ci(github): connect release reorganization #12444
Conversation
karliatto
force-pushed
the
ci/refactor-order-of-connect-release
branch
2 times, most recently
from
32e940e to
5ddee00
Compare
karliatto
force-pushed
the
ci/refactor-order-of-connect-release
branch
4 times, most recently
from
d88e8f4 to
86cb240
Compare
karliatto
changed the title
|
|
||
| jobs: | ||
| bump-versions: | ||
| if: github.repository == 'trezor/trezor-suite' |
There was a problem hiding this comment.
I noticed that not all the jobs here have this check. should they have it? or is it enough only for the first job to have it?
There was a problem hiding this comment.
Good point. I actually think that if: github.repository == 'trezor/trezor-suite' should be only used in workflows that are run automatically like the tests ones, to avoid running when running in forks. But this one has to be triggered manually so I would say it is not necessarily. @vdovhanych could you confirm it?
There was a problem hiding this comment.
Yes, we can get rid of it for release workflows
karliatto
force-pushed
the
ci/refactor-order-of-connect-release
branch
from
86cb240 to
cf2d60f
Compare
| git config --global user.name "trezor-ci" | ||
| git config --global user.email "${{ secrets.TREZOR_BOT_EMAIL }}" | ||
| gh config set prompt disabled |
There was a problem hiding this comment.
@vdovhanych getting rid of "trezor-ci" git user here, since I think this was totally unnecessary.
| run: | | ||
| echo ${{ env.BRANCH_NAME }} | ||
| git checkout -b ${{ env.BRANCH_NAME }} | ||
| git push origin ${{ env.BRANCH_NAME }} |
There was a problem hiding this comment.
@vdovhanych as agreed I am not adding here the "trezor-ci" bot credential and name since this branch is going to be created by the user that triggers the action.
There was a problem hiding this comment.
How is this supposed to work? Its trying to push te code to protected branch. It wont work like this, we don't want to have automation rights to push commits to protected branch.
There was a problem hiding this comment.
the new system sounds good to me. I just pointed few nitpicks around the review, not really important ones.
Maybe please wait also for @vdovhanych and his second approval 🙏
| @@ -0,0 +1,37 @@ | |||
| name: "[Release] connect bump versions" | |||
There was a problem hiding this comment.
This will run and create a new unprotected branch with updated versions and create a pull request to the protected branch?
There was a problem hiding this comment.
This will create a new unprotected branch with update versions and create a pull request to develop.
Then we merge it to develop and once it is in develop we run the other workflow .github/workflows/release-connect-init.yml to create the protected branch release/connect/...
| run: | | ||
| echo ${{ env.BRANCH_NAME }} | ||
| git checkout -b ${{ env.BRANCH_NAME }} | ||
| git push origin ${{ env.BRANCH_NAME }} |
There was a problem hiding this comment.
How is this supposed to work? Its trying to push te code to protected branch. It wont work like this, we don't want to have automation rights to push commits to protected branch.
| @@ -0,0 +1,37 @@ | |||
| name: Check connect version match with branch | |||
There was a problem hiding this comment.
This should probably be called [Template] ...
There was a problem hiding this comment.
Also i would probably convert this to action as this is something that is quite static and wont be changing that often (but its super low priority)
There was a problem hiding this comment.
Yes, I made new action .github/actions/check-connect-version-match/action.yml
| git config --global user.name "trezor-ci" | ||
| git config --global user.email "${{ secrets.TREZOR_BOT_EMAIL }}" | ||
| gh config set prompt disabled |
|
|
||
| - name: Create and push new branch | ||
| env: | ||
| BRANCH_NAME: "release/connect/${{ needs.extract-version.outputs.version }}" |
There was a problem hiding this comment.
This is where what branch its pushing to is specified. W probably want to push the code to create-push-release-branch: branch that was created in that job at the line 46.
There was a problem hiding this comment.
This will now be done by the "trezor-ci".
| git push origin ${{ env.BRANCH_NAME }} | ||
| echo "branch_name=${{ env.BRANCH_NAME }}" >> $GITHUB_OUTPUT | ||
|
|
||
| trigger-v9-staging-release: |
There was a problem hiding this comment.
Im not sure if this will do what we want, if we trigger the workflows like this it will still be possible to approve the run by one person. I trigger release and i can approve it myself because the deploy was requested by the github-actions "user". This is valied for all following trigger jobs
There was a problem hiding this comment.
I see, I think you are right.
I am researching if there is a way of using the same user that triggered the action as the one that trigger it.
There was a problem hiding this comment.
I think I have an idea, what if instead of running those workflows using gh I will make those workflows templates that will run in the original workflow release-connect-init.yml ?
Then it will all be run by the user that is triggering the initial workflow, right?
There was a problem hiding this comment.
Now it seams even more right in my mind.
There was a problem hiding this comment.
Maybe it is problematic with "approval" since the approval are per workflow not per job. Right?
And in my mind this is design to approve each workflow at a different moment.
There was a problem hiding this comment.
Or we can do the process a bit more manual and trigger those workflows manually at least for now.
There was a problem hiding this comment.
Ok, for now I suggest get rid of the automation of triggering all the workflows from one and trigger them manually until we decide how to do it in order to achieve that each of the releases part has to be trigger by one authorize user and approve by other.
Therefore I added this fixup to remove all those trigger... jobs 3029015
@vdovhanych if you agree I will squash that fixup and we can try manually then we will see.
| env: | ||
| BRANCH_NAME: release/connect/${{ needs.extract-version.outputs.version }} | ||
|
|
||
| trigger-npm-release-connect: |
There was a problem hiding this comment.
same here with te triggering the action with github actions.
There was a problem hiding this comment.
I dont think this is resolved
There was a problem hiding this comment.
You are right, just getting rid of that file completely since this time we are going to run those workflows manually 95ffe13
| gh config set prompt disabled | ||
| gh api /user --jq .login | ||
| node ./ci/scripts/connect-release-init-npm.js ${{ github.event.inputs.semver }} | ||
| yarn tsx ./ci/scripts/connect-release-npm-init.ts ${{ github.event.inputs.deploymentType }} ${{ env.BRANCH_NAME }} |
There was a problem hiding this comment.
This again tries to push the code to the protected branch. Or I'm missing something?
There was a problem hiding this comment.
No, this is not pushing code to any protected branch. This is triggering the workflow that will initialize the release of NPM.
It requires to have a script that checks what are the dependencies that need to be updated.
Please look at the section ## Release process in the description of this PR, I am trying to explain there the process. And let' me know if you have doubts or ideas.
karliatto
force-pushed
the
ci/refactor-order-of-connect-release
branch
3 times, most recently
from
95ffe13 to
36bd85e
Compare
karliatto
force-pushed
the
ci/refactor-order-of-connect-release
branch
from
36bd85e to
db94318
Compare
Description
This PR changes the process to release connect to be like below:
release/connect/...branch and will check what versions are different in package.json and NPM and it will trigger the workflows to release those with different versionsRelease process
So the process would be:
.github/workflows/release-connect-bump-versions.ymldevelop.github/workflows/release-connect-init.ymlusing the commit hash of the previously mergedbump-versions/connect-${version}.release/connect/<version>canaryreleases.Related Issue
Related #12157