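# Manually triggered release pipeline: runs the pre-release security gates
# (version uniqueness, Whitesource, SonarQube, Prisma), cuts a Maven release,
# publishes a GitHub release, re-tags the ECR image and records the release
# in the manifest DB.
name: Release

on:
  workflow_dispatch:
    inputs:
      releaseVersion:
        description: "Default version to use when preparing a release."
        required: true
        default: "A.B.C"
      developmentVersion:
        description: "Default version to use for new local working copy (the next version after version A.B.C)."
        required: true
        default: "X.Y.Z-SNAPSHOT"

# Least-privilege GITHUB_TOKEN: the steps below read/create releases
# (contents) and use GITHUB_TOKEN as the Maven repository password (packages).
# NOTE(review): confirm no step depends on a broader repository default.
permissions:
  contents: write
  packages: write

# Dispatch inputs and repository metadata are handed to shell steps via env
# and read as "$VARIABLES" instead of being interpolated into script text with
# ${{ }}, so input content is data for the shell, never part of the command.
env:
  RELEASE_VERSION: ${{ github.event.inputs.releaseVersion }}
  DEVELOPMENT_VERSION: ${{ github.event.inputs.developmentVersion }}
  REPOSITORY: ${{ github.repository }}
  REPOSITORY_NAME: ${{ github.event.repository.name }}

jobs:
  release:
    runs-on: ubuntu-latest
    environment: prod
    steps:
      - uses: actions/checkout@v3
        with:
          # Full history: release:prepare and the changelog walk previous tags.
          fetch-depth: 0

      - name: Set up JDK 17
        uses: actions/setup-java@v3
        with:
          java-version: "17"
          distribution: 'temurin'
          cache: 'maven'

      - name: Pre-Release Check - Version
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          # --paginate: the releases endpoint returns a single page by default,
          # so an older release with the same version would not be seen.
          gh api --method GET --paginate "/repos/${REPOSITORY}/releases" -f sort=updated -f direction=asc > releases.json
          # Exact comparison on the tag and the display name. The previous
          # regex test() treated "v1.2.3" as a pattern, so "v1.2.30" or
          # "v1x2y3" also counted as "already released" (and vice versa).
          release_version_exists=$(jq -r --arg RELEASE_VERSION "v${RELEASE_VERSION}" \
            '.[] | select(.tag_name == $RELEASE_VERSION or .name == $RELEASE_VERSION) | .tag_name' releases.json)
          if [[ -n "$release_version_exists" ]]; then
            echo "Version ${RELEASE_VERSION} has been previously released. Please change release version."
            exit 1
          else
            echo "New version: ${RELEASE_VERSION} going to be released!"
          fi

      - name: Set up Python 3.8
        uses: actions/setup-python@v4
        with:
          # Quoted so the version is a string ("3.10" would otherwise parse as 3.1).
          python-version: "3.8"
          cache: 'pip'

      # The three checker steps share one venv at ./venv; only this first step
      # installs requirements, the later ones re-activate the same venv.
      - name: Pre-Release Check - Whitesource vulnurabilities
        env:
          WS_APIKEY: ${{ secrets.WHITESOURCE_API_KEY }}
          WS_PROJECTTOKEN: ${{ secrets.WHITESOURCE_PROJECT_TOKEN }}
          AWS_ACCESS_KEY_ID: ${{ secrets.EMA_AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.EMA_AWS_SECRET_ACCESS_KEY }}
          AWS_DEFAULT_REGION: ${{ secrets.EMA_AWS_DEFAULT_REGION }}
        run: |
          pip install --quiet --upgrade pip
          export VIRTUAL_ENV=./venv
          python3.8 -m venv "$VIRTUAL_ENV" && source "$VIRTUAL_ENV/bin/activate"
          cd ./.github/workflows/release_scripts/ && pip install --quiet -r requirements.txt && python3.8 whitesource_vulnurability_checker.py

      - name: Pre-Release Check - SonarQube Hotspots
        env:
          SONARQUBE_HOTSPOTS_API_URL: ${{ secrets.SONARQUBE_HOTSPOTS_API_URL }}
          SONARQUBE_QUERY_TOKEN: ${{ secrets.SONARQUBE_QUERY_TOKEN }}
        run: |
          export VIRTUAL_ENV=./venv
          python3.8 -m venv "$VIRTUAL_ENV" && source "$VIRTUAL_ENV/bin/activate"
          cd ./.github/workflows/release_scripts/ && python3.8 sonarqube_vulnurability_checker.py

      - name: Pre-Release Check - Prisma vulnurabilities
        env:
          PRISMA_ROOT_API_URL: ${{ secrets.PRISMA_ROOT_API_URL }}
          DOCKER_IMAGE_TO_CHECK: ${{ secrets.PRISMA_DOCKER_IMAGE_TO_CHECK }}
          PRISMA_ACCESS_KEY: ${{ secrets.PRISMA_ACCESS_KEY }}
          PRISMA_ACCESS_KEY_SECRET: ${{ secrets.PRISMA_ACCESS_KEY_SECRET }}
          AWS_ACCESS_KEY_ID: ${{ secrets.EMA_AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.EMA_AWS_SECRET_ACCESS_KEY }}
          AWS_DEFAULT_REGION: ${{ secrets.EMA_AWS_DEFAULT_REGION }}
        run: |
          export VIRTUAL_ENV=./venv
          python3.8 -m venv "$VIRTUAL_ENV" && source "$VIRTUAL_ENV/bin/activate"
          cd ./.github/workflows/release_scripts/ && python3.8 prisma_vulnurability_checker.py

      # Writes the Maven settings and installs the deploy key used by
      # release:prepare to push the release commits and tag.
      - name: Prepare Maven Settings
        env:
          MAVEN_REPO_SERVER_USERNAME: "${{ github.actor }}"
          MAVEN_REPO_SERVER_PASSWORD: "${{ secrets.GITHUB_TOKEN }}"
          MAVEN_REPO_SERVER_PRIVATE_KEY: "~/.ssh/id_rsa"
          SSH_PRIVATE_KEY: "${{ secrets.COMMIT_KEY }}"
        run: cd .github/workflows/release_scripts && ./setup-ssh.sh

      # Exported for later steps/scripts; not consumed by a step in this file.
      - name: Set Release Configs
        run: |
          export SKIP_FLAGS_NON_UNIT_TESTS="-Dcheckstyle.skip -Dpmd.skip -Dcpd.skip -Dfindbugs.skip -Dspotbugs.skip"
          echo "SKIP_FLAGS_NON_UNIT_TESTS=$SKIP_FLAGS_NON_UNIT_TESTS" >> "$GITHUB_ENV"
          echo "SKIP_FLAGS_ALL_TESTS=$SKIP_FLAGS_NON_UNIT_TESTS -Dmaven.test.skip=true" >> "$GITHUB_ENV"

      - name: Maven Release
        run: >-
          mvn release:prepare release:perform -B --file service/pom.xml
          -DreleaseVersion="$RELEASE_VERSION"
          -DdevelopmentVersion="$DEVELOPMENT_VERSION"

      # TODO(supply-chain): @master is a mutable ref of a third-party action
      # running with the job's token; pin it to a release tag or commit SHA.
      - name: Changelog
        uses: Bullrich/generate-release-changelog@master
        id: Changelog
        env:
          REPO: ${{ github.repository }}

      - name: Create GitHub Release
        uses: ncipollo/release-action@v1
        with:
          tag: "v${{ github.event.inputs.releaseVersion }}"
          artifacts: "**/application/target/*.jar"
          generateReleaseNotes: true
          makeLatest: true
          body: ${{ steps.Changelog.outputs.changelog }}

      # NOTE(review): long-lived access keys; prefer OIDC (role-to-assume) so
      # no static AWS credential is stored as a repository secret.
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v2
        with:
          aws-access-key-id: ${{ secrets.EMA_AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.EMA_AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ secrets.EMA_AWS_DEFAULT_REGION }}

      - name: Login to Amazon ECR
        id: login-ecr
        # The action ref was garbled in the page source ("[email protected]");
        # restore the pinned ref from the original file.
        uses: aws-actions/amazon-ecr-login@<PINNED_REF_FROM_ORIGINAL_FILE>

      # Re-tags whichever image currently carries the "main" tag; this is not
      # tied to ${{ github.sha }}, so a newer main build may be promoted.
      - name: ECR Docker Image Release
        env:
          AWS_DEFAULT_REGION: ${{ secrets.EMA_AWS_DEFAULT_REGION }}
        run: |
          MANIFEST=$(aws ecr batch-get-image --repository-name "$REPOSITORY_NAME" \
            --image-ids imageTag=main --region "$AWS_DEFAULT_REGION" --output json \
            | jq --raw-output '.images[].imageManifest')
          # batch-get-image reports a missing tag in .failures with exit 0, which
          # would otherwise reach put-image with an empty manifest.
          if [[ -z "$MANIFEST" ]]; then
            echo "No image tagged 'main' found in repository ${REPOSITORY_NAME}; nothing to promote."
            exit 1
          fi
          aws ecr put-image --repository-name "$REPOSITORY_NAME" \
            --image-tag "$RELEASE_VERSION" \
            --image-manifest "$MANIFEST" --region "$AWS_DEFAULT_REGION"

      - name: Update Release Manifest DB
        run: |
          export squad="event-portal"
          export repository="event-management-agent"
          export release_tag=production
          export version="$RELEASE_VERSION"
          export release_version="$RELEASE_VERSION"
          export image_tag="$RELEASE_VERSION"
          export chart_version="n/a"
          export sha="$GITHUB_SHA"
          ./.github/workflows/release_scripts/update_release_manifest.sh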