Update workflows to use actions that don't need organization secrets (#9126)

* Update workflows to use actions that don't need organization secrets

Each repository can only have 100 organization secrets and there are now more than 100 in our organization which causes inconsistent behavior.

Some repositories don't have the secrets they need assigned.

These composite actions use secrets stored in Vault that are available to all repositories.

- `publish-technical-documentation-next.yml` has been tested with https://github.com/grafana/writers-toolkit/blob/main/.github/workflows/publish-technical-documentation.yml.
- `publish-technical-documentation-release.yml` has been tested with https://github.com/grafana/backend-enterprise/blob/gem-release-2.13/.github/workflows/publish-technical-documentation-release.yml.

There is some copy-paste involved in the creation of these workflows. Please check:

For `publish-technical-documentation-next.yml`:

- [ ] The `on.push` `branches` and `paths` filters are correct for your repository.
- [ ] The `jobs.sync.if` repository matches your repository.
- [ ] The `jobs.sync.steps[1].with.website_directory` matches the directory you publish to in the website repository.

For `publish-technical-documentation-release.yml`:

- [ ] The `on.push` `branches`, `tags`, and `paths` filters are correct for your repository.
- [ ] The `jobs.sync.if` repository matches your repository.
- [ ] The `jobs.sync.steps[1].with.release_tag_regexp` regular expression matches your tags and captures major, minor, and patch versions from those tags.
- [ ] The `jobs.sync.steps[1].with.release_branch_regexp` regular expression matches your release branch names and captures major and minor versions from those branch names.
- [ ] The `jobs.sync.steps[1].with.release_branch_with_patch_regexp` regular expression matches your release branch names if they were to include a patch version, and that it would capture major, minor, and patch versions from those branch names.
- [ ] The `jobs.sync.steps[1].with.website_directory` matches the directory you publish to in the website repository.

We'll also need to backport this to any branches where you are maintaining documentation that you want synced to the website.

Signed-off-by: Jack Baldry <[email protected]>

* Fix repo

* Add explanatory comments

---------

Signed-off-by: Jack Baldry <[email protected]>
(cherry picked from commit bbd2a24)
jdbaldry authored and grafanabot committed Sep 19, 2024
1 parent 512b97a commit 0641a70
Showing 3 changed files with 66 additions and 176 deletions.
64 changes: 19 additions & 45 deletions .github/workflows/publish-technical-documentation-next.yml
@@ -1,57 +1,31 @@
name: "publish-technical-documentation-next"
name: publish-technical-documentation-next

on:
push:
branches:
- "main"
- main
paths:
- "docs/sources/helm-charts/**"
- "docs/sources/mimir/**"
- "docs/sources/helm-charts/**"
- "docs/sources/mimir/**"
workflow_dispatch:
jobs:
test:
uses: ./.github/workflows/test-docs.yml

sync:
runs-on: "ubuntu-latest"
needs: "test"
if: github.repository == 'grafana/mimir'
needs: test
permissions:
contents: read
id-token: write
runs-on: ubuntu-latest
steps:
- name: "Check out code"
uses: "actions/checkout@v4"

- name: "Clone website-sync Action"
# WEBSITE_SYNC_TOKEN is a fine-grained GitHub Personal Access Token that expires.
# It must be regenerated in the grafanabot GitHub account and requires a Grafana organization
# GitHub administrator to update the organization secret.
# The IT helpdesk can update the organization secret.
run: "git clone --single-branch --no-tags --depth 1 -b master https://grafanabot:${{ secrets.WEBSITE_SYNC_TOKEN }}@github.com/grafana/website-sync ./.github/actions/website-sync"

- name: "Publish to website repository mimir (next)"
uses: "./.github/actions/website-sync"
id: "publish-next-mimir"
with:
repository: "grafana/website"
branch: "master"
host: "github.com"
# PUBLISH_TO_WEBSITE_TOKEN is a fine-grained GitHub Personal Access Token that expires.
# It must be regenerated in the grafanabot GitHub account and requires a Grafana organization
# GitHub administrator to update the organization secret.
# The IT helpdesk can update the organization secret.
github_pat: "grafanabot:${{ secrets.PUBLISH_TO_WEBSITE_TOKEN }}"
source_folder: "docs/sources/mimir"
target_folder: "content/docs/mimir/next"
allow_no_changes: true

- name: "Publish to website repository helm-charts/mimir-distributed (next)"
uses: "./.github/actions/website-sync"
id: "publish-next-mimir-distributed"
with:
repository: "grafana/website"
branch: "master"
host: "github.com"
# PUBLISH_TO_WEBSITE_MIMIR is a fine-grained GitHub Personal Access Token that expires.
# It must be updated in the grafanabot GitHub account.
github_pat: "grafanabot:${{ secrets.PUBLISH_TO_WEBSITE_TOKEN }}"
source_folder: "docs/sources/helm-charts/mimir-distributed"
target_folder: "content/docs/helm-charts/mimir-distributed/next"
allow_no_changes: true
- uses: actions/checkout@v4
- uses: grafana/writers-toolkit/publish-technical-documentation@publish-technical-documentation/v1
with:
source_directory: docs/sources/mimir
website_directory: content/docs/mimir/next
- uses: grafana/writers-toolkit/publish-technical-documentation@publish-technical-documentation/v1
with:
source_directory: docs/sources/helm-charts/mimir-distributed
website_directory: content/docs/helm-charts/mimir-distributed/next
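
Review bot: The `permissions` block added to `jobs.sync` grants `id-token: write` with no comment, while the same block in the two release workflows in this commit is preceded by a comment saying the permissions are needed to assume roles through GitHub's OIDC to fetch secrets from Vault; add that comment here too so the grant is not later widened or dropped by someone who does not know why it exists. Both new steps reference `grafana/writers-toolkit/publish-technical-documentation@publish-technical-documentation/v1`, a tag that can be moved, and they run in the job that can request the OIDC token, so consider pinning them to a full commit SHA.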
@@ -1,76 +1,35 @@
name: "publish-technical-documentation-release-helm-charts"
name: publish-technical-documentation-release-helm-charts

on:
push:
tags: # this excludes pre-releases, e.g. mimir-distributed-2.2.0-weekly.192
- "mimir-distributed-[0-9]+.[0-9]+.[0-9]+"
- "mimir-distributed-[0-9]+.[0-9]+.[0-9]+"
branches: # this excludes pre-releases, e.g. mimir-distributed-2.2.0-weekly.192
- "mimir-distributed-release-[0-9]+.[0-9]+"
- "mimir-distributed-release-[0-9]+.[0-9]+"
paths:
- "docs/sources/helm-charts/**"
- "operations/helm/charts/mimir-distributed/Chart.yaml"

workflow_dispatch: # for manual testing

- "docs/sources/helm-charts/**"
- "operations/helm/charts/mimir-distributed/Chart.yaml"
workflow_dispatch:
jobs:
test:
uses: ./.github/workflows/test-docs.yml

sync:
runs-on: "ubuntu-latest"
needs: "test"
if: github.repository == 'grafana/mimir'
needs: test
# The following permissions are required to to assume roles from GitHub's OIDC which is used to fetch secrets from Vault.
permissions:
contents: read
id-token: write
runs-on: ubuntu-latest
steps:

- name: "Checkout Mimir repo"
uses: "actions/checkout@v4"
with:
fetch-depth: 0

- name: "Checkout Actions library"
uses: "actions/checkout@v4"
with:
repository: "grafana/grafana-github-actions"
path: "./actions"

- name: "Install Actions from library"
run: "npm install --production --prefix ./actions"

- name: "Determine if there is a matching release tag"
id: "has-matching-release-tag"
uses: "./actions/has-matching-release-tag"
with:
ref_name: "${{ github.ref_name }}"
release_tag_regexp: "^mimir-distributed-(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)$"
release_branch_regexp: "^mimir-distributed-release-(0|[1-9]\\d*)\\.(0|[1-9]\\d*)$"

- name: "Determine technical documentation version"
if: "steps.has-matching-release-tag.outputs.bool == 'true'"
uses: "./actions/docs-target"
id: "target"
with:
ref_name: "${{ github.ref_name }}"

- name: "Clone website-sync Action"
if: "steps.has-matching-release-tag.outputs.bool == 'true'"
# WEBSITE_SYNC_TOKEN is a fine-grained GitHub Personal Access Token that expires.
# It must be regenerated in the grafanabot GitHub account and requires a Grafana organization
# GitHub administrator to update the organization secret.
# The IT helpdesk can update the organization secret.
run: "git clone --single-branch --no-tags --depth 1 -b master https://grafanabot:${{ secrets.WEBSITE_SYNC_TOKEN }}@github.com/grafana/website-sync ./.github/actions/website-sync"

- name: "Publish to website repository (release)"
if: "steps.has-matching-release-tag.outputs.bool == 'true'"
uses: "./.github/actions/website-sync"
id: "publish-release"
with:
repository: "grafana/website"
branch: "master"
host: "github.com"
# PUBLISH_TO_WEBSITE_TOKEN is a fine-grained GitHub Personal Access Token that expires.
# It must be regenerated in the grafanabot GitHub account and requires a Grafana organization
# GitHub administrator to update the organization secret.
# The IT helpdesk can update the organization secret.
github_pat: "grafanabot:${{ secrets.PUBLISH_TO_WEBSITE_TOKEN }}"
source_folder: "docs/sources/helm-charts/mimir-distributed"
# Append ".x" to target to produce a v<major>.<minor>.x directory.
target_folder: "content/docs/helm-charts/mimir-distributed/${{ steps.target.outputs.target }}.x"
- uses: actions/checkout@v4
with:
# Full fetch depth is required to fetch tags. The publishing workflow uses tags to prevent publishing a release branch before it has been formally released, as determined by the presence of a matching tag for the release branch.
fetch-depth: 0
- uses: grafana/writers-toolkit/publish-technical-documentation-release@publish-technical-documentation-release/v1
with:
release_tag_regexp: "^mimir-distributed-(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)$"
release_branch_regexp: "^mimir-distributed-release-(0|[1-9]\\d*)\\.(0|[1-9]\\d*)$"
release_branch_with_patch_regexp: "^mimir-distributed-release-(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)$"
source_directory: docs/sources/helm-charts/mimir-distributed
website_directory: content/docs/helm-charts/mimir-distributed
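
Review bot: The new `website_directory: content/docs/helm-charts/mimir-distributed` has no version component and no comment, while the step it replaces wrote to `content/docs/helm-charts/mimir-distributed/${{ steps.target.outputs.target }}.x` and documented the `v<major>.<minor>.x` naming; add a comment next to the three `release_*_regexp` inputs saying how the published directory is derived from the versions those expressions capture, since the file no longer shows that mapping anywhere. The comment above `permissions` reads "required to to assume roles", with a doubled "to".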
89 changes: 23 additions & 66 deletions .github/workflows/publish-technical-documentation-release-mimir.yml
@@ -1,77 +1,34 @@
name: "publish-technical-documentation-release-mimir"
name: publish-technical-documentation-release-mimir

on:
push:
branches:
- "release-*"
- "release-*"
tags:
- "mimir-[0-9]+.[0-9]+.[0-9]+"
- "mimir-[0-9]+.[0-9]+.[0-9]+"
paths:
- "docs/sources/mimir/**"

workflow_dispatch: # for manual testing

- "docs/sources/mimir/**"
workflow_dispatch:
jobs:
test:
uses: ./.github/workflows/test-docs.yml

sync:
runs-on: "ubuntu-latest"
needs: "test"
if: github.repository == 'grafana/mimir'
needs: test
# The following permissions are required to to assume roles from GitHub's OIDC which is used to fetch secrets from Vault.
permissions:
contents: read
id-token: write
runs-on: ubuntu-latest
steps:

- name: "Checkout Mimir repo"
uses: "actions/checkout@v4"
with:
fetch-depth: 0

- name: "Checkout Actions library"
uses: "actions/checkout@v4"
with:
repository: "grafana/grafana-github-actions"
path: "./actions"

- name: "Install Actions from library"
run: "npm install --production --prefix ./actions"

- name: "Determine if there is a matching release tag"
id: "has-matching-release-tag"
uses: "./actions/has-matching-release-tag"
with:
ref_name: "${{ github.ref_name }}"
release_tag_regexp: "^mimir-(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)$"
release_branch_regexp: "^release-(0|[1-9]\\d*)\\.(0|[1-9]\\d*)$"

- name: "Determine technical documentation version"
if: "steps.has-matching-release-tag.outputs.bool == 'true'"
uses: "./actions/docs-target"
id: "target"
with:
ref_name: "${{ github.ref_name }}"

- name: "Clone website-sync Action"
if: "steps.has-matching-release-tag.outputs.bool == 'true'"
# WEBSITE_SYNC_TOKEN is a fine-grained GitHub Personal Access Token that expires.
# It must be regenerated in the grafanabot GitHub account and requires a Grafana organization
# GitHub administrator to update the organization secret.
# The IT helpdesk can update the organization secret.
run: "git clone --single-branch --no-tags --depth 1 -b master https://grafanabot:${{ secrets.WEBSITE_SYNC_TOKEN }}@github.com/grafana/website-sync ./.github/actions/website-sync"

- name: "Publish to website repository (release)"
if: "steps.has-matching-release-tag.outputs.bool == 'true'"
uses: "./.github/actions/website-sync"
id: "publish-release"
with:
repository: "grafana/website"
branch: "master"
host: "github.com"
# PUBLISH_TO_WEBSITE_TOKEN is a fine-grained GitHub Personal Access Token that expires.
# It must be regenerated in the grafanabot GitHub account and requires a Grafana organization
# GitHub administrator to update the organization secret.
# The IT helpdesk can update the organization secret.
github_pat: "grafanabot:${{ secrets.PUBLISH_TO_WEBSITE_TOKEN }}"
source_folder: "docs/sources/mimir"
# Append ".x" to target to produce a v<major>.<minor>.x directory.
target_folder: "content/docs/mimir/${{ steps.target.outputs.target }}.x"
# Patch releases may not have any new technical documentation.
allow_no_changes: true
- uses: actions/checkout@v4
with:
# Full fetch depth is required to fetch tags. The publishing workflow uses tags to prevent publishing a release branch before it has been formally released, as determined by the presence of a matching tag for the release branch.
fetch-depth: 0
- uses: grafana/writers-toolkit/publish-technical-documentation-release@publish-technical-documentation-release/v1
with:
release_tag_regexp: "^mimir-(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)$"
release_branch_regexp: "^release-(0|[1-9]\\d*)\\.(0|[1-9]\\d*)$"
release_branch_with_patch_regexp: "^release-(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)$"
source_directory: docs/sources/mimir
website_directory: content/docs/mimir
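
Review bot: The `branches` filter `"release-*"` is wider than `release_branch_regexp: "^release-(0|[1-9]\\d*)\\.(0|[1-9]\\d*)$"`, so a push to a branch such as `release-test` still starts `jobs.sync` with `id-token: write`, and the `if: "steps.has-matching-release-tag.outputs.bool == 'true'"` guards that used to gate the publish steps are removed; either narrow the filter to `"release-[0-9]+.[0-9]+"`, as the helm-charts workflow does for its branches, or confirm that the new action does nothing when the ref matches none of its expressions. The removed publish step also set `allow_no_changes: true` with the comment "Patch releases may not have any new technical documentation", and the new step has no visible equivalent, so check that a patch tag without documentation changes does not fail the job. The doubled "to" in the comment above `permissions` appears here as well.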
