From 91e7f412c1d4dc7f694164973a96c4b7fa50e618 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Eneko=20Fern=C3=A1ndez?= <12957664+enekofb@users.noreply.github.com> Date: Wed, 16 Aug 2023 07:42:10 +0100 Subject: [PATCH] Implement release locking to avoid publishing helm chart before container image (#3940) * added lock around release PR as guardrail to avoid out of ordering artefacts publishing * update pr.yaml to just be triggered when PRs * support failure handling while updating release status check * added comments and error propagation for release locking --- .github/workflows/pr.yaml | 17 +++++++++++++++++ .github/workflows/prepare-release.yaml | 12 ++++++++++++ .github/workflows/release.yaml | 12 ++++++++++++ doc/release-process.md | 4 +--- 4 files changed, 42 insertions(+), 3 deletions(-) diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml index 6eafcc5f94..7cb394cab9 100644 --- a/.github/workflows/pr.yaml +++ b/.github/workflows/pr.yaml @@ -267,6 +267,23 @@ jobs: steps: - run: echo "All done" + # release step updates 'release' status check for non releases branches. See ../../doc/incidents/issues-3907 for full context. + release: + if: ${{ github.event_name == 'pull_request' && !startsWith(github.event.pull_request.head.ref, 'releases/') }} + runs-on: ubuntu-latest + steps: + - name: Release + run: | + curl --fail --request POST \ + --url https://api.github.com/repos/${{ github.repository }}/statuses/${{ github.event.pull_request.head.sha }} \ + --header 'authorization: Bearer ${{ secrets.WEAVE_GITOPS_BOT_ACCESS_TOKEN }}' \ + --header 'content-type: application/json' \ + --data '{ + "state":"success", + "description":"release not required", + "context":"release" + }' + notify-failure: name: Notify Slack on Failure runs-on: ubuntu-latest diff --git a/.github/workflows/prepare-release.yaml b/.github/workflows/prepare-release.yaml index a5910ad590..d371a334f1 100644 --- a/.github/workflows/prepare-release.yaml 
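Review bot: The `Release` step in pr.yaml splices `${{ secrets.WEAVE_GITOPS_BOT_ACCESS_TOKEN }}` straight into the script text, and the same pattern is repeated in `Lock Release PR` (prepare-release.yaml) and `Unlock Release PR Merge` (release.yaml). Passing it through the step environment keeps the token out of the rendered script: add `env:` with `STATUS_TOKEN: ${{ secrets.WEAVE_GITOPS_BOT_ACCESS_TOKEN }}` and send `--header "authorization: Bearer $STATUS_TOKEN"`. In this job specifically, the secret is empty on `pull_request` runs from forks, so `curl --fail` exits non-zero and `release` is never reported; if `release` is a required check, those PRs cannot be merged, which should be handled or documented. All three steps only call the commit statuses endpoint, so a credential limited to writing statuses would be enough if the bot token carries broader scopes.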
+++ b/.github/workflows/prepare-release.yaml @@ -115,6 +115,18 @@ jobs: ${{ steps.github_release.outputs.changelog }} token: ${{ secrets.WEAVE_GITOPS_BOT_ACCESS_TOKEN }} labels: "exclude from release notes" + # 'Lock Release PR Merge' sets 'release' status check with pending state to avoid accidentally merging the release PR. See ../../doc/incidents/issues-3907 for full context. + - name: Lock Release PR + run: | + curl --fail --request POST \ + --url https://api.github.com/repos/${{ github.repository }}/statuses/${{ steps.create-pull-request.outputs.pull-request-head-sha }} \ + --header 'authorization: Bearer ${{ secrets.WEAVE_GITOPS_BOT_ACCESS_TOKEN }}' \ + --header 'content-type: application/json' \ + --data '{ + "state":"pending", + "description":"execute the release to pass this check", + "context":"release" + }' - name: "Comment on pull request" run: | curl --request POST \ diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index a8b2b6c6cd..beb4f6f010 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -168,6 +168,18 @@ jobs: uses: actions/checkout@v3 with: ref: ${{ github.event.pull_request.head.sha }} + # 'Unlock Release PR Merge' sets 'release' status check state to success to unlock merging the release PR. See ../../doc/incidents/issues-3907 for full context. + - name: Unlock Release PR Merge + run: | + curl --fail --request POST \ + --url https://api.github.com/repos/${{ github.repository }}/statuses/${{ github.event.pull_request.head.sha }} \ + --header 'authorization: Bearer ${{ secrets.WEAVE_GITOPS_BOT_ACCESS_TOKEN }}' \ + --header 'content-type: application/json' \ + --data '{ + "state":"success", + "description":"release happened. PR ready to merge", + "context":"release" + }' - name: "Merge release" run: | curl --request PUT \ diff --git a/doc/release-process.md b/doc/release-process.md index 5ab5d503d3..fbd0066aa8 100644 --- a/doc/release-process.md +++ b/doc/release-process.md 
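Review bot: The comment above `Lock Release PR` should say that the pending status blocks merging only while `release` is a required status check on the target branch. Nothing in this diff configures that, and the doc change in the same commit drops the manual "do not merge" warning. Suggested addition: `# Only blocks merging if 'release' is a required status check in branch protection.` The comment also calls the step 'Lock Release PR Merge' while the step is named `Lock Release PR`; making the two match helps when grepping logs. The surrounding job starts outside the hunk, so whether `pull-request-head-sha` can be empty here is not visible; if it can, `--fail` stops the job on the resulting `/statuses/` URL, which is worth stating in the comment.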
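Review bot: `Unlock Release PR Merge` in release.yaml reports `success` as soon as the job reaches it, but the job header and any `needs:` are outside the hunk, so what it waits for is not visible. Because the lock exists to enforce publishing order, the comment should name the precondition, for example `# Must run only after the container image and helm chart publishing jobs have succeeded.`, and it is worth confirming that the job really depends on those jobs. Separately, no step in the visible lines reports `"state":"failure"` when the release breaks before this step. The check then stays `pending` with "execute the release to pass this check", which blocks the merge but does not tell the reader that a release was attempted and failed.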
@@ -48,9 +48,7 @@ To release a new version of Weave Gitops, you need to: called "Doc site preview") - The PR cover message contains draft release notes. Edit the cover message to fill in or delete blocks as appropriate. In case of making a fix release because of regressions, add a message about the regression to the release notes. Move as many PRs out of "Uncategorized" as you possibly can. -- If everything looks good, approve the PR - do *not* merge or things - won't be published in the right order. This immediately kicks off the - release job. +- If everything looks good, approve the PR to trigger the [release](../.github/workflows/release.yaml) workflow. - Wait for the action to finish, at which point the PR will be merged automatically. - Notify weave-gitops-dev channel that PRs are now safe to merge.