ZXCron: Promote Build Candidate #13
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
## | |
# Copyright (C) 2023-2024 Hedera Hashgraph, LLC | |
# | |
# Licensed under the Apache License, Version 2.0 (the "License"); | |
# you may not use this file except in compliance with the License. | |
# You may obtain a copy of the License at | |
# | |
# http://www.apache.org/licenses/LICENSE-2.0 | |
# | |
# Unless required by applicable law or agreed to in writing, software | |
# distributed under the License is distributed on an "AS IS" BASIS, | |
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | |
# See the License for the specific language governing permissions and | |
# limitations under the License. | |
## | |
name: "ZXCron: Promote Build Candidate" | |
on: | |
workflow_dispatch: | |
schedule: | |
# Runs Promote Build Candidate at 2000 hours | |
- cron: '0 20 * * *' | |
permissions: | |
actions: write | |
contents: write | |
statuses: write | |
defaults: | |
run: | |
shell: bash | |
env: | |
XTS_PASS_GREP_PATTERN: "xts-pass-*" | |
PROMOTED_GREP_PATTERN: "build-.{5}" | |
jobs: | |
determine-build-candidate: | |
name: Fetch Latest Build Candidate | |
runs-on: network-node-linux-medium | |
outputs: | |
build-candidate-exists: ${{ steps.find-build-candidates.outputs.build-candidate-exists }} | |
build-candidate-commit: ${{ steps.find-build-candidates.outputs.build-candidate-commit }} | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 | |
with: | |
egress-policy: audit | |
# Checkout the latest from dev | |
- name: Checkout Code | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
with: | |
fetch-depth: '0' | |
ref: develop | |
token: ${{ secrets.GH_ACCESS_TOKEN }} | |
- name: Find Build Candidates | |
id: find-build-candidates | |
env: | |
GH_TOKEN: ${{ github.token }} | |
TAG_PATTERN: ${{ env.XTS_PASS_GREP_PATTERN }} | |
BUILD_PROMO_PATTERN: ${{ env.PROMOTED_GREP_PATTERN }} | |
run: | | |
CANDIDATE_TAG="$(git tag --list --sort=-version:refname "${TAG_PATTERN}" | head --lines 1)" | |
if [[ -n "${CANDIDATE_TAG}" ]]; then | |
set +e | |
CANDIDATE_COMMIT=$(git rev-list --max-count 1 ${CANDIDATE_TAG}) | |
BUILD_PROMOTED_TAGGED=$(git tag --contains "${CANDIDATE_COMMIT}" | grep -E "${BUILD_PROMO_PATTERN}") | |
set -e | |
# Use -n; if the BUILD_PROMOTED_TAGGED flag is not empty than the commit has been tagged. | |
if [[ -n "${BUILD_PROMOTED_TAGGED}" ]]; then | |
gh run cancel ${{ github.run_id }} | |
fi | |
# Verify the commit is on develop and continue | |
if git branch --contains "${CANDIDATE_COMMIT}" | grep --quiet develop >/dev/null 2>&1; then | |
git push --delete origin $(git tag --list "${TAG_PATTERN}") | |
git tag --delete $(git tag --list "${TAG_PATTERN}") | |
echo "build-candidate-exists=true" >> "${GITHUB_OUTPUT}" | |
echo "build-candidate-commit=${CANDIDATE_COMMIT}" >> "${GITHUB_OUTPUT}" | |
echo "### Build Candidate Found" >> "${GITHUB_STEP_SUMMARY}" | |
echo "build-candidate-commit=${CANDIDATE_COMMIT}" >> "${GITHUB_STEP_SUMMARY}" | |
echo "build_candidate_tag=${CANDIDATE_TAG}" >> "${GITHUB_STEP_SUMMARY}" | |
else | |
gh run cancel "${{ github.run_id }}" | |
fi | |
else | |
gh run cancel "${{ github.run_id }}" | |
fi | |
promote-build-candidate: | |
name: Promote Build Candidate | |
runs-on: network-node-linux-medium | |
needs: determine-build-candidate | |
if: ${{ needs.determine-build-candidate.result == 'success' && needs.determine-build-candidate.outputs.build-candidate-exists == 'true' }} | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 | |
with: | |
egress-policy: audit | |
- name: Checkout Tagged Code | |
id: checkout-tagged-code | |
if: ${{ needs.determine-build-candidate.outputs.build-candidate-exists == 'true' }} | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
with: | |
fetch-depth: '0' | |
ref: ${{ needs.determine-build-candidate.outputs.build-candidate-commit }} | |
token: ${{ secrets.GH_ACCESS_TOKEN }} | |
- name: Import GPG Key | |
id: gpg_importer | |
uses: step-security/ghaction-import-gpg@6c8fe4d0126a59d57c21f87c9ae5dd3451fa3cca # v6.1.0 | |
with: | |
git_commit_gpgsign: true | |
git_tag_gpgsign: true | |
git_user_signingkey: true | |
gpg_private_key: ${{ secrets.SVCS_GPG_KEY_CONTENTS }} | |
passphrase: ${{ secrets.SVCS_GPG_KEY_PASSPHRASE }} | |
- name: Tag Build Candidate | |
env: | |
BUILD_INDEX: ${{ vars.XTS_BUILD_PROMOTION_INDEX }} | |
run: | | |
BUILD_TAG="$(printf "build-%05d" "${BUILD_INDEX}")" | |
git tag --annotate ${BUILD_TAG} --message "chore: tagging commit for build promotion" | |
git push --set-upstream origin --tags | |
echo "### Build Promotion Tag Information" >> "${GITHUB_STEP_SUMMARY}" | |
echo "build-tag=${BUILD_TAG}" >> "${GITHUB_STEP_SUMMARY}" | |
- name: Increment Build Promotion Index | |
uses: action-pack/increment@14c9f7fbbf560e7518ccaeab781aeca7bff15069 # v2.12 | |
id: increment | |
with: | |
name: 'XTS_BUILD_PROMOTION_INDEX' | |
token: ${{ secrets.GH_ACCESS_TOKEN }} | |
- name: Preview Next Build | |
env: | |
NEXT_BUILD_ID: ${{ steps.increment.outputs.value }} | |
run: | | |
NEXT_BUILD_TAG="$(printf "build-%05d" "${NEXT_BUILD_ID}")" | |
echo "### Preview Next Build Tag" >> "${GITHUB_STEP_SUMMARY}" | |
echo "Next build tag is: ${NEXT_BUILD_TAG}" >> "${GITHUB_STEP_SUMMARY}" | |
report-failure: | |
name: Report XTS execution failure | |
runs-on: network-node-linux-medium | |
needs: | |
- determine-build-candidate | |
- promote-build-candidate | |
if: ${{ (needs.determine-build-candidate.result != 'success' || needs.promote-build-candidate.result != 'success') && !cancelled() && always() }} | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 | |
with: | |
egress-policy: audit | |
- name: Report failure (slack) | |
uses: slackapi/slack-github-action@6c661ce58804a1a20f6dc5fbee7f0381b469e001 # v1.25.0 | |
env: | |
SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK | |
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_CITR_WEBHOOK }} | |
with: | |
payload: | | |
{ | |
"attachments": [ | |
{ | |
"color": "#7647cd", | |
"blocks": [ | |
{ | |
"type": "header", | |
"text": { | |
"type": "plain_text", | |
"text": ":grey_exclamation: Hedera Services - Build Candidate Promotion Error Report", | |
"emoji": true | |
} | |
}, | |
{ | |
"type": "divider" | |
}, | |
{ | |
"type": "section", | |
"text": { | |
"type": "mrkdwn", | |
"text": "*Build Candidate Promotion Job Resulted in failure. See status below.*" | |
}, | |
"fields": [ | |
{ | |
"type": "plain_text", | |
"text": "Fetch Latest Build Candidate" | |
}, | |
{ | |
"type": "plain_text", | |
"text": "${{ needs.determine-build-candidate.result }}" | |
}, | |
{ | |
"type": "plain_text", | |
"text": "Promote Build Candidate" | |
}, | |
{ | |
"type": "plain_text", | |
"text": "${{ needs.promote-build-candidate.result }}" | |
} | |
] | |
}, | |
{ | |
"type": "divider" | |
}, | |
{ | |
"type": "section", | |
"text": { | |
"type": "mrkdwn", | |
"text": "*Source Commit*: \n<${{ github.server_url }}/${{ github.repository }}/commit/${{ github.sha }}>" | |
} | |
} | |
] | |
} | |
] | |
} |