release-start.yml
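# Manually triggered workflow that prepares a release: it bumps package.json to the requested
# version, builds and tests, generates a changelog, closes earlier release pull requests and
# opens a new release/vX.Y.Z pull request against main using a GitHub App token.
name: Start Release

on:
  workflow_dispatch:
    inputs:
      release_version:
        description: Specifies the new release version (X.Y.Z)
        required: true
        type: string
  # Note: If necessary, add a push/branch to test workflow appropriately.

concurrency:
  group: release
  cancel-in-progress: true # Cancel any in-progress runs for this group

env:
  # Both values are derived from the free-text dispatch input. Steps read VERSION from the
  # environment; the "Validate version input" step rejects anything that is not X.Y.Z.
  VERSION: ${{ github.event.inputs.release_version }}
  BRANCH_NAME: release/v${{ github.event.inputs.release_version }}

jobs:
  preview-release:
    name: release
    runs-on: ubuntu-latest
    permissions:
      contents: read # Required to read repo contents. Note: We leverage release-preview app for PR + commit generation
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0 # Get all history which is required for parsing commits
          persist-credentials: false

      - name: Setup Node.js
        id: setup-node
        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
          node-version-file: .node-version
          cache: npm

      - name: Install Dependencies
        id: npm-ci
        run: npm ci --no-fund

      # The input is read from the VERSION environment variable instead of being expanded into the
      # script text. Workflow expressions are substituted before bash parses the script, so an inline
      # expansion would be interpreted as shell syntax before this check had a chance to reject it.
      - name: Validate version input
        run: |
          # Ensure the provided version strictly matches X.Y.Z where X,Y,Z are numeric to avoid injection.
          if ! [[ "$VERSION" =~ ^[0-9]+(\.[0-9]+){2}$ ]]; then
            echo "Error: release_version must match X.Y.Z (numeric). Got: ${VERSION}" >&2
            exit 1
          fi

      - name: Update package.json version
        # The quoted variable reaches npm as a single argument (no word splitting or globbing),
        # and the value never becomes part of the script text.
        # Flag order changed (options first) for clarity but either order works.
        run: npm version --no-git-tag-version "$VERSION"

      - name: Build the package
        run: npm run package

      - name: Run Tests Typescript
        run: npm run test
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Update Coverage Badge
        run: npm run coverage

      # Ensure that the package.json is formatted correctly as result of the npm version command sorting keys
      # differently from biome.
      - name: Format Fix
        run: npm run check:fix

      - name: Generate Changelog
        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
        id: changelog
        env:
          GITHUB_TOKEN: ${{ secrets.GH_TOKEN_READ_AND_MODELS }}
        with:
          result-encoding: json
          script: |
            const { generateChangelog } = await import('${{ github.workspace }}/scripts/changelog.js');
            try {
              // VERSION comes from the workflow-level env block; reading it from process.env keeps
              // the input out of the JavaScript source text.
              const changelog = await generateChangelog(process.env.VERSION);
              console.log('Generated changelog:', changelog);
              return changelog;
            } catch (error) {
              console.error('Error generating changelog:', error);
              core.setFailed(error.message);
            }

      # Pull requests created by the action using the default GITHUB_TOKEN cannot trigger other workflows.
      # If you have on: pull_request or on: push workflows acting as checks on pull requests, they will not run.
      #
      # See below for additional documentation on workarounds:
      #
      # https://github.com/peter-evans/create-pull-request/blob/main/docs/concepts-guidelines.md#triggering-further-workflow-runs
      - uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0
        id: app-token
        with:
          app-id: ${{ secrets.RELEASE_PREVIEW_APP_ID }}
          private-key: ${{ secrets.RELEASE_PREVIEW_APP_PRIVATE_KEY }}

      # Derives the bot login, numeric user id and noreply e-mail of the GitHub App and exposes
      # them as step outputs (user-name, user-id, email).
      - name: Get GitHub App User Details
        id: app-user
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
          APP_SLUG: ${{ steps.app-token.outputs.app-slug }}
        run: |
          user_name="${APP_SLUG}[bot]"
          user_id=$(gh api "/users/${APP_SLUG}[bot]" --jq .id)
          {
            echo "user-name=${user_name}"
            echo "user-id=${user_id}"
            echo "email=${user_id}+${user_name}@users.noreply.github.com"
          } >> "$GITHUB_OUTPUT"

      # Note: We can't change the head branch once a PR is opened. Thus we need to delete any branches
      # that exist from any existing open pull requests. (App Perm = Pull Request: Read + Write)
      - name: Close existing release pull requests
        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
        env:
          APP_USER_NAME: ${{ steps.app-user.outputs.user-name }}
        with:
          github-token: ${{ steps.app-token.outputs.token }}
          script: |
            const prTitleRegex = /^chore\(release\): v\d+\.\d+\.\d+$/;
            const appUserName = process.env.APP_USER_NAME;
            console.log('Searching for existing open PRs ...');
            // NOTE(review): `creator` does not appear to be a documented parameter of the
            // list-pull-requests endpoint, so the author filter that matters is the login
            // comparison in the loop below - confirm and drop the parameter if so.
            const { data: existingPRs } = await github.rest.pulls.list({
              owner: context.repo.owner,
              repo: context.repo.repo,
              per_page: 100,
              state: 'open',
              creator: 'github-actions[bot]'
            });
            for (const pr of existingPRs) {
              console.log('Analyzing PR', pr.number, pr.title, pr.user.login);
              // Check if the title matches the format and it's created by the correct user
              if (prTitleRegex.test(pr.title) && pr.user.login === appUserName) {
                console.log(`PR #${pr.number} has a valid title: ${pr.title}`);
                // Close the existing pull request
                await github.rest.pulls.update({
                  owner: context.repo.owner,
                  repo: context.repo.repo,
                  pull_number: pr.number,
                  state: 'closed'
                });
                console.log(`Closed PR #${pr.number}`);
                // Now delete the branch
                // NOTE(review): the branch name is taken from the PR as-is; only the title and
                // author are checked, not that the ref starts with release/ - consider a guard.
                const branchName = pr.head.ref;
                await github.rest.git.deleteRef({
                  owner: context.repo.owner,
                  repo: context.repo.repo,
                  ref: `heads/${branchName}`
                });
                console.log(`Deleted branch '${branchName}' associated with PR #${pr.number}`);
              }
            }

      - name: Create Branch and Pull Request
        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
        with:
          token: ${{ steps.app-token.outputs.token }}
          base: main
          branch: ${{ env.BRANCH_NAME }}
          title: "chore(release): v${{ env.VERSION }}"
          body: ${{ fromJSON(steps.changelog.outputs.result) }}
          commit-message: "chore(release): v${{ env.VERSION }}"
          sign-commits: true # Note: When setting sign-commits: true the action will ignore the committer and author inputs.
          delete-branch: true
          labels: release
          signoff: false # For now, this specifically adds the github-actions[bot] sign-off. Add back when we can customize the trailer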