From 55d8933ec61b643bf30ebdb8345d9f4c9f8df59c Mon Sep 17 00:00:00 2001
From: Andreas Braun
Date: Wed, 22 May 2024 11:12:37 +0200
Subject: [PATCH 1/3] Add automated release workflow
---
.github/workflows/release.yml | 120 ++++++++++++++++++++++++++++++++++
README.md | 20 ++++++
2 files changed, 140 insertions(+)
create mode 100644 .github/workflows/release.yml
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 000000000..f43532e6d
--- /dev/null
+++ b/.github/workflows/release.yml
@@ -0,0 +1,120 @@ +name: "Release New Version" +run-name: "Release ${{ inputs.version }}" + +on: + workflow_dispatch: + inputs: + version: + description: "The version to be released. This is checked for consistency with the branch name and configuration" + required: true + type: "string" + jira-version-number: + description: "JIRA version ID (e.g. 54321)" + required: true + type: "string" + +env: + # TODO: Use different token + GH_TOKEN: ${{ secrets.MERGE_UP_TOKEN }} + GIT_AUTHOR_NAME: "DBX PHP Release Bot" + GIT_AUTHOR_EMAIL: "dbx-php@mongodb.com" + default-release-message: | + The PHP team is happy to announce that version {0} of the MongoDB integration for Laravel is now available. + + **Release Highlights** + + TODO: one or more paragraphs describing important changes in this release + + A complete list of resolved issues in this release may be found in [JIRA](https://jira.mongodb.org/secure/ReleaseNote.jspa?version={1}&projectId=22488). + + **Documentation** + + Documentation for this library may be found in the [Readme](https://github.com/mongodb/laravel-mongodb/blob/$VERSION/README.md). + + **Installation** + + This library may be installed or upgraded with: + + composer require mongodb/laravel-mongodb:{0} + + Installation instructions for the `mongodb` extension may be found in the [PHP.net documentation](https://php.net/manual/en/mongodb.installation.php). + +jobs: + prepare-release: + name: "Prepare release" + runs-on: ubuntu-latest + + steps: + - name: "Create release output" + run: echo '🎬 Release process for version ${{ inputs.version }} started by @${{ github.triggering_actor }}' >> $GITHUB_STEP_SUMMARY + + - uses: actions/checkout@v4 + with: + submodules: true + token: ${{ env.GH_TOKEN }} + + - name: "Store version numbers in env variables" + run: | + echo RELEASE_VERSION=${{ inputs.version }} >> $GITHUB_ENV + echo RELEASE_BRANCH=$(echo ${{ inputs.version }} | cut -d '.' 
-f-2) >> $GITHUB_ENV + + - name: "Ensure release tag does not already exist" + run: | + if [[ $(git tag -l ${RELEASE_VERSION}) == ${RELEASE_VERSION} ]]; then + echo '❌ Release failed: tag for version ${{ inputs.version }} already exists' >> $GITHUB_STEP_SUMMARY + exit 1 + fi + + - name: "Fail if branch names don't match" + if: ${{ github.ref_name != env.RELEASE_BRANCH }} + run: | + echo '❌ Release failed due to branch mismatch: expected ${{ inputs.version }} to be released from ${{ env.RELEASE_BRANCH }}, got ${{ github.ref_name }}' >> $GITHUB_STEP_SUMMARY + exit 1 + + # + # Preliminary checks done - commence the release process + # + + - name: "Set git author information" + run: | + git config user.name "${GIT_AUTHOR_NAME}" + git config user.email "${GIT_AUTHOR_EMAIL}" + + # Create a draft release with release message filled in + - name: "Prepare release message" + run: | + cat > release-message <<'EOL' + ${{ format(env.default-release-message, inputs.version, inputs.jira-version-number) }} + EOL + + - name: "Create draft release" + run: echo "RELEASE_URL=$(gh release create ${{ inputs.version }} --target ${{ github.ref_name }} --title "${{ inputs.version }}" --notes-file release-message --draft)" >> "$GITHUB_ENV" + + # This step creates the signed release tag + - name: "Create release tag" + uses: mongodb-labs/drivers-github-tools/garasign/git-sign@main + with: + command: "git tag -m 'Release ${{ inputs.version }}' -s --local-user=${{ vars.GPG_KEY_ID }} ${{ inputs.version }}" + garasign_username: ${{ secrets.GRS_CONFIG_USER1_USERNAME }} + garasign_password: ${{ secrets.GRS_CONFIG_USER1_PASSWORD }} + artifactory_username: ${{ secrets.ARTIFACTORY_USER }} + artifactory_password: ${{ secrets.ARTIFACTORY_PASSWORD }} + + # TODO: Manually merge using ours strategy. This avoids merge-up pull requests being created + # Process is: + # 1. switch to next branch (according to merge-up action) + # 2. merge release branch using --strategy=ours + # 3. push next branch + # 4. 
switch back to release branch, then push + + - name: "Push changes from release branch" + run: git push + + # Pushing the release tag starts build processes that then produce artifacts for the release + - name: "Push release tag" + run: git push origin ${{ inputs.version }} + + - name: "Set summary" + run: | + echo '🚀 Created tag and drafted release for version [${{ inputs.version }}](${{ env.RELEASE_URL }})' >> $GITHUB_STEP_SUMMARY + echo '✍️ You may now update the release notes and publish the release when ready' >> $GITHUB_STEP_SUMMARY diff --git a/README.md b/README.md index 9ecf12af0..0619f387c 100644 --- a/README.md +++ b/README.md @@ -17,6 +17,26 @@ It is compatible with Laravel 10.x. For older versions of Laravel, please refer - https://www.mongodb.com/docs/drivers/php/laravel-mongodb/ - https://www.mongodb.com/docs/drivers/php/ +## Release Integrity + +Releases are created automatically and the resulting release tag is signed using +the [PHP team's GPG key](https://pgp.mongodb.com/php-driver.asc). To verify the +tag signature, download the key and import it using `gpg`: + +```shell +gpg --import php-driver.asc +``` + +Then, in a local clone, verify the signature of a given tag (e.g. `4.4.0`): + +```shell +git show --show-signature 4.4.0 +``` + +> [!NOTE] +> Composer does not support verifying signatures as part of its installation +> process. + ## Reporting Issues Think you’ve found a bug in the library? Want to see a new feature? Please open a case in our issue management tool, JIRA: From 9867ae09ff57a3acb27b05d1bdb7c603858a9db2 Mon Sep 17 00:00:00 2001 From: Andreas Braun Date: Wed, 22 May 2024 14:13:07 +0200 Subject: [PATCH 2/3] Use stable version of release tooling --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index f43532e6d..59e1bd4e0 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
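Review bot: `${{ inputs.version }}` is expanded straight into the shell text of several `run:` steps in release.yml ("Create release output", "Store version numbers in env variables", "Create draft release", "Push release tag") and into the `command:` string handed to the signing action, so the value is interpreted by the shell and appended to `$GITHUB_ENV` without validation, in a job that holds `MERGE_UP_TOKEN` and the signing credentials. Only users who can dispatch the workflow supply it, but a typo or stray metacharacter is enough to change what runs. Pass the input through `env:`, check it once against the project's version pattern in the first step that uses it, and use the quoted `"$RELEASE_VERSION"` afterwards; the rewritten "Create draft release" line in PATCH 3/3 carries the same interpolation. The pattern in the sketch below is a constructed X.Y.Z example and needs adjusting if pre-release suffixes are allowed.

```yaml
- name: "Store version numbers in env variables"
  env:
    INPUT_VERSION: ${{ inputs.version }}
  run: |
    # constructed example pattern: plain X.Y.Z only
    if [[ ! "$INPUT_VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
      echo '❌ Release failed: version must look like X.Y.Z' >> "$GITHUB_STEP_SUMMARY"
      exit 1
    fi
    echo "RELEASE_VERSION=$INPUT_VERSION" >> "$GITHUB_ENV"
    echo "RELEASE_BRANCH=$(cut -d '.' -f-2 <<< "$INPUT_VERSION")" >> "$GITHUB_ENV"
# … unchanged: tag-exists and branch-name checks, git author setup, draft release, signing step …
- name: "Push release tag"
  run: git push origin "refs/tags/$RELEASE_VERSION"
```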
@@ -92,7 +92,7 @@ jobs: # This step creates the signed release tag - name: "Create release tag" - uses: mongodb-labs/drivers-github-tools/garasign/git-sign@main + uses: mongodb-labs/drivers-github-tools/garasign/git-sign@v1 with: command: "git tag -m 'Release ${{ inputs.version }}' -s --local-user=${{ vars.GPG_KEY_ID }} ${{ inputs.version }}" garasign_username: ${{ secrets.GRS_CONFIG_USER1_USERNAME }} From 15b4c752c0f9c28295ad8b5c331bb2fdfa098318 Mon Sep 17 00:00:00 2001 From: Andreas Braun Date: Thu, 23 May 2024 10:20:35 +0200 Subject: [PATCH 3/3] Automatically generate release notes for draft release --- .github/workflows/release.yml | 34 ++-------------------------------- 1 file changed, 2 insertions(+), 32 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 59e1bd4e0..b8df0df69 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
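Review bot: `@v1` is still a mutable ref, so whoever can move that tag in `mongodb-labs/drivers-github-tools` changes the code that receives the `GRS_CONFIG_USER1_*` and `ARTIFACTORY_*` secrets and produces the signed release tag. For this step, pin to the full commit SHA and keep the tag as a trailing comment, e.g. `uses: mongodb-labs/drivers-github-tools/garasign/git-sign@<full-commit-sha-of-v1> # v1`, and let a dependency-update bot propose the bumps. The same consideration applies to `actions/checkout@v4` earlier in the file, outside this hunk.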
@@ -8,36 +8,12 @@ on: description: "The version to be released. This is checked for consistency with the branch name and configuration" required: true type: "string" - jira-version-number: - description: "JIRA version ID (e.g. 54321)" - required: true - type: "string" env: # TODO: Use different token GH_TOKEN: ${{ secrets.MERGE_UP_TOKEN }} GIT_AUTHOR_NAME: "DBX PHP Release Bot" GIT_AUTHOR_EMAIL: "dbx-php@mongodb.com" - default-release-message: | - The PHP team is happy to announce that version {0} of the MongoDB integration for Laravel is now available. - - **Release Highlights** - - TODO: one or more paragraphs describing important changes in this release - - A complete list of resolved issues in this release may be found in [JIRA](https://jira.mongodb.org/secure/ReleaseNote.jspa?version={1}&projectId=22488). - - **Documentation** - - Documentation for this library may be found in the [Readme](https://github.com/mongodb/laravel-mongodb/blob/$VERSION/README.md). - - **Installation** - - This library may be installed or upgraded with: - - composer require mongodb/laravel-mongodb:{0} - - Installation instructions for the `mongodb` extension may be found in the [PHP.net documentation](https://php.net/manual/en/mongodb.installation.php). jobs: prepare-release: 
@@ -80,15 +56,9 @@ jobs: git config user.name "${GIT_AUTHOR_NAME}" git config user.email "${GIT_AUTHOR_EMAIL}" - # Create a draft release with release message filled in - - name: "Prepare release message" - run: | - cat > release-message <<'EOL' - ${{ format(env.default-release-message, inputs.version, inputs.jira-version-number) }} - EOL - + # Create draft release with release notes - name: "Create draft release" - run: echo "RELEASE_URL=$(gh release create ${{ inputs.version }} --target ${{ github.ref_name }} --title "${{ inputs.version }}" --notes-file release-message --draft)" >> "$GITHUB_ENV" + run: echo "RELEASE_URL=$(gh release create ${{ inputs.version }} --target ${{ github.ref_name }} --title "${{ inputs.version }}" --generate-notes --draft)" >> "$GITHUB_ENV" # This step creates the signed release tag - name: "Create release tag"