mirror of
https://github.com/we-promise/sure.git
synced 2026-07-12 12:55:20 +00:00
* Fix prerelease version bump workflow
* Fix prerelease version-bump job: add PR fallback for protected branches
### Motivation
- The prerelease version bump job was failing when it could not push to protected release branches, causing the workflow to error instead of progressing.
- The job needs permission and robust push logic so prerelease automation can update `.sure-version` and `charts/sure/Chart.yaml` even when direct pushes are blocked.
### Description
- Grant the `bump-pre_release-version` job `pull-requests: write` permission so it may open an automated PR when direct pushes are disallowed.
- Harden the bump step: enable `set -euo pipefail`, pass `GH_TOKEN` into the job environment, and use fully-qualified branch refs for pushes.
- Add retry + rebase logic for direct pushes and a fallback path that pushes the changes to an `automation/bump-version-after-...` branch and opens a PR with `gh pr create` when direct push attempts fail.
- Preserve existing validations that ensure `.sure-version` and `charts/sure/Chart.yaml` exist and the prerelease portion is parsed before writing the bump.
### Testing
- Verified workflow YAML parses with `ruby -e 'require "yaml"; YAML.load_file(".github/workflows/publish.yml"); puts "YAML OK"'` and it succeeded.
- Confirmed the bump job has the expected permission with `ruby -e 'require "yaml"; workflow=YAML.load_file(".github/workflows/publish.yml"); abort("missing bump job") unless workflow.dig("jobs", "bump-pre_release-version", "permissions", "pull-requests") == "write"; puts "bump permissions OK"'` and it succeeded.
- Ran ActionLint via `go run github.com/rhysd/actionlint/cmd/actionlint@v1.7.8 .github/workflows/publish.yml` and received no actionable errors.
- Ran `git diff --check` to ensure no whitespace/format issues and it succeeded.
* Harden pre-release bump job: validation, retries and PR fallback
### Motivation
- Make the `bump-pre_release-version` job more robust by validating prerelease version formats and failing early on unexpected inputs.
- Handle protected branches gracefully by attempting direct pushes with retries and falling back to creating a pull request when direct push is blocked.
- Ensure the workflow has the permissions required to open PRs when needed.
### Description
- Added `pull-requests: write` to the job `permissions` so the workflow can create PRs when required.
- Hardened the bump script with `set -euo pipefail` and a strict regex that validates and extracts `BASE_VERSION`, prerelease tag, and number using `BASH_REMATCH` before incrementing the prerelease counter.
- Simplified and made file reads safer by using input redirection for `tr` and improved error messages for missing or malformed version files.
- Reworked commit/push logic to set a commit message variable, attempt direct pushes with exponential backoff and detection of branch-protection errors, and when rejected create a dedicated bump branch and open a PR via `gh pr create`.
### Testing
- Validated the modified workflow YAML with a YAML linter; no syntax errors were reported.
- Executed the updated bump logic in a CI dry-run (workflow syntax validation on GitHub Actions) and the workflow file was accepted by the Actions syntax checks.
* Add manual workflow triggers and robust pre-release bump with protected-branch fallback
### Motivation
- Allow manual invocation of PR and chart CI workflows via `workflow_dispatch` for on-demand runs.
- Make the pre-release version bump process more robust and reliable when `refs/tags/v*` releases are published.
- Ensure the bump can proceed even when the target branch is protected by creating an automated pull request and running PR checks.
### Description
- Added `workflow_dispatch` to `.github/workflows/pr.yml` and `.github/workflows/chart-ci.yml` to support manual runs.
- Extended `bump-pre_release-version` job in `.github/workflows/publish.yml` to request `actions: write` and `pull-requests: write` permissions.
- Rewrote the bump script to use `set -euo pipefail` and a single regex validation to parse and increment prerelease versions (e.g. `1.2.3-alpha.4`), update `.sure-version`, and update `charts/sure/Chart.yaml` reliably.
- Improved commit and push flow by adding `GH_TOKEN`, using a consistent commit message variable, attempting direct pushes with retry and rebase, detecting branch-protection failures, and falling back to creating a bumped branch and an automated PR via `gh pr create`; the workflow also dispatches `pr.yml` and `chart-ci.yml` runs for the created branch.
### Testing
- No automated tests were run as part of this change; behavior will be exercised when the workflow creates a bump PR or when workflows are manually triggered via the new `workflow_dispatch` events.
91 lines
2.8 KiB
YAML
91 lines
2.8 KiB
YAML
name: Chart CI
|
|
|
|
on:
|
|
workflow_dispatch:
|
|
pull_request:
|
|
paths:
|
|
- 'charts/**'
|
|
- '.sure-version'
|
|
- '.github/workflows/chart-ci.yml'
|
|
push:
|
|
branches:
|
|
- main
|
|
paths:
|
|
- 'charts/**'
|
|
- '.sure-version'
|
|
- '.github/workflows/chart-ci.yml'
|
|
|
|
jobs:
|
|
version-sync:
|
|
name: Verify Helm ↔ Rails version sync
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
|
|
with:
|
|
persist-credentials: false
|
|
|
|
- name: Check version alignment
|
|
shell: bash
|
|
run: |
|
|
set -euo pipefail
|
|
|
|
RAILS_VERSION=$(cat .sure-version | tr -d '[:space:]')
|
|
if [ -z "$RAILS_VERSION" ]; then
|
|
echo "::error::Could not read version from .sure-version"
|
|
exit 1
|
|
fi
|
|
CHART_VERSION=$(sed -n 's/^version: //p' charts/sure/Chart.yaml | head -n 1)
|
|
APP_VERSION=$(sed -n 's/^appVersion: "\{0,1\}\([^"]*\)"\{0,1\}/\1/p' charts/sure/Chart.yaml | head -n 1)
|
|
|
|
echo "App version (.sure-version): $RAILS_VERSION"
|
|
echo "Helm chart version (Chart.yaml): $CHART_VERSION"
|
|
echo "Helm appVersion (Chart.yaml): $APP_VERSION"
|
|
|
|
ERRORS=0
|
|
|
|
if [ "$RAILS_VERSION" != "$CHART_VERSION" ]; then
|
|
echo "::error::Chart version ($CHART_VERSION) does not match Rails version ($RAILS_VERSION)"
|
|
ERRORS=$((ERRORS + 1))
|
|
fi
|
|
|
|
if [ "$RAILS_VERSION" != "$APP_VERSION" ]; then
|
|
echo "::error::Chart appVersion ($APP_VERSION) does not match Rails version ($RAILS_VERSION)"
|
|
ERRORS=$((ERRORS + 1))
|
|
fi
|
|
|
|
if [ "$ERRORS" -gt 0 ]; then
|
|
echo ""
|
|
echo "To fix: ensure version in .sure-version matches"
|
|
echo "both 'version' and 'appVersion' in charts/sure/Chart.yaml"
|
|
exit 1
|
|
fi
|
|
|
|
echo "All versions are in sync."
|
|
|
|
helm-checks:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
|
|
with:
|
|
persist-credentials: false
|
|
|
|
- name: Install Helm
|
|
uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0
|
|
|
|
- name: Add chart dependencies repositories
|
|
run: |
|
|
helm repo add cloudnative-pg https://cloudnative-pg.github.io/charts
|
|
helm repo add ot-helm https://ot-container-kit.github.io/helm-charts
|
|
helm repo update
|
|
|
|
- name: Build chart dependencies
|
|
run: helm dependency build charts/sure
|
|
|
|
- name: Lint chart
|
|
run: helm lint charts/sure
|
|
|
|
- name: Render templates
|
|
run: helm template sure charts/sure --kube-version 1.25.0 >/tmp/sure-chart-rendered.yaml
|