-
Notifications
You must be signed in to change notification settings - Fork 4
245 lines (231 loc) · 12.1 KB
/
os-extension-automated-release.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
name: Automated OS Extension Release
on:
workflow_call:
inputs:
version:
description: 'Version to release (4.26.0, 4.26.1, etc.))'
required: true
type: string
repositories:
description: 'Comma separated list of repositories to release'
required: false
default: '["liquibase-bigquery","liquibase-cache","liquibase-cassandra","liquibase-cosmosdb","liquibase-db2i","liquibase-filechangelog","liquibase-nochangeloglock","liquibase-hanadb","liquibase-maxdb","liquibase-modify-column","liquibase-mssql","liquibase-oracle","liquibase-postgresql","liquibase-redshift","liquibase-sqlfire","liquibase-teradata","liquibase-vertica","liquibase-yugabytedb","liquibase-hibernate","liquibase-parent-pom"]'
type: string
jobs:
check-security-vulnerabilities:
# 1. Parse the input repositories into an array.
# 2. Initialize a flag to track if there are security vulnerabilities.
# 3. Check for open Dependabot security alerts.
# 4. Print the status of security vulnerabilities for each repository.
# 5. Set the flag if security vulnerabilities are found in any repository.
# 6. If security vulnerabilities are found in any repository, print an error message and exit with an error code.
runs-on: ubuntu-latest
name: Check Security Vulnerabilities
strategy:
fail-fast: false # Continue running jobs even if one fails
matrix:
repository: ${{ fromJson(inputs.repositories) }}
steps:
- name: Security
run: |
security_fail=false
echo "Checking repository: ${{ matrix.repository }}"
security_url="https://api.github.com/repos/liquibase/${{ matrix.repository }}/dependabot/alerts?state=open"
response=$(curl -s -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" -H "Authorization: Bearer ${{ secrets.BOT_TOKEN }}" $security_url | jq length)
echo "Open Alerts: $response"
if [[ $response == "0" ]]; then
echo "Security vulnerabilities for ${{ matrix.repository }} are addressed."
else
echo "Security vulnerabilities for ${{ matrix.repository }} are not addressed."
security_fail=true
fi
if [[ $security_fail == true ]]; then
echo "Security vulnerabilities are not addressed for ${{ matrix.repository }}"
exit 1
fi
run-extensions-dependabot:
needs: check-security-vulnerabilities
runs-on: ubuntu-latest
name: Dependabot
strategy:
matrix:
repository: ${{ fromJson(inputs.repositories) }}
steps:
- name: Install Dependabot CLI
run: |
#https://github.com/dependabot/cli
wget https://github.com/dependabot/cli/releases/download/v1.39.0/dependabot-v1.39.0-linux-amd64.tar.gz
tar xvzf dependabot-v1.39.0-linux-amd64.tar.gz
sudo mv dependabot /usr/local/bin/
- name: Run dependabot on extension
run: |
echo "Running Dependabot on repository: ${{ matrix.repository }}"
dependabot update maven "liquibase/${{ matrix.repository }}"
update-pom:
needs: check-security-vulnerabilities
runs-on: ubuntu-latest
name: Update pom.xml
strategy:
matrix:
repository: ${{ fromJson(inputs.repositories) }}
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
repository: "liquibase/${{ matrix.repository }}"
token: ${{ secrets.BOT_TOKEN }}
- name: Set up Git
run: |
git config --unset-all http.https://github.com/.extraheader
git config --local user.email "64099989+liquibot@users.noreply.github.com"
git config --local user.name "liquibot"
# look for dependencies in maven
- name: maven-settings-xml-action
uses: whelk-io/maven-settings-xml-action@v22
with:
repositories: |
[
{
"id": "liquibase",
"url": "https://maven.pkg.github.com/liquibase/liquibase",
"releases": {
"enabled": "true"
},
"snapshots": {
"enabled": "true",
"updatePolicy": "always"
}
},
{
"id": "liquibase-pro",
"url": "https://maven.pkg.github.com/liquibase/liquibase-pro",
"releases": {
"enabled": "true"
},
"snapshots": {
"enabled": "true",
"updatePolicy": "always"
}
}
]
servers: |
[
{
"id": "liquibase-pro",
"username": "liquibot",
"password": "${{ secrets.LIQUIBOT_PAT }}"
},
{
"id": "liquibase",
"username": "liquibot",
"password": "${{ secrets.LIQUIBOT_PAT }}"
}
]
- name: Update extension version to next SNAPSHOT
if: ${{ matrix.repository != 'liquibase-parent-pom' }}
run: mvn versions:set -DnewVersion=${{ inputs.version }}-SNAPSHOT
- name: Update pom.xml
env:
GH_TOKEN: ${{ secrets.BOT_TOKEN }}
run: |
sed -i "s/<liquibase.version>.*<\/liquibase.version>/<liquibase.version>${{ inputs.version }}<\/liquibase.version>/" pom.xml
git add pom.xml
# Check if there are changes before committing
if git diff-index --quiet HEAD --; then
echo "No changes to commit."
else
git commit -m "Update liquibase.version to ${{ inputs.version }}"
git remote set-url origin https://liquibot:${{ secrets.BOT_TOKEN }}@github.com/liquibase/${{ matrix.repository }}.git
git push
fi
release-draft-releases:
# 1. Initialize a flag to track if the specified version is found.
# 2. If draft releases are found, check if they contain the specified version to release.
# 3. If the version is found publish it as the latest release.
# 4. Print relevant information about the process.
needs: update-pom
runs-on: ubuntu-latest
name: Release Draft
strategy:
matrix:
repository: ${{ fromJson(inputs.repositories) }}
steps:
- name: Check for Artifact in Draft Releases
run: |
sleep 180
published_drafts_file=published_drafts.txt
found=false
echo "Checking repository: ${{ matrix.repository }}"
assets=$(curl -s -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" -H "Authorization: Bearer ${{ secrets.BOT_TOKEN }}" "https://api.github.com/repos/liquibase/${{ matrix.repository }}/releases" | jq -r '.[] | select(.draft == true)' | jq -r '.assets[]')
echo "Assets: $assets"
# check if assests are empty
if [ -z "$assets" ]; then
echo "No assets found"
else
if echo "$assets" | jq -e '.name | contains("${{ inputs.version }}")' > /dev/null; then
found=true
echo "Found an asset containing '${{ inputs.version }}'"
else
echo "No asset containing '${{ inputs.version }}' found"
fi
if [ "$found" = true ] ; then
# Get the draft release ID
RELEASE_ID=$(curl -s -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" -H "Authorization: Bearer ${{ secrets.BOT_TOKEN }}" "https://api.github.com/repos/liquibase/${{ matrix.repository }}/releases" | jq -r '[.[] | select(.draft == true)] | sort_by(.created_at) | last | .id')
echo "Newest Draft release ID: $RELEASE_ID"
RELEASE_TITLE="v${{ inputs.version }}"
# Update the release title
# echo "Updating release title to $RELEASE_TITLE... for ${{ matrix.repository }}"
# curl -s -X PATCH -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" -H "Authorization: Bearer ${{ secrets.BOT_TOKEN }}" -d '{"name": "'"$RELEASE_TITLE"'"}' "https://api.github.com/repos/liquibase/${{ matrix.repository }}/releases/$RELEASE_ID"
# Publish the draft release as the latest release
echo "Publishing the draft release as the latest release to https://api.github.com/repos/liquibase/${{ matrix.repository }}/releases/$RELEASE_ID"
curl -s -X PATCH -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" -H "Authorization: Bearer ${{ secrets.BOT_TOKEN }}" -d '{"draft": false}' "https://api.github.com/repos/liquibase/${{ matrix.repository }}/releases/$RELEASE_ID"
echo "Draft release published as the latest release for ${{ matrix.repository }}"
echo "${{ matrix.repository }}: v${{ inputs.version }}" >> $published_drafts_file
else
echo "No artifact containing '${{ inputs.version }}' found in the last draft release."
fi
fi
create-and-close-nexus-stagging:
# 1. This job pauses the workflow for 60 seconds, allowing time for Sonatype Nexus stagging repos to be ready.
# 2. The job uses the Sonatype Nexus API to retrieve information about staging repositories.
# 3. It extracts the IDs of repositories containing the string "liquibase."
# 4. For each repository, it checks if it is an extension by examining its relative path.
# 5. If an extension is detected, the repository is closed using the Sonatype Nexus API.
# 6. A sleep of 120 seconds follows the closure before the final release step (commented out for safety).
needs: release-draft-releases
runs-on: ubuntu-latest
name: Nexus
steps:
- name: Wait for Sonatype Nexus
run: sleep 120
- name: Publish OSS Extensions
run: |
closed_nexus_repos_file=closed_nexus_repos.txt
api_output=$(curl -s -u "${{ secrets.SONATYPE_USERNAME }}:${{ secrets.SONATYPE_TOKEN }}" "https://oss.sonatype.org/service/local/staging/profile_repositories")
# Extract ids of repositories-item containing the string "liquibase"
repositories=$(echo "$api_output" | grep -B 8 "liquibase" | grep "<repositoryId>" | awk -F"<|>" '{print $3}')
echo "Repository IDs containing 'liquibase': $repositories"
# Loop through each repository and close it
for repo_id in $repositories; do
echo "Check if $repo_id repository is an extension"
api_output=$(curl -s -u "${{ secrets.SONATYPE_USERNAME }}:${{ secrets.SONATYPE_TOKEN }}" "https://oss.sonatype.org/service/local/repositories/$repo_id/content/org/liquibase/")
relative_path=$(echo "$api_output" | grep -oP '<relativePath>\K[^<]+' | awk 'NR==1')
echo "Relative path: $relative_path"
if [[ "$relative_path" == *"/org/liquibase/ext/"* ]]; then
echo "Relative path contains '/org/liquibase/ext/'. It is an extension."
curl -s -u "${{ secrets.SONATYPE_USERNAME }}:${{ secrets.SONATYPE_TOKEN }}" -H "Accept: application/json" -H "Content-Type: application/json" -d '{"data":{"stagedRepositoryIds":["'"$repo_id"'"],"description":"Closing '"$repo_id"'."}}' https://oss.sonatype.org/service/local/staging/bulk/close
api_output=$(curl -s -u "${{ secrets.SONATYPE_USERNAME }}:${{ secrets.SONATYPE_TOKEN }}" "https://oss.sonatype.org/service/local/repositories/$repo_id/content/org/liquibase/ext/")
relative_path=$(echo "$api_output" | grep -oP '<relativePath>\K[^<]+' | awk 'NR==1')
echo "Closed repository: $repo_id - $relative_path" >> $closed_nexus_repos_file
#sleep 120
#curl -s -u "${{ secrets.SONATYPE_USERNAME }}:${{ secrets.SONATYPE_TOKEN }}" -H "Accept: application/json" -H "Content-Type: application/json" -d '{"data":{"stagedRepositoryIds":["'"$repo_id"'"],"description":"Releasing '"$repo_id"'."}}' https://oss.sonatype.org/service/local/staging/bulk/promote
#echo "Released repository: $repo_id"
else
echo "Relative path does not contain '/org/liquibase/ext/'. It is not an extension."
fi
done
- name: Archive closed_nexus_repos.txt
uses: actions/upload-artifact@v4
with:
name: closed_nexus_repos
path: closed_nexus_repos.txt