DM-40418: Release Management GitHub Action

[dspeck1]

Add GitHub Action to build releases. Playbook is updated to include release management instructions. This also moves the base Dockerfile into the base directory and changes naming of activator Dockerfile. Both the build base and build GitHub actions are updated accordingly.

[kfindeisen]

Sorry for the delay, it took me a while to digest things (and seeing the workflow in action on lsst-dm/next_visit_fan_out#9 was indeed useful).

My main concern is the unclear relationship between ci-release and build-service, and the policy decisions that follow from that. Is ci-release meant to replace build-service (if so, why did you create a new script from scratch instead of just injecting support for tag refs into the old one?), or is it meant to be a supplement (if so, why does it run on anything other than tags/releases)? I'd prefer the former, just to be sure that we're really building things the same way for both testing and production.

Either way, we need to clean up how latest base containers are handled before a release workflow that always uses latest is safe to merge.

[kfindeisen]

Why use push:tags instead of release:published? As far as I can tell the only difference would be if somebody pushed a tag that doesn't have a corresponding release, but the latter seems more direct.

[kfindeisen]

If you do keep push:tags, would it be useful to filter on tags that look like version numbers, to guard against somebody pushing non-release tags?

[kfindeisen]

Why make a copy of Dockerfile.activator instead of renaming it (and updating build-service to match, of course)?

[dspeck1]

The name of the Dockerfile is not an input parameter to the composite GitHub Action. It is a best practice to give each container its own sub-directory and to not re-name the Dockerfile.

[kfindeisen]

Good to know, but you didn't create subdirectories either.

I don't think it's a good idea to have two identical Dockerfiles.

[dspeck1]

I agree. The two identical Dockerfiles are there for co-existence.

I will update the base container workflow and add a sub directory.

[dspeck1]

Moved the base Dockerfile to a new base directory. Removed the redundant Dockerfile.activator and updated the build service GitHub Action.

[kfindeisen]

Should this be a subsection of "Containers" rather than another top-level section? It's true that the containers are what we're versioning, but if I were looking at the table of contents I wouldn't have thought to look here.

[dspeck1]

Moved Release instructions to a subsection of Containers. Thanks for suggestion!

[kfindeisen]

??? My question was because it was a subsection of Containers to begin with...

[kfindeisen]

When I try following the PEP 440 link, it throws up a warning saying the document is no longer current. Should this be a link to https://packaging.python.org/en/latest/specifications/version-specifiers/ instead?

It's worth noting that the compatibility implications of semantic versioning are buried pretty far down the page (https://packaging.python.org/en/latest/specifications/version-specifiers/#compatible-release). But GitHub doesn't seem to have any documentation beyond the paragraph that shows up on the New Release page, and I assume you deliberately avoided linking to semver.org.

[kfindeisen]

For the purpose of distinguishing between major and minor versions, does compatibility mean:

For Prompt Processing,

• ability to read fanned-out nextVisit messages
• schema compatibility of APDB inputs/outputs and Alert Stream outputs
• any in-code assumptions about the version(s) of the central Butler repo, but no requirements regarding dataset types, pipeline contents, etc.

For fan-out,

• ability to read incoming Summit messages
• schema compatibility of fanned-out messages

The question of compatibility for fanned-out messages is a bit problematic because, so long as we're just dumping them into a Python dataclass, almost any change is incompatible: removing a field will give an error unless the client provides a default, as usual for schemas, but adding a field will give an error unconditionally.

[dspeck1]

Fixed link to pep. Also updated instructions to use X.Y.Z for releases without prepending v to be consistent with other release numbering schemes used by LSST.

[kfindeisen]

I've confirmed on next_visit_fan_out that this step is not necessary -- publishing the release triggers the push:tags listeners.

[kfindeisen]

The "Stable Base Containers" section above this point assumes that the latest base is used for ongoing development, while production builds should use BASE_TAG_LIST if necessary.

If the responsibility for production builds is shifting from build-service to ci-release, then maybe we should do it the other way around and require that latest refer to a "known good" container (which is what we've done in practice instead of messing around with BASE_TAG_LIST). This would require changing automatic runs of build-base to not set the latest tag (in practice almost all latest bases are built manually, so this is mostly a safety net).

[kfindeisen]

Please restore the PROMPT_PROCESSING_DIR definition at the minimum; the service will not work if this is not an absolute path. I'm happy to help with testing.

I've made a few other suggestions as well (in particular, please squash all fixup-type commits before final merge).

[kfindeisen]

The comment refers to the run: block, so the new line should go above it.

Or, as I understand it, this change means the build is no longer context-free and the comment should be removed? Reversed in a fixup commit.

[kfindeisen]

Would it be possible to move the deletion of Dockerfile.activator to "Add Dockerfile for activator", so that it's clear to anyone reviewing the history that it's a move/rename rather than a creation?

[kfindeisen]

Ok, now I see what happened. No, I think releases should have their own heading (whether a top-level section, or a subsection like before). All the instructions for different things get jumbled together otherwise.

[dspeck1]

Moved release management to its own section.

[kfindeisen]

Emphasize that the tag is without the "v"?

[kfindeisen]

👍 for removing the "v", but I still say this step is unnecessary. (And, in the unlikely event that the HEAD of main moved since you created the release, you'd be altering the definition of an existing tag.)

[kfindeisen]

Suggested change

	* Any specific motivation for the release(for example, including a specific feature, preparing for a specific observing run))
	* Any specific motivation for the release (for example, including a specific feature, preparing for a specific observing run))