Skip to content

Implement release locking to avoid publishing helm chart before container image #7490

Implement release locking to avoid publishing helm chart before container image

Implement release locking to avoid publishing helm chart before container image #7490

Workflow file for this run

on:
push:
branches:
- main
pull_request:
branches:
- main
workflow_dispatch:
env:
CI_CONTAINER_REGISTRY: europe-west1-docker.pkg.dev
CI_CONTAINER_REPOSITORY: europe-west1-docker.pkg.dev/weave-gitops-clusters/weave-gitops
name: PR CI Workflow
jobs:
ci-js:
name: CI Test JS
runs-on: ubuntu-latest
strategy:
matrix:
node-version: [16.X]
steps:
- uses: actions/checkout@v3
- name: Node modules cache
uses: actions/cache@v2
env:
cache-name: cache-node-modules
with:
# npm cache files are stored in `~/.npm` on Linux/macOS
path: ~/.npm
key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ hashFiles('**/package-lock.json') }}
restore-keys: |
${{ runner.os }}-build-${{ env.cache-name }}-
${{ runner.os }}-build-
${{ runner.os }}-
- name: Use Node.js ${{ matrix.node-version }}
uses: actions/setup-node@v3
with:
node-version: ${{ matrix.node-version }}
- run: make node_modules
- name: Check that package.json & package-lock.json were updated in commit
run: |
echo "Using node.js "$(node --version)
echo "Using NPM "$(npm --version)
git diff --no-ext-diff --exit-code
- run: make ui-audit
- run: make ui
- run: make ui-lint
- run: make ui-prettify-check
- run: make ui-test
- run: make ui-lib
ci-go:
name: CI Test Go
runs-on: ubuntu-latest
strategy:
matrix:
go-version: [1.20.X]
steps:
- uses: actions/checkout@v3
- name: Setup Go
uses: actions/setup-go@v4
with:
go-version: ${{ matrix.go-version }}
- name: Setup Flux CLI
uses: fluxcd/flux2/action@main
with:
token: ${{ secrets.GITHUB_TOKEN }}
- run: make unit-tests
# - run: make lib-test
ci-static:
name: CI Check Static Checks
runs-on: ubuntu-latest
strategy:
matrix:
go-version: [1.20.X]
node-version: [16.X]
steps:
- uses: actions/checkout@v3
- name: Setup Go
uses: actions/setup-go@v4
with:
go-version: ${{ matrix.go-version }}
- run: make check-format
- run: make lint
- run: go mod tidy
- name: Check that go mod tidy has been run
run: git diff --no-ext-diff --exit-code
- run: make proto
- name: Check that make proto has been run
run: git diff --no-ext-diff --exit-code
- run: make fakes
- name: Check that make fakes has been run
run: git diff --no-ext-diff --exit-code
ci-generate-tag:
name: CI Generate Image Tag
runs-on: ubuntu-latest
outputs:
tag: ${{ steps.generate-tag.outputs.tag }}
steps:
- id: generate-tag
run: echo "::set-output name=tag::$(date -u +%s)-${{ github.sha }}"
ci-build-gitops-image:
name: CI Build Gitops Docker Image
runs-on: ubuntu-latest
needs: [ci-generate-tag]
strategy:
matrix:
docker-image:
- gitops
- gitops-server
steps:
- uses: actions/checkout@v3
- uses: docker/setup-buildx-action@v2
- name: Set build-time flags
run: |
echo "LDFLAGS=$(make echo-ldflags)" >> $GITHUB_ENV
echo "FLUX_VERSION=$(make echo-flux-version)" >> $GITHUB_ENV
- name: Build and export
uses: docker/build-push-action@v3
with:
tags: "${{ env.CI_CONTAINER_REPOSITORY }}/${{ matrix.docker-image }}:${{ needs.ci-generate-tag.outputs.tag }}"
outputs: type=docker,dest=/tmp/${{ matrix.docker-image }}.tar
file: ${{ matrix.docker-image }}.dockerfile
build-args: |
FLUX_VERSION=${{ env.FLUX_VERSION }}
LDFLAGS=${{ env.LDFLAGS }}
GIT_COMMIT=${{ github.sha }}
- name: Load docker image
run: docker load --input /tmp/${{ matrix.docker-image }}.tar
- name: Cache docker image
uses: actions/upload-artifact@v3
with:
name: ${{ matrix.docker-image }}
path: /tmp/${{ matrix.docker-image }}.tar
ci-upload-images:
name: CI Upload Images
runs-on: ubuntu-latest
# Make sure we only upload images if tests etc have passed
needs: [ci-go, ci-static, ci-js, ci-build-gitops-image, ci-generate-tag]
permissions:
contents: 'read'
id-token: 'write'
if: github.event_name == 'push'
strategy:
matrix:
docker-image:
- gitops
- gitops-server
steps:
- uses: docker/setup-buildx-action@v2
- uses: google-github-actions/setup-gcloud@v1
- name: Download cached docker image
uses: actions/download-artifact@v3
with:
name: ${{ matrix.docker-image }}
path: /tmp
- name: Authenticate to Google Cloud
id: gcloud-auth
uses: google-github-actions/auth@v1
with:
service_account: ${{ secrets.service_account }}
workload_identity_provider: ${{ secrets.workload_identity_provider }}
- name: Login to gcloud for docker
run: gcloud --quiet auth configure-docker ${{ env.CI_CONTAINER_REGISTRY }}
- name: Push images to gcloud
run: |
docker load --input /tmp/${{ matrix.docker-image }}.tar
docker push "${{ env.CI_CONTAINER_REPOSITORY }}/${{ matrix.docker-image }}:${{ needs.ci-generate-tag.outputs.tag }}"
ci-upload-binary:
name: Upload Binary
runs-on: ${{matrix.os}}
needs: [ci-go, ci-static, ci-js, ci-build-gitops-image]
strategy:
matrix:
os: [ubuntu-latest, macOS-latest]
if: github.event_name == 'push'
steps:
- name: Install Go
uses: actions/setup-go@v4
with:
go-version: 1.20.X
- name: Checkout code
uses: actions/checkout@v3
- name: Clean
run: make clean
- id: gitsha
run: |
gitsha=$(git rev-parse --short ${{ github.sha }})
echo "::set-output name=sha::$gitsha"
- name: build
run: |
make gitops
- name: publish to s3
uses: aws-actions/configure-aws-credentials@v2
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: us-east-2
- run: |
aws s3 cp bin/gitops s3://weave-gitops/gitops-${{matrix.os}}-${{steps.gitsha.outputs.sha}}
aws s3 cp s3://weave-gitops/gitops-${{matrix.os}}-${{steps.gitsha.outputs.sha}} s3://weave-gitops/gitops-${{matrix.os}}
ci-publish-js-lib:
name: Publish js library
runs-on: ubuntu-latest
needs: [ci-js]
permissions:
packages: write
outputs:
js-version: ${{ steps.package-version.outputs.js-version }}
steps:
- name: Checkout
uses: actions/checkout@v3
with:
# avoid the merge commit that on.pull_request creates
# fallback to github.sha if not present (e.g. on.push(main))
# https://github.com/actions/checkout#checkout-pull-request-head-commit-instead-of-merge-commit
# We want the correct sha so we can tag the npm package correctly
ref: ${{ github.event.pull_request.head.sha || github.sha }}
fetch-depth: 0
- uses: actions/setup-node@v3
with:
node-version: "16.X"
registry-url: "https://npm.pkg.github.com"
scope: "@weaveworks"
- run: npm install
- run: make ui-lib
- name: Update package version
id: package-version
run: |
GITOPS_VERSION=$(git describe)
echo "::set-output name=js-version::$GITOPS_VERSION"
jq '.version = "'$GITOPS_VERSION'" | .name = "@weaveworks/weave-gitops-main"' < dist/package.json > dist/package-new.json
mv dist/package-new.json dist/package.json
cp .npmrc dist
- run: cd dist && npm publish
env:
NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# We only push images on merge so create a passing check if everything finished
finish-ci-pr:
name: PR CI Pipeline
runs-on: ubuntu-latest
needs:
- ci-go
- ci-static
- ci-js
- ci-build-gitops-image
if: github.event_name != 'push'
steps:
- run: echo "All done"
finish-ci-merge:
# must match https://github.com/weaveworks/corp/blob/master/github-repo-weave-gitops.tf
name: PR CI Pipeline
runs-on: ubuntu-latest
needs:
- ci-upload-images
- ci-upload-binary
- ci-publish-js-lib
steps:
- run: echo "All done"
# release step updates 'release' status check for non releases branches. See ../../doc/incidents/issues-3907 for full context.
release:
if: ${{ github.event_name == 'pull_request' && !startsWith(github.event.pull_request.head.ref, 'releases/') }}
runs-on: ubuntu-latest
steps:
- name: Release
run: |
curl --fail --request POST \
--url https://api.github.com/repos/${{ github.repository }}/statuses/${{ github.event.pull_request.head.sha }} \
--header 'authorization: Bearer ${{ secrets.WEAVE_GITOPS_BOT_ACCESS_TOKEN }}' \
--header 'content-type: application/json' \
--data '{
"state":"success",
"description":"release not required",
"context":"release"
}'
notify-failure:
name: Notify Slack on Failure
runs-on: ubuntu-latest
needs:
- finish-ci-merge
if: ${{ failure() }}
steps:
- name: Send alert
if: github.event_name == 'push'
uses: actions-ecosystem/action-slack-notifier@fc778468d09c43a6f4d1b8cccaca59766656996a
with:
slack_token: ${{ secrets.SLACK_TOKEN_BLUETONIUM }}
message: ":sad-parrot: The <https://github.com/weaveworks/weave-gitops/commit/${{ github.sha }}|latest commit> from ${{ github.actor }} is failing on main. <https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}|Click here> and weep."
channel: team-denim
color: red
verbose: false