Merge pull request #221 from vshn/add/ci_improvements

Improve CI Pipeline on PRs

.cruft.json

@@ -0,0 +1,20 @@
+{
+  "template": "https://github.com/vshn/appcat-cookiecutter",
+  "commit": "128d270ba199a581122ff74c2f82b8e3019490f0",
+  "checkout": null,
+  "context": {
+    "cookiecutter": {
+      "app_name": "appcat",
+      "component_repo": "vshn/component-appcat",
+      "push_upbound": false,
+      "push_package": true,
+      "push_image": true,
+      "_copy_without_render": [
+        ".github/workflows/cruft-update.yml",
+        ".github/changelog-configuration.json"
+      ],
+      "_template": "https://github.com/vshn/appcat-cookiecutter"
+    }
+  },
+  "directory": null
+}

.github/changelog-configuration.json

@@ -4,25 +4,19 @@
     {
       "title": "## 🚀 Features",
       "labels": [
-        "enhancement"
-      ]
-    },
-    {
-      "title": "## 🛠️ Minor Changes",
-      "labels": [
-        "change"
+        "minor"
       ]
     },
     {
       "title": "## 🔎 Breaking Changes",
       "labels": [
-        "breaking"
+        "major"
       ]
     },
     {
       "title": "## 🐛 Fixes",
       "labels": [
-        "bug"
+        "patch"
       ]
     },
     {

.github/workflows/cruft-update.yml

@@ -0,0 +1,79 @@
+# /.github/workflows/cruft-update.yml
+name: Update repository with Cruft
+permissions:
+  contents: write
+  pull-requests: write
+  actions: write
+on:
+  schedule:
+    - cron: "0 * * * *" # Once per hour
+  workflow_dispatch: {}
+
+jobs:
+  update:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: true
+      matrix:
+        include:
+          - add-paths: .
+            body: Use this to merge the changes to this repository.
+            branch: cruft/update
+            commit-message: "chore: accept new Cruft update"
+            title: New updates detected with Cruft
+          - add-paths: .cruft.json
+            body: Use this to reject the changes in this repository.
+            branch: cruft/reject
+            commit-message: "chore: reject new Cruft update"
+            title: Reject new updates detected with Cruft
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          token: ${{ secrets.COMPONENT_ACCESS_TOKEN }}
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.10"
+
+      - name: Install Cruft
+        run: pip3 install cruft
+
+      - name: Check if update is available
+        continue-on-error: false
+        id: check
+        run: |
+          CHANGES=0
+          if [ -f .cruft.json ]; then
+            if ! cruft check; then
+              CHANGES=1
+            fi
+          else
+            echo "No .cruft.json file"
+          fi
+
+          echo "has_changes=$CHANGES" >> "$GITHUB_OUTPUT"
+
+      - name: Run update if available
+        if: steps.check.outputs.has_changes == '1'
+        run: |
+          git config --global user.email "githubbot@vshn.ch"
+          git config --global user.name "GitHubBot"
+
+          cruft update --skip-apply-ask --refresh-private-variables
+          git restore --staged .
+
+      - name: Create pull request
+        if: steps.check.outputs.has_changes == '1'
+        uses: peter-evans/create-pull-request@v6
+        with:
+          token: ${{ secrets.COMPONENT_ACCESS_TOKEN }}
+          add-paths: ${{ matrix.add-paths }}
+          commit-message: ${{ matrix.commit-message }}
+          branch: ${{ matrix.branch }}
+          delete-branch: true
+          title: ${{ matrix.title }}
+          labels: dependency
+          body: |
+            This is an autogenerated PR. ${{ matrix.body }}
+
+            [Cruft](https://cruft.github.io/cruft/) has detected updates from the Cookiecutter repository.

.github/workflows/pr.yml

@@ -0,0 +1,217 @@
+name: PR Automation
+
+on:
+  pull_request: {}
+  pull_request_target:
+    types:
+      - closed
+    branches:
+      - master
+
+env:
+  APP_NAME: appcat
+  COMPONENT_REPO: vshn/component-appcat
+  PUSH_UPBOUND: "False"
+  PUSH_PACKAGE: "True"
+  PUSH_IMAGE: "True"
+
+jobs:
+  check-labels:
+    # Act doesn't set a pull request number by default, so we skip if it's 0
+    if: github.event.pull_request.number != 0
+    name: Check labels
+    runs-on: ubuntu-latest
+    steps:
+      - uses: docker://agilepathway/pull-request-label-checker:v1.6.51
+        with:
+          one_of: major,minor,patch,documentation,dependency
+          repo_token: ${{ secrets.GITHUB_TOKEN }}
+  publish-branch-images:
+    if: github.event.action != 'closed'
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Determine Go version from go.mod
+        run: echo "GO_VERSION=$(grep "go 1." go.mod | cut -d " " -f 2)" >> $GITHUB_ENV
+
+      - uses: actions/setup-go@v5
+        with:
+          go-version: ${{ env.GO_VERSION }}
+
+      - uses: actions/cache@v4
+        with:
+          path: ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+
+      - name: Extract escaped branch name
+        shell: bash
+        run: echo "branch=$(echo ${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}} | sed 's/\//_/g' )" >> $GITHUB_OUTPUT
+        id: extract_branch
+
+      - name: Login to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build branch and push image
+        if: env.PUSH_IMAGE == 'true'
+        run: make docker-push-branchtag -e IMG_TAG="${{ steps.extract_branch.outputs.branch }}"
+
+      - name: Build branch and push package
+        if: env.PUSH_PACKAGE == 'True'
+        run: make package-push-branchtag -e IMG_TAG="${{ steps.extract_branch.outputs.branch }}"
+
+      - name: Login to Upbound
+        if: env.PUSH_UPBOUND == 'true'
+        uses: docker/login-action@v3
+        with:
+          registry: xpkg.upbound.io
+          username: ${{ secrets.UPBOUND_MARKETPLACE_PUSH_ROBOT_USR }}
+          password: ${{ secrets.UPBOUND_MARKETPLACE_PUSH_ROBOT_PSW }}
+
+      - name: Build branch and push package to upbound
+        if: env.PUSH_UPBOUND == 'true' && env.PUSH_PACKAGE == 'true'
+        run: make package-push-branchtag -e IMG_TAG="${{ steps.extract_branch.outputs.branch }}" -e IMG_REPO=xpkg.upbound.io
+
+  open-pr-component:
+    if: github.event.action == 'opened'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          repository: ${{ env.COMPONENT_REPO }}
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract branch name
+        shell: bash
+        run: echo "branch=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}" >> $GITHUB_OUTPUT
+        id: extract_branch
+
+      - name: Update defaults.yml and create branch
+        run: |
+          yq e '.parameters.appcat.images.${{ env.APP_NAME }}.tag="${{ steps.extract_branch.outputs.branch }}"' class/defaults.yml | diff -B class/defaults.yml - | patch class/defaults.yml - || true
+
+          git --no-pager diff
+
+      - name: Generate new golden
+        # Act uses the host's docker to run containers, but then
+        # they can't access the files that were previously cloned.
+        if: github.event.pull_request.number != 0
+        run: |
+          make gen-golden-all
+
+      - name: Create Pull Request
+        uses: peter-evans/create-pull-request@v6
+        with:
+          token: ${{ secrets.COMPONENT_ACCESS_TOKEN }}
+          title: 'PR for ${{ env.APP_NAME }} on ${{ steps.extract_branch.outputs.branch }}'
+          body: "${{ github.event.pull_request.body}}\nLink: ${{ github.event.pull_request.html_url }}"
+          branch: "${{ env.APP_NAME }}/${{ github.event.pull_request.number }}/${{ steps.extract_branch.outputs.branch }}"
+          base: master
+          draft: false
+  create-release:
+    if: github.event.pull_request.merged
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check for patch label
+        if: contains(github.event.pull_request.labels.*.name, 'patch') || contains(github.event.pull_request.labels.*.name, 'dependency') || contains(github.event.pull_request.labels.*.name, 'documentation')
+        id: patch
+        run: |
+          echo "set=true" >> $GITHUB_OUTPUT
+      - name: Check for minor label
+        if: contains(github.event.pull_request.labels.*.name, 'minor')
+        id: minor
+        run: |
+          echo "set=true" >> $GITHUB_OUTPUT
+      - name: Check for major label
+        if: contains(github.event.pull_request.labels.*.name, 'major')
+        id: major
+        run: |
+          echo "set=true" >> $GITHUB_OUTPUT
+
+      - uses: actions/checkout@v4
+        with:
+          # Make sure we use the right commit to tag
+          ref: ${{ github.event.pull_request.merge_commit_sha }}
+          # We also need to use the personal access token here. As subsequent
+          # actions will not trigger by tags/pushes that use `GITHUB_TOKEN`
+          # https://github.com/orgs/community/discussions/25702#discussioncomment-3248819
+          token: ${{ secrets.COMPONENT_ACCESS_TOKEN }}
+          # This is broken in checkout@v4...
+          # https://github.com/actions/checkout/issues/1781
+          fetch-tags: true
+
+      - name: fetch tags
+        run: |
+          git fetch --tags
+          echo "latest tag: $(git describe --tags "$(git rev-list --tags --max-count=1)")"
+          echo "TAG_VERSION=$(git describe --tags "$(git rev-list --tags --max-count=1)")" >>  $GITHUB_ENV
+
+      - name: Extract branch name
+        shell: bash
+        run: echo "branch=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}" >> $GITHUB_OUTPUT
+        id: extract_branch
+
+      # We only run this if any of the release tags is set.
+      # For docs and deps we don't do automagic releases
+      - name: Increase Tag
+        id: tag
+        run: |
+          patch=${{ steps.patch.outputs.set }}
+          minor=${{ steps.minor.outputs.set }}
+          major=${{ steps.major.outputs.set }}
+
+          major_ver=$(echo '${{ env.TAG_VERSION }}' | cut -d "." -f1)
+          minor_ver=$(echo '${{ env.TAG_VERSION }}' | cut -d "." -f2)
+          patch_ver=$(echo '${{ env.TAG_VERSION }}' | cut -d "." -f3)
+
+          major_ver="${major_ver:1}"
+
+          # Check for patch label
+          [ ! -z "$patch" ] && [ -z "$minor" ] && [ -z "$major" ] && ((patch_ver++)) || true
+
+          # check for minor label
+          if [ ! -z "$minor" ] && [ -z "$major" ]; then
+            ((minor_ver++))
+            patch_ver=0
+          fi
+
+          # Check for major label
+          if [ ! -z "$major" ]; then
+            ((major_ver++))
+            minor_ver=0
+            patch_ver=0
+          fi
+
+          tag="v$major_ver.$minor_ver.$patch_ver"
+          echo "new tag $tag"
+          git tag $tag
+          git push --tags
+          echo tag=$tag >> $GITHUB_OUTPUT
+
+      - name: Checkout component
+        uses: actions/checkout@v4
+        with:
+          repository: ${{ env.COMPONENT_REPO }}
+          token: ${{ secrets.COMPONENT_ACCESS_TOKEN }}
+          ref: "${{ env.APP_NAME }}/${{ github.event.pull_request.number }}/${{ steps.extract_branch.outputs.branch }}"
+
+      - name: Update tag and run golden
+        run: |
+          yq e '.parameters.appcat.images.${{ env.APP_NAME }}.tag="${{ steps.tag.outputs.tag }}"' class/defaults.yml | diff -B class/defaults.yml - | patch class/defaults.yml - || true
+          make gen-golden-all
+
+      - name: Commit & Push changes
+        uses: actions-js/push@master
+        with:
+          github_token: ${{ secrets.COMPONENT_ACCESS_TOKEN }}
+          branch: "${{ env.APP_NAME }}/${{ github.event.pull_request.number }}/${{ steps.extract_branch.outputs.branch }}"
+          message: "Update tag"
+          repository: ${{ env.COMPONENT_REPO }}
+