Fix release tag validation in workflow #1498
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI | |
| on: | |
| push: | |
| branches: | |
| pull_request: | |
| #schedule: | |
| # - cron: '0 6 * * *' | |
| env: | |
| NAMESPACE: paloaltonetworks | |
| COLLECTION_NAME: panos | |
| jobs: | |
| rc: | |
| name: Check Release Candidate | |
| if: github.event_name == 'push' && !startsWith(github.ref, 'refs/tags/') # on push to branches but not tags | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: write | |
| outputs: | |
| rc: ${{ steps.rc.outputs.new_release_published }} | |
| new_release_version: ${{ steps.rc.outputs.new_release_version }} | |
| steps: | |
| - name: checkout code | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 | |
| - name: setup node.js | |
| uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4 | |
| with: | |
| node-version: 'lts/*' | |
| - name: install dependencies | |
| run: | | |
| npm install --save-dev semantic-release | |
| npm install @semantic-release/commit-analyzer -D | |
| npm install conventional-changelog-conventionalcommits -D | |
| npm install @semantic-release/changelog -D | |
| npm install @semantic-release/git -D | |
| npm install @semantic-release/exec -D | |
| # npx semantic-release | |
| # npm ci | |
| - name: trick semantic check | |
| id: rc | |
| run: | | |
| # Trick semantic-release into thinking we're not in a CI environment | |
| OUTPUT="$(bash -c "unset GITHUB_ACTIONS && unset GITHUB_EVENT_NAME && npx semantic-release --dry-run --no-ci --branches '${GITHUB_REF#refs/heads/}'")" | |
| # print output | |
| echo "$OUTPUT" | |
| # grep with semver regex - \K means to start matching from here in Perl regex | |
| NEW_RELEASE_VERSION=$(echo "$OUTPUT" | grep -oP 'The next release version is \K(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?' || echo -n "") | |
| echo "new_release_version=$NEW_RELEASE_VERSION" >> "$GITHUB_OUTPUT" | |
| if [ -z "$NEW_RELEASE_VERSION" ]; then | |
| echo "new_release_published=false" >> "$GITHUB_OUTPUT" | |
| else | |
| echo "new_release_published=true" >> "$GITHUB_OUTPUT" | |
| fi | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| # below does NOT work because semantic-release expects branch name in the config even in dry-run | |
| # but we run rc check in non main branches | |
| # - name: rc check | |
| # id: rc | |
| # uses: cycjimmy/semantic-release-action@v4 | |
| # with: | |
| # dry_run: true | |
| # semantic_version: 17.1.1 | |
| # extra_plugins: | | |
| # conventional-changelog-conventionalcommits@^4.4.0 | |
| # @semantic-release/changelog@^5.0.1 | |
| # @semantic-release/git@^9.0.0 | |
| # @semantic-release/exec@^5.0.00 | |
| # env: | |
| # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| ## Sanity is required: | |
| # | |
| # https://docs.ansible.com/ansible/latest/dev_guide/testing_sanity.html | |
| sanity: | |
| name: Sanity (Ⓐ${{ matrix.ansible }}) | |
| needs: rc | |
| if: always() && !failure() && !cancelled() # if dependent jobs are not cancelled or failed - skipped is ok. | |
| strategy: | |
| matrix: | |
| include: | |
| - ansible: "2.16" | |
| python_ver: "3.11" | |
| - ansible: "2.17" | |
| python_ver: "3.11" | |
| - ansible: "2.18" | |
| python_ver: "3.11" | |
| runs-on: ubuntu-latest | |
| defaults: | |
| run: | |
| working-directory: ./ansible_collections/${{ env.NAMESPACE }}/${{ env.COLLECTION_NAME }} | |
| steps: | |
| # Just a note here: The Ansible stuff is apparently doing realpath | |
| # checks, so trying to simlink stuff and then run Ansible commands | |
| # such as ansible-test in the symlink directory fails. Thus we need | |
| # to have the real path contain ansible_collections/paloaltonetworks/panos. | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 | |
| with: | |
| path: ./ansible_collections/${{ env.NAMESPACE }}/${{ env.COLLECTION_NAME }} | |
| - name: Setup Python | |
| uses: actions/setup-python@b64ffcaf5b410884ad320a9cfac8866006a109aa # v4 | |
| with: | |
| python-version: ${{ matrix.python_ver }} | |
| - name: Install Poetry | |
| uses: Gr1N/setup-poetry@15821dc8a61bc630db542ae4baf6a7c19a994844 # v8 | |
| with: | |
| poetry-version: "1.8.5" | |
| # Install the head of the given branch (devel, stable-2.10) | |
| - name: Install ansible-base (${{ matrix.ansible }}) | |
| run: poetry run pip install https://github.com/ansible/ansible/archive/stable-${{ matrix.ansible }}.tar.gz --disable-pip-version-check | |
| - name: Create lock file | |
| run: poetry lock | |
| #- name: Cache poetry dependencies | |
| # uses: actions/cache@v2 | |
| # with: | |
| # #path: ~/.cache/pypoetry/virtualenvs | |
| # #key: ${{ runner.os }}-poetry-${{ hashFiles('poetry.lock') }} | |
| # ##restore-keys: | | |
| # ## ${{ runner.os }}-poetry-${{ matrix.python-version }}- | |
| # path: ${{ steps.poetry-cache.outputs.dir }} | |
| # key: ${{ runner.os }}-poetry-${{ hashFiles('**/poetry.lock') }} | |
| # restore-keys: | | |
| # ${{ runner.os }}-poetry- | |
| - name: Install dependencies | |
| run: poetry install | |
| - name: Temp update version files if new release required | |
| if: needs.rc.result == 'success' && needs.rc.outputs.rc == 'true' | |
| run: | | |
| .github/set-version.sh ${{ needs.rc.outputs.new_release_version }} | |
| - name: Temp update requirements.txt changes if any | |
| run: poetry run make reqs | |
| - name: Run sanity tests | |
| timeout-minutes: 8 | |
| run: poetry run make new-sanity | |
| # Ansible-lint is a requirement for certification, and was added to the | |
| # certification pipeline 20 June 2023 per Ansible Partner Engineering | |
| # communication emails | |
| # | |
| # Config file is .ansible-lint | |
| lint: | |
| name: Ansible Lint | |
| runs-on: ubuntu-latest | |
| defaults: | |
| run: | |
| working-directory: ./ansible_collections/${{ env.NAMESPACE }}/${{ env.COLLECTION_NAME }} | |
| steps: | |
| - name: Check out code | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 | |
| - name: Run ansible-lint | |
| uses: ansible/ansible-lint@cb6a42235ff14e2da113f588bb088c2f68540f7b # main | |
| # Tox is used to execute linters required for Event-Driven Ansible (EDA) code: | |
| # github.com/ansible/eda-partner-testing/blob/main/README.md | |
| # Tox should only execute over <root>/extensions/eda/plugins. | |
| # Tox utilises the tox.ini file found in the local directory. | |
| # This action is taken from Ansible Partner Engineering's example: | |
| # github.com/ansible/eda-partner-testing/blob/main/.github/workflows/tox.yml | |
| # Tox is planned by Ansible Partner Engineering to cover other code in future. | |
| tox: | |
| name: Tox Checks | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 | |
| - name: Install deps | |
| run: python -m pip install tox | |
| - name: Move to tox conf file and run tox | |
| run: | | |
| cd .github/workflows | |
| python -m tox -- ../.. | |
| pyversion: | |
| name: Discover minimum Python version | |
| uses: ./.github/workflows/_discover_python_ver.yml | |
| format: | |
| name: Code Format Check | |
| runs-on: ubuntu-latest | |
| needs: pyversion | |
| defaults: | |
| run: | |
| working-directory: ./ansible_collections/${{ env.NAMESPACE }}/${{ env.COLLECTION_NAME }} | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 | |
| with: | |
| path: ./ansible_collections/${{ env.NAMESPACE }}/${{ env.COLLECTION_NAME }} | |
| - name: Setup Python | |
| uses: actions/setup-python@b64ffcaf5b410884ad320a9cfac8866006a109aa # v4 | |
| with: | |
| python-version: ${{ needs.pyversion.outputs.pyversion }} | |
| - name: Install Poetry | |
| uses: Gr1N/setup-poetry@15821dc8a61bc630db542ae4baf6a7c19a994844 # v8 | |
| with: | |
| poetry-version: "1.8.5" | |
| - name: Install dependencies | |
| run: poetry install | |
| - name: Do black code format check | |
| run: poetry run make check-format | |
| requirements: | |
| needs: pyversion | |
| uses: ./.github/workflows/check_requirements.yml | |
| with: | |
| python-version: ${{ needs.pyversion.outputs.pyversion }} | |
| release: | |
| name: Release Version | |
| needs: [rc, sanity, tox, lint, format, requirements] | |
| if: github.event_name == 'push' && github.ref == 'refs/heads/main' && needs.rc.outputs.rc == 'true' | |
| runs-on: ubuntu-latest | |
| outputs: | |
| new_release_published: ${{ steps.release.outputs.new_release_published }} | |
| new_release_version: ${{ steps.release.outputs.new_release_version }} | |
| new_release_git_tag: ${{ steps.release.outputs.new_release_git_tag }} | |
| permissions: | |
| contents: write | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 | |
| with: | |
| persist-credentials: false | |
| # New task for combined Galaxy and AutomationHub publishing | |
| - name: Set up Automation Hub and Galaxy ansible.cfg file | |
| run: | | |
| cat << EOF > ~/.ansible.cfg | |
| [galaxy] | |
| server_list = automation_hub, release_galaxy | |
| [galaxy_server.automation_hub] | |
| url=${{ secrets.AUTOMATION_HUB_URL }} | |
| auth_url=${{ secrets.AUTOMATION_HUB_SSO_URL }} | |
| token=${{ secrets.AUTOMATION_HUB_API_TOKEN }} | |
| [galaxy_server.release_galaxy] | |
| url=https://galaxy.ansible.com/ | |
| token=${{ secrets.GALAXY_API_KEY }} | |
| EOF | |
| shell: bash | |
| - name: cleanup files before packaging | |
| run: | | |
| rm -rf \ | |
| .isort.cfg | |
| - name: Create release and publish | |
| id: release | |
| uses: cycjimmy/semantic-release-action@0a51e81a6baff2acad3ee88f4121c589c73d0f0e # v4 | |
| with: | |
| semantic_version: 17.1.1 | |
| extra_plugins: | | |
| conventional-changelog-conventionalcommits@^4.4.0 | |
| @semantic-release/changelog@^5.0.1 | |
| @semantic-release/git@^9.0.0 | |
| @semantic-release/exec@^5.0.0 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.RELEASE_PAT }} | |
| - name: Store built collection | |
| uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 | |
| with: | |
| name: collection | |
| path: | | |
| *.tar.gz | |
| docs: | |
| name: docs | |
| if: github.event_name == 'push' && github.ref == 'refs/heads/main' | |
| needs: [release, pyversion] | |
| permissions: | |
| contents: write | |
| uses: ./.github/workflows/docs.yml | |
| secrets: inherit | |
| build_dev_ee: | |
| name: Dev EE | |
| needs: [rc, sanity, tox, lint, format, requirements] | |
| if: (needs.rc.outputs.rc == 'true' && github.event_name == 'push' && github.ref == 'refs/heads/develop') | |
| permissions: | |
| contents: read | |
| packages: write | |
| uses: ./.github/workflows/ee.yml | |
| secrets: inherit | |
| build_prod_ee: | |
| name: Release EE | |
| needs: release | |
| if: needs.release.outputs.new_release_published == 'true' | |
| permissions: | |
| contents: read | |
| packages: write | |
| uses: ./.github/workflows/ee.yml | |
| with: | |
| release: true | |
| release_tag: ${{ needs.release.outputs.new_release_git_tag }} | |
| secrets: inherit |