fix: Correct token enables scripts to run authenticated git commands … #719
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Release Charts | |
on: | |
push: | |
branches: | |
- master | |
# Weekly nri-bundle release | |
schedule: | |
- cron: "0 12 * * 2" # Tuesday at 12pm UTC or 5am PT | |
# Prevent two release workflows from running concurrently, which might cause WAR race conditions in the repository | |
# Ref: https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#concurrency | |
concurrency: helm-release | |
env: | |
ORIGINAL_REPO_NAME: ${{ github.event.repository.full_name }} | |
jobs: | |
# Sometimes chart-releaser might fetch an outdated index.yaml from gh-pages, causing a WAW hazard on the repo | |
# This job checks the remote file is up to date with the local one on release | |
validate-gh-pages-index: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v2 | |
with: | |
ref: gh-pages | |
- name: Download remote index file and check equality | |
run: | | |
curl -vsSL https://${{ github.repository_owner }}.github.io/${{ github.event.repository.name }}/index.yaml > index.yaml.remote | |
LOCAL="$(md5sum < index.yaml)" | |
REMOTE="$(md5sum < index.yaml.remote)" | |
echo "$LOCAL" = "$REMOTE" | |
test "$LOCAL" = "$REMOTE" | |
release: | |
runs-on: ubuntu-latest | |
needs: [ validate-gh-pages-index ] | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v2 | |
# chart-releaser need all the history of the repo to see what changed in the file tree and evaluate which charts need to be released | |
with: | |
fetch-depth: 0 | |
- name: Add helm repositories | |
run: | | |
helm repo add newrelic-helm-charts https://newrelic.github.io/helm-charts | |
helm repo add newrelic-cdn-helm-charts https://helm-charts.newrelic.com | |
helm repo add newrelic-infrastructure https://newrelic.github.io/nri-kubernetes | |
helm repo add nri-prometheus https://newrelic.github.io/nri-prometheus | |
helm repo add newrelic-prometheus-configurator https://newrelic.github.io/newrelic-prometheus-configurator | |
helm repo add nri-metadata-injection https://newrelic.github.io/k8s-metadata-injection | |
helm repo add newrelic-k8s-metrics-adapter https://newrelic.github.io/newrelic-k8s-metrics-adapter | |
helm repo add kube-state-metrics https://kubernetes.github.io/kube-state-metrics | |
helm repo add nri-kube-events https://newrelic.github.io/nri-kube-events | |
helm repo add pixie-operator-chart https://pixie-operator-charts.storage.googleapis.com | |
helm repo add newrelic-infra-operator https://newrelic.github.io/newrelic-infra-operator | |
helm repo add prometheus-community https://prometheus-community.github.io/helm-charts | |
- name: Configure Git | |
run: | | |
git config user.name "$GITHUB_ACTOR" | |
git config user.email "[email protected]" | |
- name: Merge Renovate PR updating bundle dependencies | |
if: github.event_name == 'schedule' | |
# GITHUB_TOKEN does not allow to merge PRs with admin | |
# privilege, so use alternative token | |
# Source: https://stackoverflow.com/questions/74274130/allow-github-actions-to-merge-prs-on-protected-branch | |
env: | |
CR_TOKEN: "${{ secrets.K8S_AGENTS_BOT_TOKEN }}" | |
run: | | |
PR_NUMBER=$(gh pr list --search "is:pr is:open author:app/renovate 'Update bundle dependencies' in:title" --json="number" --jq '.[0].number') | |
if [[ -n "${PR_NUMBER}" ]]; then | |
echo "Proceeding to merge PR #${PR_NUMBER}" | |
gh pr merge ${PR_NUMBER} \ | |
--admin \ | |
--body "Automatically merged by github-actions" \ | |
--delete-branch \ | |
--squash | |
else | |
echo "No PR found. Nothing to merge" | |
fi | |
# As of today, there is no way to filter/exclude charts to be released. Config does not support it: | |
# https://github.com/helm/chart-releaser/blob/4eb598f96aa53d1c0b8234af2087834e1f2275e1/pkg/config/config.go#L40-L61 | |
# So we delete the Chart.yaml to filter the chart: https://github.com/helm/chart-releaser-action/pull/18 | |
- name: remove the chart template as it should not be deployed | |
run: | | |
rm ./library/CHART-TEMPLATE/Chart.yaml | |
- name: Release library charts | |
uses: helm/[email protected] | |
with: | |
charts_dir: library | |
env: | |
CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" | |
- name: Release workload charts | |
uses: helm/[email protected] | |
env: | |
# GITHUB_TOKEN does not allow to create a new workflow run, | |
# so use alternative token to allow post-release workflow to run | |
# Source: https://docs.github.com/en/actions/security-guides/automatic-token-authentication#using-the-github_token-in-a-workflow | |
CR_TOKEN: "${{ secrets.K8S_AGENTS_BOT_TOKEN }}" | |
notify-failure: | |
if: ${{ always() && failure() && (github.event_name == 'schedule') }} | |
needs: [validate-gh-pages-index, release] | |
runs-on: ubuntu-latest | |
steps: | |
- name: Notify failure via Slack | |
uses: archive/[email protected] | |
with: | |
slack-bot-user-oauth-access-token: ${{ secrets.K8S_AGENTS_SLACK_TOKEN }} | |
slack-channel: ${{ secrets.K8S_AGENTS_SLACK_CHANNEL }} | |
slack-text: "❌ `${{ env.ORIGINAL_REPO_NAME }}`: <${{ github.server_url }}/${{ env.ORIGINAL_REPO_NAME }}/actions/runs/${{ github.run_id }}|'Release Charts' failed>." |