From 19c12c97ea657ed7d77659175ee5a88bd4df22f1 Mon Sep 17 00:00:00 2001 From: Tom Herbers Date: Thu, 14 Mar 2024 22:51:20 +0100 Subject: [PATCH 1/6] ci: build: update softprops/action-gh-release: v1 -> v2 (#58) (cherry picked from commit eda181a9b785fe56cbadcbcf4ec891eccf55d598) --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index ddca4bc..9fb6b89 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -511,7 +511,7 @@ jobs: gluon-gha-data/release-artifacts/* - name: Create GitHub Release - uses: softprops/action-gh-release@v1 + uses: softprops/action-gh-release@v2 with: body_path: gluon-gha-data/release-notes.md files: | From e74ee930d8aaf3f21ab4ce62d0e5cca9d2888a27 Mon Sep 17 00:00:00 2001 From: David Bauer Date: Tue, 6 Aug 2024 20:51:47 +0000 Subject: [PATCH 2/6] build-meta: support build of deployment tags (#94) When building for a special (automatic deployment) we want to enable the autoupdater. Signed-off-by: David Bauer (cherry picked from commit a424d74490a3c18474b2f06f9bce0856e26446e8) --- .github/build-meta.sh | 16 ++++++++++++++++ .github/workflows/build.yml | 3 +++ 2 files changed, 19 insertions(+) diff --git a/.github/build-meta.sh b/.github/build-meta.sh index 1cf8c48..e859d61 100644 --- a/.github/build-meta.sh +++ b/.github/build-meta.sh @@ -19,6 +19,9 @@ DEPLOY="0" # Don't release by default. Enable for tags. CREATE_RELEASE="0" +# This is not the latest release by default. +LATEST_RELEASE="0" + # Target whitelist if [ -n "$WORKFLOW_DISPATCH_TARGETS" ]; then # Get targets from dispatch event 
@@ -36,6 +39,8 @@ TESTING_TAG_RE="^[2-9].[0-9]-[0-9]{8}$" CUSTOM_TESTING_TAG_RE="^[2-9].[0-9]-[0-9]{8}" # Regex for release firmware tag RELEASE_TAG_RE="^[2-9].[0-9].[0-9]$" +# Regex for release deployment firmware tag +RELEASE_DEPLOYMENT_TAG_RE="^[2-9].[0-9].[0-9]" # Get Gluon version information if [ -n "$WORKFLOW_DISPATCH_REPOSITORY" ] && [ -n "$WORKFLOW_DISPATCH_REFERENCE" ]; then @@ -110,9 +115,19 @@ elif [ "$GITHUB_EVENT_NAME" = "push" ] && [ "$GITHUB_REF_TYPE" = "tag" ]; then MANIFEST_BETA="1" SIGN_MANIFEST="1" + LATEST_RELEASE="1" + RELEASE_VERSION="$GITHUB_REF_NAME" BROKEN="0" DEPLOY="1" + elif [[ "$GITHUB_REF_NAME" =~ $RELEASE_DEPLOYMENT_TAG_RE ]]; then + # Deployment release - autoupdater Branch is stable and enabled + AUTOUPDATER_ENABLED="1" + AUTOUPDATER_BRANCH="stable" + + RELEASE_VERSION="$GITHUB_REF_NAME" + BROKEN="1" + DEPLOY="0" else # Unknown release - Disable autoupdater AUTOUPDATER_ENABLED="0" @@ -169,6 +184,7 @@ echo "manifest-testing=$MANIFEST_TESTING" >> "$BUILD_META_OUTPUT" echo "sign-manifest=$SIGN_MANIFEST" >> "$BUILD_META_OUTPUT" echo "deploy=$DEPLOY" >> "$BUILD_META_OUTPUT" echo "create-release=$CREATE_RELEASE" >> "$BUILD_META_OUTPUT" +echo "latest-release=$LATEST_RELEASE" >> "$BUILD_META_OUTPUT" echo "target-whitelist=$TARGET_WHITELIST" >> "$BUILD_META_OUTPUT" # Copy over to GITHUB_OUTPUT diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 9fb6b89..85fc7cf 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -46,6 +46,8 @@ jobs: ${{ steps.build-metadata.outputs.sign-manifest }} create-release: >- ${{ steps.build-metadata.outputs.create-release }} + latest-release: >- + ${{ steps.build-metadata.outputs.latest-release }} deploy: >- ${{ steps.build-metadata.outputs.deploy }} target-whitelist: >- 
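Review bot: In `.github/build-meta.sh`, `RELEASE_DEPLOYMENT_TAG_RE="^[2-9].[0-9].[0-9]"` leaves the dots unescaped and has no end anchor, so the `elif` added in the following hunk accepts any pushed tag whose first five characters merely look version-like (a constructed example: `2x0y0-test`) and builds it with the autoupdater enabled on `stable`. Escaping the separators, `RELEASE_DEPLOYMENT_TAG_RE="^[2-9]\.[0-9]\.[0-9]"`, removes the accidental matches. If deployment tags follow a fixed suffix convention, anchoring that suffix with `$` would narrow it further. The neighbouring tag regexes visible as context share the unescaped dots, and the `if`/`elif` chain that consumes the regex starts and ends outside the hunks shown.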
@@ -514,5 +516,6 @@ jobs: uses: softprops/action-gh-release@v2 with: body_path: gluon-gha-data/release-notes.md + make_latest: ${{ needs.build-meta.outputs.latest-release == '1' }} files: | gluon-gha-data/release-artifacts/* From ff562ba0a201cc226ad9adbbc614895642514a20 Mon Sep 17 00:00:00 2001 From: David Bauer Date: Fri, 9 Aug 2024 12:46:36 +0000 Subject: [PATCH 3/6] ci: provide means to override build-meta output (#95) Provide a way to override properties determined in the build-meta step. This allows to alter specific settings for a build if a special build for e.g. a automatic installation image is desired. Signed-off-by: David Bauer (cherry picked from commit 5ba8447c21d51c4c88df914fff32924f99d0aa0c) --- .github/build-meta.sh | 50 ++++++++++++++++++++---------- .github/overrides/build-meta/.keep | 0 .github/validate-overrides.sh | 28 +++++++++++++++++ .github/workflows/build.yml | 11 +++++++ 4 files changed, 72 insertions(+), 17 deletions(-) create mode 100644 .github/overrides/build-meta/.keep create mode 100644 .github/validate-overrides.sh diff --git a/.github/build-meta.sh b/.github/build-meta.sh index e859d61..f29e410 100644 --- a/.github/build-meta.sh +++ b/.github/build-meta.sh @@ -4,6 +4,22 @@ set -euxo pipefail SCRIPT_DIR="$(dirname "$0")" +OVERRIDES_DIR="$SCRIPT_DIR/overrides/build-meta" + +function set_output_value() { + local output_file="$1" + local name="$2" + local value="$3" + + # Check if override is defined + if [ -f "$OVERRIDES_DIR/$name" ]; then + value="$(cat "$OVERRIDES_DIR/$name")" + echo "::notice::Overriding $name with value \"$value\"" + fi + + echo "$name=$value" >> "$output_file" +} + # Get Git short hash for repo at $SCRIPT_DIR GIT_SHORT_HASH="$(git -C "$SCRIPT_DIR" rev-parse --short HEAD)" 
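Review bot: `set_output_value` in `.github/build-meta.sh` copies the override file's content into `name=value` without checking that it is a single line, so a multi-line override would add extra `key=value` lines to the file that is later appended to `$GITHUB_OUTPUT`, and the same text is echoed inside the `::notice::` workflow command. The single-line guarantee currently lives only in the separate `validate-overrides` job. Enforcing it where the value is consumed keeps the function safe on its own, for example `[[ "$value" != *$'\n'* ]] || { echo "::error::override $name spans multiple lines"; exit 1; }` right after the `cat`. A short header comment stating that a file in `$OVERRIDES_DIR` replaces the computed value for the output of the same name would also help the next reader.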
@@ -169,23 +185,23 @@ BUILD_META_OUTPUT="$BUILD_META_TMP_DIR/build-meta.txt" # shellcheck disable=SC2129 # Not the nicest way to do this, but it works. -echo "build-meta-output=$BUILD_META_TMP_DIR" >> "$BUILD_META_OUTPUT" -echo "container-version=$CONTAINER_VERSION" >> "$BUILD_META_OUTPUT" -echo "gluon-repository=$GLUON_REPOSITORY" >> "$BUILD_META_OUTPUT" -echo "gluon-commit=$GLUON_COMMIT" >> "$BUILD_META_OUTPUT" -echo "site-version=$SITE_VERSION" >> "$BUILD_META_OUTPUT" -echo "release-version=$RELEASE_VERSION" >> "$BUILD_META_OUTPUT" -echo "autoupdater-enabled=$AUTOUPDATER_ENABLED" >> "$BUILD_META_OUTPUT" -echo "autoupdater-branch=$AUTOUPDATER_BRANCH" >> "$BUILD_META_OUTPUT" -echo "broken=$BROKEN" >> "$BUILD_META_OUTPUT" -echo "manifest-stable=$MANIFEST_STABLE" >> "$BUILD_META_OUTPUT" -echo "manifest-beta=$MANIFEST_BETA" >> "$BUILD_META_OUTPUT" -echo "manifest-testing=$MANIFEST_TESTING" >> "$BUILD_META_OUTPUT" -echo "sign-manifest=$SIGN_MANIFEST" >> "$BUILD_META_OUTPUT" -echo "deploy=$DEPLOY" >> "$BUILD_META_OUTPUT" -echo "create-release=$CREATE_RELEASE" >> "$BUILD_META_OUTPUT" -echo "latest-release=$LATEST_RELEASE" >> "$BUILD_META_OUTPUT" -echo "target-whitelist=$TARGET_WHITELIST" >> "$BUILD_META_OUTPUT" +set_output_value "$BUILD_META_OUTPUT" "build-meta-output" "$BUILD_META_TMP_DIR" +set_output_value "$BUILD_META_OUTPUT" "container-version" "$CONTAINER_VERSION" +set_output_value "$BUILD_META_OUTPUT" "gluon-repository" "$GLUON_REPOSITORY" +set_output_value "$BUILD_META_OUTPUT" "gluon-commit" "$GLUON_COMMIT" +set_output_value "$BUILD_META_OUTPUT" "site-version" "$SITE_VERSION" +set_output_value "$BUILD_META_OUTPUT" "release-version" "$RELEASE_VERSION" +set_output_value "$BUILD_META_OUTPUT" "autoupdater-enabled" "$AUTOUPDATER_ENABLED" +set_output_value "$BUILD_META_OUTPUT" "autoupdater-branch" "$AUTOUPDATER_BRANCH" +set_output_value "$BUILD_META_OUTPUT" "broken" "$BROKEN" +set_output_value "$BUILD_META_OUTPUT" "manifest-stable" "$MANIFEST_STABLE" +set_output_value 
"$BUILD_META_OUTPUT" "manifest-beta" "$MANIFEST_BETA" +set_output_value "$BUILD_META_OUTPUT" "manifest-testing" "$MANIFEST_TESTING" +set_output_value "$BUILD_META_OUTPUT" "sign-manifest" "$SIGN_MANIFEST" +set_output_value "$BUILD_META_OUTPUT" "deploy" "$DEPLOY" +set_output_value "$BUILD_META_OUTPUT" "create-release" "$CREATE_RELEASE" +set_output_value "$BUILD_META_OUTPUT" "latest-release" "$LATEST_RELEASE" +set_output_value "$BUILD_META_OUTPUT" "target-whitelist" "$TARGET_WHITELIST" # Copy over to GITHUB_OUTPUT cat "$BUILD_META_OUTPUT" >> "$GITHUB_OUTPUT" diff --git a/.github/overrides/build-meta/.keep b/.github/overrides/build-meta/.keep new file mode 100644 index 0000000..e69de29 diff --git a/.github/validate-overrides.sh b/.github/validate-overrides.sh new file mode 100644 index 0000000..afd02da --- /dev/null +++ b/.github/validate-overrides.sh @@ -0,0 +1,28 @@ +#!/bin/bash + +# Validate no files in .github/overrides/build-meta contain newlines + +set -euo pipefail + +SCRIPT_DIR="$(dirname "$0")" + +OVERRIDES_DIR="$SCRIPT_DIR/overrides/build-meta" + +FILES_WITH_TWO_LINES="" + +# Find all files which contain at lest two lines +while IFS= read -r -d '' file +do + if [ "$(wc -l < "$file")" -gt 1 ]; then + FILES_WITH_TWO_LINES="$FILES_WITH_TWO_LINES $file" + fi +done < <(find "$OVERRIDES_DIR" -type f -print0) + +# Check for newlines in overrides +if [ -n "$FILES_WITH_TWO_LINES" ]; then + echo "The following files contain newlines:" + echo "$FILES_WITH_TWO_LINES" + exit 1 +fi + +exit 0 diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 85fc7cf..19f65a6 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -18,7 +18,18 @@ on: required: false jobs: + validate-overrides: + runs-on: ubuntu-22.04 + name: Validate CI overrides + steps: + - name: Checkout repository + uses: actions/checkout@v4 + - name: Validate overrides + run: | + bash .github/validate-overrides.sh + build-meta: + needs: validate-overrides outputs: container-version: >- ${{ steps.build-metadata.outputs.container-version }} From e58cad18cf68b71f29ec385425e6f7b141b8be63 Mon Sep 17 00:00:00 2001 From: David Bauer Date: Fri, 9 Aug 2024 12:07:15 +0200 Subject: [PATCH 4/6] ci: print warning when signing should happen in fork Currently the CI pipeline fails when the image is built in a fork with a tag that matches a release that should be signed. This is due to the signing keys missing in the fork. This might break cases where a sign in a fork is desired, however we do not support this and probably also don't want this. If other people desire to use the script, they can exchange UPSTREAM_REPO_NAME with their own GitHub repo name. Inform the user if this happens with a warning message. Signed-off-by: David Bauer (cherry picked from commit b334be45338ea18e0e6e026c65397c8d332c2ab4) --- .github/build-meta.sh | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/.github/build-meta.sh b/.github/build-meta.sh index f29e410..e41ab98 100644 --- a/.github/build-meta.sh +++ b/.github/build-meta.sh @@ -3,6 +3,7 @@ set -euxo pipefail SCRIPT_DIR="$(dirname "$0")" +UPSTREAM_REPO_NAME="freifunk-darmstadt/site-ffda" OVERRIDES_DIR="$SCRIPT_DIR/overrides/build-meta" 
@@ -175,6 +176,14 @@ if [ "$GITHUB_EVENT_NAME" = "pull_request" ]; then SIGN_MANIFEST="0" fi +# Signing should only happen when pushed to the upstream repository. +# Skip this step for the pipeline to succeed but inform the user. +if [ "$GITHUB_REPOSITORY" != "$UPSTREAM_REPO_NAME" ] && [ "$SIGN_MANIFEST" != "0" ]; then + SIGN_MANIFEST="0" + + echo "::warning::Skip manifest signature due to action running in fork." +fi + # Determine Version to use RELEASE_VERSION="${RELEASE_VERSION:-$DEFAULT_RELEASE_VERSION}" From e0e00a8f11f18690149d049fca9949d132f63f3e Mon Sep 17 00:00:00 2001 From: David Bauer Date: Fri, 9 Aug 2024 12:34:50 +0200 Subject: [PATCH 5/6] ci: skip deployment in forks Even when the tag matches a release, we should never deploy in a fork. Signed-off-by: David Bauer (cherry picked from commit 08a00c21f355b2c52525f71b4586de60d344d8c5) --- .github/build-meta.sh | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/.github/build-meta.sh b/.github/build-meta.sh index e41ab98..bc08ee9 100644 --- a/.github/build-meta.sh +++ b/.github/build-meta.sh @@ -184,6 +184,13 @@ if [ "$GITHUB_REPOSITORY" != "$UPSTREAM_REPO_NAME" ] && [ "$SIGN_MANIFEST" != "0 echo "::warning::Skip manifest signature due to action running in fork." fi +# We should neither deploy in a fork, as the workflow is hard-coding out firmware-server +if [ "$GITHUB_REPOSITORY" != "$UPSTREAM_REPO_NAME" ] && [ "$DEPLOY" != "0" ]; then + DEPLOY="0" + + echo "::warning::Skip deployment due to action running in fork." +fi + # Determine Version to use RELEASE_VERSION="${RELEASE_VERSION:-$DEFAULT_RELEASE_VERSION}" From 33e9bf427974529f24169acca8bc319f8db26aa5 Mon Sep 17 00:00:00 2001 From: David Bauer Date: Sat, 10 Aug 2024 14:51:36 +0000 Subject: [PATCH 6/6] contrib: create annotated tags (#97) This makes the tag-based refs work again. Closes #11 
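Review bot: The two fork guards added to `.github/build-meta.sh` (the `SIGN_MANIFEST` check here and the `DEPLOY` check in the next patch) run before the values are written, while `set_output_value` applies files from `.github/overrides/build-meta` at write time, so an override named `sign-manifest` or `deploy` would appear to win over the guard. If the guards are meant to be final outside `$UPSTREAM_REPO_NAME`, `set_output_value` should skip overrides for those two names in a fork. If overriding is intended, say so next to the guard, e.g. `# Overrides in .github/overrides/build-meta are applied later and take precedence over this guard.` The ordering is inferred from the hunk positions, since the code between the guards and the output section is outside the hunks.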
Signed-off-by: David Bauer (cherry picked from commit 9fdcb5f3c69aa1ad330f959ce81a928bab8d3d62) --- contrib/create-release.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/contrib/create-release.sh b/contrib/create-release.sh index aae4097..d0512e7 100755 --- a/contrib/create-release.sh +++ b/contrib/create-release.sh @@ -53,7 +53,7 @@ check_input_y "Proceed to tag firmware release for '$RELEASE_NAME' (Tag: '$TAG_N echo "Proceeding to tag firmware release with $RELEASE_NAME" -git tag "$TAG_NAME" +git tag -a -m "$TAG_NAME" "$TAG_NAME" echo "Tag was created" echo "Push with 'git push origin $TAG_NAME'"
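Review bot: `git tag -a -m "$TAG_NAME" "$TAG_NAME"` in `contrib/create-release.sh` creates an unsigned annotated tag, while pushed tags matching the release pattern are what switch on manifest signing and deployment in `.github/build-meta.sh`. If maintainers have signing keys configured, `git tag -s -m "$TAG_NAME" "$TAG_NAME"` would let the tagger be verified with `git tag -v`. A one-line comment above the command noting that the tag must be annotated for the tag-based refs to resolve would also preserve the reason given in the commit message. How `$TAG_NAME` is derived is outside the hunk.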