Add release dry-run

2 years ago · 7d68acffbe
parent 666691de88
commit 7d68acffbe
7 changed files with 67 additions and 29 deletions
--- a/.github/workflows/release-ci.yml
+++ b/.github/workflows/release-ci.yml
@ -4,27 +4,27 @@ on:
  workflow_dispatch:
  schedule:
    - cron: '0 0 * * *'
-    
+
  # In case we change the some build scripts:
  push:
    branches:
      - master
    paths:
-      - 'utils/*/install.sh'
+      - 'utils/**'
      - '.ci/release-ci/**'
      - '.github/workflows/release-ci.yml'
  pull_request:
    paths:
-      - 'utils/*/install.sh'
+      - 'utils/**'
      - '.ci/release-ci/**'
      - '.github/workflows/release-ci.yml'

-concurrency: 
+concurrency:
  group: ${{ github.head_ref || github.run_id }}
  cancel-in-progress: true

 jobs:
-  build:
+  existing:
    runs-on: ubuntu-latest
    strategy:
      matrix:
@ -50,12 +50,29 @@ jobs:
        SECRETS_RELEASE_TYPE="${{ matrix.release-type }}" \
        make release-ci

+  # Keep in sync with `release.yml`:
+  dryrun:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        release-type:
+          - apk
+          - deb
+          - rpm
+    steps:
+    - uses: actions/checkout@v3
+    - name: Run dry run of the release process
+      run: |
+        SECRETS_RELEASE_TYPE="${{ matrix.release-type }}" \
+        SECRETS_RELEASE_DRY_RUN=1 \
+          make release
+
  # https://github.community/t/run-github-actions-job-only-if-previous-job-has-failed/174786/2
  create-issue-on-failure:
    name: Create an issue if release-ci cron failed
    runs-on: ubuntu-latest
-    needs: [build]
-    if: ${{ github.event_name == 'schedule' && github.repository == 'sobolevn/git-secret' && always() && needs.build.result == 'failure' }}
+    needs: [existing]
+    if: ${{ github.event_name == 'schedule' && github.repository == 'sobolevn/git-secret' && always() && (needs.existing.result == 'failure' || needs.dryrun.result == 'failure') }}
    permissions:
      issues: write
    steps:
--- a/utils/apk/deploy.sh
+++ b/utils/apk/deploy.sh
@ -2,15 +2,20 @@

 set -e

+if [[ "$SECRETS_DEPLOY_DRY_RUN" == 1 ]]; then
+  echo 'dry-run finished'
+  exit 0
+fi
+
 # shellcheck disable=SC1090,SC1091
 source "$SECRETS_PROJECT_ROOT/utils/build-utils.sh"
 # shellcheck disable=SC1090,SC1091
 source "$SECRETS_PROJECT_ROOT/utils/apk/meta.sh"

-VERSION_NAME="git-secret-${SCRIPT_VERSION}.apk"
+readonly VERSION_NAME="git-secret-${SCRIPT_VERSION}.apk"

 # Artifactory location:
-BASE_API_URL='https://gitsecret.jfrog.io/artifactory'
+readonly BASE_API_URL='https://gitsecret.jfrog.io/artifactory'


 function upload_with_architecture {
@ -18,7 +23,8 @@ function upload_with_architecture {
  local file_location
  file_location="$(locate_release 'apk' "$arch")"

-  curl -sS -u "$SECRETS_ARTIFACTORY_CREDENTIALS" \
+  curl -sS \
+    -u "$SECRETS_ARTIFACTORY_CREDENTIALS" \
    --max-time 10 \
    --retry 3 \
    --retry-delay 5 \
@ -31,7 +37,8 @@ for architecture in "${ALPINE_ARCHITECTURES[@]}"; do
 done

 # Now, we need to trigger metadata reindex:
-curl -sS -u "$SECRETS_ARTIFACTORY_CREDENTIALS" \
+curl -sS \
+  -u "$SECRETS_ARTIFACTORY_CREDENTIALS" \
  --max-time 5 \
  --retry 3 \
  --retry-delay 5 \
--- a/utils/apk/meta.sh
+++ b/utils/apk/meta.sh
@ -1,7 +1,7 @@
 # Full list is here:
 # http://dl-cdn.alpinelinux.org/alpine/v3.13/main/
 # shellcheck disable=SC2034
-ALPINE_ARCHITECTURES=(
+readonly ALPINE_ARCHITECTURES=(
  'aarch64'
  'armhf'
  'armv7'
--- a/utils/build-utils.sh
+++ b/utils/build-utils.sh
@ -6,19 +6,19 @@ set -e
 source "$SECRETS_PROJECT_ROOT/src/version.sh"

 # Initializing and settings:
-READ_PERM=0644
-EXEC_PERM=0755
+readonly READ_PERM=0644
+readonly EXEC_PERM=0755

-SCRIPT_NAME='git-secret'
-SCRIPT_DESCRIPTION='Shell scripts to encrypt your private data inside a git repository.'
-SCRIPT_VERSION="$GITSECRET_VERSION"
+readonly SCRIPT_NAME='git-secret'
+readonly SCRIPT_DESCRIPTION='Shell scripts to encrypt your private data inside a git repository.'
+readonly SCRIPT_VERSION="$GITSECRET_VERSION"

 # This may be overridden:
 if [[ -z "$SCRIPT_BUILD_DIR" ]]; then
  SCRIPT_BUILD_DIR="$PWD/build"
 fi

-SCRIPT_DEST_DIR="$SCRIPT_BUILD_DIR/buildroot"
+readonly SCRIPT_DEST_DIR="$SCRIPT_BUILD_DIR/buildroot"


 function locate_release {
--- a/utils/deb/deploy.sh
+++ b/utils/deb/deploy.sh
@ -2,23 +2,30 @@

 set -e

+if [[ "$SECRETS_DEPLOY_DRY_RUN" == 1 ]]; then
+  echo 'dry-run finished'
+  exit 0
+fi
+
 # shellcheck disable=SC1090,SC1091
 source "$SECRETS_PROJECT_ROOT/utils/build-utils.sh"

 # Artifactory location:
-BASE_API_URL='https://gitsecret.jfrog.io/artifactory'
+readonly BASE_API_URL='https://gitsecret.jfrog.io/artifactory'

 # This folder should contain just one `.dev` file:
-DEB_FILE_LOCATION="$(locate_release 'deb')"
-DEB_FILE_NAME="$(basename "$DEB_FILE_LOCATION")"
+readonly DEB_FILE_LOCATION="$(locate_release 'deb')"
+readonly DEB_FILE_NAME="$(basename "$DEB_FILE_LOCATION")"


-curl -sS -u "$SECRETS_ARTIFACTORY_CREDENTIALS" \
+curl -sS \
+  -u "$SECRETS_ARTIFACTORY_CREDENTIALS" \
  -XPUT "$BASE_API_URL/git-secret-deb/$DEB_FILE_NAME;deb.distribution=git-secret;deb.component=main;deb.architecture=all" \
  -T "$DEB_FILE_LOCATION"

 # Now, we need to trigger metadata reindex:
-curl -sS -u "$SECRETS_ARTIFACTORY_CREDENTIALS" \
+curl -sS \
+  -u "$SECRETS_ARTIFACTORY_CREDENTIALS" \
  -XPOST "$BASE_API_URL/api/deb/reindex/git-secret-deb"

 echo
--- a/utils/rpm/deploy.sh
+++ b/utils/rpm/deploy.sh
@ -2,23 +2,30 @@

 set -e

+if [[ "$SECRETS_DEPLOY_DRY_RUN" == 1 ]]; then
+  echo 'dry-run finished'
+  exit 0
+fi
+
 # shellcheck disable=SC1090,SC1091
 source "$SECRETS_PROJECT_ROOT/utils/build-utils.sh"

 # Artifactory location:
-BASE_API_URL='https://gitsecret.jfrog.io/artifactory'
+readonly BASE_API_URL='https://gitsecret.jfrog.io/artifactory'

 # This folder should contain just one `.rpm` file:
-RPM_FILE_LOCATION="$(locate_release 'rpm')"
-RPM_FILE_NAME="$(basename "$RPM_FILE_LOCATION")"
+readonly RPM_FILE_LOCATION="$(locate_release 'rpm')"
+readonly RPM_FILE_NAME="$(basename "$RPM_FILE_LOCATION")"


-curl -sS -u "$SECRETS_ARTIFACTORY_CREDENTIALS" \
+curl -sS \
+  -u "$SECRETS_ARTIFACTORY_CREDENTIALS" \
  -XPUT "$BASE_API_URL/git-secret-rpm/rpm/$RPM_FILE_NAME" \
  -T "$RPM_FILE_LOCATION"

 # Now, we need to trigger metadata reindex:
-curl -sS -u "$SECRETS_ARTIFACTORY_CREDENTIALS" \
+curl -sS \
+  -u "$SECRETS_ARTIFACTORY_CREDENTIALS" \
  -XPOST "$BASE_API_URL/api/yum/git-secret-rpm?async=1"

 echo
--- a/utils/uninstall.sh
+++ b/utils/uninstall.sh
@ -3,7 +3,7 @@
 set -e


-PREFIX="$1"
+readonly PREFIX="$1"
 if [ -z "$PREFIX" ]; then
  echo "usage: $0 <prefix>" >&2
  exit 1