From cfd7100c8c26e47eb9542d43c7e58b46290c4aed Mon Sep 17 00:00:00 2001 From: Adria Navarro Date: Tue, 6 Jun 2023 10:36:21 +0100 Subject: [PATCH 1/4] Always use the checked out version --- .github/workflows/deploy-preprod.yml | 7 +------ .github/workflows/release-master.yml | 1 - 2 files changed, 1 insertion(+), 7 deletions(-) diff --git a/.github/workflows/deploy-preprod.yml b/.github/workflows/deploy-preprod.yml index 57e2504ded..6ce1697d3a 100644 --- a/.github/workflows/deploy-preprod.yml +++ b/.github/workflows/deploy-preprod.yml @@ -16,12 +16,7 @@ jobs: - name: Get the latest budibase release version id: version run: | - if [ -z "${{ github.event.inputs.version }}" ]; then - git pull - release_version=$(cat lerna.json | jq -r '.version') - else - release_version=${{ github.event.inputs.version }} - fi + release_version=$(cat lerna.json | jq -r '.version') echo "RELEASE_VERSION=$release_version" >> $GITHUB_ENV - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@v1 diff --git a/.github/workflows/release-master.yml b/.github/workflows/release-master.yml index 7cf2f99d9f..8f371a2481 100644 --- a/.github/workflows/release-master.yml +++ b/.github/workflows/release-master.yml @@ -134,7 +134,6 @@ jobs: - name: Get the latest budibase release version id: version run: | - git pull release_version=$(cat lerna.json | jq -r '.version') echo "RELEASE_VERSION=$release_version" >> $GITHUB_ENV From 8d6e8967c5a0e25cb372a62b7b1639fc5233c992 Mon Sep 17 00:00:00 2001 
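Review bot: The surviving `release_version=$(cat lerna.json | jq -r '.version')` line in the deploy-preprod hunk masks a missing or unreadable lerna.json: the step runs under GitHub's default `bash -e` without `pipefail`, so a failed `cat` leaves `jq` reading empty stdin, jq exits 0, and `RELEASE_VERSION=` is written to `$GITHUB_ENV` empty instead of failing the job. Reading the file directly and letting jq fail on a null result closes that gap: `release_version=$(jq -re '.version' lerna.json)`. The same line is context in the release-master hunk of this patch and in the deploy-cloud `@@ -31,11 +37,7 @@` hunk of PATCH 2/4, so all three should change together.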
From: Adria Navarro Date: Tue, 6 Jun 2023 11:12:29 +0100 Subject: [PATCH 2/4] Change pipelines to use tags and secure them properly --- .github/workflows/deploy-cloud.yaml | 30 ++++++++++++----------- .github/workflows/deploy-preprod.yml | 21 +++++++++++++--- .github/workflows/release-develop.yml | 7 ++++++ .github/workflows/release-master.yml | 2 +- .github/workflows/release-selfhost.yml | 16 +++++++++--- .github/workflows/release-singleimage.yml | 21 ++++++++++++---- 6 files changed, 69 insertions(+), 28 deletions(-) diff --git a/.github/workflows/deploy-cloud.yaml b/.github/workflows/deploy-cloud.yaml index fa80da846f..d8f1ee88f9 100644 --- a/.github/workflows/deploy-cloud.yaml +++ b/.github/workflows/deploy-cloud.yaml @@ -2,23 +2,29 @@ name: Budibase Deploy Production on: workflow_dispatch: - inputs: - version: - description: Budibase release version. For example - 1.0.0 - required: false jobs: release: runs-on: ubuntu-latest steps: - - name: Fail if branch is not master - if: github.ref != 'refs/heads/master' - run: | - echo "Ref is not master, you must run this job from master." - exit 1 + - name: Fail if not a tag + run: | + if [[ $GITHUB_REF != refs/tags/* ]]; then + echo "Workflow Dispatch can only be run on tags" + exit 1 + fi - uses: actions/checkout@v2 + with: + fetch-depth: 0 + + - name: Fail if tag is not in master + run: | + if ! git merge-base --is-ancestor ${{ github.sha }} origin/master; then + echo "Tag is not in master. This pipeline can only execute tags that are present on the master branch" + exit 1 + fi - name: Pull values.yaml from budibase-infra run: | 
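Review bot: The new `Fail if tag is not in master` step only proves the tagged commit is reachable from `origin/master`, so anyone who can push a tag can still point it at any older master commit and have production deployed from it; the guard needs a tag protection rule (or a restriction on who may create release tags) on the repository side, which this change cannot express and should be called out in the description. Within the step, prefer the environment variable over expression interpolation, for consistency with `$GITHUB_REF` in the preceding step: `if ! git merge-base --is-ancestor "$GITHUB_SHA" origin/master; then`. The same two-step guard is copied verbatim into the deploy-preprod, release-selfhost and release-singleimage hunks of this patch; a composite action or reusable workflow would keep the copies from drifting, and the release-selfhost copy already sits on a checkout whose `fetch_depth` input is misspelled.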
@@ -31,11 +37,7 @@ jobs: - name: Get the latest budibase release version id: version run: | - if [ -z "${{ github.event.inputs.version }}" ]; then - release_version=$(cat lerna.json | jq -r '.version') - else - release_version=${{ github.event.inputs.version }} - fi + release_version=$(cat lerna.json | jq -r '.version') echo "RELEASE_VERSION=$release_version" >> $GITHUB_ENV - name: Configure AWS Credentials diff --git a/.github/workflows/deploy-preprod.yml b/.github/workflows/deploy-preprod.yml index 6ce1697d3a..81395bc7e3 100644 --- a/.github/workflows/deploy-preprod.yml +++ b/.github/workflows/deploy-preprod.yml @@ -1,17 +1,30 @@ name: "deploy-preprod" on: workflow_dispatch: - inputs: - version: - description: Budibase release version. For example - 1.0.0 - required: false workflow_call: jobs: deploy-to-legacy-preprod-env: runs-on: ubuntu-latest steps: + - name: Fail if not a tag + run: | + if [[ $GITHUB_REF != refs/tags/* ]]; then + echo "Workflow Dispatch can only be run on tags" + exit 1 + fi + - uses: actions/checkout@v2 + with: + fetch-depth: 0 + + - name: Fail if tag is not in master + run: | + if ! git merge-base --is-ancestor ${{ github.sha }} origin/master; then + echo "Tag is not in master. This pipeline can only execute tags that are present on the master branch" + exit 1 + fi + - name: Get the latest budibase release version id: version diff --git a/.github/workflows/release-develop.yml b/.github/workflows/release-develop.yml index 48c51e8457..503fc53194 100644 --- a/.github/workflows/release-develop.yml +++ b/.github/workflows/release-develop.yml @@ -22,6 +22,13 @@ jobs: runs-on: ubuntu-latest steps: + - name: Fail if not a tag + run: | + if [[ $GITHUB_REF != refs/tags/* ]]; then + echo "Workflow Dispatch can only be run on tags" + exit 1 + fi + - uses: actions/checkout@v2 with: submodules: true diff --git a/.github/workflows/release-master.yml b/.github/workflows/release-master.yml index 8f371a2481..a4e679e7bf 100644 
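Review bot: After this hunk the deployed version is whatever lerna.json says at the checked-out commit, and nothing ties it to the tag that the new guards require, so a tag whose name disagrees with lerna.json (a retagged or mislabelled commit) still deploys under the lerna version. If release tags follow the lerna version, a one-line comparison after the assignment makes the mismatch fail the job: `[[ "${GITHUB_REF#refs/tags/}" == "$release_version" ]] || { echo "tag $GITHUB_REF does not match lerna.json version $release_version"; exit 1; }` (adjust the stripped prefix if tags carry a `v`). The `version` step's `run:` block ends inside the hunk; the job continues past it.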
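Review bot: The new `Fail if not a tag` step in deploy-preprod prints `Workflow Dispatch can only be run on tags`, but this workflow also declares `workflow_call:` (visible just above the added lines), where `$GITHUB_REF` is the calling workflow's ref and no dispatch is involved, so the message will mislead whoever reads the failed caller's log. Printing the ref and dropping the trigger name covers both entry points: `echo "This workflow can only run on a tag (got $GITHUB_REF)"`. The `version` step started at the end of the hunk continues outside it.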
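Review bot: release-develop gains only the `Fail if not a tag` guard, while every other workflow touched by this patch also verifies that the tag lies on the branch it releases from; here any tag on any branch passes, which is weaker than the rest of the set. If develop releases are expected to be cut from `develop`, the checkout that follows (its `fetch-depth` is outside the hunk and would need to be `0`) could be followed by `if ! git merge-base --is-ancestor "$GITHUB_SHA" origin/develop; then echo "Tag is not in develop"; exit 1; fi`. If the asymmetry is intentional, a comment on the step saying why would save the next reader the question.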
--- a/.github/workflows/release-master.yml +++ b/.github/workflows/release-master.yml @@ -27,7 +27,7 @@ jobs: token: ${{ secrets.PERSONAL_ACCESS_TOKEN }} fetch-depth: 0 - - name: Fail if tag is not master + - name: Fail if tag is not in master run: | if ! git merge-base --is-ancestor ${{ github.sha }} origin/master; then echo "Tag is not in master. This pipeline can only execute tags that are present on the master branch" diff --git a/.github/workflows/release-selfhost.yml b/.github/workflows/release-selfhost.yml index f5a2f643c3..8b1ae0c6fe 100644 --- a/.github/workflows/release-selfhost.yml +++ b/.github/workflows/release-selfhost.yml @@ -8,16 +8,24 @@ jobs: runs-on: ubuntu-latest steps: - - name: Fail if branch is not master - if: github.ref != 'refs/heads/master' + - name: Fail if not a tag run: | - echo "Ref is not master, you must run this job from master." - exit 1 + if [[ $GITHUB_REF != refs/tags/* ]]; then + echo "Workflow Dispatch can only be run on tags" + exit 1 + fi - uses: actions/checkout@v2 with: fetch_depth: 0 + - name: Fail if tag is not in master + run: | + if ! git merge-base --is-ancestor ${{ github.sha }} origin/master; then + echo "Tag is not in master. This pipeline can only execute tags that are present on the master branch" + exit 1 + fi + - name: Use Node.js 14.x uses: actions/setup-node@v1 with: diff --git a/.github/workflows/release-singleimage.yml b/.github/workflows/release-singleimage.yml index cd16574eea..fbf972a866 100644 --- a/.github/workflows/release-singleimage.yml +++ b/.github/workflows/release-singleimage.yml 
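Review bot: The new `Fail if tag is not in master` step in release-selfhost depends on a full clone, but the checkout it follows passes `fetch_depth: 0` (underscore, visible as context in the hunk), which actions/checkout does not recognise as `fetch-depth`; the clone is then presumably shallow, `origin/master` is never fetched, `git merge-base` errors out, the `!` turns that error into the "not in master" branch, and the job fails on every tag. The deploy-preprod and release-singleimage hunks spell the input correctly; this one should read `fetch-depth: 0`. The job continues past the end of the hunk.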
@@ -15,13 +15,24 @@ jobs: matrix: node-version: [14.x] steps: - - name: Fail if branch is not master - if: github.ref != 'refs/heads/master' - run: | - echo "Ref is not master, you must run this job from master." - exit 1 + - name: Fail if not a tag + run: | + if [[ $GITHUB_REF != refs/tags/* ]]; then + echo "Workflow Dispatch can only be run on tags" + exit 1 + fi - name: "Checkout" uses: actions/checkout@v2 + with: + fetch-depth: 0 + + - name: Fail if tag is not in master + run: | + if ! git merge-base --is-ancestor ${{ github.sha }} origin/master; then + echo "Tag is not in master. This pipeline can only execute tags that are present on the master branch" + exit 1 + fi + - name: Use Node.js ${{ matrix.node-version }} uses: actions/setup-node@v1 with: From 9506a915f3587f782ff557db84821bf11764459e Mon Sep 17 00:00:00 2001 From: Adria Navarro Date: Tue, 6 Jun 2023 11:22:24 +0100 Subject: [PATCH 3/4] Remove git pull --- .github/workflows/release-selfhost.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/release-selfhost.yml b/.github/workflows/release-selfhost.yml index 8b1ae0c6fe..9df089223e 100644 --- a/.github/workflows/release-selfhost.yml +++ b/.github/workflows/release-selfhost.yml @@ -86,7 +86,6 @@ jobs: git config user.name "Budibase Helm Bot" git config user.email "<>" git reset --hard - git pull mkdir sync echo "Packaging chart to sync dir" helm package charts/budibase --version "$RELEASE_VERSION" --app-version "$RELEASE_VERSION" --destination sync From ef9f4955faff66df1aed652f549e0d09cb2c5161 Mon Sep 17 00:00:00 2001 From: Rory Powell Date: Tue, 6 Jun 2023 11:27:08 +0100 Subject: [PATCH 4/4] Add fetch insted of pull --- .github/workflows/release-selfhost.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/release-selfhost.yml b/.github/workflows/release-selfhost.yml index 9df089223e..1ace297ed9 100644 --- a/.github/workflows/release-selfhost.yml +++ b/.github/workflows/release-selfhost.yml 
@@ -86,6 +86,7 @@ jobs: git config user.name "Budibase Helm Bot" git config user.email "<>" git reset --hard + git fetch mkdir sync echo "Packaging chart to sync dir" helm package charts/budibase --version "$RELEASE_VERSION" --app-version "$RELEASE_VERSION" --destination sync
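Review bot: `git fetch` is not a drop-in for the `git pull` removed in PATCH 3/4: on the detached tag checkout these workflows now use, `pull` would have failed outright, whereas `fetch` succeeds but only updates remote-tracking refs and leaves the working tree at the tag. Whether the lines after `mkdir sync` (the `run:` block continues outside the hunk) rely on freshly pulled content cannot be seen here; if they do, the fetch must be followed by an explicit checkout or merge of the ref they expect, and if they do not, the `git fetch` line is dead weight and can go. Either way a one-line comment above it naming what the fetched refs are used for, e.g. `# refresh remote-tracking refs for <step that needs them>`, would make the intent checkable.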