From 70eb2eea06f42f45ca022f0ecf0262189546cd58 Mon Sep 17 00:00:00 2001 
From: Jack Baldry Date: Wed, 28 Aug 2024 10:46:44 +0100 Subject: [PATCH] Update workflows to use actions that don't need organization secrets Each repository can only have 100 organization secrets and there are now more than 100 in our organization which causes inconsistent behavior. Some repositories don't have the secrets they need assigned. These composite actions use secrets stored in Vault that are available to all repositories. - `publish-technical-documentation-next.yml` has been tested with https://github.com/grafana/writers-toolkit/blob/main/.github/workflows/publish-technical-documentation.yml. - `publish-technical-documentation-release.yml` has been tested with https://github.com/grafana/backend-enterprise/blob/gem-release-2.13/.github/workflows/publish-technical-documentation-release.yml. There is some copy-paste involved in the creation of these workflows. Please check: For `publish-technical-documentation-next.yml`: - [ ] The `on.push` `branches` and `paths` filters are correct for your repository. - [ ] The `jobs.sync.if` repository matches your repository. - [ ] The `jobs.sync.steps[1].with.website_directory` matches the directory you publish to in the website repository. For `publish-technical-documentation-release.yml`: - [ ] The `on.push` `branches`, `tags`, and `paths` filters are correct for your repository. - [ ] The `jobs.sync.if` repository matches your repository. - [ ] The `jobs.sync.steps[1].with.release_tag_regexp` regular expression matches your tags and captures major, minor, and patch versions from those tags. - [ ] The `jobs.sync.steps[1].with.release_branch_regexp` regular expression matches your release branch names and captures major and minor versions from those branch names. - [ ] The `jobs.sync.steps[1].with.release_branch_with_patch_regexp` regular expression matches your release branch names if they were to include a patch version, and that it would capture major, minor, and patch versions from those branch names.
- [ ] The `jobs.sync.steps[1].with.website_directory` matches the directory you publish to in the website repository. Signed-off-by: Jack Baldry --- .../workflows/publish-documentation-next.yml | 57 +++--------- .../publish-documentation-versioned.yml | 89 ------------------- ...ublish-technical-documentation-release.yml | 29 ++++++ 3 files changed, 39 insertions(+), 136 deletions(-) delete mode 100644 .github/workflows/publish-documentation-versioned.yml create mode 100644 .github/workflows/publish-technical-documentation-release.yml diff --git a/.github/workflows/publish-documentation-next.yml b/.github/workflows/publish-documentation-next.yml index 18146cb44e89..eab27c2dc834 100644 --- a/.github/workflows/publish-documentation-next.yml +++ b/.github/workflows/publish-documentation-next.yml 
@@ -1,58 +1,21 @@ -name: "publish-technical-documentation-next" +name: publish-technical-documentation-next on: push: branches: - main paths: - - 'docs/sources/**' + - "docs/sources/**" workflow_dispatch: - jobs: - test: - runs-on: ubuntu-latest - steps: - - name: "Check out code" - uses: actions/checkout@v4 - - name: "Build technical documentation" - run: > - docker run - --volume "${PWD}/docs/sources:/hugo/content/docs/agent/latest" - --env HUGO_REFLINKSERRORLEVEL=ERROR - --rm grafana/docs-base:latest - /bin/bash -c 'echo -e "---\\nredirectURL: /docs/agent/latest/\\ntype: redirect\\nversioned: true\\n---\\n" > /hugo/content/docs/agent/_index.md && make hugo' - sync: + if: github.repository == 'grafana/agent' + permissions: + contents: read + id-token: write runs-on: ubuntu-latest - needs: test steps: - - - name: "Checkout Agent repo" - uses: actions/checkout@v4 - - - name: "Clone website-sync Action" - # WEBSITE_SYNC_TOKEN is a fine-grained GitHub Personal Access Token that expires. - # It must be regenerated in the grafanabot GitHub account and requires a Grafana organization - # GitHub administrator to update the organization secret. - # The IT helpdesk can update the organization secret. - run: "git clone --single-branch --no-tags --depth 1 -b master https://grafanabot:${{ secrets.WEBSITE_SYNC_TOKEN }}@github.com/grafana/website-sync ./.github/actions/website-sync" - - - name: "Publish to website repository (next)" - uses: ./.github/actions/website-sync - id: "publish_next" - with: - repository: grafana/website - branch: master - host: github.com - # PUBLISH_TO_WEBSITE_TOKEN is a fine-grained GitHub Personal Access Token that expires. - # It must be regenerated in the grafanabot GitHub account and requires a Grafana organization - # GitHub administrator to update the organization secret. - # The IT helpdesk can update the organization secret. 
- github_pat: "grafanabot:${{ secrets.PUBLISH_TO_WEBSITE_TOKEN }}" - source_folder: docs/sources - target_folder: 'content/docs/agent/next' - allow_no_changes: true - - shell: bash - run: | - test -n "${{ steps.publish_next.outputs.commit_hash }}" - test -n "${{ steps.publish_next.outputs.working_directory }}" + - uses: actions/checkout@v4 + - uses: grafana/writers-toolkit/publish-technical-documentation@publish-technical-documentation/v1 + with: + website_directory: content/docs/agent diff --git a/.github/workflows/publish-documentation-versioned.yml b/.github/workflows/publish-documentation-versioned.yml deleted file mode 100644 index 3339bf59b2e5..000000000000 --- a/.github/workflows/publish-documentation-versioned.yml +++ /dev/null 
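Review bot: The added step `uses: grafana/writers-toolkit/publish-technical-documentation@publish-technical-documentation/v1` names a movable ref in a job that grants `id-token: write`, so whatever that ref points to at run time executes with the ability to request an identity token for this repository. Pin it to a full commit SHA and keep the version as a trailing comment, e.g. `uses: grafana/writers-toolkit/publish-technical-documentation@<full-commit-sha>  # publish-technical-documentation/v1` (placeholder; the SHA is not on this page). The same applies to the `publish-technical-documentation-release` step in the new `publish-technical-documentation-release.yml`, and with less at stake to `actions/checkout@v4` in both files. The removed `test` job also built the docs with `HUGO_REFLINKSERRORLEVEL=ERROR` before syncing; whether the composite action performs an equivalent check is not visible in this hunk.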
@@ -1,89 +0,0 @@ -name: "publish-technical-documentation-version" - -on: - push: - branches: - - 'release-*' - tags: - - 'v[0-9]+.[0-9]+.[0-9]+' - paths: - - 'docs/sources/**' - workflow_dispatch: - -jobs: - test: - runs-on: ubuntu-latest - steps: - - name: "Check out code" - uses: actions/checkout@v4 - - name: "Build technical documentation" - run: > - docker run - --volume "${PWD}/docs/sources:/hugo/content/docs/agent/latest" - --env HUGO_REFLINKSERRORLEVEL=ERROR - --rm grafana/docs-base:latest - /bin/bash -c 'echo -e "---\\nredirectURL: /docs/agent/latest/\\ntype: redirect\\nversioned: true\\n---\\n" > /hugo/content/docs/agent/_index.md && make hugo' - - sync: - runs-on: ubuntu-latest - needs: test - steps: - - - name: "Checkout Agent repo" - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - - name: "Checkout Actions library" - uses: actions/checkout@v4 - with: - repository: "grafana/grafana-github-actions" - path: ./actions - - - name: "Install Actions from library" - run: npm install --production --prefix ./actions - - - name: "Determine if there is a matching release tag" - id: "has-matching-release-tag" - uses: "./actions/has-matching-release-tag" - with: - ref_name: "${{ github.ref_name }}" - release_tag_regexp: "^v(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)$" - release_branch_regexp: "^release-v(0|[1-9]\\d*)\\.(0|[1-9]\\d*)$" - - - name: "Extract semver" - if: "steps.has-matching-release-tag.outputs.bool == 'true'" - uses: ./actions/docs-target - id: target - with: - ref_name: ${{ github.ref_name }} - - - name: "Clone website-sync Action" - if: "steps.has-matching-release-tag.outputs.bool == 'true'" - # WEBSITE_SYNC_TOKEN is a fine-grained GitHub Personal Access Token that expires. - # It must be regenerated in the grafanabot GitHub account and requires a Grafana organization - # GitHub administrator to update the organization secret. - # The IT helpdesk can update the organization secret. 
- run: "git clone --single-branch --no-tags --depth 1 -b master https://grafanabot:${{ secrets.WEBSITE_SYNC_TOKEN }}@github.com/grafana/website-sync ./.github/actions/website-sync" - - - name: "Publish to website repository (release)" - if: "steps.has-matching-release-tag.outputs.bool == 'true'" - uses: ./.github/actions/website-sync - id: "publish_release" - with: - repository: grafana/website - branch: master - host: github.com - # PUBLISH_TO_WEBSITE_TOKEN is a fine-grained GitHub Personal Access Token that expires. - # It must be regenerated in the grafanabot GitHub account and requires a Grafana organization - # GitHub administrator to update the organization secret. - # The IT helpdesk can update the organization secret. - github_pat: "grafanabot:${{ secrets.PUBLISH_TO_WEBSITE_TOKEN }}" - source_folder: docs/sources - target_folder: 'content/docs/agent/${{ steps.target.outputs.target }}' - allow_no_changes: true - - shell: bash - if: "steps.has-matching-release-tag.outputs.bool == 'true'" - run: | - test -n "${{ steps.publish_release.outputs.commit_hash }}" - test -n "${{ steps.publish_release.outputs.working_directory }}" diff --git a/.github/workflows/publish-technical-documentation-release.yml b/.github/workflows/publish-technical-documentation-release.yml new file mode 100644 index 000000000000..53b21bc52b01 --- /dev/null +++ b/.github/workflows/publish-technical-documentation-release.yml 
@@ -0,0 +1,29 @@
+name: publish-technical-documentation-release
+
+on:
+ push:
+ branches:
+ - "release-*"
+ tags:
+ - "v[0-9]+.[0-9]+.[0-9]+"
+ paths:
+ - "docs/sources/**"
+ workflow_dispatch:
+jobs:
+ sync:
+ if: github.repository == 'grafana/agent'
+ permissions:
+ contents: read
+ id-token: write
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+ - uses: grafana/writers-toolkit/publish-technical-documentation-release@publish-technical-documentation-release/v1
+ with:
+ release_tag_regexp: "^v(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)$"
+ release_branch_regexp: "^release-v(0|[1-9]\\d*)\\.(0|[1-9]\\d*)$"
+ release_branch_with_patch_regexp: "^release-v(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)$"
+ website_directory: content/docs/agent
+ version_suffix: ""
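Review bot: The `branches` filter `"release-*"` is wider than `release_branch_regexp`, so a push to any branch with that prefix that touches `docs/sources/**` starts a job holding `id-token: write`. Tag pushes start it regardless of `paths`, because GitHub does not evaluate path filters for tags. Whether the composite action exits without publishing for a ref that matches neither regexp is not visible here. Consider narrowing the trigger to the shapes the regexps accept, for example `- "release-v[0-9]+.[0-9]+"` (plus a patch-level pattern if such branches are used), and adding a comment such as `# paths is ignored for tag pushes` above `paths:`.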