cspell:words ireduce
run: yq eval-all '. as $item ireduce ({}; . * $item)' $(find artifacts -name artifacts.yml) | tee artifacts.yml
- name: Generate version file
run:
(
echo "full=${{ needs.version.outputs.full }}";
echo "pep440=${{ needs.version.outputs.pep440 }}";
echo "major=${{ needs.version.outputs.major }}";
echo "minor=${{ needs.version.outputs.minor }}";
echo "patch=${{ needs.version.outputs.patch }}";
echo "pre=${{ needs.version.outputs.pre }}";
echo "dev=${{ needs.version.outputs.dev }}";
echo "local=${{ needs.version.outputs.local }}";
) | tee release-files/version
- name: List files in 'release-files'.
run: tree release-files
- name: Generate checksums file for released files
run: sha256sum * | tee ../checksums.sha256
working-directory: release-files
- name: Generate data for release
id: info
shell: bash -e -o pipefail {0}
run: |
(
echo 'tag_name=${{ (github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && 'nightly' || github.ref }}'
echo 'release_name=${{ env.NIGHTLY_RELEASE == 'true' && 'Nightly release' || format('Release v{0}', needs.version.outputs.full) }}'
echo 'repo_path=${{ github.server_url }}/${{ github.repository }}'
) | tee -a $GITHUB_OUTPUT
timeout-minutes: 1
- name: Generate summary
id: summary
run: |
EOF="EOF-$(dd if=/dev/urandom bs=15 count=1 status=none | base64)"
(
set -eu -o pipefail
function asset_name { yq -r "$1" artifacts.yml; }
function gen_mk_dl_link { local name=$(asset_name "$1"); echo "[$name]($ASSET_DL_PATH/$name)"; }
echo "output<<$EOF"
echo '# Parsec ${{ needs.version.outputs.full }}'
echo
echo '## Client'
echo
echo '| Platform | Download link |'
echo '| ---------------- | ------------- |'
echo "| Windows | [Parsec.exe]($ASSET_DL_PATH/Parsec_${{ steps.version.outputs.full }}_win_x86_64.exe) |"
echo "| Macos | $(gen_mk_dl_link ".macos.x86_64.client.dmg") |"
echo "| Linux (AppImage) | $(gen_mk_dl_link ".linux-gnu.x86_64.client.AppImage") |"
echo "| Linux (Snap) | $(gen_mk_dl_link ".linux-gnu.x86_64.client.snap") |"
echo
echo '## Server'
echo
echo '| Platform | Download link |'
echo '| ---------------- | ------------- |'
echo "| Windows | $(gen_mk_dl_link ".windows.x86_64.server") |"
echo "| Macos | $(gen_mk_dl_link ".macos.x86_64.server") |"
echo "| Linux | $(gen_mk_dl_link ".linux-gnu.x86_64.server") |"
echo
echo '> We provide the wheel for _Windows_ & _Macos_ as best effort basis,'
echo '> we only test and use the linux wheel.'
echo
echo '## CLI'
echo
echo '| Platform | Download link |'
echo '| --------------- | ------------- |'
echo "| Linux (static) | $(gen_mk_dl_link ".linux-musl.x86_64.cli") |"
echo "| Linux (dynamic) | $(gen_mk_dl_link ".linux-gnu.x86_64.cli") |"
echo
echo '## Verifying the assets'
echo
echo 'You can verify the downloaded assets with the following command:'
echo
echo '```shell'
echo 'sha256sum -c checksums.sha256 --ignore-missing'
echo '```'
echo
echo '> The Windows files does not have a checksum because they are signed manually'
echo
echo "You can [download \`checksums.sha256\`]($ASSET_DL_PATH/checksums.sha256) or copy the following content into \`checksums.sha256\`:"
echo
echo '```txt'
cat checksums.sha256
echo '```'
echo
echo ---
echo
echo 'Generated by <${{ steps.info.outputs.repo_path }}/actions/runs/${{ github.run_id }}>'
echo "$EOF"
) | tee -a $GITHUB_OUTPUT
env:
ASSET_DL_PATH: ${{ steps.info.outputs.repo_path }}/releases/download/${{ steps.info.outputs.tag_name }}
- name: Remove previous nightly release
if: env.NIGHTLY_RELEASE == 'true'
run: |
if gh release ${{ env.GH_ARGS }} view nightly; then
gh release ${{ env.GH_ARGS }} delete nightly
else
echo "No nightly release to remove"
fi
env:
GH_ARGS: --repo=${{ steps.info.outputs.repo_path }}
GH_TOKEN: ${{ github.token }}
- name: Checkout the repository to update the nightly tag
if: env.NIGHTLY_RELEASE == 'true'
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # pin v4.2.2
with:
ref: ${{ needs.version.outputs.commit_sha }}
path: parsec-cloud
timeout-minutes: 5
- name: Update the nightly tag
if: env.NIGHTLY_RELEASE == 'true'
run: |
git tag --force nightly ${{ needs.version.outputs.commit_sha }}
git push --force origin refs/tags/nightly
working-directory: parsec-cloud
- name: Create release
if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' || (github.event_name == 'push' && startsWith(github.ref, 'refs/tags/'))
uses: softprops/action-gh-release@c95fe1489396fe8a9eb87c0abf8aa5b2ef267fda # pin v2.2.1
with:
draft: ${{ env.NIGHTLY_RELEASE != 'true' }}
tag_name: ${{ steps.info.outputs.tag_name }}
body: ${{ steps.summary.outputs.output }}
prerelease: ${{ needs.version.outputs.pre != '' || needs.version.outputs.dev != '' || needs.version.outputs.local != '' }}
name: ${{ steps.info.outputs.release_name }}
# release-files/Parsec_${{ needs.version.outputs.full }}_win_*.exe*
files: |
release-files/parsec_cloud-${{ needs.version.outputs.pep440 }}-*.whl
release-files/Parsec_${{ needs.version.outputs.full }}_linux_*.AppImage
release-files/Parsec_${{ needs.version.outputs.full }}_linux_*.snap
release-files/Parsec_${{ needs.version.outputs.full }}_mac_*.dmg
release-files/Parsec_${{ needs.version.outputs.full }}_mac_*.zip
release-files/parsec-cli-${{ needs.version.outputs.full }}-x86_64-unknown-linux-*
release-files/python-*-requirements.txt
release-files/latest-*.yml
release-files/Parsec-SBOM-*.spdx.json
release-files/version
checksums.sha256
fail_on_unmatched_files: true
generate_release_notes: false
timeout-minutes: 5
publish:
needs: releaser
# Only publish after release if the release is for a nightly build.
# We only do that for nightly because we do not create the github release as draft for nightlies to limit the need to human interventions.
if: >-
(github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' || (github.event_name == 'push' && github.ref == 'refs/tags/nightly'))
&& needs.releaser.result == 'success'
&& always()
uses: ./.github/workflows/publish.yml
permissions:
contents: read
id-token: write
with:
release_tag: ${{ (github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && 'nightly' || github.ref_name }}
nightly: ${{ github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' || github.event_name == 'pull_request' || github.ref == 'refs/tags/nightly' }}
secrets:
SNAPCRAFT_CREDENTIALS: ${{ secrets.SNAPCRAFT_CREDENTIALS }}
PYPI_CREDENTIALS: ${{ secrets.PYPI_CREDENTIALS }}