Skip to content

Commit

Permalink
[Release|CI/CD] adjust release pipelines (#6366)
Browse files Browse the repository at this point in the history
This PR contains adjustments to the release pipelines. 
- RC Automation and Branchoff pipelines now use the PGPKMS key generated
by the release team to sign related commits directly in the Github flow
- RC Automation does not use old tagging action. Instead, it creates a
tag and pushes it using git
- RC binary is going to be done on the larger github runners setup in
the` paritytech-release` org

Closes: paritytech/release-engineering#233
  • Loading branch information
EgorPopelyaev authored Nov 5, 2024
1 parent c4ef438 commit 32e116a
Show file tree
Hide file tree
Showing 5 changed files with 66 additions and 18 deletions.
3 changes: 2 additions & 1 deletion .github/scripts/common/lib.sh
Original file line number Diff line number Diff line change
Expand Up @@ -306,9 +306,10 @@ function import_gpg_keys() {
EGOR="E6FC4D4782EB0FA64A4903CCDB7D3555DD3932D3"
MORGAN="2E92A9D8B15D7891363D1AE8AF9E6C43F7F8C4CF"
PARITY_RELEASES="90BD75EBBB8E95CB3DA6078F94A4029AB4B35DAE"
PARITY_RELEASES_SIGN_COMMITS="D8018FBB3F534D866A45998293C5FB5F6A367B51"

echo "Importing GPG keys from $GPG_KEYSERVER"
for key in $SEC $EGOR $MORGAN $PARITY_RELEASES; do
for key in $SEC $EGOR $MORGAN $PARITY_RELEASES $PARITY_RELEASES_SIGN_COMMITS; do
(
echo "Importing GPG key $key"
gpg --no-tty --quiet --keyserver $GPG_KEYSERVER --recv-keys $key
Expand Down
47 changes: 40 additions & 7 deletions .github/workflows/release-10_rc-automation.yml
Original file line number Diff line number Diff line change
Expand Up @@ -23,12 +23,46 @@ jobs:
- name: "RelEng: Polkadot Release Coordination"
room: '!cqAmzdIcbOFwrdrubV:parity.io'
environment: release
env:
PGP_KMS_KEY: ${{ secrets.PGP_KMS_SIGN_COMMITS_KEY }}
PGP_KMS_HASH: ${{ secrets.PGP_KMS_HASH }}
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
AWS_DEFAULT_REGION: ${{ secrets.AWS_DEFAULT_REGION }}

steps:
- name: Install pgpkkms
run: |
# Install pgpkms that is used to sign commits
pip install git+https://github.com/paritytech-release/pgpkms.git@5a8f82fbb607ea102d8c178e761659de54c7af69
- name: Generate content write token for the release automation
id: generate_write_token
uses: actions/create-github-app-token@v1
with:
app-id: ${{ vars.RELEASE_AUTOMATION_APP_ID }}
private-key: ${{ secrets.RELEASE_AUTOMATION_APP_PRIVATE_KEY }}
owner: paritytech-release

- name: Checkout sources
uses: actions/checkout@6d193bf28034eafb982f37bd894289fe649468fc # v4.1.7
with:
fetch-depth: 0
token: ${{ steps.generate_write_token.outputs.token }}

- name: Import gpg keys
run: |
. ./.github/scripts/common/lib.sh
import_gpg_keys
- name: Config git
run: |
git config --global commit.gpgsign true
git config --global gpg.program /home/runner/.local/bin/pgpkms-git
git config --global user.name "ParityReleases"
git config --global user.email "[email protected]"
git config --global user.signingKey "D8018FBB3F534D866A45998293C5FB5F6A367B51"
- name: Compute next rc tag
# if: ${{ steps.get_rel_product.outputs.product == 'polkadot' }}
Expand Down Expand Up @@ -58,13 +92,12 @@ jobs:
fi
- name: Apply new tag
uses: tvdias/github-tagger@ed7350546e3e503b5e942dffd65bc8751a95e49d # v0.0.2
with:
# We can't use the normal GITHUB_TOKEN for the following reason:
# https://docs.github.com/en/actions/reference/events-that-trigger-workflows#triggering-new-workflows-using-a-personal-access-token
# RELEASE_BRANCH_TOKEN requires public_repo OAuth scope
repo-token: "${{ secrets.RELEASE_BRANCH_TOKEN }}"
tag: ${{ steps.compute_tag.outputs.new_tag }}
env:
GH_TOKEN: ${{ steps.generate_write_token.outputs.token }}
RC_TAG: ${{ steps.compute_tag.outputs.new_tag }}
run: |
git tag -s $RC_TAG -m "new rc tag $RC_TAG"
git push origin $RC_TAG
- name: Send Matrix message to ${{ matrix.channel.name }}
uses: s3krit/matrix-message-action@70ad3fb812ee0e45ff8999d6af11cafad11a6ecf # v0.0.3
Expand Down
24 changes: 15 additions & 9 deletions .github/workflows/release-branchoff-stable.yml
Original file line number Diff line number Diff line change
Expand Up @@ -13,13 +13,7 @@ on:
required: true

jobs:
check-workflow-can-run:
uses: paritytech-release/sync-workflows/.github/workflows/check-syncronization.yml@main


prepare-tooling:
needs: [check-workflow-can-run]
if: needs.check-workflow-can-run.outputs.checks_passed == 'true'
runs-on: ubuntu-latest
outputs:
node_version: ${{ steps.validate_inputs.outputs.node_version }}
Expand All @@ -45,7 +39,7 @@ jobs:
runs-on: ubuntu-latest
environment: release
env:
PGP_KMS_KEY: ${{ secrets.PGP_KMS_KEY }}
PGP_KMS_KEY: ${{ secrets.PGP_KMS_SIGN_COMMITS_KEY }}
PGP_KMS_HASH: ${{ secrets.PGP_KMS_HASH }}
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
Expand All @@ -58,32 +52,42 @@ jobs:
# Install pgpkms that is used to sign commits
pip install git+https://github.com/paritytech-release/pgpkms.git@5a8f82fbb607ea102d8c178e761659de54c7af69
- name: Generate content write token for the release automation
id: generate_write_token
uses: actions/create-github-app-token@v1
with:
app-id: ${{ vars.RELEASE_AUTOMATION_APP_ID }}
private-key: ${{ secrets.RELEASE_AUTOMATION_APP_PRIVATE_KEY }}
owner: paritytech-release

- name: Checkout sources
uses: actions/checkout@6d193bf28034eafb982f37bd894289fe649468fc # v4.1.7
with:
ref: master
token: ${{ steps.generate_write_token.outputs.token }}

- name: Import gpg keys
run: |
. ./.github/scripts/common/lib.sh
import_gpg_keys
- name: Config git
run: |
git config --global commit.gpgsign true
git config --global gpg.program /home/runner/.local/bin/pgpkms-git
git config --global user.name "ParityReleases"
git config --global user.email "[email protected]"
git config --global user.signingKey "90BD75EBBB8E95CB3DA6078F94A4029AB4B35DAE"
git config --global user.signingKey "D8018FBB3F534D866A45998293C5FB5F6A367B51"
- name: Create stable branch
run: |
git checkout -b "$STABLE_BRANCH_NAME"
git show-ref "$STABLE_BRANCH_NAME"
- name: Bump versions, reorder prdocs and push stable branch
env:
GH_TOKEN: ${{ steps.generate_write_token.outputs.token }}
run: |
. ./.github/scripts/release/release_lib.sh
Expand All @@ -101,4 +105,6 @@ jobs:
reorder_prdocs $STABLE_BRANCH_NAME
gh auth setup-git
git push origin "$STABLE_BRANCH_NAME"
8 changes: 8 additions & 0 deletions .github/workflows/release-build-rc.yml
Original file line number Diff line number Diff line change
Expand Up @@ -55,6 +55,10 @@ jobs:
AWS_DEFAULT_REGION: ${{ secrets.AWS_DEFAULT_REGION }}
AWS_RELEASE_ACCESS_KEY_ID: ${{ secrets.AWS_RELEASE_ACCESS_KEY_ID }}
AWS_RELEASE_SECRET_ACCESS_KEY: ${{ secrets.AWS_RELEASE_SECRET_ACCESS_KEY }}
permissions:
id-token: write
attestations: write
contents: read

build-polkadot-parachain-binary:
needs: [validate-inputs]
Expand All @@ -72,3 +76,7 @@ jobs:
AWS_DEFAULT_REGION: ${{ secrets.AWS_DEFAULT_REGION }}
AWS_RELEASE_ACCESS_KEY_ID: ${{ secrets.AWS_RELEASE_ACCESS_KEY_ID }}
AWS_RELEASE_SECRET_ACCESS_KEY: ${{ secrets.AWS_RELEASE_SECRET_ACCESS_KEY }}
permissions:
id-token: write
attestations: write
contents: read
2 changes: 1 addition & 1 deletion .github/workflows/release-reusable-rc-buid.yml
Original file line number Diff line number Diff line change
Expand Up @@ -58,7 +58,7 @@ jobs:

build-rc:
needs: [set-image]
runs-on: ubuntu-latest
runs-on: ubuntu-latest-m
environment: release
container:
image: ${{ needs.set-image.outputs.IMAGE }}
Expand Down

0 comments on commit 32e116a

Please sign in to comment.