-
Notifications
You must be signed in to change notification settings - Fork 296
141 lines (133 loc) · 5.95 KB
/
on-release-published.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
name: On release published
on:
release:
types:
- published
jobs:
linting-and-tests:
name: Linting and tests
uses: ./.github/workflows/linting-and-tests.yml
snyk-security-scan:
name: Snyk security scan
uses: ./.github/workflows/snyk-security-scan.yml
build-sign-and-publish-plugin-to-gcom:
name: Build, sign, and publish frontend plugin to grafana.com
needs:
- linting-and-tests
- snyk-security-scan
runs-on: ubuntu-latest
# These permissions are needed to assume roles from Github's OIDC.
# https://github.com/grafana/shared-workflows/tree/main/actions/get-vault-secrets
permissions:
contents: read
id-token: write
steps:
- name: Checkout project
uses: actions/checkout@v4
- name: Install frontend dependencies
uses: ./.github/actions/install-frontend-dependencies
# This will fetch the secret keys from vault and set them as environment variables for subsequent steps
- name: Get Vault secrets
uses: grafana/shared-workflows/actions/get-vault-secrets@main
with:
repo_secrets: |
GRAFANA_ACCESS_POLICY_TOKEN=github_actions:cloud-access-policy-token
GCS_PLUGIN_PUBLISHER_SERVICE_ACCOUNT_JSON=github_actions:gcs-plugin-publisher
GCOM_PLUGIN_PUBLISHER_API_KEY=github_actions:gcom-plugin-publisher-api-key
- name: Build, sign, and package plugin
id: build-sign-and-package-plugin
uses: ./.github/actions/build-sign-and-package-plugin
with:
plugin_version_number: ${{ github.ref_name }}
grafana_access_policy_token: ${{ env.GRAFANA_ACCESS_POLICY_TOKEN }}
working_directory: grafana-plugin
- name: Authenticate with GCS
uses: google-github-actions/auth@v2
with:
credentials_json: ${{ env.GCS_PLUGIN_PUBLISHER_SERVICE_ACCOUNT_JSON }}
- name: Publish plugin artifact to GCS
uses: google-github-actions/upload-cloud-storage@v2
with:
path: grafana-plugin/${{ steps.build-sign-and-package-plugin.outputs.artifact_filename }}
destination: grafana-oncall-app/releases
predefinedAcl: publicRead
- name: Determine GCS artifact URL
shell: bash
id: gcs-artifact-url
# yamllint disable rule:line-length
run: |
echo url="https://storage.googleapis.com/grafana-oncall-app/releases/grafana-oncall-app-${{ github.ref_name }}.zip" >> $GITHUB_OUTPUT
- name: Publish plugin to grafana.com
run: |
curl -f -w "status=%{http_code}" -s -H "Authorization: Bearer ${{ env.GCOM_PLUGIN_PUBLISHER_API_KEY }}" -d "download[any][url]=${{ steps.gcs-artifact-url.outputs.url }}" -d "download[any][md5]=$(curl -sL ${{ steps.gcs-artifact-url.outputs.url }} | md5sum | cut -d'' '' -f1)" -d url=https://github.com/grafana/oncall/grafana-plugin https://grafana.com/api/plugins
# yamllint enable rule:line-length
build-engine-docker-image-and-publish-to-dockerhub:
name: Build engine Docker image and publish to Dockerhub
needs:
- linting-and-tests
- snyk-security-scan
uses: ./.github/workflows/build-engine-docker-image-and-publish-to-dockerhub.yml
with:
engine_version: ${{ github.ref_name }}
# https://github.com/docker/metadata-action?tab=readme-ov-file#tags-input
docker_image_tags: |
type=raw,value=${{ github.ref_name }}
type=raw,value=latest
create-helm-release-pr:
name: Create Helm release PR
needs:
- build-sign-and-publish-plugin-to-gcom
- build-engine-docker-image-and-publish-to-dockerhub
runs-on: ubuntu-latest
outputs:
helm_release_pr_number: ${{ fromJSON(steps.update-helm-chart-pr.outputs.pull_request).number }}
steps:
- name: Checkout project
uses: actions/checkout@v4
- name: Prepare version tags
id: prepare-version-tags
run: |
echo app-version="${GITHUB_REF_NAME}" >> $GITHUB_OUTPUT
echo version="${GITHUB_REF_NAME:1}" >> $GITHUB_OUTPUT
- name: Update oncall Helm chart Chart.yaml
id: update-helm-chart-pr
uses: fjogeleit/[email protected]
with:
valueFile: helm/oncall/Chart.yaml
branch: helm-release/${{ steps.prepare-version-tags.outputs.version }}
targetBranch: main
masterBranchName: main
createPR: true
# yamllint disable rule:line-length
description: |
This PR was created automatically by [this github action](https://github.com/grafana/oncall/blob/dev/.github/workflows/on-release-published.yml).
It will be auto-merged very soon, which will then release the updated version of the chart into the `grafana/helm-charts` helm repository.
# yamllint enable rule:line-length
message: "Release oncall Helm chart ${{ steps.prepare-version-tags.outputs.version }}"
changes: |
{
"version": "${{ steps.prepare-version-tags.outputs.version }}",
"appVersion": "${{ steps.prepare-version-tags.outputs.app-version }}"
}
merge-helm-release-pr:
name: Merge Helm release PR
needs:
- create-helm-release-pr
runs-on: ubuntu-latest
# These permissions are needed to assume roles from Github's OIDC.
# https://github.com/grafana/shared-workflows/tree/main/actions/get-vault-secrets
permissions:
id-token: write
contents: read
steps:
# This will fetch the secret keys from vault and set them as environment variables for subsequent steps
- name: Get Vault secrets
uses: grafana/shared-workflows/actions/get-vault-secrets@main
with:
repo_secrets: |
GITHUB_API_KEY=github_actions:github-api-key
- name: Merge pull Request
uses: juliangruber/merge-pull-request-action@v1
with:
github-token: ${{ env.GITHUB_API_KEY }}
number: ${{ needs.create-helm-release-pr.outputs.helm_release_pr_number }}