From 97f9af3e7094c57222a3e160139d692b962c41b8 Mon Sep 17 00:00:00 2001 From: Samuel Isola Date: Tue, 30 Apr 2024 13:49:33 +0200 Subject: [PATCH] refactor release workflows --- .github/workflows/build_container.yml | 26 ++-- .github/workflows/pkg_arch-aur.yaml | 30 ++-- .github/workflows/pkg_chocolatey.yaml | 26 ++-- .github/workflows/pkg_macos.yaml | 52 ++++++- .github/workflows/pkg_msi.yaml | 46 ++++-- .github/workflows/release.yml | 169 +++++++++++++++++++++ .github/workflows/release_mondoo_pkgs.yaml | 43 +++--- .github/workflows/test-released-all.yaml | 8 + .github/workflows/test_install_sh.yml | 8 +- .github/workflows/update-version.yml | 24 +-- .gitignore | 5 +- 11 files changed, 355 insertions(+), 82 deletions(-) create mode 100644 .github/workflows/release.yml diff --git a/.github/workflows/build_container.yml b/.github/workflows/build_container.yml index a472d470..3c0ba63a 100644 --- a/.github/workflows/build_container.yml +++ b/.github/workflows/build_container.yml @@ -1,10 +1,19 @@ name: Release Mondoo Container Image on: - release: - types: [released] workflow_dispatch: - + workflow_call: + inputs: + push: + description: "Push docker image?" + required: false + default: true + type: boolean + secrets: + DOCKER_USERNAME: + required: true + DOCKER_PASSWORD: + required: true jobs: build_container: @@ -55,7 +64,7 @@ jobs: provenance: true context: . platforms: linux/amd64,linux/arm64 - push: true + push: ${{ inputs.push }} build-args: VERSION=${{ steps.version.outputs.version }} target: root tags: | @@ -76,7 +85,7 @@ jobs: context: . file: Dockerfile-dev platforms: linux/amd64,linux/arm64,linux/arm/v6,linux/arm/v7 - push: true + push: ${{ inputs.push }} build-args: VERSION=${{ steps.version.outputs.version }} target: root tags: | 
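Review bot: `push: ${{ inputs.push }}` (here and in the other `push:` hunks of this file) only has a value when the workflow is called; the `workflow_dispatch` trigger kept at the top declares no inputs, so a manual run evaluates `inputs.push` to an empty value — the `default: true` under `workflow_call` does not apply to dispatch — and whether docker/build-push-action then silently skips the push or rejects the input depends on how it parses an empty `push`, which is not visible here. If manual runs are still meant to publish, declare the same boolean under `workflow_dispatch: inputs:` (a `push` entry with `type: boolean` and `default: true`) so the expression is defined on both triggers. Declaring the two Docker secrets explicitly instead of `secrets: inherit` is the right call and worth keeping for the other called workflows.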
@@ -91,7 +100,7 @@ jobs: provenance: true context: . platforms: linux/amd64,linux/arm64,linux/arm/v6,linux/arm/v7 - push: true + push: ${{ inputs.push }} build-args: VERSION=${{ steps.version.outputs.version }} target: rootless tags: | @@ -107,7 +116,7 @@ jobs: context: . file: Dockerfile-ubi platforms: linux/amd64,linux/arm64 - push: true + push: ${{ inputs.push }} build-args: VERSION=${{ steps.version.outputs.version }} target: root tags: | @@ -123,11 +132,10 @@ jobs: context: . file: Dockerfile-ubi platforms: linux/amd64,linux/arm64 - push: true + push: ${{ inputs.push }} build-args: VERSION=${{ steps.version.outputs.version }} target: rootless tags: | mondoo/client:${{ steps.version.outputs.version }}-ubi-rootless mondoo/client:${{ steps.semver.outputs.major }}-ubi-rootless mondoo/client:latest-ubi-rootless - diff --git a/.github/workflows/pkg_arch-aur.yaml b/.github/workflows/pkg_arch-aur.yaml index 6ce794db..899fce11 100644 --- a/.github/workflows/pkg_arch-aur.yaml +++ b/.github/workflows/pkg_arch-aur.yaml @@ -1,6 +1,25 @@ name: 'PKG: Archlinux AUR Release' on: + workflow_call: + inputs: + version: + description: "Version to release" + required: true + default: "8.0.0" + type: string + skip: + description: "Skip release" + required: false + default: false + type: boolean + secrets: + AUR_USERNAME: + required: true + AUR_EMAIL: + required: true + AUR_SSH_PRIVATE_KEY: + required: true workflow_dispatch: inputs: version: @@ -13,8 +32,6 @@ on: required: false default: false type: boolean - release: - types: [published] jobs: setup: 
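Review bot: pkg_arch-aur.yaml names its opt-out flag `skip` while the other called workflows in this commit use `skip-publish` (pkg_chocolatey, pkg_macos, pkg_msi) or `skip-release` (release_mondoo_pkgs), so the caller in release.yml has to remember a third spelling for this one file; renaming it `skip-publish` would make the set uniform. The `version` input is also declared `required: true` together with `default: "8.0.0"`; for `workflow_call` a default is only consulted when the caller omits the input, which a required input forbids, so the default is dead — the same pairing appears in pkg_chocolatey, pkg_macos, pkg_msi, release_mondoo_pkgs, test-released-all and update-version. Under `workflow_dispatch` a default on a required input merely pre-fills the form and is harmless; for the call trigger drop either `required` or the default.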
@@ -25,14 +42,9 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@v4 - - name: Set Version (Workflow Dispatch) - if: github.event_name == 'workflow_dispatch' + - name: Set Version run: | echo VERSION=${{ inputs.version }} >> $GITHUB_ENV - - name: Set Version (Release Event) - if: github.event_name == 'release' - run: | - echo VERSION=${{ github.event.release.tag_name }} >> $GITHUB_ENV - name: Unified Version id: version run: | @@ -106,4 +118,4 @@ jobs: packages/archlinux/mondoo/mondoo.sh packages/archlinux/mondoo/LICENSE.html packages/archlinux/mondoo/OSS-LICENSES.tar.xz - packages/archlinux/mondoo/mondoo.service \ No newline at end of file + packages/archlinux/mondoo/mondoo.service diff --git a/.github/workflows/pkg_chocolatey.yaml b/.github/workflows/pkg_chocolatey.yaml index c0dae043..5b261923 100644 --- a/.github/workflows/pkg_chocolatey.yaml +++ b/.github/workflows/pkg_chocolatey.yaml @@ -1,6 +1,21 @@ name: 'PKG: Chocolatey NuGet Release' on: + workflow_call: + inputs: + version: + description: "Version to release" + required: true + type: string + default: "8.0.0" + skip-publish: + description: "Skip publish?" + required: false + default: false + type: boolean + secrets: + CHOCOLATEY_API_KEY: + required: true workflow_dispatch: inputs: version: @@ -8,8 +23,6 @@ on: required: true type: string default: "8.0.0" - release: - types: [published] jobs: chocotize: @@ -19,15 +32,10 @@ jobs: - name: Checkout uses: actions/checkout@v4 # Determine which version should be released based on event type - - name: Set Version (Workflow Dispatch) + - name: Set Version shell: bash - if: github.event_name == 'workflow_dispatch' run: | echo VERSION=${{ inputs.version }} >> $GITHUB_ENV - - name: Set Version (Release Event) - if: github.event_name == 'release' - run: | - echo VERSION=${{ github.event.release.tag_name }} >> $GITHUB_ENV - name: Unified Version id: version shell: bash 
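Review bot: The rewritten `Set Version` step still splices `${{ inputs.version }}` straight into the shell line, so whatever arrives as the version (a dispatch input or, via release.yml, a release tag name) is expanded into the script before bash parses it instead of being passed as data. As far as the visible triggers show both sources require write access to the repository, which limits the exposure, but the value is only validated later in `Unified Version`, after it has already been through the shell. Routing it through the environment keeps it inert: `env:` / `  INPUT_VERSION: ${{ inputs.version }}` / `run: echo "VERSION=${INPUT_VERSION}" >> "$GITHUB_ENV"`. The same pattern appears in the `Set Version` steps of pkg_chocolatey.yaml (this file section), pkg_macos.yaml, pkg_msi.yaml and release_mondoo_pkgs.yaml, in release.yml's `get-version` job, and in release.yml's `gh workflow run ... --field version=${{ ... }}` line.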
@@ -51,6 +59,7 @@ jobs: - name: Update Chocolatey Packages uses: addnab/docker-run-action@v3 + if: ${{ ! inputs.skip-publish }} with: image: chocolatey/choco:latest options: -v ${{ github.workspace }}/packages/chocolatey:/packages -e CHOCO_API_KEY=${{ secrets.CHOCOLATEY_API_KEY }} -e VERSION=${{ steps.version.outputs.version }} @@ -64,4 +73,3 @@ jobs: done echo 'Go check for the moderation status:' echo 'Mondoo Moderation Queue: https://community.chocolatey.org/packages?q=tag%3Amondoo&moderatorQueue=true&moderationStatus=all-statuses&prerelease=false&sortOrder=relevance' - diff --git a/.github/workflows/pkg_macos.yaml b/.github/workflows/pkg_macos.yaml index a36e528b..559bd1df 100644 --- a/.github/workflows/pkg_macos.yaml +++ b/.github/workflows/pkg_macos.yaml @@ -1,6 +1,48 @@ name: 'PKG: macOS Universal pkg Release' on: + workflow_call: + inputs: + version: + description: "Package Version" + required: true + default: "0.0.1" + type: string + name: + description: "Package Name" + required: false + default: "mondoo" + type: string + skip-publish: + description: "Skip publish?" + required: false + default: false + type: boolean + secrets: + APPLE_KEYCHAIN_PASSWORD: + required: true + APPLE_KEYS_PRODUCTSIGN_P12: + required: true + APPLE_KEYS_CODESIGN_P12: + required: true + APPLE_KEYS_PASSWORD: + required: true + APPLE_KEYS_CODESIGN_ID: + required: true + APPLE_KEYS_PRODUCTSIGN_ID: + required: true + APPLE_ACCOUNT_USERNAME: + required: true + APPLE_ACCOUNT_PASSWORD: + required: true + APPLE_ACCOUNT_TEAM_ID: + required: true + GCP_CREDENTIALS: + required: true + RELEASR_ACTION_TOKEN: + required: true + REPO_API_TOKEN: + required: true workflow_dispatch: inputs: version: @@ -11,13 +53,12 @@ on: description: 'Package Name' required: false default: 'mondoo' + type: string skip-publish: description: 'Skip publish?' required: false default: false type: boolean - release: - types: [released] jobs: pkg: 
@@ -27,14 +68,9 @@ jobs: - name: Checkout repository uses: actions/checkout@v4 - - name: Set Version (Workflow Dispatch) - if: github.event_name == 'workflow_dispatch' + - name: Set Version run: | echo VERSION=${{ inputs.version }} >> $GITHUB_ENV - - name: Set Version (Release Event) - if: github.event_name == 'release' - run: | - echo VERSION=${{ github.event.release.tag_name }} >> $GITHUB_ENV - name: Unified Version id: version run: | diff --git a/.github/workflows/pkg_msi.yaml b/.github/workflows/pkg_msi.yaml index c7574d36..bc2595e7 100644 --- a/.github/workflows/pkg_msi.yaml +++ b/.github/workflows/pkg_msi.yaml @@ -1,23 +1,55 @@ name: 'PKG: Microsoft Software Installer (MSI)' on: + workflow_call: + inputs: + version: + description: "Package Version" + required: true + default: "0.0.1" + type: string + name: + description: "Package Name" + required: false + default: "mondoo" + type: string + skip-publish: + description: "Skip publish?" + required: false + default: false + type: boolean + secrets: + SM_CLIENT_CERT_FILE_B64: + required: true + SM_HOST: + required: true + SM_API_KEY: + required: true + SM_CLIENT_CERT_PASSWORD: + required: true + SM_CODE_SIGNING_CERT_SHA1_HASH: + required: true + GCP_CREDENTIALS: + required: true + RELEASR_ACTION_TOKEN: + required: true workflow_dispatch: inputs: version: description: 'Package Version' required: true default: '0.0.1' + type: string name: description: 'Package Name' required: false default: 'mondoo' + type: string skip-publish: description: 'Skip publish?' required: false default: false type: boolean - release: - types: [published] jobs: setup: 
@@ -28,14 +60,9 @@ jobs: trimmed-version: ${{ steps.version.outputs.trimmed_version }} name: ${{ steps.version.outputs.name }} steps: - - name: Set Version (Workflow Dispatch) - if: github.event_name == 'workflow_dispatch' + - name: Set Version run: | echo VERSION=${{ inputs.version }} >> $GITHUB_ENV - - name: Set Version (Release Event) - if: github.event_name == 'release' - run: | - echo VERSION=${{ github.event.release.tag_name }} >> $GITHUB_ENV - name: Unified Version id: version run: | @@ -56,7 +83,6 @@ jobs: curl -sL --head --fail https://github.com/mondoohq/cnquery/releases/download/v${{ steps.version.outputs.version }}/cnquery_${{ steps.version.outputs.version }}_windows_amd64.zip curl -sL --head --fail https://github.com/mondoohq/cnspec/releases/download/v${{ steps.version.outputs.version }}/cnspec_${{ steps.version.outputs.version }}_windows_amd64.zip - dist-prepare: name: 'Prepare Distribution for Packaging' runs-on: ubuntu-latest @@ -83,7 +109,6 @@ jobs: name: dist path: dist - msi-build: name: 'Packaging: Windows MSI' runs-on: windows-latest @@ -216,4 +241,3 @@ jobs: - name: Cleanup run: | rm -f "${{ steps.gauth.outputs.credentials_file_path }}" - diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml new file mode 100644 index 00000000..e6b7e6a0 --- /dev/null +++ b/.github/workflows/release.yml 
@@ -0,0 +1,169 @@ +name: Run Release Workflows + +on: + release: + types: [released] + workflow_dispatch: + inputs: + version: + description: "Version that should be released" + required: true + default: "1.2.3" + type: string + skip-release: + description: "Skip release?" + required: false + default: false + type: boolean + +jobs: + get-version: + runs-on: ubuntu-latest + outputs: + version: ${{ steps.version.outputs.version }} + steps: + - name: Get Version (Workflow Dispatch) + if: github.event_name == 'workflow_dispatch' + run: | + echo VERSION=${{ inputs.version }} >> $GITHUB_ENV + - name: Get Version (Release Event) + if: github.event_name == 'release' + run: | + echo VERSION=${{ github.event.release.tag_name }} >> $GITHUB_ENV + - name: Set Version + id: version + run: | + echo "version=$VERSION" >> $GITHUB_OUTPUT + + create-release: + runs-on: ubuntu-latest + needs: get-version + if: github.event_name == 'workflow_dispatch' && ! inputs.skip-release + steps: + - name: Create release + uses: softprops/action-gh-release@v2 + with: + name: ${{ inputs.version }} + tag_name: ${{ inputs.version }} + + release_mondoo_pkgs: + name: Trigger release_mondoo_pkgs workflow + uses: ./.github/workflows/release_mondoo_pkgs.yaml + needs: get-version + with: + version: ${{ needs.get-version.outputs.version }} + skip-release: ${{ inputs.skip-release }} + secrets: + GCP_CREDENTIALS: ${{ secrets.GCP_CREDENTIALS }} + REPO_API_TOKEN: ${{ secrets.REPO_API_TOKEN }} + + update-version: + name: Trigger update-version workflow + uses: ./.github/workflows/update-version.yml + needs: get-version + with: + version: ${{ needs.get-version.outputs.version }} + skip-commit: ${{ inputs.skip-release }} + + build_container: + name: Trigger build_container workflow + uses: ./.github/workflows/build_container.yml + with: + push: ${{ ! 
inputs.skip-release }} + secrets: + DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }} + DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }} + + pkg_macos: + name: Trigger pkg_macos workflow + uses: ./.github/workflows/pkg_macos.yaml + needs: get-version + with: + version: ${{ needs.get-version.outputs.version }} + skip-publish: ${{ inputs.skip-release }} + secrets: + APPLE_KEYCHAIN_PASSWORD: ${{ secrets.APPLE_KEYCHAIN_PASSWORD }} + APPLE_KEYS_PRODUCTSIGN_P12: ${{ secrets.APPLE_KEYS_PRODUCTSIGN_P12 }} + APPLE_KEYS_CODESIGN_P12: ${{ secrets.APPLE_KEYS_CODESIGN_P12 }} + APPLE_KEYS_PASSWORD: ${{ secrets.APPLE_KEYS_PASSWORD }} + APPLE_KEYS_CODESIGN_ID: ${{ secrets.APPLE_KEYS_CODESIGN_ID }} + APPLE_KEYS_PRODUCTSIGN_ID: ${{ secrets.APPLE_KEYS_PRODUCTSIGN_ID }} + APPLE_ACCOUNT_USERNAME: ${{ secrets.APPLE_ACCOUNT_USERNAME }} + APPLE_ACCOUNT_PASSWORD: ${{ secrets.APPLE_ACCOUNT_PASSWORD }} + APPLE_ACCOUNT_TEAM_ID: ${{ secrets.APPLE_ACCOUNT_TEAM_ID }} + GCP_CREDENTIALS: ${{ secrets.GCP_CREDENTIALS }} + RELEASR_ACTION_TOKEN: ${{ secrets.RELEASR_ACTION_TOKEN }} + REPO_API_TOKEN: ${{ secrets.REPO_API_TOKEN }} + + pkg_arch-aur: + name: Trigger pkg_arch-aur workflow + uses: ./.github/workflows/pkg_arch-aur.yaml + needs: get-version + with: + version: ${{ needs.get-version.outputs.version }} + skip: ${{ inputs.skip-release }} + secrets: + AUR_USERNAME: ${{ secrets.AUR_USERNAME }} + AUR_EMAIL: ${{ secrets.AUR_EMAIL }} + AUR_SSH_PRIVATE_KEY: ${{ secrets.AUR_SSH_PRIVATE_KEY }} + + pkg_chocolatey: + name: Trigger pkg_chocolatey workflow + uses: ./.github/workflows/pkg_chocolatey.yaml + needs: get-version + with: + version: ${{ needs.get-version.outputs.version }} + skip-publish: ${{ inputs.skip-release }} + secrets: + CHOCOLATEY_API_KEY: ${{ secrets.CHOCOLATEY_API_KEY }} + + pkg_msi: + name: Trigger pkg_msi workflow + uses: ./.github/workflows/pkg_msi.yaml + needs: get-version + with: + version: ${{ needs.get-version.outputs.version }} + skip-publish: ${{ inputs.skip-release }} + secrets: + 
SM_CLIENT_CERT_FILE_B64: ${{ secrets.SM_CLIENT_CERT_FILE_B64 }} + SM_HOST: ${{ secrets.SM_HOST }} + SM_API_KEY: ${{ secrets.SM_API_KEY }} + SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }} + SM_CODE_SIGNING_CERT_SHA1_HASH: ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }} + GCP_CREDENTIALS: ${{ secrets.GCP_CREDENTIALS }} + RELEASR_ACTION_TOKEN: ${{ secrets.RELEASR_ACTION_TOKEN }} + + test_install_sh: + name: Trigger test_install_sh workflow + uses: ./.github/workflows/test_install_sh.yml + needs: update-version + secrets: + DISCORD_WEBHOOK: ${{ secrets.DISCORD_WEBHOOK }} + + test-released-all: + name: Trigger test-released-all workflow + uses: ./.github/workflows/test-released-all.yaml + with: + version: ${{ needs.get-version.outputs.version }} + needs: + - get-version + - release_mondoo_pkgs + - build_container + - pkg_macos + - pkg_arch-aur + - pkg_chocolatey + - pkg_msi + - test_install_sh + + integration-tests: + name: Trigger integration test workflow + runs-on: ubuntu-latest + if: ${{ ! inputs.skip-release }} + needs: + - get-version + - test-released-all + steps: + - name: Run integration test workfow + env: + GH_TOKEN: ${{ secrets.REPO_API_TOKEN }} + run: gh workflow run test.yaml --repo "mondoohq/integration-test" --field version=${{ needs.get-version.outputs.version }} diff --git a/.github/workflows/release_mondoo_pkgs.yaml b/.github/workflows/release_mondoo_pkgs.yaml index c2f3fcac..450e7f42 100644 --- a/.github/workflows/release_mondoo_pkgs.yaml +++ b/.github/workflows/release_mondoo_pkgs.yaml 
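Review bot: `create-release` publishes the GitHub release as `tag_name: ${{ inputs.version }}`, while the called release_mondoo_pkgs.yaml uploads its assets with `tag_name: v${{ steps.version.outputs.version }}`; unless the dispatch input already carries the `v` prefix those are two different tags, and since the packaging jobs only `needs: get-version`, the asset upload can also start before `create-release` has run. Agreeing on one tag string and making the publishing jobs depend on `create-release` (handling its skipped status on the `release` event, where that job does not run) would close both gaps. The file declares no `permissions:`, so every job — and, through the `uses:` jobs, every called workflow — inherits the repository default for `GITHUB_TOKEN`; `contents: write` belongs only on `create-release` and on the jobs whose called workflow publishes release assets, with `contents: read` at the top level. On the `release` event `inputs.skip-release` is undefined, so the called workflows' boolean inputs receive an empty value rather than `false` (worth verifying that the call accepts it), and `build_container` has no `needs:` at all; `${{ inputs.skip-release == true }}` / `push: ${{ inputs.skip-release != true }}` produce a real boolean on both triggers, and `needs: get-version` on `build_container` keeps it behind the version step like its siblings. Third-party actions are referenced by mutable major tags (`softprops/action-gh-release@v2`); pinning them to a full commit SHA is the usual hardening for a workflow that handles this many signing and publishing secrets.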
@@ -1,14 +1,23 @@ name: "Build & Release mondoo Meta-Package" on: - release: - types: [released] - workflow_dispatch: + workflow_call: inputs: version: - description: 'Version that should be released' + description: "Version that should be released" + required: true + default: "1.2.3" + type: string + skip-release: + description: "Skip release?" + required: false + default: false + type: boolean + secrets: + GCP_CREDENTIALS: + required: true + REPO_API_TOKEN: required: true - default: '1.2.3' jobs: build-mondoo-payloads: @@ -18,14 +27,9 @@ jobs: steps: - uses: actions/checkout@v4 - - name: Version from Workflow Dispatch - if: github.event_name == 'workflow_dispatch' + - name: Set Version run: | echo "VERSION=${{ github.event.inputs.version }}" >> $GITHUB_ENV - - name: Version from Release Tag - if: github.event_name == 'release' - run: | - echo "VERSION=${{ github.event.release.tag_name }}" >> $GITHUB_ENV - name: Unify and Validate Version id: version run: | @@ -75,23 +79,26 @@ jobs: cd helper/packages sha256sum *linux* > checksums.linux.txt - name: Upload files to releases.mondoo.com + if: ${{ ! inputs.skip-release }} run: | gsutil cp -r helper/packages/* gs://releases-us.mondoo.io/mondoo/${VERSION}/ - name: Upload files to GitHub Release Page uses: softprops/action-gh-release@v2 + if: ${{ ! inputs.skip-release }} with: tag_name: v${{ steps.version.outputs.version }} files: helper/packages/* - name: Reindex folder on releaser.mondoo.com uses: peter-evans/repository-dispatch@v3 + if: ${{ ! inputs.skip-release }} with: token: ${{ secrets.REPO_API_TOKEN }} repository: "mondoohq/releasr" event-type: reindex client-payload: '{ - "reindex-path": "mondoo/${{ steps.version.outputs.version }}", - "bucket": "releases-us.mondoo.io" + "reindex-path": "mondoo/${{ steps.version.outputs.version }}", + "bucket": "releases-us.mondoo.io" }' - name: Create Artifacts 
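Review bot: The new `Set Version` step reads `${{ github.event.inputs.version }}`, but with `workflow_dispatch` replaced by `workflow_call` this workflow now only runs from release.yml, and `github.event` there is the caller's event — on the `release` trigger it has no `inputs`, so `VERSION` is set to an empty string and the release path depends on `Unify and Validate Version` (outside the hunk) to fail rather than ship. The value the caller actually passes is `inputs.version`; read it through the environment: `env:` / `  INPUT_VERSION: ${{ inputs.version }}` / `run: echo "VERSION=${INPUT_VERSION}" >> "$GITHUB_ENV"`. update-version.yml's rewritten `Version` step reads the same `github.event.inputs.version`, which still works when that workflow is dispatched directly but not when release.yml calls it on a release event; it needs the same change.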
@@ -104,6 +111,7 @@ jobs: update-downstream: runs-on: ubuntu-latest needs: build-mondoo-payloads + if: ${{ ! inputs.skip-release }} ## Matrix task, repeats steps for each repo strategy: matrix: @@ -112,17 +120,8 @@ jobs: - uses: actions/checkout@v4 - name: Repository Dispatch (Workflow Dispatch) uses: peter-evans/repository-dispatch@v3 - if: github.event_name == 'workflow_dispatch' with: token: ${{ secrets.REPO_API_TOKEN }} repository: ${{ matrix.repo }} event-type: update client-payload: '{"version": "${{ needs.build-mondoo-payloads.outputs.version }}"}' - - name: Repository Dispatch (Release) - uses: peter-evans/repository-dispatch@v3 - if: github.event_name == 'release' - with: - token: ${{ secrets.REPO_API_TOKEN }} - repository: ${{ matrix.repo }} - event-type: update - client-payload: '{"version": "${{ needs.build-mondoo-payloads.outputs.version }}"}' \ No newline at end of file diff --git a/.github/workflows/test-released-all.yaml b/.github/workflows/test-released-all.yaml index 699713e3..74595f82 100644 --- a/.github/workflows/test-released-all.yaml +++ b/.github/workflows/test-released-all.yaml @@ -1,12 +1,20 @@ name: "Test Release: ALL - Trigger Release Build Tests" on: + workflow_call: + inputs: + version: + description: "Version to test" + required: true + default: "9.0.0" + type: string workflow_dispatch: inputs: version: description: "Version to test" required: true default: "9.0.0" + type: string jobs: test-arch: diff --git a/.github/workflows/test_install_sh.yml b/.github/workflows/test_install_sh.yml index 7fa78217..2fba439d 100644 --- a/.github/workflows/test_install_sh.yml +++ b/.github/workflows/test_install_sh.yml @@ -1,10 +1,10 @@ name: Test Mondoo Releases with Container Builds on: - workflow_run: - workflows: ['Update Release Version'] # runs after release - types: - - completed + workflow_call: + secrets: + DISCORD_WEBHOOK: + required: true workflow_dispatch: push: branches: 
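Review bot: The step name `Repository Dispatch (Workflow Dispatch)` in the `update-downstream` hunk is now stale — its `if: github.event_name == 'workflow_dispatch'` was removed and the release-event twin deleted, so this one step serves both paths; rename it `- name: Repository Dispatch` so nobody reads it as dispatch-only. The job-level `if: ${{ ! inputs.skip-release }}` relies on `inputs.skip-release` being defined, which holds only as long as the caller always passes it. The `client-payload` in that step embeds `needs.build-mondoo-payloads.outputs.version` inside a JSON string literal; that is safe only because the value has presumably been validated in `Unify and Validate Version`, which deserves a short comment next to the payload.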
diff --git a/.github/workflows/update-version.yml b/.github/workflows/update-version.yml index e3f76cc3..2d0a6144 100644 --- a/.github/workflows/update-version.yml +++ b/.github/workflows/update-version.yml @@ -1,14 +1,25 @@ name: Update Release Version on: - release: - types: [released] + workflow_call: + inputs: + version: + description: "Version that should be released" + required: true + default: "1.2.3" + type: string + skip-commit: + description: "Skip commit?" + required: false + default: false + type: boolean workflow_dispatch: inputs: version: description: 'Version that should be released' required: true default: '1.2.3' + type: string jobs: update-version: @@ -19,16 +30,10 @@ jobs: with: ref: 'main' fetch-depth: 0 - - name: Version from Workflow Dispatch - if: github.event_name == 'workflow_dispatch' + - name: Version run: | V=$(echo ${{ github.event.inputs.version }} | sed 's/v//g') echo "VERSION=${V}" >> $GITHUB_ENV - - name: Version from Release Tag - if: github.event_name == 'release' - run: | - V=$(echo ${{ github.event.release.tag_name }} | sed 's/v//g') - echo "VERSION=${V}" >> $GITHUB_ENV - name: Verify valid version id: vars run: | @@ -38,6 +43,7 @@ jobs: fi echo "version=$VERSION" >> $GITHUB_OUTPUT - name: Commit VERSION file + if: ${{ ! inputs.skip-commit }} run: | echo ${VERSION} > VERSION echo "VERSION is $VERSION" diff --git a/.gitignore b/.gitignore index ae426573..ee82bdce 100644 --- a/.gitignore +++ b/.gitignore @@ -18,4 +18,7 @@ packages/msi/v16 # Arch AUR Generated Files packages/archlinux/cnquery -packages/archlinux/cnspec \ No newline at end of file +packages/archlinux/cnspec + +# VSCode settings +.vscode
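Review bot: The `Version` step's `sed 's/v//g'` strips every `v` from the input, not only the tag prefix, so a value containing that letter elsewhere (a pre-release label, say) would be silently mangled; the version also reaches the shell by direct `${{ }}` interpolation. Reading it through the environment and stripping only a leading prefix covers both: `env:` / `  INPUT_VERSION: ${{ inputs.version }}` / `run: echo "VERSION=${INPUT_VERSION#v}" >> "$GITHUB_ENV"`. The `Verify valid version` step that follows continues outside the hunk, so whether it would catch a mangled value cannot be judged here.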