Merge pull request #1653 from luhring/unfck-releases

fix(releases): more reliable releases
chainguard-dev · Nov 15, 2024 · 5ce2bb4 · 5ce2bb4
2 parents abdfb95 + 3c84cb6
commit 5ce2bb4
Show file tree

Hide file tree

Showing 3 changed files with 46 additions and 125 deletions.
diff --git a/.github/workflows/release-scheduled.yaml b/.github/workflows/release-scheduled.yaml
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -1,13 +1,13 @@
-name: Create Release
+name: Release
 
 on:
-  push:
-    tags:
-      - 'v*' # Push events to matching v*, i.e. v1.0, v20.15.10
+  schedule:
+    - cron: '0 0 * * 1' # every Monday at 00:00 UTC
+  workflow_dispatch:
 
 jobs:
-  cli:
-    name: Release the CLI
+  release:
+    name: Release
     runs-on: ubuntu-latest
 
     # https://docs.github.com/en/actions/reference/authentication-in-a-workflow
@@ -22,69 +22,57 @@ jobs:
 
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
+      - name: Check if any changes since last tag
+        id: check
+        run: |
+          git fetch --tags
+          if [ -z "$(git tag --points-at HEAD)" ]; then
+            echo "Nothing points at HEAD, so we need a new tag+release."
+            echo "need_release=yes" >> $GITHUB_OUTPUT
+          else
+            echo "A tag already points to head, no need for a new tag+release."
+            echo "need_release=no" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Bump version and push tag
+        id: create_tag
+        uses: mathieudutour/github-tag-action@a22cf08638b34d5badda920f9daf6e72c477b07b # v6.2
+        if: steps.check.outputs.need_release == 'yes'
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        if: steps.check.outputs.need_release == 'yes'
+        with:
+          ref: ${{ steps.create_tag.outputs.new_tag }}
+
       - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+        if: steps.check.outputs.need_release == 'yes'
         with:
           go-version-file: './go.mod'
           check-latest: true
 
+      # Cosign is used by goreleaser to sign release artifacts.
       - uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
+        if: steps.check.outputs.need_release == 'yes'
 
       - uses: goreleaser/goreleaser-action@9ed2f89a662bf1735a48bc8557fd212fa902bebf # v6.1.0
+        if: steps.check.outputs.need_release == 'yes'
         with:
           version: latest
           install-only: true
 
       # Federate to create a token to authenticate with the homebrew-tap repository.
       - uses: octo-sts/action@6177b4481c00308b3839969c3eca88c96a91775f # v1.0.0
+        if: steps.check.outputs.need_release == 'yes'
         id: octo-sts
         with:
           scope: chainguard-dev/homebrew-tap
           identity: melange
 
       - name: Release
+        if: steps.check.outputs.need_release == 'yes'
         run: make release
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           HOMEBREW_TAP_GITHUB_TOKEN: ${{ steps.octo-sts.outputs.token }}
-
-  ko-build:
-    name: Release melange image
-    runs-on: ubuntu-latest
-    needs:
-      - cli
-
-    # https://docs.github.com/en/actions/reference/authentication-in-a-workflow
-    permissions:
-      id-token: write
-      packages: write
-      contents: read
-
-    env:
-      KO_DOCKER_REPO: ghcr.io/${{ github.repository }}
-      COSIGN_YES: "true"
-
-    steps:
-      - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
-        with:
-          egress-policy: audit
-
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-
-      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
-        with:
-          go-version-file: './go.mod'
-          check-latest: true
-
-      - uses: ko-build/setup-ko@3aebd0597dc1e9d1a26bcfdb7cbeb19c131d3037 # v0.7
-
-      - uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
-
-      - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ github.token }}
-
-      - name: Publish/Sign melange image
-        run: |
-          make sign-image
diff --git a/release.md b/release.md
@@ -1,45 +1,19 @@
 # Melange Release Process
 
-## Patch releases
-
-The most common type of release of Melange is a patch release. Generally we should aim to do these as often as necessary to release _backward compatible_ changes, especially to release updated dependencies to fix vulnerabilities.
-
 To cut a release:
-- go to https://github.com/chainguard-dev/melange/releases/new
-- click "Choose a tag" then "Find or create a new tag"
-- type a new patch version tag for the latest minor version
-  - for example, if the latest version is `v0.5.5`, create a patch release `v0.5.6`
-- click "Create new tag: v0.X.Y on publish"
-  - you can leave the release title empty
-- click "Generate release notes"
-  - make any editorial changes to the release notes you think are relevant
-- make sure "Set as the latest release" is checked
-- click **"Publish release"**
-
-### Monitor the release automation
-
-Once the tag is pushed, the [`Create Release` action](https://github.com/chainguard-dev/melange/actions/workflows/release.yaml)
-will attach the appropriate release artifacts and update release notes.
-
-At the time of this writing, the release job takes 20 to 30 minutes to execute.
-
-Make any editorial changes to the release notes you think are necessary.
-You may want to highlight certain changes or remove items that aren't interesting.
-
-Once the `Release` action has been completed successfully, find your release on
-the [releases page](https://github.com/chainguard-dev/melange/releases)
 
-## Minor releases
+1. Go to https://github.com/chainguard-dev/melange/actions/workflows/release.yaml.
+2. Click on the `Run workflow` button.
+3. In the dropdown, ensure that the `main` branch is selected.
+4. In the dropdown, click on the `Run workflow` button.
+5. Wait for the workflow to complete successfully.
 
-Occasionally there are large or breaking changes to Melange that we want to highlight with a new minor release.
-A minor release should be cut shortly after a breaking change is made, so that regular patch releases don't release breaking changes.
+### Useful things to know
 
-The process for cutting a release is exactly the same as above, except that you should pick a new minor version.
+#### Detecting whether a new release is needed
 
-For example, if the latest version is `v0.5.5`, create a minor release `v0.6.0`.
+The release workflow checks to see if there are any changes since the last release. If there are no changes, the workflow will end execution early and not create a new release.
 
-## Homebrew
+#### Automatic triggering
 
-Our release pipeline automate the process to update our [homebrew tap](https://github.com/chainguard-dev/homebrew-tap/blob/main/Formula/melange.rb),
-but it does not update the [Homebrew-core upstream repository](https://github.com/Homebrew/homebrew-core/blob/master/Formula/m/melange.rb) for that one
-we need to open a manual Pull Request.
+In addition to being triggerable manually (as described at the top of this document), the workflow also runs automatically every night. Just like with manual triggering, if there are no new changes since the last release, the workflow will end early without creating a new release.