diff --git a/.github/workflows/dual-approval.yaml b/.github/workflows/dual-approval.yaml index 4412e78..ea7cbc3 100644 --- a/.github/workflows/dual-approval.yaml +++ b/.github/workflows/dual-approval.yaml @@ -20,7 +20,7 @@ jobs: steps: - name: Install dependencies - run: apt-get update -qq && apt-get install -y --no-install-recommends curl jq + run: apt-get update -qq && apt-get install -y --no-install-recommends ca-certificates curl jq - name: Check promotion approval env: @@ -28,6 +28,7 @@ jobs: PR_NUMBER: ${{ github.event.pull_request.number }} REPO: ${{ github.repository }} BASE_REF: ${{ github.base_ref }} + HEAD_REF: ${{ github.head_ref }} run: | if [ -z "${PR_NUMBER}" ] || [ "${PR_NUMBER}" = "null" ]; then echo "::notice::No PR number in context. Skipping promotion gate." @@ -59,10 +60,7 @@ jobs: GATE_NAME="QA" # For plugin repos (Pipeline A), UAT approval is needed for uat→main # Check if the source branch is uat - SOURCE_REF=$(curl -sf \ - -H "Authorization: token ${GITEA_TOKEN}" \ - -H "Accept: application/json" \ - "https://git.farh.net/api/v1/repos/${REPO}/pulls/${PR_NUMBER}" | jq -r '.head.ref') + SOURCE_REF="${HEAD_REF}" if [ "${SOURCE_REF}" = "uat" ]; then REQUIRED_REVIEWER="pe_patty" @@ -113,4 +111,4 @@ jobs: else echo "Promotion gate failed: waiting for ${GATE_NAME} approval from ${REQUIRED_REVIEWER}." exit 1 - fi \ No newline at end of file + fi diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 44f28f3..abb903d 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml 
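Review bot: `SOURCE_REF="${HEAD_REF}"` picks the required reviewer from the head branch name alone, and on a pull request opened from a fork that name is chosen by the PR author, so a fork branch named `uat` would be treated like this repository's `uat` branch. The removed API lookup of `.head.ref` had the same property, so this is not a regression. If fork PRs can reach this workflow, the gate should also confirm the head repository, for example by adding `HEAD_REPO: ${{ github.event.pull_request.head.repo.full_name }}` to `env:` (assuming the runner populates that field) and testing `if [ "${SOURCE_REF}" = "uat" ] && [ "${HEAD_REPO}" = "${REPO}" ]; then`. Passing the ref through `env:` instead of expanding it inside the script is the right shape and should be kept, since branch names may contain shell metacharacters. The surrounding `run:` block starts and ends outside this hunk.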
@@ -4,20 +4,77 @@ on: workflow_dispatch: inputs: version: - description: 'Release version (e.g. 1.0.0)' + description: 'Release version (e.g. 1.0.1)' required: true type: string permissions: contents: write - pull-requests: write jobs: release: - uses: privilegedescalation/.github/.github/workflows/plugin-release.yaml@main - secrets: - RELEASE_APP_ID: ${{ secrets.RELEASE_APP_ID }} - RELEASE_APP_PRIVATE_KEY: ${{ secrets.RELEASE_APP_PRIVATE_KEY }} - with: - version: ${{ inputs.version }} - upstream-repo: 'FairwindsOps/polaris' + runs-on: ubuntu-latest + + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Setup Node + uses: actions/setup-node@v4 + with: + node-version: '20' + cache: 'pnpm' + + - name: Install dependencies + run: pnpm install --frozen-lockfile + + - name: Build + run: pnpm run build + + - name: Get tarball path + id: tarball + run: | + # headlamp-plugin package outputs the tarball path, e.g.: + # "Packaged: /path/to/headlamp-polaris-1.0.0.tgz" + output=$(pnpm run package 2>&1) + echo "output=$output" + # Extract tarball name, e.g. 
headlamp-polaris-1.0.0.tgz + tarball_name=$(echo "$output" | grep -oP 'headlamp-polaris-\d+\.\d+\.\d+\.tgz' | tail -1) + echo "tarball_name=$tarball_name" >> $GITHUB_OUTPUT + + - name: Create Gitea Release + env: + GITEA_URL: https://git.farh.net + GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }} + REPO: privilegedescalation/headlamp-polaris-plugin + run: | + VERSION="${{ inputs.version }}" + ASSET_NAME="headlamp-polaris-${VERSION}.tar.gz" + + # Create the release via Gitea API + RELEASE_RESPONSE=$( + curl -s -X POST \ + -H "Authorization: token ${GITEA_TOKEN}" \ + -H "Content-Type: application/json" \ + "${GITEA_URL}/api/v1/repos/${REPO}/releases" \ + -d "{ + \"tag_name\": \"v${VERSION}\", + \"name\": \"v${VERSION}\", + \"draft\": false, + \"prerelease\": false + }" + ) + echo "Release response: ${RELEASE_RESPONSE}" + + RELEASE_ID=$(echo "${RELEASE_RESPONSE}" | python3 -c "import sys, json; print(json.load(sys.stdin).get('id', ''))") + if [ -z "$RELEASE_ID" ]; then + echo "Failed to create release" + exit 1 + fi + + # Upload the tarball asset + curl -s -X POST \ + -H "Authorization: token ${GITEA_TOKEN}" \ + -H "Content-Type: application/octet-stream" \ + -T "${{ steps.tarball.outputs.tarball_name }}" \ + "${GITEA_URL}/api/v1/repos/${REPO}/releases/${RELEASE_ID}/assets?name=${ASSET_NAME}" \ No newline at end of file
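Review bot: The `Create Gitea Release` step expands `${{ inputs.version }}` and `${{ steps.tarball.outputs.tarball_name }}` directly inside the `run:` script, so both values are pasted into the shell source and the hand-built JSON body before bash parses them. Pass them through `env:` and validate the version format first, as the dual-approval workflow already does for its PR fields. Both `curl` calls use `-s` without `--fail`, and the release is created with `draft: false` before the upload, so a failed upload or an empty tarball name (for example when the `grep -oP` in `Get tarball path` matches nothing) still leaves a published release and a green job. The upload should use `curl -sf` with `-T "${TARBALL}"`. The new `uses:` lines also reference `actions/checkout@v4` and `actions/setup-node@v4` by mutable tag in a job that holds `contents: write` and `GITEA_TOKEN`, so pinning them to a commit SHA would be safer.

```yaml
      - name: Create Gitea Release
        env:
          # … unchanged: GITEA_URL, GITEA_TOKEN, REPO …
          VERSION: ${{ inputs.version }}
          TARBALL: ${{ steps.tarball.outputs.tarball_name }}
        run: |
          # Accept only a plain x.y.z version before it reaches the tag name, JSON body or URL
          if ! [[ "${VERSION}" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
            echo "::error::Invalid release version"
            exit 1
          fi
          # Stop before creating the release if packaging produced no artifact
          if [ -z "${TARBALL}" ] || [ ! -f "${TARBALL}" ]; then
            echo "::error::Packaged tarball not found"
            exit 1
          fi
          # … unchanged: ASSET_NAME, release creation, RELEASE_ID check, asset upload …
```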