diff --git a/.github/workflows/node-flow-build-application.yaml b/.github/workflows/node-flow-build-application.yaml index 714d54ce8b3c..4a759109cca6 100644 --- a/.github/workflows/node-flow-build-application.yaml +++ b/.github/workflows/node-flow-build-application.yaml @@ -83,3 +83,23 @@ jobs: gradle-cache-username: ${{ secrets.GRADLE_CACHE_USERNAME }} gradle-cache-password: ${{ secrets.GRADLE_CACHE_PASSWORD }} codecov-token: ${{ secrets.CODECOV_TOKEN }} + + deploy-ci-trigger: + name: Trigger CI Flows + runs-on: network-node-linux-medium + needs: code + if: ${{ needs.code.result == 'success' }} + steps: + - name: Harden Runner + uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 + with: + egress-policy: audit + + - name: Trigger ZXF Deploy Production Release + uses: step-security/workflow-dispatch@4d1049025980f72b1327cbfdeecb07fe7a20f577 # v1.2.4 + with: + workflow: .github/workflows/node-flow-deploy-release-artifact.yaml + repo: hashgraph/hedera-services # ensure we are executing in the hashgraph org + ref: develop # ensure we are always using the workflow definition from the develop branch + token: ${{ secrets.GH_ACCESS_TOKEN }} + inputs: '{ "event": "${{ toJSON(github.event) }}", "ref": "${{ github.ref }}" }' diff --git a/.github/workflows/node-flow-deploy-release-artifact.yaml b/.github/workflows/node-flow-deploy-release-artifact.yaml index 3e565adf4844..b2985992ba06 100644 --- a/.github/workflows/node-flow-deploy-release-artifact.yaml +++ b/.github/workflows/node-flow-deploy-release-artifact.yaml @@ -19,14 +19,14 @@ on: push: tags: - "v[0-9]+.[0-9]+.[0-9]+-?*" - workflow_run: - workflows: - - "Node: Build Application" - branches: - - develop - types: - - completed - + workflow_dispatch: + inputs: + ref: + required: true + description: "The github ref that triggered the workflow" + event: + required: true + description: "The github event of the triggering workflow" defaults: run: 
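Review bot: The dispatch payload in `deploy-ci-trigger` stops being valid JSON as soon as the expression expands: `toJSON(github.event)` produces a multi-line object full of double quotes, and it is dropped inside a JSON string literal, so `"event": "${{ toJSON(github.event) }}"` ends the string at the first inner quote and the receiving action cannot parse it. Encode it as a JSON string instead, `"event": ${{ toJSON(toJSON(github.event)) }}`, and send the commit rather than the ref, `"ref": "${{ github.sha }}"`, because the `zxf-prepare-extended-test-suite.yaml` step this feeds tags whatever `inputs.ref` resolves to at checkout time. The job also fires on every successful `code` run with no branch condition, whereas the `workflow_run` trigger it replaces was filtered to `develop`; unless this workflow's `on:` block (outside the hunk) is already restricted to that branch, add `&& github.ref == 'refs/heads/develop'` to its `if`. GitHub also documents a 65,535-character cap on `workflow_dispatch` inputs, which a push event carrying many commits can exceed — worth confirming before relying on this path.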
@@ -103,7 +103,7 @@ jobs: release-branch: name: Release [Branch] uses: ./.github/workflows/node-zxc-build-release-artifact.yaml - if: ${{ github.event_name == 'workflow_run' && github.event.workflow_run.conclusion == 'success'}} + if: ${{ github.event_name == 'workflow_dispatch' }} with: version-policy: branch-commit trigger-env-deploy: integration 
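Review bot: The `release-branch` job now runs for any manual or scripted dispatch, while the condition it replaces only fired for successful `Node: Build Application` runs on `develop`; the required `ref` input is accepted but never checked here before building with `version-policy: branch-commit`. Tighten the guard to the expected branch, e.g. `if: ${{ github.event_name == 'workflow_dispatch' && inputs.ref == 'refs/heads/develop' }}`, or validate the input against `develop` the way `zxf-prepare-extended-test-suite.yaml` does. The job's `with:` block continues outside the hunk.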
@@ -125,3 +125,41 @@ jobs: jf-docker-registry: ${{ vars.JF_DOCKER_REGISTRY }} jf-user-name: ${{ vars.JF_USER_NAME }} jf-access-token: ${{ secrets.JF_ACCESS_TOKEN }} + + deploy-ci-trigger: + name: Trigger CI Flows + runs-on: network-node-linux-medium + needs: + - release-branch + steps: + - name: Harden Runner + uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 + with: + egress-policy: audit + + - name: Checkout Code + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + with: + fetch-depth: '0' + ref: develop + token: ${{ secrets.GH_ACCESS_TOKEN }} + + - name: Trigger ZXF Prepare Extended Test Suite + if: ${{ needs.release-branch.result == 'success' }} + uses: step-security/workflow-dispatch@4d1049025980f72b1327cbfdeecb07fe7a20f577 # v1.2.4 + with: + workflow: .github/workflows/zxf-prepare-extended-test-suite.yaml + repo: hashgraph/hedera-services # ensure we are executing in the hashgraph org + ref: develop # ensure we are always using the workflow definition from the develop branch + token: ${{ secrets.GH_ACCESS_TOKEN }} + inputs: '{ "ref": "${{ inputs.ref }}" }' + + - name: Trigger ZXF Deploy Integration + if: ${{ needs.release-branch.result == 'success' }} + uses: step-security/workflow-dispatch@4d1049025980f72b1327cbfdeecb07fe7a20f577 # v1.2.4 + with: + workflow: .github/workflows/node-zxf-deploy-integration.yaml + repo: hashgraph/hedera-services # ensure we are executing in the hashgraph org + ref: develop # ensure we are always using the workflow definition from the develop branch + token: ${{ secrets.GH_ACCESS_TOKEN }} + inputs: '{ "event": "${{ inputs.event }}" }' diff --git a/.github/workflows/node-zxf-deploy-integration.yaml b/.github/workflows/node-zxf-deploy-integration.yaml index 3f73a85132a0..4df7c2c4406f 100644 --- a/.github/workflows/node-zxf-deploy-integration.yaml +++ b/.github/workflows/node-zxf-deploy-integration.yaml 
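Review bot: The `Checkout Code` step in `deploy-ci-trigger` is not used by either dispatch step, and with `actions/checkout`'s default `persist-credentials: true` it leaves `GH_ACCESS_TOKEN` in `.git/config` on the runner for the rest of the job; drop the step or add `persist-credentials: false`. The integration dispatch payload has the same quoting problem as the build workflow's: `inputs.event` is a JSON document embedded inside a JSON string literal, so use `"event": ${{ toJSON(inputs.event) }}` to escape it. The per-step `if: ${{ needs.release-branch.result == 'success' }}` conditions are redundant with the job's implicit `success()` gate on `needs: release-branch` and could be replaced by one job-level `if`.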
@@ -17,14 +17,10 @@ name: "ZXF: [Node] Deploy Integration Network Release" on: workflow_dispatch: - - workflow_run: - workflows: - - "ZXC: [Node] Deploy Release Artifacts" - types: - - completed - branches: - - develop + inputs: + event: + description: JSON representation of the triggering GitHub event + required: true permissions: contents: read @@ -33,8 +29,6 @@ jobs: jenkins-checks: name: Build Artifact runs-on: network-node-linux-medium - if: ${{ false }} - steps: - name: Harden Runner uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 @@ -46,7 +40,7 @@ jobs: uses: fjogeleit/http-request-action@0bd00a33db6f82063a3c6befd41f232f61d66583 # v1.15.2 with: url: ${{ secrets.RELEASE_JENKINS_INTEGRATION_URL }} - data: ${{ toJSON(github.event) }} + data: ${{ inputs.event }} - name: Display Jenkins Payload env: diff --git a/.github/workflows/zxcron-extended-test-suite.yaml b/.github/workflows/zxcron-extended-test-suite.yaml index 619044caabb1..ee15b2a74b31 100644 --- a/.github/workflows/zxcron-extended-test-suite.yaml +++ b/.github/workflows/zxcron-extended-test-suite.yaml @@ -22,7 +22,12 @@ on: - cron: '0 */3 * * *' permissions: - contents: write + id-token: write + actions: read + pull-requests: write + statuses: write + checks: write + contents: read defaults: run: 
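Review bot: Removing `if: ${{ false }}` re-enables `jenkins-checks`, and with `data: ${{ inputs.event }}` whatever text the dispatcher supplies is POSTed verbatim to `RELEASE_JENKINS_INTEGRATION_URL` — the input is described as "JSON representation of the triggering GitHub event" but nothing checks that it is JSON or that it describes this repository. Add a validation step before the request, passing the input via `env:` and running `printf '%s' "${EVENT}" | jq -e '.repository.full_name == "hashgraph/hedera-services"' >/dev/null`, so a malformed or foreign payload fails here rather than on the Jenkins side. Since the workflow is now `workflow_dispatch`-only, anyone with write access can fire an integration deploy with a body of their choosing; if that is unintended, the check above is the minimum guard.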
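Review bot: The `permissions` block of `zxcron-extended-test-suite.yaml` now grants `id-token: write`, `pull-requests: write`, `statuses: write` and `checks: write`, but none of the steps visible in this diff request an OIDC token or write to PRs, statuses or checks; the tag pushes moved to the `GH_ACCESS_TOKEN` PAT, which is presumably why `contents` dropped to `read`. Unless the reusable workflows called by `extended-test-suite` and the JRS panels need these scopes, trim the block to what is used, and add a comment naming the consumer for each scope that stays, e.g. `# id-token: write — needed by zxc-jrs-regression.yaml for cloud auth`.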
@@ -36,29 +41,39 @@ jobs: name: Fetch XTS Candidate Tag runs-on: network-node-linux-medium outputs: - xts_tag_exists: ${{ steps.check_tags_exist.outputs.xts_tag_exists }} - xts_tag_commit: ${{ steps.check_tags_exist.outputs.xts_tag_commit }} + xts-tag-exists: ${{ steps.check-tags-exist.outputs.xts-tag-exists }} + xts-tag-commit: ${{ steps.check-tags-exist.outputs.xts-tag-commit }} steps: + - name: Harden Runner + uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 + with: + egress-policy: audit + # Checkout the latest from dev - name: Checkout Code uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: fetch-depth: '0' + ref: develop + token: ${{ secrets.GH_ACCESS_TOKEN }} # Check if the xts-candidate tag exists - # the command git branch --contains xts_tag_commit | grep -q - # will return an exit code of 1 if the tag commit is not found on the develop + # the command git branch --contains xts-tag-commit | grep --quiet + # will return an exit code of 1 if the tagged commit is not found on the develop # branch. - # TODO: Should we delete the tag as part of this job? Or should it occur after XTS passes? 
- name: Check for tags - id: check_tags_exist + id: check-tags-exist run: | - TAG=${XTS_CANDIDATE_TAG} - if [ $(git tag -l "${TAG}") ]; then - echo "xts_tag_exists=true" >> $GITHUB_OUTPUT - XTS_COMMIT=`git rev-list -n 1 ${XTS_CANDIDATE_TAG}` - git branch --contains ${XTS_COMMIT} | grep -q develop - echo "xts_tag_commit=`${XTS_COMMIT}`" >> $GITHUB_OUTPUT + XTS_COMMIT=$(git rev-list -n 1 ${XTS_CANDIDATE_TAG}) + set +e + git branch --contains ${XTS_COMMIT} | grep --quiet develop >/dev/null 2>&1 + BRANCH_ON_DEVELOP="${?}" + set -e + if [[ -n "${XTS_COMMIT}" && "${BRANCH_ON_DEVELOP}" -eq 0 ]]; then + echo "xts-tag-exists=true" >> $GITHUB_OUTPUT + echo "xts-tag-commit=${XTS_COMMIT}" >> $GITHUB_OUTPUT + echo "### Commit has been tagged as an XTS-Candidate" >> $GITHUB_STEP_SUMMARY + echo "xts-tag-commit=${XTS_COMMIT}" >> $GITHUB_STEP_SUMMARY git tag -d ${XTS_CANDIDATE_TAG} git push --delete origin ${XTS_CANDIDATE_TAG} else @@ -69,7 +84,7 @@ jobs: name: Execute eXtended Test Suite uses: ./.github/workflows/node-zxc-compile-application-code.yaml needs: fetch-xts-candidate - if: ${{ needs.fetch-xts-candidate.result == 'success' && needs.fetch-xts-candidate.outputs.xts_tag_exists == 'true' }} + if: ${{ needs.fetch-xts-candidate.result == 'success' && needs.fetch-xts-candidate.outputs.xts-tag-exists == 'true' }} with: custom-job-label: Execute eXtended Test Suite enable-timing-sensitive-tests: true @@ -77,7 +92,7 @@ jobs: enable-hammer-tests: true enable-hapi-tests-time-consuming: true enable-network-log-capture: true - ref: ${{ needs.fetch-xts-candidate.outputs.xts_tag_commit }} + ref: ${{ needs.fetch-xts-candidate.outputs.xts-tag-commit }} secrets: access-token: ${{ secrets.GITHUB_TOKEN }} gradle-cache-username: ${{ secrets.GRADLE_CACHE_USERNAME }} 
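Review bot: In `Check for tags`, `XTS_COMMIT=$(git rev-list -n 1 ${XTS_CANDIDATE_TAG})` runs before `set +e`, so when the candidate tag does not exist — the normal state between promotions, and exactly the case the old `git tag -l` guard handled — the command fails and, under the `-e` that the workflow's bash shell runs with, the step aborts before ever reaching the `else` branch that reports `xts-tag-exists=false`. Resolve the tag tolerantly, `XTS_COMMIT="$(git rev-list -n 1 "${XTS_CANDIDATE_TAG}" 2>/dev/null || true)"`, and quote the variable throughout. The branch check `git branch --contains ... | grep --quiet develop` also matches any local branch whose name merely contains `develop`; `git merge-base --is-ancestor "${XTS_COMMIT}" develop`, as used in `zxf-prepare-extended-test-suite.yaml`, is the precise test. The `else` branch of this step lies outside the hunk.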
@@ -87,11 +102,11 @@ jobs: name: JRS Panel uses: ./.github/workflows/zxc-jrs-regression.yaml needs: fetch-xts-candidate - if: ${{ needs.fetch-xts-candidate.result == 'success' && needs.fetch-xts-candidate.outputs.xts_tag_exists == 'true' }} + if: ${{ needs.fetch-xts-candidate.result == 'success' && needs.fetch-xts-candidate.outputs.xts-tag-exists == 'true' }} with: custom-job-name: "Platform SDK" panel-config: "configs/suites/GCP-PRCheck-Abbrev-4N.json" - ref: ${{ needs.fetch-xts-candidate.outputs.xts_tag_commit }} # pass the xts-candidate tag to the JRS panel for checkout + ref: ${{ needs.fetch-xts-candidate.outputs.xts-tag-commit }} # pass the xts-candidate tag to the JRS panel for checkout branch-name: ${{ github.head_ref || github.ref_name }} base-branch-name: ${{ github.base_ref || '' }} slack-results-channel: "regression-test" @@ -113,10 +128,10 @@ jobs: name: Hedera Node JRS Panel uses: ./.github/workflows/zxc-jrs-regression.yaml needs: fetch-xts-candidate - if: ${{ needs.fetch-xts-candidate.result == 'success' && needs.fetch-xts-candidate.outputs.xts_tag_exists == 'true' }} + if: ${{ needs.fetch-xts-candidate.result == 'success' && needs.fetch-xts-candidate.outputs.xts-tag-exists == 'true' }} with: custom-job-name: "Abbrev Update Test" - ref: ${{ needs.fetch-xts-candidate.outputs.xts_tag_commit }} # pass the xts-candidate tag to the JRS panel for checkout + ref: ${{ needs.fetch-xts-candidate.outputs.xts-tag-commit }} # pass the xts-candidate tag to the JRS panel for checkout branch-name: ${{ github.head_ref || github.ref_name }} hedera-tests-enabled: true use-branch-for-slack-channel: false 
@@ -137,13 +152,14 @@ jobs: name: Tag as XTS-Passing runs-on: network-node-linux-medium needs: - - abbreviated-panel +# - abbreviated-panel - extended-test-suite - fetch-xts-candidate - - hedera-node-jrs-panel - if: ${{ needs.abbreviated-panel.result == 'success' || - needs.extended-test-suite.result == 'success' || - needs.hedera-node-jrs-panel.result == 'success' }} +# - hedera-node-jrs-panel +# if: ${{ needs.abbreviated-panel.result == 'success' || +# needs.extended-test-suite.result == 'success' || +# needs.hedera-node-jrs-panel.result == 'success' }} + if: ${{ needs.extended-test-suite.result == 'success' }} steps: - name: Harden Runner uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 
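Review bot: The commented-out `needs` entries and `if` in `tag-for-promotion` should be deleted rather than kept as comments — git history preserves them, and dead config next to a live `if` invites someone to uncomment the wrong half. With only `extended-test-suite` gating the job, the JRS panels no longer block promotion and the `xts-pass-*` tag can be pushed while they are still running; if that is intended, say so in one line, e.g. `# JRS panels are advisory for promotion; only the extended test suite gates the xts-pass tag`.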
@@ -152,21 +168,35 @@ jobs: - name: Checkout Tagged Code id: checkout_tagged_code - if: ${{ needs.fetch-xts-candidate.outputs.xts_tag_exists == 'true' }} + if: ${{ needs.fetch-xts-candidate.outputs.xts-tag-exists == 'true' }} uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: - ref: ${{ needs.fetch-xts-candidate.outputs.xts_tag_commit }} # this becomes an input to the reusable flow + fetch-depth: '0' + ref: ${{ needs.fetch-xts-candidate.outputs.xts-tag-commit }} + token: ${{ secrets.GH_ACCESS_TOKEN }} + + - name: Import GPG Key + id: gpg_importer + uses: step-security/ghaction-import-gpg@6c8fe4d0126a59d57c21f87c9ae5dd3451fa3cca # v6.1.0 + with: + git_commit_gpgsign: true + git_tag_gpgsign: true + git_user_signingkey: true + gpg_private_key: ${{ secrets.SVCS_GPG_KEY_CONTENTS }} + passphrase: ${{ secrets.SVCS_GPG_KEY_PASSPHRASE }} # Now that the XTS suite has run we should be able to tag for promotion - name: Tag for XTS promotion run: | - EPOCH_TIME=`date -j -f "%a %b %d %T %Z %Y" "\`LC_ALL=C date\`" "+%s"` + EPOCH_TIME=$(date +%s) TAG=xts-pass-${EPOCH_TIME} - git tag --annotate ${TAG} + git tag --annotate ${TAG} --message "chore: tagging commit for build candidate promotion" git push --set-upstream origin --tags + echo "### Commit Tagged for Promotion" >> $GITHUB_STEP_SUMMARY + echo "promotion-tag=${TAG}" >> $GITHUB_STEP_SUMMARY report-failure: - name: Report XTS preparation failure + name: Report XTS execution failure runs-on: network-node-linux-medium needs: - abbreviated-panel 
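Review bot: `git push --set-upstream origin --tags` in `Tag for XTS promotion` pushes every local tag, not just the new `xts-pass-*` one; after a `fetch-depth: '0'` checkout that is the whole remote tag set, so a tag deleted on the remote while this job runs would be resurrected and unrelated tags are re-sent on every pass. Push the single ref instead: `git push origin "refs/tags/${TAG}"`. Signing now relies on `git_tag_gpgsign: true` from `Import GPG Key` rather than an explicit `--sign`, so add `git tag --verify "${TAG}"` before the push to fail loudly if the tag was created unsigned. The `report-failure` job continues past the hunk.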
@@ -175,11 +205,12 @@ jobs: - hedera-node-jrs-panel - tag-for-promotion - if: ${{ needs.abbreviated-panel.result != 'success' || + if: ${{ (needs.abbreviated-panel.result != 'success' || needs.extended-test-suite.result != 'success' || needs.fetch-xts-candidate.result != 'success' || needs.hedera-node-jrs-panel.result != 'success' || - needs.tag-for-promotion.result != 'success' }} + needs.tag-for-promotion.result != 'success') && + !cancelled() && always() }} steps: - name: Harden Runner uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 diff --git a/.github/workflows/zxcron-promote-build-candidate.yaml b/.github/workflows/zxcron-promote-build-candidate.yaml new file mode 100644 index 000000000000..97641513673f --- /dev/null +++ b/.github/workflows/zxcron-promote-build-candidate.yaml 
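Review bot: Adding `!cancelled()` to the `report-failure` condition changes when the job is evaluated, and with the `!= 'success'` tests that is a regression: when no candidate tag exists, `extended-test-suite` and both panels are skipped, `skipped != 'success'` is true, and this job now sends a Slack failure report every three hours, whereas before (no status-check function in the `if`) a skipped dependency simply skipped the report. Test for actual failure, `needs.extended-test-suite.result == 'failure'` and likewise for the other jobs, and drop `&& always()` — `!cancelled()` is itself a status-check function, so `always()` adds nothing and only suggests the job should also run on cancellation, which `!cancelled()` forbids.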
@@ -0,0 +1,204 @@ +## +# Copyright (C) 2023-2024 Hedera Hashgraph, LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +## + +name: "ZXCron: Promote Build Candidate" +on: + workflow_dispatch: + schedule: + # Runs Extended Test Suite every three hours + - cron: '0 20 * * *' + +permissions: + actions: read + contents: read + +defaults: + run: + shell: bash + +jobs: + determine-build-candidate: + name: Fetch Latest Build Candidate + runs-on: network-node-linux-medium + outputs: + build-candidate-exists: ${{ steps.find-build-candidates.outputs.build-candidate-exists }} + build-candidate-commit: ${{ steps.find-build-candidates.outputs.build-candidate-commit }} + steps: + - name: Harden Runner + uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 + with: + egress-policy: audit + + # Checkout the latest from dev + - name: Checkout Code + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + with: + fetch-depth: '0' + ref: develop + token: ${{ secrets.GH_ACCESS_TOKEN }} + + - name: Find Build Candidates + id: find-build-candidates + run: | + TAG_PATTERN="xts-pass-*" + CANDIDATE_TAG="$(git tag --list --sort=-version:refname "${TAG_PATTERN}" | head --lines 1)" + if [[ -n "${CANDIDATE_TAG}" ]]; then + CANDIDATE_COMMIT=$(git rev-list --max-count 1 ${CANDIDATE_TAG}) + if git branch --contains "${CANDIDATE_COMMIT}" | grep --quiet develop >/dev/null 2>&1; then + git tag --delete $(git tag --list "${TAG_PATTERN}") + git push 
--delete origin $(git tag --list "${TAG_PATTERN}") + echo "build-candidate-exists=true" >> "${GITHUB_OUTPUT}" + echo "build-candidate-commit=${CANDIDATE_COMMIT}" >> "${GITHUB_OUTPUT}" + echo "### Build Candidate Found" >> "${GITHUB_STEP_SUMMARY}" + echo "build-candidate-commit=${CANDIDATE_COMMIT}" >> "${GITHUB_STEP_SUMMARY}" + echo "build_candidate_tag=${CANDIDATE_TAG}" >> "${GITHUB_STEP_SUMMARY}" + else + gh run cancel "${{ github.run_id }}" + fi + else + gh run cancel "${{ github.run_id }}" + fi + + promote-build-candidate: + name: Promote Build Candidate + runs-on: network-node-linux-medium + needs: determine-build-candidate + if: ${{ needs.determine-build-candidate.result == 'success' && needs.determine-build-candidate.outputs.build-candidate-exists == 'true' }} + steps: + - name: Harden Runner + uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 + with: + egress-policy: audit + + - name: Checkout Tagged Code + id: checkout-tagged-code + if: ${{ needs.determine-build-candidate.build-candidate-exists == 'true' }} + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + with: + fetch-depth: '0' + ref: ${{ needs.determine-build-candidate.outputs.build-candidate-commit }} + token: ${{ secrets.GH_ACCESS_TOKEN }} + + - name: Import GPG Key + id: gpg_importer + uses: step-security/ghaction-import-gpg@6c8fe4d0126a59d57c21f87c9ae5dd3451fa3cca # v6.1.0 + with: + git_commit_gpgsign: true + git_tag_gpgsign: true + git_user_signingkey: true + gpg_private_key: ${{ secrets.SVCS_GPG_KEY_CONTENTS }} + passphrase: ${{ secrets.SVCS_GPG_KEY_PASSPHRASE }} + + - name: Tag Build Candidate + env: + BUILD_INDEX: ${{ vars.XTS_BUILD_PROMOTION_INDEX }} + run: | + BUILD_TAG="$(printf "build-%05d" "${BUILD_INDEX}")" + git tag --annotate ${BUILD_TAG} --message "chore: tagging commit for build promotion" + git push --set-upstream origin --tags + echo "### Build Promotion Tag Information" >> "${GITHUB_STEP_SUMMARY}" + echo 
"build-tag=${BUILD_TAG}" >> "${GITHUB_STEP_SUMMARY}" + + - name: Increment Build Promotion Index + uses: action-pack/increment@14c9f7fbbf560e7518ccaeab781aeca7bff15069 # v2.12 + id: increment + with: + name: 'XTS_BUILD_PROMOTION_INDEX' + token: ${{ secrets.GH_ACCESS_TOKEN }} + + - name: Preview Next Build + env: + NEXT_BUILD_ID: ${{ steps.increment.outputs.value }} + run: | + NEXT_BUILD_TAG="$(printf "build-%05d" "${NEXT_BUILD_ID}")" + echo "### Preview Next Build Tag" >> "${GITHUB_STEP_SUMMARY}" + echo "Next build tag is: ${NEXT_BUILD_TAG}" >> "${GITHUB_STEP_SUMMARY}" + + report-failure: + name: Report XTS execution failure + runs-on: network-node-linux-medium + needs: + - determine-build-candidate + - promote-build-candidate + if: ${{ (needs.determine-build-candidate.result != 'success' || needs.promote-build-candidate.result != 'success') && !cancelled() && always() }} + steps: + - name: Harden Runner + uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 + with: + egress-policy: audit + + - name: Report failure (slack) + uses: slackapi/slack-github-action@6c661ce58804a1a20f6dc5fbee7f0381b469e001 # v1.25.0 + env: + SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK + SLACK_WEBHOOK_URL: ${{ secrets.SLACK_CITR_WEBHOOK }} + with: + payload: | + { + "attachments": [ + { + "color": "#7647cd", + "blocks": [ + { + "type": "header", + "text": { + "type": "plain_text", + "text": ":grey_exclamation: Hedera Services - Build Candidate Promotion Error Report", + "emoji": true + } + }, + { + "type": "divider" + }, + { + "type": "section", + "text": { + "type": "mrkdwn", + "text": "*Build Candidate Promotion Job Resulted in failure. 
See status below.*" + }, + "fields": [ + { + "type": "plain_text", + "text": "Fetch Latest Build Candidate" + }, + { + "type": "plain_text", + "text": "${{ needs.determine-build-candidate.result }}" + }, + { + "type": "plain_text", + "text": "Promote Build Candidate" + }, + { + "type": "plain_text", + "text": "${{ needs.promote-build-candidate.result }}" + } + ] + }, + { + "type": "divider" + }, + { + "type": "section", + "text": { + "type": "mrkdwn", + "text": "*Source Commit*: \n<${{ github.server_url }}/${{ github.repository }}/commit/${{ github.sha }}>" + } + } + ] + } + ] + } diff --git a/.github/workflows/zxf-prepare-extended-test-suite.yaml b/.github/workflows/zxf-prepare-extended-test-suite.yaml index 42158896471a..542df411a076 100644 --- a/.github/workflows/zxf-prepare-extended-test-suite.yaml +++ b/.github/workflows/zxf-prepare-extended-test-suite.yaml @@ -16,13 +16,11 @@ name: "ZXF: Prepare Extended Test Suite" on: - workflow_run: - workflows: - - "ZXF: Deploy Production Release" - types: - - completed - branches: - - develop + workflow_dispatch: + inputs: + ref: + description: Git Commit Reference for the XTS prep tag + required: true defaults: run: 
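Review bot: Two steps in `zxcron-promote-build-candidate.yaml` cannot work as written. `Checkout Tagged Code` tests `needs.determine-build-candidate.build-candidate-exists` without `.outputs.`, which evaluates to empty, so the checkout is always skipped and `Tag Build Candidate` then runs `git tag` in an empty workspace; the job-level `if` already checks the real output, so the step condition should simply go. `gh run cancel` in `Find Build Candidates` has no `GH_TOKEN` in its environment (the CLI refuses to run without one) and the workflow grants only `actions: read`, so the cancel fails and the step exits non-zero instead of quietly ending the run; emitting `build-candidate-exists=false` and having `report-failure` alert on `== 'failure'` avoids the cancel entirely and also stops a skipped promotion being reported as an error. Separately, the schedule comment says "every three hours" but `0 20 * * *` runs once a day, `git push --set-upstream origin --tags` should push only `refs/tags/${BUILD_TAG}`, and the `develop` check via `grep --quiet develop` matches any branch name containing that word.

```yaml
      - name: Find Build Candidates
        id: find-build-candidates
        run: |
          TAG_PATTERN="xts-pass-*"
          EXISTS=false
          CANDIDATE_TAG="$(git tag --list --sort=-version:refname "${TAG_PATTERN}" | head --lines 1)"
          if [[ -n "${CANDIDATE_TAG}" ]]; then
            CANDIDATE_COMMIT="$(git rev-list --max-count 1 "${CANDIDATE_TAG}")"
            if git merge-base --is-ancestor "${CANDIDATE_COMMIT}" develop; then
              # … unchanged: delete xts-pass-* tags, write commit output and step summary …
              EXISTS=true
            fi
          fi
          echo "build-candidate-exists=${EXISTS}" >> "${GITHUB_OUTPUT}"
# … unchanged: promote-build-candidate job header and Harden Runner step …
      - name: Checkout Tagged Code
        id: checkout-tagged-code
        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
# … unchanged: checkout inputs, GPG import, tag creation …
          git push origin "refs/tags/${BUILD_TAG}"
# … unchanged: build-index increment and preview …
  report-failure:
    if: ${{ !cancelled() && (needs.determine-build-candidate.result == 'failure' || needs.promote-build-candidate.result == 'failure') }}
```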
@@ -38,20 +36,38 @@ jobs: tag-for-xts: name: Tag for XTS promotion runs-on: network-node-linux-medium - if: ${{ github.event.workflow_run.conclusion == 'success' && !github.event.workflow_run.head_repository.fork && github.event.workflow_run.head_branch == 'develop'}} steps: - name: Harden Runner uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 with: egress-policy: audit - - name: Checkout code + - name: Checkout Default Branch uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: fetch-depth: '0' - ref: ${{ github.event.workflow_run.head_sha }} + ref: 'develop' + token: ${{ secrets.GH_ACCESS_TOKEN }} + + - name: Validate Input Ref + id: validate-input + env: + COMMIT_ID: ${{ inputs.ref }} + run: | + if git merge-base --is-ancestor "${COMMIT_ID}" develop >/dev/null 2>&1; then + echo "commit_on_dev=true" >> $GITHUB_OUTPUT + else + echo "::error title=Branch Alignment::The provided commit (${COMMIT_ID}) is not present on the develop branch." + exit 1 + fi + + - name: Checkout Code + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + if: ${{ steps.validate-input.outputs.commit_on_dev == 'true'}} + with: + fetch-depth: '0' + ref: ${{ inputs.ref }} token: ${{ secrets.GH_ACCESS_TOKEN }} - persist-credentials: 'true' - name: Import GPG Key id: gpg_importer @@ -66,11 +82,13 @@ jobs: # move the tag if successful - name: Tag Code and push run: | - git tag --force --sign ${XTS_CANDIDATE_TAG} --message "Tagging commit for XTS promotion" + git tag --delete "${XTS_CANDIDATE_TAG}" + git push --delete origin "${XTS_CANDIDATE_TAG}" + git tag --annotate "${XTS_CANDIDATE_TAG}" --message "chore: tagging commit for XTS promotion" git push --set-upstream origin --tags - name: Report failure - if: ${{ failure() }} + if: ${{ !cancelled() && failure() && always() }} uses: slackapi/slack-github-action@6c661ce58804a1a20f6dc5fbee7f0381b469e001 # v1.25.0 env: SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
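Review bot: `git tag --delete "${XTS_CANDIDATE_TAG}"` in `Tag Code and push` exits non-zero when the tag is not present locally — the normal case after `zxcron-extended-test-suite.yaml` has consumed the previous candidate — and under `bash -e` that aborts the step before the new tag is created; the `--force` form it replaces tolerated this. Use `git tag --delete "${XTS_CANDIDATE_TAG}" 2>/dev/null || true` and `git push --delete origin "${XTS_CANDIDATE_TAG}" 2>/dev/null || true`, then push only the new ref with `git push origin "refs/tags/${XTS_CANDIDATE_TAG}"` rather than `--tags`. `Validate Input Ref` accepts any name `git merge-base` can resolve, and the caller chain forwards `github.ref` (i.e. `refs/heads/develop`), so the candidate tag lands on whatever the branch tip is at checkout time rather than the commit that was built; require a full SHA, `[[ "${COMMIT_ID}" =~ ^[0-9a-f]{40}$ ]]`, and have the build workflow send `github.sha`. The `if: ${{ !cancelled() && failure() && always() }}` on `Report failure` reduces to `failure()`.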