Dry run release #12
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Dry run release | |
| permissions: | |
| actions: write | |
| contents: write | |
| packages: write | |
| id-token: write # Required for OIDC authentication with AWS | |
| on: | |
| workflow_dispatch: # Trigger on demand | |
| schedule: # Trigger weekly all Wednesdays at midnight UTC | |
| # Trigger weekly on Wednesday at midnight Austin time (Standard Time) | |
| - cron: "0 6 * * 3" | |
| jobs: | |
| setup: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| dry_run_id: ${{ steps.get_run_id.outputs.dry_run_id }} | |
| dry_run_branch_name: ${{ steps.get_run_id.outputs.dry_run_branch_name }} | |
| steps: | |
| - name: Get run-tests.yml runId | |
| id: get_run_id | |
| run: | | |
| # Fetch the list of workflow runs | |
| response=$(curl -s \ | |
| -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \ | |
| -H "Accept: application/vnd.github.v3+json" \ | |
| "https://api.github.com/repos/liquibase/liquibase/actions/workflows/run-tests.yml/runs?branch=master&status=success&per_page=1") | |
| # Extract the last successful run ID | |
| run_id=$(echo "$response" | jq -r '.workflow_runs[0].id') | |
| echo "dry_run_id=$run_id" >> $GITHUB_OUTPUT | |
| echo "dry_run_branch_name=${{ github.ref_name }}" >> $GITHUB_OUTPUT | |
| dry-run-create-release: | |
| needs: [setup] | |
| runs-on: ubuntu-latest | |
| outputs: | |
| dry_run_zip_url: ${{ steps.wait_and_get_outputs.outputs.dry_run_zip_url }} | |
| dry_run_tar_gz_url: ${{ steps.wait_and_get_outputs.outputs.dry_run_tar_gz_url }} | |
| dry_run_release_id: ${{ steps.wait_and_get_outputs.outputs.dry_run_release_id }} | |
| steps: | |
| - name: Configure AWS credentials for vault access | |
| uses: aws-actions/configure-aws-credentials@v5 | |
| with: | |
| role-to-assume: ${{ secrets.LIQUIBASE_VAULT_OIDC_ROLE_ARN }} | |
| aws-region: us-east-1 | |
| - name: Get secrets from vault | |
| id: vault-secrets | |
| uses: aws-actions/aws-secretsmanager-get-secrets@v2 | |
| with: | |
| secret-ids: | | |
| ,/vault/liquibase | |
| parse-json-secrets: true | |
| - name: Get GitHub App token | |
| id: get-token | |
| uses: actions/create-github-app-token@v2 | |
| with: | |
| app-id: ${{ env.LIQUIBASE_GITHUB_APP_ID }} | |
| private-key: ${{ env.LIQUIBASE_GITHUB_APP_PRIVATE_KEY }} | |
| owner: ${{ github.repository_owner }} | |
| permission-contents: write | |
| permission-actions: write | |
| - name: Invoke Create Release | |
| id: trigger-step | |
| uses: the-actions-org/workflow-dispatch@v4 | |
| with: | |
| workflow: create-release.yml | |
| token: ${{ steps.get-token.outputs.token }} | |
| inputs: '{"version": "dry-run-${{ github.run_id }}", "runId": "${{ needs.setup.outputs.dry_run_id }}", "standalone_zip": "false", "dry_run": "true", "branch": "master"}' | |
| ref: master | |
| wait-for-completion: true | |
| - name: Get Release Outputs | |
| id: wait_and_get_outputs | |
| run: | | |
| # Get release info based on draft name | |
| release_name="vdry-run-${{ github.run_id }}" | |
| echo "Looking for release with name: $release_name" | |
| response=$(curl -s -H "Authorization: token ${{ steps.get-token.outputs.token }}" \ | |
| -H "Accept: application/vnd.github.v3+json" \ | |
| "https://api.github.com/repos/liquibase/liquibase/releases") | |
| echo "API Response status code: $?" | |
| echo "API Response: $response" | |
| # Find the draft release and get its assets | |
| draft_release=$(echo "$response" | jq -r --arg name "$release_name" '.[] | select(.name == $name and .draft == true)') | |
| echo "Found draft release: $draft_release" | |
| if [ -z "$draft_release" ]; then | |
| echo "Error: No draft release found with name $release_name" | |
| exit 1 | |
| fi | |
| assets_url=$(echo "$draft_release" | jq -r '.assets_url') | |
| dry_run_release_id=$(echo "$draft_release" | jq -r '.id') | |
| echo "Assets URL: $assets_url" | |
| echo "Release ID: $dry_run_release_id" | |
| # Get the assets | |
| assets_response=$(curl -s -H "Authorization: token ${{ steps.get-token.outputs.token }}" \ | |
| -H "Accept: application/vnd.github.v3+json" \ | |
| "$assets_url") | |
| echo "Assets API Response status code: $?" | |
| echo "Assets API Response: $assets_response" | |
| # Get URLs for zip and tar.gz files - getting browser_download_url instead of url | |
| dry_run_zip_url=$(echo "$assets_response" | jq -r '.[] | select(.name | test("^liquibase-dry-run-.*\\.zip$")) | .browser_download_url') | |
| dry_run_tar_gz_url=$(echo "$assets_response" | jq -r '.[] | select(.name | test("^liquibase-dry-run-.*\\.tar\\.gz$")) | .browser_download_url') | |
| echo "Found zip URL: $dry_run_zip_url" | |
| echo "Found tar.gz URL: $dry_run_tar_gz_url" | |
| # Remove any newlines or spaces from URLs before setting outputs | |
| dry_run_zip_url=$(echo "$dry_run_zip_url" | tr -d '[:space:]') | |
| dry_run_tar_gz_url=$(echo "$dry_run_tar_gz_url" | tr -d '[:space:]') | |
| if [ -z "$dry_run_zip_url" ] || [ -z "$dry_run_tar_gz_url" ]; then | |
| echo "Error: Could not find both zip and tar.gz assets" | |
| exit 1 | |
| fi | |
| echo "dry_run_release_id Id is $dry_run_release_id" | |
| echo "dry_run_tar_gz_url is $dry_run_tar_gz_url" | |
| echo "dry_run_zip_url is $dry_run_zip_url" | |
| echo "dry_run_tar_gz_url=$dry_run_tar_gz_url" >> $GITHUB_OUTPUT | |
| echo "dry_run_zip_url=$dry_run_zip_url" >> $GITHUB_OUTPUT | |
| echo "dry_run_release_id=$dry_run_release_id" >> $GITHUB_OUTPUT | |
| dry-run-release-published: | |
| needs: [setup, dry-run-create-release] | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Configure AWS credentials for vault access | |
| uses: aws-actions/configure-aws-credentials@v5 | |
| with: | |
| role-to-assume: ${{ secrets.LIQUIBASE_VAULT_OIDC_ROLE_ARN }} | |
| aws-region: us-east-1 | |
| - name: Get secrets from vault | |
| id: vault-secrets | |
| uses: aws-actions/aws-secretsmanager-get-secrets@v2 | |
| with: | |
| secret-ids: | | |
| ,/vault/liquibase | |
| parse-json-secrets: true | |
| - name: Get GitHub App token | |
| id: get-token | |
| uses: actions/create-github-app-token@v2 | |
| with: | |
| app-id: ${{ env.LIQUIBASE_GITHUB_APP_ID }} | |
| private-key: ${{ env.LIQUIBASE_GITHUB_APP_PRIVATE_KEY }} | |
| owner: ${{ github.repository_owner }} | |
| permission-contents: write | |
| permission-actions: write | |
| - name: Trigger release-published workflow | |
| uses: the-actions-org/workflow-dispatch@v4 | |
| with: | |
| workflow: release-published.yml | |
| token: ${{ steps.get-token.outputs.token }} | |
| inputs: '{"tag": "vdry-run-${{ github.run_id }}", "dry_run_release_id": "${{ needs.dry-run-create-release.outputs.dry_run_release_id }}", "dry_run_zip_url": "${{ needs.dry-run-create-release.outputs.dry_run_zip_url }}", "dry_run_tar_gz_url": "${{ needs.dry-run-create-release.outputs.dry_run_tar_gz_url }}", "dry_run": "true", "dry_run_branch_name": "${{ needs.setup.outputs.dry_run_branch_name }}"}' | |
| ref: master | |
| wait-for-completion: true | |
| workflow-logs: json-output | |
| cleanup: | |
| runs-on: ubuntu-latest | |
| if: always() | |
| needs: [setup, dry-run-create-release, dry-run-release-published] | |
| steps: | |
| - name: Checkout liquibase | |
| uses: actions/checkout@v5 | |
| - name: Set up Git | |
| run: | | |
| git config user.name "liquibot" | |
| git config user.email "[email protected]" | |
| - name: Delete liquibase dry-run tag | |
| if: always() | |
| run: | | |
| git push origin --delete refs/tags/vdry-run-${{ github.run_id }} | |
| echo "Remote tag vdry-run-${{ github.run_id }} deleted" | |
| - name: Delete the dry-run draft release | |
| if: always() | |
| run: | | |
| curl -X DELETE -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \ | |
| -H "Accept: application/vnd.github.v3+json" \ | |
| "https://api.github.com/repos/${{ github.repository }}/releases/${{ needs.dry-run-create-release.outputs.dry_run_release_id}}" | |
| notify: | |
| if: failure() | |
| runs-on: ubuntu-latest | |
| needs: [setup, dry-run-create-release, dry-run-release-published, cleanup] | |
| steps: | |
| - name: Configure AWS credentials for vault access | |
| uses: aws-actions/configure-aws-credentials@v5 | |
| with: | |
| role-to-assume: ${{ secrets.LIQUIBASE_VAULT_OIDC_ROLE_ARN }} | |
| aws-region: us-east-1 | |
| - name: Get secrets from vault | |
| id: vault-secrets | |
| uses: aws-actions/aws-secretsmanager-get-secrets@v2 | |
| with: | |
| secret-ids: | | |
| ,/vault/liquibase | |
| parse-json-secrets: true | |
| - name: Notify Slack on Build Failure | |
| uses: rtCamp/action-slack-notify@v2 | |
| env: | |
| SLACK_COLOR: failure | |
| SLACK_MESSAGE: "View details on GitHub Actions: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }} <@U040C8J8143> <@U04P39MS2SW> <@UHHJ6UAEQ> <@U042HRTL4DT>" # Jandro, Sailee, Jake, Filipe | |
| SLACK_TITLE: "❌ ${{ github.repository }} ❌ Build failed on branch ${{ github.ref }} for commit ${{ github.sha }} in repository ${{github.repository}}" | |
| SLACK_USERNAME: liquibot | |
| SLACK_WEBHOOK: ${{ env.DRY_RUN_RELEASE_SLACK_WEBHOOK }} | |
| SLACK_ICON_EMOJI: ":robot_face:" | |
| SLACK_FOOTER: "${{ github.repository }}" | |
| SLACK_LINK_NAMES: true |