Merge pull request #238 from SpringQL/ci/release-workflow-test

ci(fix): automate release workflow
SpringQL · Sep 21, 2022 · 12f0c58 · 12f0c58
2 parents 92abd52 + e086a11
commit 12f0c58
Show file tree

Hide file tree

Showing 2 changed files with 77 additions and 10 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -8,7 +8,7 @@ on:
         required: true
         type: string
       release_version:
-        description: 'release version number (example `0.15.1`)'
+        description: 'release version number (example `0.16.0`)'
         required: true
         type: string
 
@@ -17,6 +17,7 @@ jobs:
     env:
       CURRENT_VERSION: ${{ github.event.inputs.current_version }}
       RELEASE_VERSION: ${{ github.event.inputs.release_version }}
+      TARGET_BRANCH: main
     permissions:
       contents: write
     runs-on: ubuntu-latest
@@ -25,7 +26,8 @@ jobs:
       - name: checkout code
         uses: actions/checkout@v2
         with:
-          ref: main
+          ref: ${{ env.TARGET_BRANCH }}
+          token: ${{ secrets.GHPAT_FOR_PUSH_RELEASE }}
 
       - name: Show initial git status 
         run: |
@@ -71,7 +73,6 @@ jobs:
           rm Cargo.toml.org
           cd ..
 
-
       - name: commit changes
         run: |
           git add .
@@ -87,8 +88,6 @@ jobs:
       - name: git tag
         run: |
           git tag "v${RELEASE_VERSION}"
-          git tag "springql@${RELASE_VERSION}"
-          git tag "springql-core@${RELASE_VERSION}"
 
       - name: Show final git status 
         run: |
@@ -97,13 +96,35 @@ jobs:
           git status -v >> $GITHUB_STEP_SUMMARY
           echo '```' >> $GITHUB_STEP_SUMMARY
 
+      - name: Turn off enforce admin
+        env: 
+          # We wanted to use PAT of SpringQL-bot account but could not.
+          # SpringQL organization requires 2FA for each member but
+          # SpringQL-bot does not have an appropriate way to finish 2FA.
+          #
+          # So use a PAT from an account eligible as a release manager.
+          GITHUB_TOKEN: ${{ secrets.GHPAT_FOR_PUSH_RELEASE }}
+          REPO: ${{ github.repository }}
+          BRANCH: ${{ env.TARGET_BRANCH }}
+        run: |
+          source .github/workflows/scripts/github-branch-protection.bash
+          enforce_admins_off
+
       - name: git push
         run: |
-          git remote set-url origin https://github-actions:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}
-          git push -v origin main
-          git push -v origin "v${RELEASE_VERSION}"
-          git push -v origin "springql@${RELEASE_VERSION}"
-          git push -v origin "springql-core@${RELEASE_VERSION}"
+          git remote set-url origin "https://github-actions:${{ secrets.GHPAT_FOR_PUSH_RELEASE }}@github.com/${GITHUB_REPOSITORY}"
+          git push -v --force origin ${{ env.TARGET_BRANCH }}
+          git push -v --force origin "v${RELEASE_VERSION}"
+
+      - name: Turn on enforce admin
+        if: always()
+        env: 
+          GITHUB_TOKEN: ${{ secrets.GHPAT_FOR_PUSH_RELEASE }}
+          REPO: ${{ github.repository }}
+          BRANCH: ${{ env.TARGET_BRANCH }}
+        run: |
+          source .github/workflows/scripts/github-branch-protection.bash
+          enforce_admins_on
 
       - name: cargo publish
         run: |

diff --git a/.github/workflows/scripts/github-branch-protection.bash b/.github/workflows/scripts/github-branch-protection.bash
@@ -0,0 +1,46 @@
+function get_current_branch_protection_setting() {
+    #
+    # gets branch protections setting, reformats put api body json
+    #
+    # environment variables
+    #
+    # REPO : github repository name for Owner/RepoName syntax
+    # BRANCH:
+    gh api --method GET repos/${REPO}/branches/${BRANCH}/protection | jq '
+    {
+        required_status_checks: null,
+        restrictions: { 
+            users: .restrictions.users | [.[].login],
+            teams: .restrictions.teams | [.[].slug],
+            apps: .restrictions.apps | [.[].slug]
+        },
+        enforce_admins: .enforce_admins.enabled ,
+        required_pull_request_reviews: {
+            dismiss_stale_reviews: .required_pull_request_reviews.dismiss_stale_reviews,
+            require_code_owner_reviews: .required_pull_request_reviews.require_code_owner_reviews,
+            required_approving_review_count: .required_pull_request_reviews.required_approving_review_count
+        },
+        required_linear_history: .required_linear_history.enabled,
+        required_signatures: .required_signatures.enabled,
+        allow_force_pushes: .allow_force_pushes.enabled,
+        allow_deletions: .allow_deletions.enabled,
+        block_reations: .block_creations.enabled,
+        required_conversation_resolution: .required_conversation_resolution.enabled
+    }'
+}
+
+function apply_branch_protection_setting() {
+    gh api --method PUT -H "Accept: application/vnd.github+json" --input - repos/${REPO}/branches/${BRANCH}/protection
+}
+
+function enforce_admins_off() {
+    get_current_branch_protection_setting | jq '.enforce_admins = false' | apply_branch_protection_setting
+}
+
+export -f enforce_admins_off
+
+function enforce_admins_on() {
+    get_current_branch_protection_setting | jq '.enforce_admins = true' | apply_branch_protection_setting
+}
+
+export -f enforce_admins_on