diff --git a/.github/workflows/README.md b/.github/workflows/README.md index d6d0fef9c..7b0e28aba 100644 --- a/.github/workflows/README.md +++ b/.github/workflows/README.md @@ -26,8 +26,6 @@ - on pull_request update - from `/check` comment -## Tag - ## Version ## Release (`release.yml`) diff --git a/.github/workflows/command-merge.yml b/.github/workflows/command-merge.yml new file mode 100644 index 000000000..5e7744c0a --- /dev/null +++ b/.github/workflows/command-merge.yml 
@@ -0,0 +1,96 @@
+name: command merge
+
+on:
+ repository_dispatch:
+ types: [merge-command]
+
+permissions:
+ contents: write
+ pull-requests: write
+
+jobs:
+ merge:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout target branch
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+ ref: refs/heads/${{ github.event.client_payload.pull_request.head.ref }}
+ token: ${{ secrets.REPOSITORY_WRITE_PAT }}
+
+ - name: Fail if not on release branch
+ if: (!startsWith(github.event.client_payload.pull_request.head.ref, 'release/v'))
+ run: |
+ echo "This command can only be run on release/v* branches."
+ exit 1
+
+ - name: Configure git for PAT
+ run: |
+ git config user.name "ReleaseBot"
+ git config user.email "dev-portal-poscreator@fiskaltrust.de"
+ git remote set-url origin https://x-access-token:${{ secrets.REPOSITORY_WRITE_PAT }}@github.com/${{ github.repository }}.git
+
+ - name: Fetch main branch version.json
+ run: |
+ git fetch origin main
+ git checkout origin/main -- version.json
+
+ - name: Commit version.json from main
+ run: |
+ git add version.json
+ if git diff-index --quiet HEAD -- version.json; then
+ echo "No changes to commit"
+ else
+ git commit -m "Update version.json from main before merge"
+ fi
+ git push origin HEAD
+
+ - name: Check PR status checks
+ run: |
+ gh auth login --with-token <<< "${{ secrets.REPOSITORY_WRITE_PAT }}"
+
+ # Verify all checks passed
+ STATUS=$(gh pr view ${{ github.event.client_payload.pull_request.number }} --json statusCheckRollup --jq '.statusCheckRollup[] | select(.conclusion != "SUCCESS" and .conclusion != "SKIPPED" and .conclusion != null) | .conclusion')
+
+ if [ ! -z "$STATUS" ]; then
+ echo "Not all status checks have passed. Cannot merge."
+ exit 1 + fi + + - name: Merge Pull Request + run: | + gh auth login --with-token <<< "${{ secrets.REPOSITORY_WRITE_PAT }}" + gh pr merge ${{ github.event.client_payload.pull_request.number }} --merge --auto + + success: + needs: + - merge + runs-on: ubuntu-latest + if: success() + steps: + - name: Add reaction + uses: peter-evans/create-or-update-comment@v4 + with: + repository: ${{ github.event.client_payload.github.payload.repository.full_name }} + comment-id: ${{ github.event.client_payload.github.payload.comment.id }} + reactions: hooray + reactions-edit-mode: replace + + failure: + needs: + - merge + runs-on: ubuntu-latest + if: failure() + steps: + - name: Add reaction + uses: peter-evans/create-or-update-comment@v4 + with: + repository: ${{ github.event.client_payload.github.payload.repository.full_name }} + comment-id: ${{ github.event.client_payload.github.payload.comment.id }} + reactions: confused + reactions-edit-mode: replace + edit-mode: replace + body: | + /${{ github.event.client_payload.slash_command.command }} ${{ github.event.client_payload.slash_command.args.all }} + [![](https://badgen.net/static/${{ github.event.client_payload.slash_command.command }}%20${{ github.run_id }}/failure/red)](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}) diff --git a/.github/workflows/command-release.yml b/.github/workflows/command-release.yml index 7b19682ce..91d114c24 100644 --- a/.github/workflows/command-release.yml +++ b/.github/workflows/command-release.yml @@ -51,6 +51,7 @@ jobs: needs: [meta] outputs: version: ${{ steps.create-release.outputs.version }} + tag: ${{ steps.create-release.outputs.tag }} steps: - uses: actions/checkout@v4 with: 
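Review bot: The PAT and the dispatch payload are expanded by `${{ }}` directly into shell text in the "Configure git for PAT", "Check PR status checks" and "Merge Pull Request" steps of the new `command-merge.yml`, so the secret is written into the remote URL kept in `.git/config` and `pull_request.number` is parsed by the shell before `gh` ever sees it. Because `actions/checkout` already receives `token:`, the `git remote set-url` line looks unnecessary, and the two `gh` steps can take the token and the PR number through `env:` instead of `gh auth login --with-token`, as sketched below. Separately, the jq filter leaves out entries whose `conclusion` is null, so checks that are still running (likely the ones started by the `git push` one step earlier) do not stop the merge step; please confirm that is intended. The release-branch guard also runs only after the checkout that uses the PAT, and it would be safer as the first step or as a job-level `if:`.

```yaml
      # … unchanged: checkout, release-branch guard, git identity, version.json sync …
      - name: Check PR status checks
        env:
          GH_TOKEN: ${{ secrets.REPOSITORY_WRITE_PAT }}
          PR_NUMBER: ${{ github.event.client_payload.pull_request.number }}
        run: |
          # Verify all checks passed
          STATUS=$(gh pr view "$PR_NUMBER" --json statusCheckRollup --jq '.statusCheckRollup[] | select(.conclusion != "SUCCESS" and .conclusion != "SKIPPED" and .conclusion != null) | .conclusion')
          # … unchanged: fail when STATUS is non-empty …

      - name: Merge Pull Request
        env:
          GH_TOKEN: ${{ secrets.REPOSITORY_WRITE_PAT }}
          PR_NUMBER: ${{ github.event.client_payload.pull_request.number }}
        run: gh pr merge "$PR_NUMBER" --merge --auto
```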
@@ -129,7 +130,7 @@ jobs: edit-mode: replace body: | /${{ github.event.client_payload.slash_command.command }} ${{ github.event.client_payload.slash_command.args.all }} - ![](https://badgen.net/static/release%20${{ needs.release.outputs.version }}/success/green) + [![](https://badgen.net/static/release%20${{ needs.release.outputs.version }}/success/green)](${{ github.server_url }}/${{ github.repository }}/releases/tag/${{ needs.release.outputs.tag }}) failure: needs: diff --git a/.github/workflows/command-run.yml b/.github/workflows/command-run.yml index 00e4f24f9..5a2025033 100644 --- a/.github/workflows/command-run.yml +++ b/.github/workflows/command-run.yml @@ -24,7 +24,7 @@ jobs: secrets: inherit with: commit: ${{ github.event.client_payload.pull_request.head.sha }} - + scu-at-build: if: github.event.client_payload.slash_command.args.unnamed.arg1 == 'scu-at' && (github.event.client_payload.slash_command.args.unnamed.arg2 == 'ci' || github.event.client_payload.slash_command.args.unnamed.arg2 == 'build') uses: ./.github/workflows/scu-at-build.yml @@ -32,7 +32,6 @@ jobs: with: commit: ${{ github.event.client_payload.pull_request.head.sha }} - scu-de-build: if: github.event.client_payload.slash_command.args.unnamed.arg1 == 'scu-de' && (github.event.client_payload.slash_command.args.unnamed.arg2 == 'ci' || github.event.client_payload.slash_command.args.unnamed.arg2 == 'build') uses: ./.github/workflows/scu-de-build.yml @@ -46,7 +45,7 @@ jobs: secrets: inherit with: commit: ${{ github.event.client_payload.pull_request.head.sha }} - + scu-it-build: if: github.event.client_payload.slash_command.args.unnamed.arg1 == 'scu-it' && (github.event.client_payload.slash_command.args.unnamed.arg2 == 'ci' || github.event.client_payload.slash_command.args.unnamed.arg2 == 'build') uses: ./.github/workflows/scu-it-build.yml 
@@ -72,9 +71,6 @@ jobs: comment-id: ${{ github.event.client_payload.github.payload.comment.id }} reactions: hooray reactions-edit-mode: replace - edit-mode: replace - body: | - /${{ github.event.client_payload.slash_command.command }} ${{ github.event.client_payload.slash_command.args.all }} failure: needs: @@ -93,4 +89,4 @@ jobs: edit-mode: replace body: | /${{ github.event.client_payload.slash_command.command }} ${{ github.event.client_payload.slash_command.args.all }} - [![](https://badgen.net/static/${{ github.event.client_payload.slash_command.command }}%20${{ github.run_id }}/failed/red)](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}) \ No newline at end of file + [![](https://badgen.net/static/${{ github.event.client_payload.slash_command.command }}%20${{ github.run_id }}/failed/red)](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}) diff --git a/.github/workflows/command-version.yml b/.github/workflows/command-version.yml index 94cfc106c..0fa00514a 100644 --- a/.github/workflows/command-version.yml +++ b/.github/workflows/command-version.yml @@ -64,10 +64,6 @@ jobs: comment-id: ${{ github.event.client_payload.github.payload.comment.id }} reactions: hooray reactions-edit-mode: replace - edit-mode: replace - body: | - /${{ github.event.client_payload.slash_command.command }} ${{ github.event.client_payload.slash_command.args.all }} - [![](https://badgen.net/static/${{ github.event.client_payload.slash_command.command }}%20${{ needs.version.outputs.new-version }}/success/green)](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}) failure: needs: diff --git a/.github/workflows/manual-merging.yml b/.github/workflows/manual-merging.yml new file mode 100644 index 000000000..e17026de7 --- /dev/null +++ b/.github/workflows/manual-merging.yml 
@@ -0,0 +1,15 @@ +name: Manual merging + +on: + pull_request_target: + branches-ignore: "release/v*" + +# This action will only run on non release branches +# We have setup this check as a requirement for merging +# That way release branches can not be manually merged because this check will always be in the waiting state +jobs: + noop: + runs-on: ubuntu-latest + steps: + - name: No-op step + run: echo 'No-op job' diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index e9ddb5e20..c423c300c 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -1,12 +1,9 @@ -name: 'Release' +name: "Release" on: - push: - tags: - - queue/**/v* - - scu-at/**/v* - - scu-de/**/v* - - scu-es/**/v* - - scu-it/**/v* + release: + types: [published] + +run-name: Release ${{ github.event.release.tag_name }} permissions: checks: write 
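Review bot: In the new `manual-merging.yml`, `branches-ignore` on `pull_request_target` is matched against the pull request's base branch, while `command-merge.yml` gates on `pull_request.head.ref`. If release pull requests go from a `release/v*` head into another base, this no-op check still runs and reports success, and the block on manual merging described in the comment would not apply to them. Please state in the comment which side is meant, e.g. `# Runs for every PR whose base branch is not release/v*`, and confirm it matches the branch protection setup. Since the job needs no token, a top-level `permissions: {}` would keep this `pull_request_target` run from receiving the default token scopes.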
@@ -15,33 +12,51 @@ permissions: contents: read jobs: + check-tag: + runs-on: ubuntu-latest + steps: + - name: Validate tag format + run: | + TAG="${{ github.event.release.tag_name }}" + if [[ "$TAG" =~ ^(queue|scu-at|scu-de|scu-es|scu-it)/.+/v.* ]]; then + echo "✅ Tag '$TAG' matches expected pattern" + else + echo "❌ Tag '$TAG' does not match expected pattern (queue|scu-at|scu-de|scu-es|scu-it)//v*" + exit 1 + fi + test-queue: - if: startsWith(github.ref, 'refs/tags/queue/') + needs: [check-tag] + if: startsWith(github.event.release.tag_name, 'queue/') uses: ./.github/workflows/queue-build.yml secrets: inherit test-scu-at: - if: startsWith(github.ref, 'refs/tags/scu-at/') + needs: [check-tag] + if: startsWith(github.event.release.tag_name, 'scu-at/') uses: ./.github/workflows/scu-at-build.yml secrets: inherit test-scu-de: - if: startsWith(github.ref, 'refs/tags/scu-de/') + needs: [check-tag] + if: startsWith(github.event.release.tag_name, 'scu-de/') uses: ./.github/workflows/scu-de-build.yml secrets: inherit test-scu-es: - if: startsWith(github.ref, 'refs/tags/scu-es/') + needs: [check-tag] + if: startsWith(github.event.release.tag_name, 'scu-es/') uses: ./.github/workflows/scu-es-build.yml secrets: inherit test-scu-it: - if: startsWith(github.ref, 'refs/tags/scu-it/') + needs: [check-tag] + if: startsWith(github.event.release.tag_name, 'scu-it/') uses: ./.github/workflows/scu-it-build.yml secrets: inherit meta: - needs: [] + needs: [check-tag] runs-on: windows-latest outputs: project: ${{ steps.meta.outputs.project }} @@ -53,7 +68,7 @@ jobs: - id: meta shell: pwsh run: | - if(!("${{ github.ref }}" -match "refs/tags/([a-z-]+)/([^/]+)/v.*")) { + if(!("${{ github.event.release.tag_name }}" -match "([a-z-]+)/([^/]+)/v.*")) { throw "Invalid tag format" } $directory = $matches[1] 
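Review bot: In the new `check-tag` job, `TAG="${{ github.event.release.tag_name }}"` pastes the release tag into the bash script before the shell parses it, so the step that is meant to validate the tag treats it as script text first; git ref names may contain characters such as `$`, backticks and double quotes. Pass the value through the environment instead: give the step an `env:` entry `TAG: ${{ github.event.release.tag_name }}` and drop the assignment line, leaving the `[[ "$TAG" =~ … ]]` test as it is. The `meta` step in the following hunk (`@@ -53,7 +68,7 @@`) interpolates the same value into a PowerShell string and can read it from `$env:TAG` in the same way.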
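Review bot: Dropping the `refs/tags/` prefix leaves the `-match` pattern `([a-z-]+)/([^/]+)/v.*` in the `meta` step unanchored, so it can match in the middle of the tag, whereas `check-tag` anchors with `^` and lets further slashes through with `.+`. For a tag that has an extra path segment, the two checks would disagree about which part is the directory. Anchoring the pattern, `"^([a-z-]+)/([^/]+)/v.*"`, keeps `$matches[1]` tied to the prefix that `check-tag` validated. The rest of the `meta` step lies outside the hunk.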
@@ -73,7 +88,7 @@ jobs: Write-Output "project=$project" >> $env:GITHUB_OUTPUT test-queue-acceptance: - if: startsWith(github.ref, 'refs/tags/queue/') + if: startsWith(github.event.release.tag_name, 'queue/') concurrency: group: queue-acceptance-tests needs: [meta, test-queue] @@ -82,9 +97,17 @@ jobs: with: only: fiskaltrust.Middleware.Storage.${{ needs.meta.outputs.package }}.AcceptanceTest - package: - needs: [meta, test-queue, test-queue-acceptance, test-scu-at, test-scu-de, test-scu-es, test-scu-it] + needs: + [ + meta, + test-queue, + test-queue-acceptance, + test-scu-at, + test-scu-de, + test-scu-es, + test-scu-it, + ] if: (!failure()) secrets: inherit uses: ./.github/workflows/package.yml diff --git a/.github/workflows/slash-commands.yml b/.github/workflows/slash-commands.yml index f071f3048..2704e8cdc 100644 --- a/.github/workflows/slash-commands.yml +++ b/.github/workflows/slash-commands.yml @@ -27,3 +27,4 @@ jobs: release version check + merge
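Review bot: Adding `merge` to the command list in `slash-commands.yml` makes a workflow that pushes and merges with `REPOSITORY_WRITE_PAT` reachable from a pull-request comment, and the dispatch step's own settings are outside this hunk. Please confirm that the step limits who may issue commands to users with write access or higher, because `command-merge.yml` itself does not check the commenter. The README hunk in this commit does not add a section for the new command; a short `## Merge (`command-merge.yml`)` entry stating that it only acts on `release/v*` branches would document the intended scope.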