From 9a17b0db968c1bac45f1eed6b70990f957df6ae1 Mon Sep 17 00:00:00 2001 From: Kazuhiko Kikuchi Date: Sun, 24 Jul 2022 09:34:10 +0900 Subject: [PATCH 01/10] use PAT for checkout --- .github/workflows/release.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 282ade68..92555659 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -26,6 +26,7 @@ jobs: uses: actions/checkout@v2 with: ref: main + token: ${{ secrets.GHPAT_FOR_PUSH_RELEASE }} - name: Show initial git status run: | From 3289ae269be8966ba5d1ecfbdbb008c4323f2af8 Mon Sep 17 00:00:00 2001 From: Kazuhiko Kikuchi Date: Sun, 24 Jul 2022 09:56:18 +0900 Subject: [PATCH 02/10] git push remote with PAT --- .github/workflows/release.yml | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 92555659..60eb6db8 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -88,8 +88,6 @@ jobs: - name: git tag run: | git tag "v${RELEASE_VERSION}" - git tag "springql@${RELASE_VERSION}" - git tag "springql-core@${RELASE_VERSION}" - name: Show final git status run: | @@ -100,11 +98,9 @@ jobs: - name: git push run: | - git remote set-url origin https://github-actions:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY} + git remote set-url origin "https://github-actions:${{ secrets.GHPAT_FOR_PUSH_RELEASE }}@github.com/${GITHUB_REPOSITORY}" git push -v origin main git push -v origin "v${RELEASE_VERSION}" - git push -v origin "springql@${RELEASE_VERSION}" - git push -v origin "springql-core@${RELEASE_VERSION}" - name: cargo publish run: | From a05d284f9b8818ee0843a8e3ed37b75314927869 Mon Sep 17 00:00:00 2001 From: Kazuhiko Kikuchi Date: Sun, 24 Jul 2022 14:40:17 +0900 Subject: [PATCH 03/10] add force push option --- .github/workflows/release.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
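Review bot: The PAT passed to `token:` here is persisted into the checkout's `.git/config` for every later step, because `actions/checkout` leaves `persist-credentials` at its default of `true`, yet nothing in the hunk says why a PAT is needed instead of the job's `GITHUB_TOKEN` (presumably to push to a protected `main`, which the built-in token cannot bypass). Add a comment above `token:` such as `# PAT: GITHUB_TOKEN cannot push to the protected main branch` so the reason and the elevated trust are recorded next to the secret. Since this job now runs with a credential that can rewrite the default branch, pinning `actions/checkout` to a full commit SHA rather than the mutable `@v2` tag would also be worth doing.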
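Review bot: `git remote set-url origin "https://github-actions:${{ secrets.GHPAT_FOR_PUSH_RELEASE }}@github.com/${GITHUB_REPOSITORY}"` writes the PAT in clear text into the workspace's `.git/config`, where any later step or `git remote -v` output can read it. It is also redundant: patch 01 already hands the same PAT to `actions/checkout`, which stores it as an auth header in the local git config, so `git push -v origin main` authenticates without touching the remote URL. Drop the `set-url` line and keep the two `git push` lines as they are; if a different credential is ever wanted at push time, prefer an `env:` entry consumed by a credential helper over embedding it in the URL.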
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 60eb6db8..1acdf5e3 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -99,8 +99,8 @@ jobs: - name: git push run: | git remote set-url origin "https://github-actions:${{ secrets.GHPAT_FOR_PUSH_RELEASE }}@github.com/${GITHUB_REPOSITORY}" - git push -v origin main - git push -v origin "v${RELEASE_VERSION}" + git push -v --force origin main + git push -v --force origin "v${RELEASE_VERSION}" - name: cargo publish run: | From 366e8bc3fbc7486e20daf0e8a18003b58aaee389 Mon Sep 17 00:00:00 2001 From: Kazuhiko Kikuchi Date: Sun, 24 Jul 2022 18:17:41 +0900 Subject: [PATCH 04/10] enforce admins off/on for push --- .github/workflows/release.yml | 14 +++++++ .../scripts/github-branch-protection.bash | 39 +++++++++++++++++++ 2 files changed, 53 insertions(+) create mode 100644 .github/workflows/scripts/github-branch-protection.bash diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 1acdf5e3..5a608ca0 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -96,12 +96,26 @@ jobs: git status -v >> $GITHUB_STEP_SUMMARY echo '```' >> $GITHUB_STEP_SUMMARY + - name: Turn off enforce admin + env: + GITHUB_TOKEN: ${{ secrets.GHPAT_FOR_PUSH_RELEASE }} + run: | + source .github/workflows/scripts/github-branch-protection.bash + enforce_admins_off + - name: git push run: | git remote set-url origin "https://github-actions:${{ secrets.GHPAT_FOR_PUSH_RELEASE }}@github.com/${GITHUB_REPOSITORY}" git push -v --force origin main git push -v --force origin "v${RELEASE_VERSION}" + - name: Turn on enforce admin + env: + GITHUB_TOKEN: ${{ secrets.GHPAT_FOR_PUSH_RELEASE }} + run: | + source .github/workflows/scripts/github-branch-protection.bash + enforce_admins_on + - name: cargo publish run: | # load helper script 
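Review bot: `git push -v --force origin main` can silently discard commits that landed on `main` between the checkout and the push, and the hunk gives no reason why a plain push is insufficient given the commits were made on top of a fresh `ref: main` checkout. If the intent is only to survive a stale remote-tracking ref, `git push -v --force-with-lease origin main` fails instead of overwriting unseen work. The `--force` on the tag push is a separate concern: it lets a rerun re-point an already published `v${RELEASE_VERSION}` tag, so consumers could see a different artifact under the same version; keeping `git push -v origin "v${RELEASE_VERSION}"` non-forced makes a collision with an existing release tag fail loudly.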
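Review bot: The step `Turn off enforce admin` calls `enforce_admins_off`, but the script added in the same patch defines the function as `enfore_admins_off` (and `enfore_admins_on`), so both steps will fail with a command-not-found error as written. Beyond the naming, `Turn on enforce admin` only runs when the push step succeeds, so a failed push leaves branch protection with `enforce_admins` disabled until someone notices; the step needs to run regardless of the push's outcome. Both steps also rely on the PAT holding repository admin rights, which is a much broader grant than the job's `permissions: contents: write` suggests — a comment on the `GITHUB_TOKEN:` line stating that requirement would help whoever rotates the secret.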
diff --git a/.github/workflows/scripts/github-branch-protection.bash b/.github/workflows/scripts/github-branch-protection.bash new file mode 100644 index 00000000..8389166f --- /dev/null +++ b/.github/workflows/scripts/github-branch-protection.bash @@ -0,0 +1,39 @@ +function get_current_branch_protection_setting() { + gh api --method GET repos/${OWNER}/${REPO}/branches/${BRANCH}/protection | jq ' + { + required_status_checks: null, + restrictions: { + users: .restrictions.users | [.[].login], + teams: .restrictions.teams | [.[].slug], + apps: .restrictions.apps | [.[].slug] + }, + enforce_admins: .enforce_admins.enabled , + required_pull_request_reviews: { + dismiss_stale_reviews: .required_pull_request_reviews.dismiss_stale_reviews, + require_code_owner_reviews: .required_pull_request_reviews.require_code_owner_reviews, + required_approving_review_count: .required_pull_request_reviews.required_approving_review_count + }, + required_linear_history: .required_linear_history.enabled, + required_signatures: .required_signatures.enabled, + allow_force_pushes: .allow_force_pushes.enabled, + allow_deletions: .allow_deletions.enabled, + block_reations: .block_creations.enabled, + required_conversation_resolution: .required_conversation_resolution.enabled + }' +} + +function apply_branch_protection_setting() { + gh api --method PUT -H "Accept: application/vnd.github+json" --input - repos/${OWNER}/${REPO}/branches/${BRANCH}/protection +} + +function enfore_admins_off() { + get_current_branch_protection_setting | jq '.enforce_admins = false' | apply_branch_protection_setting +} + +export -f enfore_admins_off + +function enfore_admins_on() { + get_current_branch_protection_setting | jq '.enforce_admins = true' | apply_branch_protection_setting +} + +export -f enfore_admins_on From 41c0b3799b5eedf9a9a46573014c963ac4d6e3e6 Mon Sep 17 00:00:00 2001 
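Review bot: `get_current_branch_protection_setting` hard-codes `required_status_checks: null` in the jq template, so every `enforce_admins_off`/`enforce_admins_on` round trip PUTs the protection back without whatever required status checks were configured on the branch, and the `on` call cannot restore them because it reads the already-stripped state. Map the field through like the others, e.g. `required_status_checks: (.required_status_checks | if . == null then null else {strict: .strict, contexts: .contexts} end),`, so the release workflow does not weaken `main` as a side effect. The key `block_reations` is misspelled, so `block_creations` is omitted from the PUT body and is likely reset to the API default, and `.restrictions.users | [.[].login]` will error in jq when the branch has no push restrictions (`restrictions` is null), aborting the step. The function and `export -f` names use `enfore_` while the workflow calls `enforce_`.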
From: Kazuhiko Kikuchi Date: Wed, 27 Jul 2022 09:38:54 +0900 Subject: [PATCH 05/10] merge parameter for Owner/Repo --- .github/workflows/release.yml | 9 +++++++-- .../scripts/github-branch-protection.bash | 17 ++++++++++++----- 2 files changed, 19 insertions(+), 7 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 5a608ca0..5082e674 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -17,6 +17,7 @@ jobs: env: CURRENT_VERSION: ${{ github.event.inputs.current_version }} RELEASE_VERSION: ${{ github.event.inputs.release_version }} + TARGET_BRANCH: main permissions: contents: write runs-on: ubuntu-latest @@ -25,7 +26,7 @@ jobs: - name: checkout code uses: actions/checkout@v2 with: - ref: main + ref: ${{ env.TARGET_BRANCH }} token: ${{ secrets.GHPAT_FOR_PUSH_RELEASE }} - name: Show initial git status @@ -99,6 +100,8 @@ jobs: - name: Turn off enforce admin env: GITHUB_TOKEN: ${{ secrets.GHPAT_FOR_PUSH_RELEASE }} + REPO: ${{ github.repository }} + BRANCH: ${{ env.TARGET_BRANCH }} run: | source .github/workflows/scripts/github-branch-protection.bash enforce_admins_off @@ -106,12 +109,14 @@ jobs: - name: git push run: | git remote set-url origin "https://github-actions:${{ secrets.GHPAT_FOR_PUSH_RELEASE }}@github.com/${GITHUB_REPOSITORY}" - git push -v --force origin main + git push -v --force origin ${{ env.TARGET_BRANCH }} git push -v --force origin "v${RELEASE_VERSION}" - name: Turn on enforce admin env: GITHUB_TOKEN: ${{ secrets.GHPAT_FOR_PUSH_RELEASE }} + REPO: ${{ github.repository }} + BRANCH: ${{ env.TARGET_BRANCH }} run: | source .github/workflows/scripts/github-branch-protection.bash enforce_admins_on diff --git a/.github/workflows/scripts/github-branch-protection.bash b/.github/workflows/scripts/github-branch-protection.bash index 8389166f..f0ee9b16 100644 --- a/.github/workflows/scripts/github-branch-protection.bash +++ b/.github/workflows/scripts/github-branch-protection.bash 
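Review bot: `git push -v --force origin ${{ env.TARGET_BRANCH }}` in the `git push` step splices a workflow expression straight into the shell script instead of reading the variable the job already exports; the value is a constant `main` today, so there is no injection here, but the pattern breaks the moment `TARGET_BRANCH` is wired to a workflow input. Use the environment variable with quoting, `git push -v --force origin "${TARGET_BRANCH}"`, which is also consistent with how `RELEASE_VERSION` is used on the next line. The `with:`/`env:` uses of `${{ env.TARGET_BRANCH }}` in the other hunks of this file are fine because those are not shell contexts.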
@@ -1,5 +1,12 @@ function get_current_branch_protection_setting() { - gh api --method GET repos/${OWNER}/${REPO}/branches/${BRANCH}/protection | jq ' + # + # gets branch protections setting, reformats put api body json + # + # environment variables + # + # REPO : github repository name for Owner/RepoName syntax + # BRANCH: + gh api --method GET repos/${REPO}/branches/${BRANCH}/protection | jq ' { required_status_checks: null, restrictions: { @@ -9,9 +16,9 @@ function get_current_branch_protection_setting() { }, enforce_admins: .enforce_admins.enabled , required_pull_request_reviews: { - dismiss_stale_reviews: .required_pull_request_reviews.dismiss_stale_reviews, - require_code_owner_reviews: .required_pull_request_reviews.require_code_owner_reviews, - required_approving_review_count: .required_pull_request_reviews.required_approving_review_count + dismiss_stale_reviews: .required_pull_request_reviews.dismiss_stale_reviews, + require_code_owner_reviews: .required_pull_request_reviews.require_code_owner_reviews, + required_approving_review_count: .required_pull_request_reviews.required_approving_review_count }, required_linear_history: .required_linear_history.enabled, required_signatures: .required_signatures.enabled, @@ -23,7 +30,7 @@ function get_current_branch_protection_setting() { } function apply_branch_protection_setting() { - gh api --method PUT -H "Accept: application/vnd.github+json" --input - repos/${OWNER}/${REPO}/branches/${BRANCH}/protection + gh api --method PUT -H "Accept: application/vnd.github+json" --input - repos//${REPO}/branches/${BRANCH}/protection } function enfore_admins_off() { From a463e98d30f20604b4673515dfa02482c9bba5d4 Mon Sep 17 00:00:00 2001 From: kazuhiko kikuchi Date: Thu, 18 Aug 2022 09:09:32 +0900 Subject: [PATCH 06/10] fix typo --- .github/workflows/scripts/github-branch-protection.bash | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
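Review bot: The new header comment leaves `# BRANCH:` without a description and does not say that `gh` needs a token with repository administration rights in `GITHUB_TOKEN`/`GH_TOKEN` to read and write branch protection; the function's own contract (it emits the PUT body for `apply_branch_protection_setting`, with `required_status_checks` forced to `null`) is worth stating too. Suggested lines: `# BRANCH: branch whose protection settings are fetched` and `# output: JSON body accepted by the PUT branch-protection endpoint (required_status_checks is reset to null)`.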
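Review bot: `repos//${REPO}/branches/${BRANCH}/protection` in `apply_branch_protection_setting` has a doubled slash left over from dropping `${OWNER}`, so the PUT targets a different path than the GET in `get_current_branch_protection_setting` (`repos/${REPO}/...`); depending on how the API normalises the URL the write may 404, failing the step after the read succeeded. Change it to `repos/${REPO}/branches/${BRANCH}/protection` to match. Building the path once in a small helper, e.g. `protection_endpoint() { echo "repos/${REPO}/branches/${BRANCH}/protection"; }`, would stop the two call sites from drifting again.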
diff --git a/.github/workflows/scripts/github-branch-protection.bash b/.github/workflows/scripts/github-branch-protection.bash index f0ee9b16..c368b815 100644 --- a/.github/workflows/scripts/github-branch-protection.bash +++ b/.github/workflows/scripts/github-branch-protection.bash @@ -33,14 +33,14 @@ function apply_branch_protection_setting() { gh api --method PUT -H "Accept: application/vnd.github+json" --input - repos//${REPO}/branches/${BRANCH}/protection } -function enfore_admins_off() { +function enforce_admins_off() { get_current_branch_protection_setting | jq '.enforce_admins = false' | apply_branch_protection_setting } -export -f enfore_admins_off +export -f enforce_admins_off -function enfore_admins_on() { +function enforce_admins_on() { get_current_branch_protection_setting | jq '.enforce_admins = true' | apply_branch_protection_setting } -export -f enfore_admins_on +export -f enforce_admins_on From 491d96c49dfa684eb17d281afb76cee3ed7313f8 Mon Sep 17 00:00:00 2001 From: kazuhiko kikuchi Date: Thu, 18 Aug 2022 09:23:23 +0900 Subject: [PATCH 07/10] remove OWNER env --- .github/workflows/scripts/github-branch-protection.bash | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/scripts/github-branch-protection.bash b/.github/workflows/scripts/github-branch-protection.bash index c368b815..76eefd17 100644 --- a/.github/workflows/scripts/github-branch-protection.bash +++ b/.github/workflows/scripts/github-branch-protection.bash @@ -30,7 +30,7 @@ function get_current_branch_protection_setting() { } function apply_branch_protection_setting() { - gh api --method PUT -H "Accept: application/vnd.github+json" --input - repos//${REPO}/branches/${BRANCH}/protection + gh api --method PUT -H "Accept: application/vnd.github+json" --input - repos/${REPO}/branches/${BRANCH}/protection } function enforce_admins_off() { From a71d48effa8e502a86fb494d7073720482783710 Mon Sep 17 00:00:00 2001 
From: Kazuhiko Kikuchi Date: Wed, 24 Aug 2022 07:56:43 +0900 Subject: [PATCH 08/10] add always to enforce admin ON --- .github/workflows/release.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 5082e674..37989c83 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -113,6 +113,7 @@ jobs: git push -v --force origin "v${RELEASE_VERSION}" - name: Turn on enforce admin + if: always() env: GITHUB_TOKEN: ${{ secrets.GHPAT_FOR_PUSH_RELEASE }} REPO: ${{ github.repository }} From 6285c7871c39e591290798d5809092902e604f5a Mon Sep 17 00:00:00 2001 From: Kazuhiko Kikuchi Date: Wed, 31 Aug 2022 09:39:29 +0900 Subject: [PATCH 09/10] change example version --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 37989c83..18555ced 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -8,7 +8,7 @@ on: required: true type: string release_version: - description: 'release version number (example `0.15.1`)' + description: 'release version number (example `0.16.0`)' required: true type: string From e086a115aa94212881e42a70803993dc1cc3167a Mon Sep 17 00:00:00 2001 From: Sho Nakatani Date: Wed, 21 Sep 2022 19:57:52 +0900 Subject: [PATCH 10/10] docs: GHPAT_FOR_PUSH_RELEASE --- .github/workflows/release.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 18555ced..fe0a2cb0 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -73,7 +73,6 @@ jobs: rm Cargo.toml.org cd .. - - name: commit changes run: | git add . 
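Review bot: `if: always()` on `Turn on enforce admin` also fires in runs where `Turn off enforce admin` never ran or failed, and because the helper rebuilds the whole protection object from a GET (with `required_status_checks` forced to `null` in the script), the step then rewrites branch protection in runs that never touched it. Give the off step an `id` (it is outside this hunk) and guard the on step with `if: ${{ always() && steps.<off-step-id>.outcome == 'success' }}`, so re-enabling only happens when this run actually disabled it. `always()` also covers cancellation, which is desirable here, so keep it rather than `success() || failure()`.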
@@ -99,6 +98,11 @@ jobs: - name: Turn off enforce admin env: + # We wanted to use PAT of SpringQL-bot account but could not. + # SpringQL organization requires 2FA for each member but + # SpringQL-bot does not have an appropriate way to finish 2FA. + # + # So use a PAT from an account eligible as a release manager. GITHUB_TOKEN: ${{ secrets.GHPAT_FOR_PUSH_RELEASE }} REPO: ${{ github.repository }} BRANCH: ${{ env.TARGET_BRANCH }}
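Review bot: The new comment explains which account owns `GHPAT_FOR_PUSH_RELEASE` but not what the token must be allowed to do, which is what the next person rotating the secret needs: the `gh api` calls against the branch-protection endpoint need repository administration rights and the push needs write access to `main`. Add a line such as `# Requires a token with repo admin (branch protection) and contents write on this repository.` and note that a fine-grained PAT restricted to this single repository with only the Administration and Contents permissions is the least-privilege form, whereas a classic PAT with the `repo` scope grants the same account-wide access to every repository the account can reach. The same secret is used in the checkout, push and `Turn on enforce admin` steps outside this hunk, so a single comment at its first use would cover them.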