v1.13.4 #92
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: On release published | |
on: | |
release: | |
types: | |
- published | |
jobs: | |
linting-and-tests: | |
name: Linting and tests | |
uses: ./.github/workflows/linting-and-tests.yml | |
snyk-security-scan: | |
name: Snyk security scan | |
uses: ./.github/workflows/snyk-security-scan.yml | |
secrets: inherit | |
build-sign-and-publish-plugin-to-gcom: | |
name: Build, sign, and publish frontend plugin to grafana.com | |
needs: | |
- linting-and-tests | |
- snyk-security-scan | |
runs-on: ubuntu-latest | |
# These permissions are needed to assume roles from Github's OIDC. | |
# https://github.com/grafana/shared-workflows/tree/main/actions/get-vault-secrets | |
permissions: | |
contents: read | |
id-token: write | |
steps: | |
- name: Checkout project | |
uses: actions/checkout@v4 | |
- name: Install frontend dependencies | |
uses: ./.github/actions/install-frontend-dependencies | |
# This will fetch the secret keys from vault and set them as environment variables for subsequent steps | |
- name: Get Vault secrets | |
uses: grafana/shared-workflows/actions/get-vault-secrets@main | |
with: | |
repo_secrets: | | |
GRAFANA_ACCESS_POLICY_TOKEN=github_actions:cloud-access-policy-token | |
GCS_PLUGIN_PUBLISHER_SERVICE_ACCOUNT_JSON=github_actions:gcs-plugin-publisher | |
- name: Build, sign, and package plugin | |
id: build-sign-and-package-plugin | |
uses: ./.github/actions/build-sign-and-package-plugin | |
with: | |
plugin_version_number: ${{ github.ref_name }} | |
- name: Authenticate with GCS | |
uses: google-github-actions/auth@v2 | |
with: | |
credentials_json: ${{ env.GCS_PLUGIN_PUBLISHER_SERVICE_ACCOUNT_JSON }} | |
- name: Publish plugin artifact to GCS | |
uses: google-github-actions/upload-cloud-storage@v2 | |
with: | |
path: grafana-plugin/${{ steps.build-sign-and-package-plugin.outputs.artifact_filename }} | |
destination: grafana-oncall-app/releases | |
predefinedAcl: publicRead | |
- name: Determine GCS artifact URL | |
shell: bash | |
id: gcs-artifact-url | |
# yamllint disable rule:line-length | |
run: | | |
echo url="https://storage.googleapis.com/grafana-oncall-app/releases/grafana-oncall-app-${{ steps.build-sign-and-package-plugin.outputs.authoritative_version_number }}.zip" >> $GITHUB_OUTPUT | |
- name: Publish plugin to grafana.com | |
run: | | |
curl -f -w "status=%{http_code}" -s -H "Authorization: Bearer ${{ env.GRAFANA_ACCESS_POLICY_TOKEN }}" -d "download[any][url]=${{ steps.gcs-artifact-url.outputs.url }}" -d "download[any][md5]=$(curl -sL ${{ steps.gcs-artifact-url.outputs.url }} | md5sum | cut -d'' '' -f1)" -d url=https://github.com/grafana/oncall/grafana-plugin https://grafana.com/api/plugins | |
# yamllint enable rule:line-length | |
build-engine-docker-image-and-publish-to-dockerhub: | |
name: Build engine Docker image and publish to Dockerhub | |
needs: | |
- linting-and-tests | |
- snyk-security-scan | |
uses: ./.github/workflows/build-engine-docker-image-and-publish-to-dockerhub.yml | |
with: | |
engine_version: ${{ github.ref_name }} | |
# https://github.com/docker/metadata-action?tab=readme-ov-file#tags-input | |
docker_image_tags: | | |
type=raw,value=${{ github.ref_name }} | |
type=raw,value=latest | |
create-helm-release-pr: | |
name: Create Helm release PR | |
needs: | |
- build-sign-and-publish-plugin-to-gcom | |
- build-engine-docker-image-and-publish-to-dockerhub | |
runs-on: ubuntu-latest | |
outputs: | |
helm_release_pr_number: ${{ fromJSON(steps.update-helm-chart-pr.outputs.pull_request).number }} | |
steps: | |
- name: Checkout project | |
uses: actions/checkout@v4 | |
- name: Prepare version tags | |
id: prepare-version-tags | |
run: | | |
echo app-version="${GITHUB_REF_NAME}" >> $GITHUB_OUTPUT | |
echo version="${GITHUB_REF_NAME:1}" >> $GITHUB_OUTPUT | |
- name: Update oncall Helm chart Chart.yaml | |
id: update-helm-chart-pr | |
uses: fjogeleit/[email protected] | |
with: | |
valueFile: helm/oncall/Chart.yaml | |
branch: helm-release/${{ steps.prepare-version-tags.outputs.version }} | |
targetBranch: main | |
masterBranchName: main | |
createPR: true | |
# yamllint disable rule:line-length | |
description: | | |
This PR was created automatically by [this github action](https://github.com/grafana/oncall/blob/dev/.github/workflows/on-release-published.yml). | |
It will be auto-merged very soon, which will then release the updated version of the chart into the `grafana/helm-charts` helm repository. | |
# yamllint enable rule:line-length | |
message: "Release oncall Helm chart ${{ steps.prepare-version-tags.outputs.version }}" | |
changes: | | |
{ | |
"version": "${{ steps.prepare-version-tags.outputs.version }}", | |
"appVersion": "${{ steps.prepare-version-tags.outputs.app-version }}" | |
} | |
merge-helm-release-pr: | |
name: Merge Helm release PR | |
needs: | |
- create-helm-release-pr | |
runs-on: ubuntu-latest | |
# These permissions are needed to assume roles from Github's OIDC. | |
# https://github.com/grafana/shared-workflows/tree/main/actions/get-vault-secrets | |
permissions: | |
id-token: write | |
contents: read | |
steps: | |
- name: Get Vault secrets | |
uses: grafana/shared-workflows/actions/get-vault-secrets@main | |
with: | |
repo_secrets: | | |
GH_APP_ID=github-app:app-id | |
GH_APP_PRIVATE_KEY=github-app:private-key | |
- name: Generate Github App token | |
id: generate-token | |
uses: actions/create-github-app-token@v1 | |
with: | |
app-id: ${{ env.GH_APP_ID }} | |
private-key: ${{ env.GH_APP_PRIVATE_KEY }} | |
- name: Merge pull Request | |
uses: juliangruber/merge-pull-request-action@v1 | |
with: | |
github-token: ${{ steps.generate-token.outputs.token }} | |
number: ${{ needs.create-helm-release-pr.outputs.helm_release_pr_number }} |