wazuh-kubernetes/.github/workflows/4_bumper_repository.yml at main · wazuh/wazuh-kubernetes · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
name: Repository bumper 4.x
run-name: Bump ${{ github.ref_name }} (${{ inputs.id }})

on:
  workflow_dispatch:
    inputs:
      version:
        description: 'Target version (e.g. 1.2.3)'
        default: ''
        required: false
        type: string
      stage:
        description: 'Version stage (e.g. alpha0)'
        default: ''
        required: false
        type: string
      tag:
        description: 'Change branches references to tag-like references (e.g. v4.12.0-alpha7)'
        default: false
        required: false
        type: boolean
      issue-link:
        description: 'Issue link in format https://github.com/wazuh/<REPO>/issues/<ISSUE-NUMBER>'
        required: true
        type: string
      id:
        description: 'Optional identifier for the run'
        required: false
        type: string

jobs:
  bump:
    name: Repository bumper 4.x
    runs-on: ubuntu-22.04
    permissions:
      contents: write
      pull-requests: write

    env:
      CI_COMMIT_AUTHOR: wazuhci
      CI_COMMIT_EMAIL: 22834044+wazuhci@users.noreply.github.com
      CI_GPG_PRIVATE_KEY: ${{ secrets.CI_WAZUHCI_GPG_PRIVATE }}
      GH_TOKEN: ${{ secrets.CI_WAZUHCI_BUMPER_TOKEN }}
      BUMP_SCRIPT_PATH: tools/repository_bumper.sh
      BUMP_LOG_PATH: tools

    steps:
      - name: Dump event payload
        run: |
          cat $GITHUB_EVENT_PATH | jq '.inputs'

      - name: Set up GPG key
        id: signing_setup
        run: |
          echo "${{ env.CI_GPG_PRIVATE_KEY }}" | gpg --batch --import
          KEY_ID=$(gpg --list-secret-keys --with-colons | awk -F: '/^sec/ {print $5; exit}')
          echo "gpg_key_id=$KEY_ID" >> $GITHUB_OUTPUT

      - name: Set up git
        run: |
          git config --global user.name "${{ env.CI_COMMIT_AUTHOR }}"
          git config --global user.email "${{ env.CI_COMMIT_EMAIL }}"
          git config --global commit.gpgsign true
          git config --global user.signingkey "${{ steps.signing_setup.outputs.gpg_key_id }}"
          echo "use-agent" >> ~/.gnupg/gpg.conf
          echo "pinentry-mode loopback" >> ~/.gnupg/gpg.conf
          echo "allow-loopback-pinentry" >> ~/.gnupg/gpg-agent.conf
          echo RELOADAGENT | gpg-connect-agent
          export DEBIAN_FRONTEND=noninteractive
          export GPG_TTY=$(tty)

      - name: Checkout repository
        uses: actions/checkout@v6
        with:
          # Using workflow-specific GITHUB_TOKEN because currently CI_WAZUHCI_BUMPER_TOKEN
          # doesn't have all the necessary permissions
          token: ${{ env.GH_TOKEN }}

      - name: Determine branch name
        id: vars
        env:
          VERSION: ${{ inputs.version }}
          STAGE: ${{ inputs.stage }}
          TAG: ${{ inputs.tag }}
        run: |
          script_params=""
          version=${{ env.VERSION }}
          stage=${{ env.STAGE }}
          tag=${{ env.TAG }}

          # Both version and stage provided
          if [[ -n "$version" && -n "$stage" && "$tag" != "true" ]]; then
            script_params="--version ${version} --stage ${stage}"
          elif [[ -n "$version" && -n "$stage" && "$tag" == "true" ]]; then
            script_params="--version ${version} --stage ${stage} --tag ${tag}"
          fi

          issue_number=$(echo "${{ inputs.issue-link }}" | awk -F'/' '{print $NF}')
          BRANCH_NAME="enhancement/wqa${issue_number}-bump-${{ github.ref_name }}"
          echo "branch_name=$BRANCH_NAME" >> $GITHUB_OUTPUT
          echo "script_params=${script_params}" >> $GITHUB_OUTPUT

      - name: Create and switch to bump branch
        run: |
          git checkout -b ${{ steps.vars.outputs.branch_name }}

      - name: Make version bump changes
        run: |
          echo "Running bump script"
          bash ${{ env.BUMP_SCRIPT_PATH }} ${{ steps.vars.outputs.script_params }}

      - name: Commit and push changes
        run: |
          git add .
          git commit -m "feat: bump ${{ github.ref_name }}"
          git push origin ${{ steps.vars.outputs.branch_name }}

      - name: Create pull request
        id: create_pr
        run: |
          gh auth setup-git
          PR_URL=$(gh pr create \
            --title "Bump ${{ github.ref_name }} branch" \
            --body "Issue: ${{ inputs.issue-link }}" \
            --base ${{ github.ref_name }} \
            --head ${{ steps.vars.outputs.branch_name }})

          echo "Pull request created: ${PR_URL}"
          echo "pull_request_url=${PR_URL}" >> $GITHUB_OUTPUT

      - name: Merge pull request
        run: |
          # Any checks for the PR are bypassed since the branch is expected to be functional (i.e. the bump process does not introduce any bugs)
          gh pr merge "${{ steps.create_pr.outputs.pull_request_url }}" --merge --admin

      - name: Show logs
        run: |
          echo "Bump complete."
          echo "Branch: ${{ steps.vars.outputs.branch_name }}"
          echo "PR: ${{ steps.create_pr.outputs.pull_request_url }}"
          echo "Bumper scripts logs:"
          cat ${BUMP_LOG_PATH}/repository_bumper*log