From 03eeef6ee12548e37c710aba4cb9708f09fef561 Mon Sep 17 00:00:00 2001
From: Dan Luhring
Date: Fri, 15 Nov 2024 13:21:15 -0500
Subject: [PATCH 1/4] fix(releases): more reliable releases
- Consolidate release workflows into one
- Continue to use a scheduled check for new changes
- Also allow manual triggering of release creation
Signed-off-by: Dan Luhring
---
 .github/workflows/release-scheduled.yaml | 41 ------------
 .github/workflows/release.yaml | 84 ++++++++++--------
 2 files changed, 36 insertions(+), 89 deletions(-)
 delete mode 100644 .github/workflows/release-scheduled.yaml
diff --git a/.github/workflows/release-scheduled.yaml b/.github/workflows/release-scheduled.yaml
deleted file mode 100644
index a3541d964..000000000
--- a/.github/workflows/release-scheduled.yaml
+++ /dev/null
@@ -1,41 +0,0 @@
-name: release - -on: - schedule: - - cron: '0 0 * * *' # daily at 00:00 - workflow_dispatch: - -permissions: - contents: read - -jobs: - release: - name: release - runs-on: ubuntu-latest - - permissions: - contents: write - - steps: - - name: Harden Runner - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 - with: - egress-policy: audit - - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - name: Check if any changes since last tag - id: check - run: | - git fetch --tags - if [ -z "$(git tag --points-at HEAD)" ]; then - echo "Nothing points at HEAD, bump a new tag" - echo "bump=yes" >> $GITHUB_OUTPUT - else - echo "A tag already points to head, don't bump" - echo "bump=no" >> $GITHUB_OUTPUT - fi - - name: Bump patch version and push tag - uses: mathieudutour/github-tag-action@a22cf08638b34d5badda920f9daf6e72c477b07b # v6.2 - if: steps.check.outputs.bump == 'yes' - with: - github_token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 31831410d..f988e28a4 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -1,13 +1,13 @@ -name: Create Release +name: Release on: - push: - tags: - - 'v*' # Push events to matching v*, i.e. v1.0, v20.15.10 + schedule: + - cron: '0 0 * * *' # daily at 00:00 + workflow_dispatch: jobs: - cli: - name: Release the CLI + release: + name: Release runs-on: ubuntu-latest # https://docs.github.com/en/actions/reference/authentication-in-a-workflow 
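Review bot: Nothing in the new trigger block restricts which ref a release is cut from: `workflow_dispatch:` accepts any branch or tag, and the tag-bump step later in this file then tags whatever commit was checked out, while release.md (patch 2) only asks the operator to select `main` in the dropdown. A job-level guard makes that documented assumption enforceable, e.g. directly under `release:` add `if: github.ref == 'refs/heads/main'`. Scheduled runs already execute on the default branch, so the guard only changes the outcome of a manual dispatch from another ref. The job body (its `permissions:` block and steps) continues outside this hunk.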
@@ -22,69 +22,57 @@ jobs: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - name: Check if any changes since last tag + id: check + run: | + git fetch --tags + if [ -z "$(git tag --points-at HEAD)" ]; then + echo "Nothing points at HEAD, so we need a new tag+release." + echo "need_release=yes" >> $GITHUB_OUTPUT + else + echo "A tag already points to head, no need for a new tag+release." + echo "need_release=no" >> $GITHUB_OUTPUT + fi + + - name: Bump version and push tag + id: create_tag + uses: mathieudutour/github-tag-action@a22cf08638b34d5badda920f9daf6e72c477b07b # v6.2 + if: steps.check.outputs.need_release == 'yes' + with: + github_token: ${{ secrets.GITHUB_TOKEN }} + + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + if: steps.check.outputs.need_release == 'yes' + with: + ref: ${{ steps.create_tag.outputs.new_tag }} + - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 + if: steps.check.outputs.need_release == 'yes' with: go-version-file: './go.mod' check-latest: true + # Cosign is used by goreleaser to sign release artifacts. - uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0 + if: steps.check.outputs.need_release == 'yes' - uses: goreleaser/goreleaser-action@9ed2f89a662bf1735a48bc8557fd212fa902bebf # v6.1.0 + if: steps.check.outputs.need_release == 'yes' with: version: latest install-only: true # Federate to create a token to authenticate with the homebrew-tap repository. 
- uses: octo-sts/action@6177b4481c00308b3839969c3eca88c96a91775f # v1.0.0 + if: steps.check.outputs.need_release == 'yes' id: octo-sts with: scope: chainguard-dev/homebrew-tap identity: melange - name: Release + if: steps.check.outputs.need_release == 'yes' run: make release env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} HOMEBREW_TAP_GITHUB_TOKEN: ${{ steps.octo-sts.outputs.token }} - - ko-build: - name: Release melange image - runs-on: ubuntu-latest - needs: - - cli - - # https://docs.github.com/en/actions/reference/authentication-in-a-workflow - permissions: - id-token: write - packages: write - contents: read - - env: - KO_DOCKER_REPO: ghcr.io/${{ github.repository }} - COSIGN_YES: "true" - - steps: - - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 - with: - egress-policy: audit - - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 - with: - go-version-file: './go.mod' - check-latest: true - - - uses: ko-build/setup-ko@3aebd0597dc1e9d1a26bcfdb7cbeb19c131d3037 # v0.7 - - - uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0 - - - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 - with: - registry: ghcr.io - username: ${{ github.repository_owner }} - password: ${{ github.token }} - - - name: Publish/Sign melange image - run: | - make sign-image
From d89edf5537007e980ceaca85cd4ceba32b1158ff Mon Sep 17 00:00:00 2001
From: Dan Luhring
Date: Fri, 15 Nov 2024 13:33:00 -0500
Subject: [PATCH 2/4] docs(release): update release.md based on new workflow design
Signed-off-by: Dan Luhring
---
 release.md | 46 ++++++++++------------------------------------
 1 file changed, 10 insertions(+), 36 deletions(-)
diff --git a/release.md b/release.md
index f57f37d9c..9a9884e82 100644
--- a/release.md
+++ b/release.md
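Review bot: The `ko-build` job that published and signed the melange image (`make sign-image`, together with its `id-token: write`/`packages: write` permissions) is removed at the bottom of this hunk and nothing in this series replaces it, so unless image publication has moved to a workflow outside these patches, releases will stop producing the ghcr.io image; the commit message describes a consolidation rather than a removal, so this is worth confirming or stating explicitly. Separately, the first `actions/checkout` (the context line at the top of the hunk) keeps the default shallow clone; `git fetch --tags` makes tags visible to the `Check if any changes since last tag` step, but if github-tag-action derives the bump from the commits since the previous tag it will see only HEAD, so consider adding `fetch-depth: 0` under `with:` on that checkout. Pushing the tag with `secrets.GITHUB_TOKEN` needs `contents: write`; the deleted release-scheduled.yaml declared it at job level, whereas this job's `permissions:` block sits between the two hunks and should be checked for it. The seven identical `if: steps.check.outputs.need_release == 'yes'` lines could be stated once by moving the check into its own job and gating `release` with `if: needs.check.outputs.need_release == 'yes'`. The `release` job begins in the previous hunk.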
@@ -1,45 +1,19 @@ # Melange Release Process -## Patch releases - -The most common type of release of Melange is a patch release. Generally we should aim to do these as often as necessary to release _backward compatible_ changes, especially to release updated dependencies to fix vulnerabilities. - To cut a release: -- go to https://github.com/chainguard-dev/melange/releases/new -- click "Choose a tag" then "Find or create a new tag" -- type a new patch version tag for the latest minor version - - for example, if the latest version is `v0.5.5`, create a patch release `v0.5.6` -- click "Create new tag: v0.X.Y on publish" - - you can leave the release title empty -- click "Generate release notes" - - make any editorial changes to the release notes you think are relevant -- make sure "Set as the latest release" is checked -- click **"Publish release"** - -### Monitor the release automation - -Once the tag is pushed, the [`Create Release` action](https://github.com/chainguard-dev/melange/actions/workflows/release.yaml) -will attach the appropriate release artifacts and update release notes. - -At the time of this writing, the release job takes 20 to 30 minutes to execute. - -Make any editorial changes to the release notes you think are necessary. -You may want to highlight certain changes or remove items that aren't interesting. - -Once the `Release` action has been completed successfully, find your release on -the [releases page](https://github.com/chainguard-dev/melange/releases) -## Minor releases +1. Go to https://github.com/chainguard-dev/melange/actions/workflows/release.yaml. +2. Click on the `Run workflow` button. +3. In the dropdown, ensure that the `main` branch is selected. +4. In the dropdown, click on the `Run workflow` button. +5. Wait for the workflow to complete successfully. -Occasionally there are large or breaking changes to Melange that we want to highlight with a new minor release. 
-A minor release should be cut shortly after a breaking change is made, so that regular patch releases don't release breaking changes. +### Useful things to know -The process for cutting a release is exactly the same as above, except that you should pick a new minor version. +#### Detecting whether a new release is needed -For example, if the latest version is `v0.5.5`, create a minor release `v0.6.0`. +The release workflow checks to see if there are any changes since the last release. If there are no changes, the workflow will end execution early and not create a new release. -## Homebrew +#### Automatic triggering -Our release pipeline automate the process to update our [homebrew tap](https://github.com/chainguard-dev/homebrew-tap/blob/main/Formula/melange.rb), -but it does not update the [Homebrew-core upstream repository](https://github.com/Homebrew/homebrew-core/blob/master/Formula/m/melange.rb) for that one -we need to open a manual Pull Request. +In addition to being triggerable manually (as described at the top of this document), the workflow also runs automatically every night. Just like with manual triggering, if there are no new changes since the last release, the workflow will end early without creating a new release.
From 43b51b3af2791a365a23778a119d87fc91f03b5c Mon Sep 17 00:00:00 2001
From: Dan Luhring
Date: Fri, 15 Nov 2024 16:10:24 -0500
Subject: [PATCH 3/4] review feedback
Signed-off-by: Dan Luhring
---
 .github/workflows/release.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index f988e28a4..e6cc3438f 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -2,7 +2,7 @@ name: Release
on: schedule: - - cron: '0 0 * * *' # daily at 00:00 + - cron: '0 0 * * *' # daily at 00:00 UTC workflow_dispatch: jobs:
From 3c84cb6a9518bc32e8d1fc369a918d83575608f6 Mon Sep 17 00:00:00 2001
From: Dan Luhring
Date: Fri, 15 Nov 2024 16:21:10 -0500
Subject: [PATCH 4/4] change release frequency to weekly
Signed-off-by: Dan Luhring
---
 .github/workflows/release.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index e6cc3438f..f63c4e754 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -2,7 +2,7 @@ name: Release
on: schedule: - - cron: '0 0 * * *' # daily at 00:00 UTC + - cron: '0 0 * * 1' # every Monday at 00:00 UTC workflow_dispatch: jobs: