-
Notifications
You must be signed in to change notification settings - Fork 296
147 lines (137 loc) · 5.98 KB
/
on-release-published.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
name: On release published
on:
release:
types:
- published
jobs:
linting-and-tests:
name: Linting and tests
uses: ./.github/workflows/linting-and-tests.yml
snyk-security-scan:
name: Snyk security scan
uses: ./.github/workflows/snyk-security-scan.yml
secrets: inherit
build-sign-and-publish-plugin-to-gcom:
name: Build, sign, and publish frontend plugin to grafana.com
needs:
- linting-and-tests
- snyk-security-scan
runs-on: ubuntu-latest
# These permissions are needed to assume roles from Github's OIDC.
# https://github.com/grafana/shared-workflows/tree/main/actions/get-vault-secrets
permissions:
contents: read
id-token: write
steps:
- name: Checkout project
uses: actions/checkout@v4
- name: Install frontend dependencies
uses: ./.github/actions/install-frontend-dependencies
# This will fetch the secret keys from vault and set them as environment variables for subsequent steps
- name: Get Vault secrets
uses: grafana/shared-workflows/actions/get-vault-secrets@main
with:
repo_secrets: |
GRAFANA_ACCESS_POLICY_TOKEN=github_actions:cloud-access-policy-token
GCS_PLUGIN_PUBLISHER_SERVICE_ACCOUNT_JSON=github_actions:gcs-plugin-publisher
- name: Build, sign, and package plugin
id: build-sign-and-package-plugin
uses: ./.github/actions/build-sign-and-package-plugin
with:
plugin_version_number: ${{ github.ref_name }}
- name: Authenticate with GCS
uses: google-github-actions/auth@v2
with:
credentials_json: ${{ env.GCS_PLUGIN_PUBLISHER_SERVICE_ACCOUNT_JSON }}
- name: Publish plugin artifact to GCS
uses: google-github-actions/upload-cloud-storage@v2
with:
path: grafana-plugin/${{ steps.build-sign-and-package-plugin.outputs.artifact_filename }}
destination: grafana-oncall-app/releases
predefinedAcl: publicRead
- name: Determine GCS artifact URL
shell: bash
id: gcs-artifact-url
# yamllint disable rule:line-length
run: |
echo url="https://storage.googleapis.com/grafana-oncall-app/releases/grafana-oncall-app-${{ steps.build-sign-and-package-plugin.outputs.authoritative_version_number }}.zip" >> $GITHUB_OUTPUT
- name: Publish plugin to grafana.com
run: |
curl -f -w "status=%{http_code}" -s -H "Authorization: Bearer ${{ env.GRAFANA_ACCESS_POLICY_TOKEN }}" -d "download[any][url]=${{ steps.gcs-artifact-url.outputs.url }}" -d "download[any][md5]=$(curl -sL ${{ steps.gcs-artifact-url.outputs.url }} | md5sum | cut -d'' '' -f1)" -d url=https://github.com/grafana/oncall/grafana-plugin https://grafana.com/api/plugins
# yamllint enable rule:line-length
build-engine-docker-image-and-publish-to-dockerhub:
name: Build engine Docker image and publish to Dockerhub
needs:
- linting-and-tests
- snyk-security-scan
uses: ./.github/workflows/build-engine-docker-image-and-publish-to-dockerhub.yml
with:
engine_version: ${{ github.ref_name }}
# https://github.com/docker/metadata-action?tab=readme-ov-file#tags-input
docker_image_tags: |
type=raw,value=${{ github.ref_name }}
type=raw,value=latest
create-helm-release-pr:
name: Create Helm release PR
needs:
- build-sign-and-publish-plugin-to-gcom
- build-engine-docker-image-and-publish-to-dockerhub
runs-on: ubuntu-latest
outputs:
helm_release_pr_number: ${{ fromJSON(steps.update-helm-chart-pr.outputs.pull_request).number }}
steps:
- name: Checkout project
uses: actions/checkout@v4
- name: Prepare version tags
id: prepare-version-tags
run: |
echo app-version="${GITHUB_REF_NAME}" >> $GITHUB_OUTPUT
echo version="${GITHUB_REF_NAME:1}" >> $GITHUB_OUTPUT
- name: Update oncall Helm chart Chart.yaml
id: update-helm-chart-pr
uses: fjogeleit/[email protected]
with:
valueFile: helm/oncall/Chart.yaml
branch: helm-release/${{ steps.prepare-version-tags.outputs.version }}
targetBranch: main
masterBranchName: main
createPR: true
# yamllint disable rule:line-length
description: |
This PR was created automatically by [this github action](https://github.com/grafana/oncall/blob/dev/.github/workflows/on-release-published.yml).
It will be auto-merged very soon, which will then release the updated version of the chart into the `grafana/helm-charts` helm repository.
# yamllint enable rule:line-length
message: "Release oncall Helm chart ${{ steps.prepare-version-tags.outputs.version }}"
changes: |
{
"version": "${{ steps.prepare-version-tags.outputs.version }}",
"appVersion": "${{ steps.prepare-version-tags.outputs.app-version }}"
}
merge-helm-release-pr:
name: Merge Helm release PR
needs:
- create-helm-release-pr
runs-on: ubuntu-latest
# These permissions are needed to assume roles from Github's OIDC.
# https://github.com/grafana/shared-workflows/tree/main/actions/get-vault-secrets
permissions:
id-token: write
contents: read
steps:
- name: Get Vault secrets
uses: grafana/shared-workflows/actions/get-vault-secrets@main
with:
repo_secrets: |
GH_APP_ID=github-app:app-id
GH_APP_PRIVATE_KEY=github-app:private-key
- name: Generate Github App token
id: generate-token
uses: actions/create-github-app-token@v1
with:
app-id: ${{ env.GH_APP_ID }}
private-key: ${{ env.GH_APP_PRIVATE_KEY }}
- name: Merge pull Request
uses: juliangruber/merge-pull-request-action@v1
with:
github-token: ${{ steps.generate-token.outputs.token }}
number: ${{ needs.create-helm-release-pr.outputs.helm_release_pr_number }}