From e544abb33b3f6ef212d7e4e1fc0cdcfd69dc2d83 Mon Sep 17 00:00:00 2001
From: Johannes <38868829+Fovty@users.noreply.github.com>
Date: Tue, 10 Sep 2024 13:03:38 +0000
Subject: [PATCH 1/6] feat: additional approval on Version change
---
.github/workflows/approve-version-bump.yml | 98 ++++++++++++++++++++++
.github/workflows/check-version-bump.yml | 88 +++++++++++++++++++
2 files changed, 186 insertions(+)
create mode 100644 .github/workflows/approve-version-bump.yml
create mode 100644 .github/workflows/check-version-bump.yml
diff --git a/.github/workflows/approve-version-bump.yml b/.github/workflows/approve-version-bump.yml
new file mode 100644
index 0000000..601641a
--- /dev/null
+++ b/.github/workflows/approve-version-bump.yml
@@ -0,0 +1,98 @@
+name: Approve Version Bump
+
+on:
+ issue_comment:
+ types: [created, edited]
+ pull_request_review:
+ types: [submitted]
+
+jobs:
+ check_reaction:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ pull-requests: write
+ issues: write
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Find the warning comment by the bot
+ id: find_comment
+ uses: actions/github-script@v6
+ with:
+ script: |
+ const comments = await github.issues.listComments({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ issue_number: context.issue.number,
+ });
+
+ // Find the warning comment made by the bot
+ const warningComment = comments.data.find(comment =>
+ comment.user.login === 'github-actions[bot]' && comment.body.includes('Warning: This PR will result in a new release')
+ );
+
+ if (warningComment) {
+ return { comment_id: warningComment.id };
+ } else {
+ throw new Error('Warning comment not found.');
+ }
+
+ - name: Check if the comment has a thumbs up reaction
+ id: check_reaction
+ uses: actions/github-script@v6
+ with:
+ script: |
+ const reactions = await github.reactions.listForIssueComment({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ comment_id: ${{ steps.find_comment.outputs.comment_id }},
+ });
+
+ const thumbsUp = reactions.data.find(reaction => reaction.content === '+1');
+ return { thumbs_up: thumbsUp ? 'true' : 'false' };
+
+ - name: Extract maintainers from CODEOWNERS
+ id: get_codeowners
+ run: |
+ # Extract the maintainers from CODEOWNERS file
+ maintainers=$(grep -v '^#' CODEOWNERS | awk '{print $NF}' | sort | uniq)
+ echo "maintainers=$maintainers" >> $GITHUB_ENV
+
+ - name: Check if the reaction is from a maintainer
+ if: steps.check_reaction.outputs.thumbs_up == 'true'
+ id: check_maintainer
+ run: |
+ # Get the login of the person who added the thumbs-up reaction
+ reaction_author="${{ github.event.comment.user.login }}"
+ maintainers="${{ env.maintainers }}"
+
+ # Convert maintainers string to array
+ IFS=' ' read -r -a maintainers_array <<< "$maintainers"
+
+ # Check if the reaction author is in the list of maintainers
+ if [[ " ${maintainers_array[@]} " =~ " $reaction_author " ]]; then
+ echo "Approval granted by maintainer: $reaction_author"
+ echo "is_approved=true" >> $GITHUB_ENV
+ else
+ echo "Approval not granted by a maintainer"
+ echo "is_approved=false" >> $GITHUB_ENV
+
+ - name: Unblock PR if approved
+ if: env.is_approved == 'true'
+ uses: actions/github-script@v6
+ with:
+ script: |
+ const pr_number = context.payload.issue.number;
+ await github.repos.createCommitStatus({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ sha: context.payload.pull_request.head.sha,
+ state: "success", # Mark the check as successful
+ context: "version-bump-check",
+ description: "Approved by maintainer",
+ });
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/check-version-bump.yml b/.github/workflows/check-version-bump.yml
new file mode 100644
index 0000000..e1c5b1f
--- /dev/null
+++ b/.github/workflows/check-version-bump.yml
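Review bot: The `check_maintainer` step compares `github.event.comment.user.login` against CODEOWNERS, which is the author of the comment that triggered the run and not the account that added the +1 reaction, so the step does not establish that a maintainer approved. The reaction list already carries the reacting user, so filter there, e.g. `reactions.data.find(r => r.content === '+1' && maintainers.includes(r.user.login))` with `maintainers` read from CODEOWNERS inside the script, and hand any event field to a `run:` script through `env:` rather than `${{ }}` text substitution. Separately, the `if [[ ... ]]` block has no closing `fi`, and `state: "success", # Mark the check as successful` uses a `#` comment inside JavaScript, so the last two steps would fail as written; `context.payload.pull_request` is presumably also absent on `issue_comment` events.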
@@ -0,0 +1,88 @@
+name: Check for Version Bump in Chart.yaml
+
+on:
+ pull_request:
+ branches:
+ - main
+ paths:
+ - deployments/chart/Chart.yaml
+
+jobs:
+ check_version_bump:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ pull-requests: write
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: Get changed files
+ id: changed-files
+ uses: tj-actions/changed-files@v45
+ with:
+ files: |
+ deployments/chart/Chart.yaml
+
+ - name: Check if Chart.yaml has changed
+ if: steps.changed-files.outputs.any_changed == 'true'
+ run: echo "Chart.yaml has been modified."
+
+ - name: Extract version from Chart.yaml
+ id: chart_version
+ run: |
+ version=$(yq e '.version' ./deployments/chart/Chart.yaml)
+ echo "version=$version" >> $GITHUB_ENV
+ echo "Current Chart version: $version"
+
+ - name: Get latest Git tag
+ id: get_latest_tag
+ run: |
+ latest_tag=$(git describe --tags --abbrev=0 || echo "0.0.0")
+ echo "latest_tag=$latest_tag" >> $GITHUB_ENV
+ echo "Latest Git tag: $latest_tag"
+
+ - name: Compare versions
+ id: compare_versions
+ run: |
+ chart_version=${{ env.version }}
+ git_tag_version=${{ env.latest_tag }}
+
+ # Strip any leading 'v' from the Git tag to compare versions numerically
+ git_tag_version="${git_tag_version#v}"
+
+ if [ "$chart_version" != "$git_tag_version" ]; then
+ echo "Version bump detected: Chart version ($chart_version) differs from latest Git tag ($git_tag_version)"
+ echo "version_bump=true" >> $GITHUB_ENV
+ else
+ echo "No version bump detected."
+ echo "version_bump=false" >> $GITHUB_ENV
+
+ - name: Post warning comment
+ if: env.version_bump == 'true'
+ uses: peter-evans/create-or-update-comment@v4
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
+ issue-number: ${{ github.event.pull_request.number }}
+ body: "Warning: This PR will result in a new release because the version in Chart.yaml (`${{ env.version }}`) is different from the latest Git tag (`${{ env.latest_tag }}`). Please confirm before merging."
+
+ - name: Set PR as blocked (requires thumbs up from maintainer)
+ if: env.version_bump == 'true'
+ uses: actions/github-script@v6
+ with:
+ script: |
+ const sha = context.payload.pull_request.head.sha;
+ await github.repos.createCommitStatus({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ sha: sha,
+ state: 'failure',
+ context: 'version-bump-check',
+ description: 'Version bump detected. Awaiting maintainer approval.',
+ });
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
From 0c84fd88afc53c16a41954dfab5347a146f90ea7 Mon Sep 17 00:00:00 2001
From: Johannes <38868829+Fovty@users.noreply.github.com>
Date: Wed, 11 Sep 2024 11:56:37 +0000
Subject: [PATCH 2/6] fix: combine version bump check and approve by label
---
.github/workflows/approve-version-bump.yml | 98 ----------------------
.github/workflows/check-version-bump.yml | 80 ++++++------------
2 files changed, 27 insertions(+), 151 deletions(-)
delete mode 100644 .github/workflows/approve-version-bump.yml
diff --git a/.github/workflows/approve-version-bump.yml b/.github/workflows/approve-version-bump.yml
deleted file mode 100644
index 601641a..0000000
--- a/.github/workflows/approve-version-bump.yml
+++ /dev/null
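Review bot: The `Compare versions` step expands `${{ env.version }}` and `${{ env.latest_tag }}` into the script text before bash runs, and `version` is read from the pull request's own Chart.yaml, so file content chosen by the PR author becomes shell source in a job that requests `contents: write`. Read the values as shell variables instead, since they are already exported through `$GITHUB_ENV`: `chart_version="$version"` and `git_tag_version="${latest_tag#v}"`. The `"v${{ env.version }}"` comparison added later in this series (hunk `@@ -20,69 +18,45 @@`) repeats the pattern, and the `if` in this step has no closing `fi`. `contents: write` also looks broader than the steps need: nothing here writes repository content, and `createCommitStatus` presumably needs `statuses: write` instead. `tj-actions/changed-files@v45` is referenced by a mutable tag; pinning third-party actions to a full commit SHA keeps the workflow from picking up a retagged release.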
@@ -1,98 +0,0 @@ -name: Approve Version Bump - -on: - issue_comment: - types: [created, edited] - pull_request_review: - types: [submitted] - -jobs: - check_reaction: - runs-on: ubuntu-latest - permissions: - contents: read - pull-requests: write - issues: write - - steps: - - name: Checkout code - uses: actions/checkout@v4 - - - name: Find the warning comment by the bot - id: find_comment - uses: actions/github-script@v6 - with: - script: | - const comments = await github.issues.listComments({ - owner: context.repo.owner, - repo: context.repo.repo, - issue_number: context.issue.number, - }); - - // Find the warning comment made by the bot - const warningComment = comments.data.find(comment => - comment.user.login === 'github-actions[bot]' && comment.body.includes('Warning: This PR will result in a new release') - ); - - if (warningComment) { - return { comment_id: warningComment.id }; - } else { - throw new Error('Warning comment not found.'); - } - - - name: Check if the comment has a thumbs up reaction - id: check_reaction - uses: actions/github-script@v6 - with: - script: | - const reactions = await github.reactions.listForIssueComment({ - owner: context.repo.owner, - repo: context.repo.repo, - comment_id: ${{ steps.find_comment.outputs.comment_id }}, - }); - - const thumbsUp = reactions.data.find(reaction => reaction.content === '+1'); - return { thumbs_up: thumbsUp ? 
'true' : 'false' }; - - - name: Extract maintainers from CODEOWNERS - id: get_codeowners - run: | - # Extract the maintainers from CODEOWNERS file - maintainers=$(grep -v '^#' CODEOWNERS | awk '{print $NF}' | sort | uniq) - echo "maintainers=$maintainers" >> $GITHUB_ENV - - - name: Check if the reaction is from a maintainer - if: steps.check_reaction.outputs.thumbs_up == 'true' - id: check_maintainer - run: | - # Get the login of the person who added the thumbs-up reaction - reaction_author="${{ github.event.comment.user.login }}" - maintainers="${{ env.maintainers }}" - - # Convert maintainers string to array - IFS=' ' read -r -a maintainers_array <<< "$maintainers" - - # Check if the reaction author is in the list of maintainers - if [[ " ${maintainers_array[@]} " =~ " $reaction_author " ]]; then - echo "Approval granted by maintainer: $reaction_author" - echo "is_approved=true" >> $GITHUB_ENV - else - echo "Approval not granted by a maintainer" - echo "is_approved=false" >> $GITHUB_ENV - - - name: Unblock PR if approved - if: env.is_approved == 'true' - uses: actions/github-script@v6 - with: - script: | - const pr_number = context.payload.issue.number; - await github.repos.createCommitStatus({ - owner: context.repo.owner, - repo: context.repo.repo, - sha: context.payload.pull_request.head.sha, - state: "success", # Mark the check as successful - context: "version-bump-check", - description: "Approved by maintainer", - }); - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/check-version-bump.yml b/.github/workflows/check-version-bump.yml index e1c5b1f..9d8352b 100644 --- a/.github/workflows/check-version-bump.yml +++ b/.github/workflows/check-version-bump.yml 
@@ -1,14 +1,12 @@ -name: Check for Version Bump in Chart.yaml +name: Check for Version Bump and appVersion in Chart.yaml on: pull_request: - branches: - - main - paths: - - deployments/chart/Chart.yaml + types: [opened, synchronize, labeled] jobs: check_version_bump: + name: Version Bump Check runs-on: ubuntu-latest permissions: contents: write 
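Review bot: `types: [opened, synchronize, labeled]` omits `unlabeled` (and `reopened`), so removing the approval label does not re-run the job and a green result obtained while the label was present stays on the pull request. If the label is meant to be the release gate, add them: `types: [opened, reopened, synchronize, labeled, unlabeled]`. The hunk also drops the `branches` and `paths` filters, so the job now runs on every pull request, while `contents: write` is kept although no visible step writes repository content. The job body continues outside this hunk.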
@@ -20,69 +18,45 @@ jobs: with: fetch-depth: 0 - - name: Get changed files - id: changed-files - uses: tj-actions/changed-files@v45 - with: - files: | - deployments/chart/Chart.yaml - - - name: Check if Chart.yaml has changed - if: steps.changed-files.outputs.any_changed == 'true' - run: echo "Chart.yaml has been modified." - - - name: Extract version from Chart.yaml + - name: Extract Chart Version id: chart_version run: | version=$(yq e '.version' ./deployments/chart/Chart.yaml) echo "version=$version" >> $GITHUB_ENV - echo "Current Chart version: $version" - + - name: Get latest Git tag id: get_latest_tag run: | - latest_tag=$(git describe --tags --abbrev=0 || echo "0.0.0") + latest_tag=$(git describe --tags --abbrev=0 || echo "No tags found") echo "latest_tag=$latest_tag" >> $GITHUB_ENV - echo "Latest Git tag: $latest_tag" - - name: Compare versions - id: compare_versions + # Compare versions and fail if there is a version bump + - name: Compare versions and fail if there is a version bump + if: ${{ !contains(github.event.pull_request.labels.*.name, 'approved-for-merge') }} run: | - chart_version=${{ env.version }} - git_tag_version=${{ env.latest_tag }} - - # Strip any leading 'v' from the Git tag to compare versions numerically - git_tag_version="${git_tag_version#v}" - - if [ "$chart_version" != "$git_tag_version" ]; then - echo "Version bump detected: Chart version ($chart_version) differs from latest Git tag ($git_tag_version)" - echo "version_bump=true" >> $GITHUB_ENV + if [ "v${{ env.version }}" != "${{ env.latest_tag }}" ]; then + echo "Version bump detected. Failing the job." + exit 1 else echo "No version bump detected." 
- echo "version_bump=false" >> $GITHUB_ENV + fi + # Check for changes in the appVersion between PR and main + - name: Check for appVersion changes + if: ${{ !contains(github.event.pull_request.labels.*.name, 'approved-for-merge') }} + run: | + if git diff main -- deployments/chart/Chart.yaml | grep -qe "^[+-]appVersion: "; then + echo "appVersion has changed. Failing the job." + exit 1 + else + echo "No appVersion changes detected." + fi + + # Post warning comment if there is a failure - name: Post warning comment - if: env.version_bump == 'true' + if: ${{ failure() && !contains(github.event.pull_request.labels.*.name, 'approved-for-merge') }} uses: peter-evans/create-or-update-comment@v4 with: token: ${{ secrets.GITHUB_TOKEN }} issue-number: ${{ github.event.pull_request.number }} - body: "Warning: This PR will result in a new release because the version in Chart.yaml (`${{ env.version }}`) is different from the latest Git tag (`${{ env.latest_tag }}`). Please confirm before merging." - - - name: Set PR as blocked (requires thumbs up from maintainer) - if: env.version_bump == 'true' - uses: actions/github-script@v6 - with: - script: | - const sha = context.payload.pull_request.head.sha; - await github.repos.createCommitStatus({ - owner: context.repo.owner, - repo: context.repo.repo, - sha: sha, - state: 'failure', - context: 'version-bump-check', - description: 'Version bump detected. Awaiting maintainer approval.', - }); - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - + body: "Warning: This PR will result in a new release because the version in Chart.yaml (`${{ env.version }}`) or the appVersion has changed. Please confirm before merging." From 4db40f733a5b120af06a78b2c5c7e48c87f8666f Mon Sep 17 00:00:00 2001 From: Johannes <38868829+Fovty@users.noreply.github.com> Date: Wed, 11 Sep 2024 12:05:04 +0000 Subject: [PATCH 3/6] fix: adjust label name --- .github/workflows/check-version-bump.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
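Review bot: The `Check for appVersion changes` step fails open: in `git diff main -- deployments/chart/Chart.yaml | grep -qe "^[+-]appVersion: "` only grep's result is tested, so when `git diff` itself errors (likely here, since a `pull_request` checkout presumably has no local `main` ref) the step prints "No appVersion changes detected." and passes. Verify the base ref before diffing and stop if it is missing, e.g. `git rev-parse --verify --quiet origin/main >/dev/null || exit 1`, or capture the diff output into a variable and check git's exit status before grepping. The later revisions of this step (`origin/main`, then `origin/${{ github.base_ref }}`) keep the same pipeline shape. The skip condition also trusts the `approved-for-merge` label alone; who may apply labels is not visible here, so confirm that set matches the intended approvers.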
diff --git a/.github/workflows/check-version-bump.yml b/.github/workflows/check-version-bump.yml index 9d8352b..63b70f0 100644 --- a/.github/workflows/check-version-bump.yml +++ b/.github/workflows/check-version-bump.yml @@ -32,7 +32,7 @@ jobs: # Compare versions and fail if there is a version bump - name: Compare versions and fail if there is a version bump - if: ${{ !contains(github.event.pull_request.labels.*.name, 'approved-for-merge') }} + if: ${{ !contains(github.event.pull_request.labels.*.name, 'release') }} run: | if [ "v${{ env.version }}" != "${{ env.latest_tag }}" ]; then echo "Version bump detected. Failing the job." @@ -43,7 +43,7 @@ jobs: # Check for changes in the appVersion between PR and main - name: Check for appVersion changes - if: ${{ !contains(github.event.pull_request.labels.*.name, 'approved-for-merge') }} + if: ${{ !contains(github.event.pull_request.labels.*.name, 'release') }} run: | if git diff main -- deployments/chart/Chart.yaml | grep -qe "^[+-]appVersion: "; then echo "appVersion has changed. Failing the job." @@ -54,7 +54,7 @@ jobs: # Post warning comment if there is a failure - name: Post warning comment - if: ${{ failure() && !contains(github.event.pull_request.labels.*.name, 'approved-for-merge') }} + if: ${{ failure() && !contains(github.event.pull_request.labels.*.name, 'release') }} uses: peter-evans/create-or-update-comment@v4 with: token: ${{ secrets.GITHUB_TOKEN }} From f2da22a3383ccde50a8d66140cbe7c5ad87cf33f Mon Sep 17 00:00:00 2001 From: Johannes <38868829+Fovty@users.noreply.github.com> Date: Wed, 11 Sep 2024 13:05:58 +0000 Subject: [PATCH 4/6] fix: remove tag comparison --- .github/workflows/check-version-bump.yml | 33 +++++++----------------- 1 file changed, 10 insertions(+), 23 deletions(-) diff --git a/.github/workflows/check-version-bump.yml b/.github/workflows/check-version-bump.yml index 63b70f0..65ebab2 100644 --- a/.github/workflows/check-version-bump.yml +++ b/.github/workflows/check-version-bump.yml 
@@ -17,35 +17,22 @@ jobs: uses: actions/checkout@v4 with: fetch-depth: 0 + ref: main # Ensure the main branch is fetched - - name: Extract Chart Version - id: chart_version - run: | - version=$(yq e '.version' ./deployments/chart/Chart.yaml) - echo "version=$version" >> $GITHUB_ENV - - - name: Get latest Git tag - id: get_latest_tag - run: | - latest_tag=$(git describe --tags --abbrev=0 || echo "No tags found") - echo "latest_tag=$latest_tag" >> $GITHUB_ENV + - name: Fetch the latest from the main branch + run: git fetch origin main - # Compare versions and fail if there is a version bump - - name: Compare versions and fail if there is a version bump - if: ${{ !contains(github.event.pull_request.labels.*.name, 'release') }} + - name: Extract Chart appVersion + id: extract_appversion run: | - if [ "v${{ env.version }}" != "${{ env.latest_tag }}" ]; then - echo "Version bump detected. Failing the job." - exit 1 - else - echo "No version bump detected." - fi + appversion=$(yq e '.appVersion' ./deployments/chart/Chart.yaml) + echo "appversion=$appversion" >> $GITHUB_ENV # Check for changes in the appVersion between PR and main - name: Check for appVersion changes if: ${{ !contains(github.event.pull_request.labels.*.name, 'release') }} run: | - if git diff main -- deployments/chart/Chart.yaml | grep -qe "^[+-]appVersion: "; then + if git diff origin/main -- deployments/chart/Chart.yaml | grep -qe "^[+-]appVersion: "; then echo "appVersion has changed. Failing the job." exit 1 else 
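Review bot: Adding `ref: main` to the checkout makes the workspace the base branch rather than the pull request, so `git diff origin/main -- deployments/chart/Chart.yaml` compares main with itself and the appVersion gate can no longer fire; `yq` likewise reads main's Chart.yaml, not the PR's. Keep the default PR ref and only fetch the base with `git fetch origin main`. Once the PR's file is the one being read, `echo "appversion=$appversion" >> $GITHUB_ENV` writes author-controlled text into the environment file, where a multi-line value would define further variables for later steps; validate it first, e.g. `[[ $appversion =~ ^[0-9A-Za-z.+-]+$ ]] || exit 1`. The step list continues outside this hunk.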
@@ -54,9 +41,9 @@ jobs: # Post warning comment if there is a failure - name: Post warning comment - if: ${{ failure() && !contains(github.event.pull_request.labels.*.name, 'release') }} + if: ${{ failure() }} uses: peter-evans/create-or-update-comment@v4 with: token: ${{ secrets.GITHUB_TOKEN }} issue-number: ${{ github.event.pull_request.number }} - body: "Warning: This PR will result in a new release because the version in Chart.yaml (`${{ env.version }}`) or the appVersion has changed. Please confirm before merging." + body: "⚠️ Warning: This PR will result in a new release because the `appVersion` in Chart.yaml has changed to `${{ env.appversion }}`. Please confirm before merging." From 1523dcfd3983d941c19f1e340c8ab353850abcf0 Mon Sep 17 00:00:00 2001 From: Johannes <38868829+Fovty@users.noreply.github.com> Date: Wed, 11 Sep 2024 13:51:25 +0000 Subject: [PATCH 5/6] fix: base_ref --- .github/workflows/check-version-bump.yml | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/.github/workflows/check-version-bump.yml b/.github/workflows/check-version-bump.yml index 65ebab2..d4d1347 100644 --- a/.github/workflows/check-version-bump.yml +++ b/.github/workflows/check-version-bump.yml @@ -17,10 +17,6 @@ jobs: uses: actions/checkout@v4 with: fetch-depth: 0 - ref: main # Ensure the main branch is fetched - - - name: Fetch the latest from the main branch - run: git fetch origin main - name: Extract Chart appVersion id: extract_appversion 
@@ -28,11 +24,12 @@ jobs: appversion=$(yq e '.appVersion' ./deployments/chart/Chart.yaml) echo "appversion=$appversion" >> $GITHUB_ENV - # Check for changes in the appVersion between PR and main + # Check for changes in the appVersion between PR and base branch - name: Check for appVersion changes if: ${{ !contains(github.event.pull_request.labels.*.name, 'release') }} run: | - if git diff origin/main -- deployments/chart/Chart.yaml | grep -qe "^[+-]appVersion: "; then + echo "Checking for appVersion changes..." + if git diff origin/${{ github.base_ref }} -- deployments/chart/Chart.yaml | grep -qe "^[+-]appVersion: "; then echo "appVersion has changed. Failing the job." exit 1 else From 43a98006b5f808137c9596d20b976990ef427952 Mon Sep 17 00:00:00 2001 From: Johannes <38868829+Fovty@users.noreply.github.com> Date: Thu, 12 Sep 2024 05:49:57 +0000 Subject: [PATCH 6/6] fix: some naming changes --- .../{check-version-bump.yml => check-for-release.yaml} | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) rename .github/workflows/{check-version-bump.yml => check-for-release.yaml} (94%) diff --git a/.github/workflows/check-version-bump.yml b/.github/workflows/check-for-release.yaml similarity index 94% rename from .github/workflows/check-version-bump.yml rename to .github/workflows/check-for-release.yaml index d4d1347..eb74c73 100644 --- a/.github/workflows/check-version-bump.yml +++ b/.github/workflows/check-for-release.yaml @@ -1,4 +1,4 @@ -name: Check for Version Bump and appVersion in Chart.yaml +name: Check for new release on: pull_request: @@ -6,7 +6,7 @@ on: jobs: check_version_bump: - name: Version Bump Check + name: Check For Relase runs-on: ubuntu-latest permissions: contents: write
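Review bot: `git diff origin/${{ github.base_ref }}` pastes the base branch name into the script text before bash parses it. Pass it through the environment instead, with `env: BASE_REF: ${{ github.base_ref }}` on the step and `git diff "origin/$BASE_REF" -- deployments/chart/Chart.yaml` in the script, so the ref is handled as quoted data rather than shell source. The step body starts outside this hunk.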
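Review bot: `name: Check For Relase` in the `@@ -6,7 +6,7 @@` hunk is misspelled. The job name is what appears as the check name on pull requests, and presumably what a required-status-check rule would match, so it is cheaper to correct before it is referenced elsewhere: `name: Check For Release`.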