Merge pull request #3143 from lucasmlp/release-v2.7

Automation improvements to release-v2.7 branch

.github/workflows/pull-request.yaml

@@ -1,17 +1,23 @@
 name: CI-pullrequest
 
 on:
-  pull_request:
+  pull_request_target:
     branches:
       - dev-v*
       - release-v*
 
 jobs:
   build:
+    name: Build
     runs-on: ubuntu-latest
-
     steps:
-      - uses: actions/checkout@v2
+      - name: Checkout base branch
+        uses: actions/checkout@v3
+
+      - name: Checkout PR
+        run: gh pr checkout ${{ github.event.pull_request.number }}
+        env:
+            GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Checkout into branch
         run: git checkout -b staging-pr-workflow
@@ -28,12 +34,36 @@ jobs:
       - name: Run Hull tests
         run: cd tests && go test -v ./...
 
+  check-images:
+    name: Check Container Images
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout base branch
+        uses: actions/checkout@v3
+
+      - name: Checkout PR
+        run: gh pr checkout ${{ github.event.pull_request.number }}
+        env:
+            GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
       - name: Check container images 
         run: make check-images
         env:
           DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
           DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
 
+  check-rc:
+    name: Check RC Images and Charts
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout base branch
+        uses: actions/checkout@v3
+
+      - name: Checkout PR
+        run: gh pr checkout ${{ github.event.pull_request.number }}
+        env:
+            GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
       - name: Check RC images and charts
         run: make check-rc
-        if: startsWith(github.ref, 'refs/heads/upstream/release-v')
+        if: startsWith(github.ref, 'refs/heads/release-v')

.github/workflows/regsync-config.yaml

@@ -5,36 +5,75 @@
 name: Generate-Regsync-Config
 
 on:
-  pull_request_review:
-    types: [submitted, edited]
+  pull_request_target:
+    types:
+      - labeled
 
 jobs:
+  onLabelAndApproval:
+    if: github.event.label.name == 'regsync-ready' && startsWith(github.event.pull_request.base.ref, 'release-v')
+    runs-on: ubuntu-latest
+    outputs:
+      is_approved: ${{ steps.check-approval.outputs.approved }}
+    steps:
+      - name: Check if PR is approved
+        id: check-approval
+        run: |
+          IS_APPROVED=$(gh api repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/reviews --jq '[.[] | select(.state == "APPROVED")] | length')
+          if [[ "$IS_APPROVED" -gt 0 ]]; then
+            echo "::set-output name=approved::true"
+          else
+            echo "::set-output name=approved::false"
+          fi
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
   build:
-    if: github.event.review.state == 'approved' && github.event.pull_request.base.ref == 'release-v2.7'
+    needs: onLabelAndApproval
+    if: needs.onLabelAndApproval.outputs.is_approved == 'true'
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - name: Checkout 
+        uses: actions/checkout@v3
+        with:
+          token: ${{ secrets.PUSH_TOKEN }} 
+
+      - name: Set-up Ruby 3.2
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: '3.2' # Not needed with a .ruby-version file
 
       # Need to remove export version once rancher/charts gets the latest version 
-      # of charts-build-script binary.   
+      # of charts-build-script binary.
+      # Test removal of regsync.yaml, commit and push before regenerating it
       - name: Generate RegSync
         run: |
+          echo ${{ secrets.PUSH_TOKEN }} | gh auth login --with-token
+          gh pr checkout ${{ github.event.pull_request.number }}
+          git config --global user.email "${{ secrets.USER_GITHUB }}"
+          git config --global user.name "rancherbot"
           export CHARTS_BUILD_SCRIPT_VERSION=v0.4.2 
           make pull-scripts
           make regsync
-   
+
+      - name: Commit files
+        run: |
+            git add regsync.yaml
+            git commit -m "Updating resync.yaml"
+            git branch
+            git push
+
       - name: Install Regsync
         run: |
           curl --silent --fail --location --output regsync https://github.com/regclient/regclient/releases/download/v0.5.1/regsync-linux-amd64
           chmod +x regsync
 
       - name: Sync Images to Registry
-          # time ./regsync once --config regsync.yaml
         run: |
           head regsync.yaml
           ruby ./regsync-split.rb
-          time find regsync -type f -name regsync.yaml -print -exec time regsync once --config '{}' ';'
+          time find regsync -type f -name split-regsync.yaml -print -exec time regsync once --config '{}' ';'
         env:
           REGISTRY_ENDPOINT: ${{ secrets.REGISTRY_ENDPOINT }}
           REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
-          REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
+          REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}

.github/workflows/validation-check.yaml

@@ -0,0 +1,50 @@
+name: Validation Check
+
+on:
+  pull_request_review:
+    types: [submitted]
+
+jobs:
+  check-reaction:
+    name: Check for positive reaction on bot's latest validation comment
+    if: startsWith(github.event.pull_request.base.ref, 'dev-v') || startsWith(github.event.pull_request.base.ref, 'release-v')
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check for positive reaction on bot's latest validation comment
+        uses: actions/github-script@v4
+        with:
+          github-token: ${{secrets.GITHUB_TOKEN}}
+          script: |
+            // Get comments on the PR
+            const comments = await github.issues.listComments({
+              issue_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo
+            });
+
+            // Sort comments based on their creation datetime in descending order
+            const sortedComments = comments.data.sort((a, b) => new Date(b.created_at) - new Date(a.created_at));
+
+            // Find the latest validation comment by github-actions[bot]
+            const latestValidationComment = sortedComments.find(comment => comment.user.login === 'github-actions[bot]' && comment.body.startsWith("## Validation steps"));
+
+            if (latestValidationComment) {
+              const reactions = await github.reactions.listForIssueComment({
+                comment_id: latestValidationComment.id,
+                owner: context.repo.owner,
+                repo: context.repo.repo
+              });
+
+              // Check if there's a thumbs-up reaction on the bot's validation comment
+              const thumbsUpReaction = reactions.data.some(reaction => reaction.content === '+1');
+
+              if (thumbsUpReaction) {
+                console.log("The validation comment by github-actions[bot] has the required thumbs-up reaction.");
+              } else {
+                const createdAt = new Date(latestValidationComment.created_at).toLocaleString('en-US', { timeZoneName: 'short' });
+                console.error("Failed Check - Comment Created At:", createdAt);
+                core.setFailed("The latest validation comment by github-actions[bot] does not have the required thumbs-up reaction!");
+              }
+            } else {
+              core.setFailed("No validation comments by github-actions[bot] found.");
+            }

.github/workflows/validation-comment.yaml

@@ -0,0 +1,35 @@
+name: Validation Comment
+
+on:
+  pull_request_target:
+    branches:
+      - dev-v*
+      - release-v*
+
+jobs:
+  validation-comment:
+    name: Make validation comment on PR
+    runs-on: ubuntu-latest
+    permissions: write-all
+    steps:
+      - name: Make validation comment
+        uses: actions/github-script@v4
+        with:
+          github-token: ${{secrets.GITHUB_TOKEN}}
+          script: |
+            github.issues.createComment({
+              issue_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              body:
+              `## Validation steps
+              - Ensure all container images have repository and tag on the same level to ensure that all container images are included in rancher-images.txt which are used by airgap customers.
+              <pre>
+              Ex:- 
+                longhorn-controller:
+                  repository: rancher/hardened-sriov-cni
+                  tag: v2.6.3-build20230913
+              </pre>
+              - Add a 👍 (thumbs up) reaction to this comment once done. CI won't pass without this reaction to the github-action bot's latest validation comment.
+              - Approve the PR to run the CI check.`
+            })

regsync-split.rb

@@ -1,24 +1,24 @@
 #! /usr/bin/env ruby
-​
+
 require "json"
 require "pathname"
 require "yaml"
-​
+
 pwd = Pathname(Dir.pwd)
-​
+
 regsync = YAML.load((pwd + "regsync.yaml").read)
-​
+
 regsync["sync"].sum do |sync|
   sync["tags"]["allow"].count
 end.then do |sum|
   puts "total tags to consider: #{sum}"
 end
-​
+
 regsync["sync"].each do |sync|
   regsync.merge("sync" => [sync]).then do |regsync|
-    (pwd + "regsync" + sync["source"]).then do |dir|
+    (pwd + "split-regsync" + sync["source"]).then do |dir|
       dir.mkpath
-      (dir + "regsync.yaml").write(YAML.dump(regsync))
+      (dir + "split-regsync.yaml").write(YAML.dump(regsync))
     end
   end
 end

scripts/version

@@ -2,4 +2,4 @@
 set -e
 
 CHARTS_BUILD_SCRIPTS_REPO=https://github.com/rancher/charts-build-scripts.git
-CHARTS_BUILD_SCRIPT_VERSION="${CHARTS_BUILD_SCRIPT_VERSION:-v0.5.0}"
+CHARTS_BUILD_SCRIPT_VERSION="${CHARTS_BUILD_SCRIPT_VERSION:-v0.5.2}"