diff --git a/.github/actions/release-branches/action.yml b/.github/actions/release-branches/action.yml new file mode 100644 index 0000000000..6dee85a65e --- /dev/null +++ b/.github/actions/release-branches/action.yml @@ -0,0 +1,25 @@ +name: 'Release branches' +description: 'Determine branches for release & backport' +inputs: + major_version: + description: 'The version as extracted from the package.json file' + required: true + latest_tag: + description: 'The most recent tag published to the repository' + required: true +outputs: + backport_source_branch: + description: "The release branch for the given tag" + value: ${{ steps.branches.outputs.backport_source_branch }} + backport_target_branches: + description: "JSON encoded list of branches to target with backports" + value: ${{ steps.branches.outputs.backport_target_branches }} +runs: + using: "composite" + steps: + - id: branches + run: | + python ${{ github.action_path }}/release-branches.py \ + --major-version ${{ inputs.major_version }} \ + --latest-tag ${{ inputs.latest_tag }} + shell: bash diff --git a/.github/actions/release-branches/release-branches.py b/.github/actions/release-branches/release-branches.py new file mode 100644 index 0000000000..8e8bf37db5 --- /dev/null +++ b/.github/actions/release-branches/release-branches.py @@ -0,0 +1,48 @@ +import argparse +import json +import os +import subprocess + +# Name of the remote +ORIGIN = 'origin' + +OLDEST_SUPPORTED_MAJOR_VERSION = 2 + +def main(): + + parser = argparse.ArgumentParser() + parser.add_argument("--major-version", required=True, type=str, help="The major version of the release") + parser.add_argument("--latest-tag", required=True, type=str, help="The most recent tag published to the repository") + args = parser.parse_args() + + major_version = args.major_version + latest_tag = args.latest_tag + + print("major_version: " + major_version) + print("latest_tag: " + latest_tag) + + # If this is a primary release, we backport to all supported branches, + # so we check whether the major_version taken from the package.json + # is greater than or equal to the latest tag pulled from the repo. + # For example... + # 'v1' >= 'v2' is False # we're operating from an older release branch and should not backport + # 'v2' >= 'v2' is True # the normal case where we're updating the current version + # 'v3' >= 'v2' is True # in this case we are making the first release of a new major version + consider_backports = ( major_version >= latest_tag.split(".")[0] ) + + with open(os.environ["GITHUB_OUTPUT"], "a") as f: + + f.write(f"backport_source_branch=releases/{major_version}\n") + + backport_target_branches = [] + + if consider_backports: + for i in range(int(major_version.strip("v"))-1, 0, -1): + branch_name = f"releases/v{i}" + if i >= OLDEST_SUPPORTED_MAJOR_VERSION: + backport_target_branches.append(branch_name) + + f.write("backport_target_branches="+json.dumps(backport_target_branches)+"\n") + +if __name__ == "__main__": + main() diff --git a/.github/actions/release-initialise/action.yml b/.github/actions/release-initialise/action.yml new file mode 100644 index 0000000000..7e554cce1c --- /dev/null +++ b/.github/actions/release-initialise/action.yml @@ -0,0 +1,33 @@ +name: 'Prepare release job' +description: 'Prepare for updating a release branch' + +runs: + using: "composite" + steps: + + - name: Dump environment + run: env + shell: bash + + - name: Dump GitHub context + env: + GITHUB_CONTEXT: '${{ toJson(github) }}' + run: echo "$GITHUB_CONTEXT" + shell: bash + + - name: Set up Python + uses: actions/setup-python@v4 + with: + python-version: 3.8 + + - name: Install dependencies + run: | + python -m pip install --upgrade pip + pip install PyGithub==1.55 requests + shell: bash + + - name: Update git config + run: | + git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com" + git config --global user.name "github-actions[bot]" + shell: bash diff --git a/.github/update-release-branch.py b/.github/update-release-branch.py index 1d19c30ee9..ff65abe84d 100644 --- a/.github/update-release-branch.py +++ b/.github/update-release-branch.py @@ -13,8 +13,9 @@ """ -SOURCE_BRANCH = 'main' -TARGET_BRANCH = 'releases/v2' +# NB: This exact commit message is used to find commits for reverting during backports. +# Changing it requires a transition period where both old and new versions are supported. +BACKPORT_COMMIT_MESSAGE = 'Update version and changelog for v' # Name of the remote ORIGIN = 'origin' @@ -34,7 +35,9 @@ def branch_exists_on_remote(branch_name): return run_git('ls-remote', '--heads', ORIGIN, branch_name).strip() != '' # Opens a PR from the given branch to the target branch -def open_pr(repo, all_commits, source_branch_short_sha, new_branch_name, conductor): +def open_pr( + repo, all_commits, source_branch_short_sha, new_branch_name, source_branch, target_branch, + conductor, is_primary_release, conflicted_files): # Sort the commits into the pull requests that introduced them, # and any commits that don't have a pull request pull_requests = [] @@ -56,7 +59,7 @@ def open_pr(repo, all_commits, source_branch_short_sha, new_branch_name, conduct # Start constructing the body text body = [] - body.append(f'Merging {source_branch_short_sha} into {TARGET_BRANCH}.') + body.append(f'Merging {source_branch_short_sha} into {target_branch}.') body.append('') body.append(f'Conductor for this PR is @{conductor}.') @@ -79,20 +82,38 @@ def open_pr(repo, all_commits, source_branch_short_sha, new_branch_name, conduct body.append('') body.append('Please do the following:') + if len(conflicted_files) > 0: + body.append(' - [ ] Ensure `package.json` file contains the correct version.') + body.append(' - [ ] Add commits to this branch to resolve the merge conflicts ' + + 'in the following files:') + body.extend([f' - [ ] `{file}`' for file in conflicted_files]) + body.append(' - [ ] Ensure another maintainer has reviewed the additional commits you added to this ' + + 'branch to resolve the merge conflicts.') body.append(' - [ ] Ensure the CHANGELOG displays the correct version and date.') body.append(' - [ ] Ensure the CHANGELOG includes all relevant, user-facing changes since the last release.') - body.append(f' - [ ] Check that there are not any unexpected commits being merged into the {TARGET_BRANCH} branch.') + body.append(f' - [ ] Check that there are not any unexpected commits being merged into the {target_branch} branch.') body.append(' - [ ] Ensure the docs team is aware of any documentation changes that need to be released.') + + if not is_primary_release: + body.append(' - [ ] Remove and re-add the "Update dependencies" label to the PR to trigger just this workflow.') + body.append(' - [ ] Wait for the "Update dependencies" workflow to push a commit updating the dependencies.') + + body.append(' - [ ] Mark the PR as ready for review to trigger the full set of PR checks.') body.append(' - [ ] Approve and merge this PR. Make sure `Create a merge commit` is selected rather than `Squash and merge` or `Rebase and merge`.') - body.append(' - [ ] Merge the mergeback PR that will automatically be created once this PR is merged.') - title = f'Merge {SOURCE_BRANCH} into {TARGET_BRANCH}' + if is_primary_release: + body.append(' - [ ] Merge the mergeback PR that will automatically be created once this PR is merged.') + body.append(' - [ ] Merge all backport PRs to older release branches, that will automatically be created once this PR is merged.') + + title = f'Merge {source_branch} into {target_branch}' + labels = ['Update dependencies'] if not is_primary_release else [] # Create the pull request # PR checks won't be triggered on PRs created by Actions. Therefore mark the PR as draft so that # a maintainer can take the PR out of draft, thereby triggering the PR checks. - pr = repo.create_pull(title=title, body='\n'.join(body), head=new_branch_name, base=TARGET_BRANCH, draft=True) - print(f'Created PR #{pr.number}') + pr = repo.create_pull(title=title, body='\n'.join(body), head=new_branch_name, base=target_branch, draft=True) + pr.add_to_labels(*labels) + print(f'Created PR #{str(pr.number)}') # Assign the conductor pr.add_to_assignees(conductor) @@ -102,10 +123,10 @@ def open_pr(repo, all_commits, source_branch_short_sha, new_branch_name, conduct # since the last release to the target branch. # This will not include any commits that exist on the target branch # that aren't on the source branch. -def get_commit_difference(repo): +def get_commit_difference(repo, source_branch, target_branch): # Passing split nothing means that the empty string splits to nothing: compare `''.split() == []` # to `''.split('\n') == ['']`. - commits = run_git('log', '--pretty=format:%H', f'{ORIGIN}/{TARGET_BRANCH}..{ORIGIN}/{SOURCE_BRANCH}').strip().split() + commits = run_git('log', '--pretty=format:%H', f'{ORIGIN}/{target_branch}..{ORIGIN}/{source_branch}').strip().split() # Convert to full-fledged commit objects commits = [repo.get_commit(c) for c in commits] @@ -182,6 +203,24 @@ def main(): required=True, help='The nwo of the repository, for example github/codeql-action.' ) + parser.add_argument( + '--source-branch', + type=str, + required=True, + help='Source branch for release branch update.' + ) + parser.add_argument( + '--target-branch', + type=str, + required=True, + help='Target branch for release branch update.' + ) + parser.add_argument( + '--is-primary-release', + action='store_true', + default=False, + help='Whether this update is the primary release for the current major version.' + ) parser.add_argument( '--conductor', type=str, @@ -191,18 +230,29 @@ def main(): args = parser.parse_args() + source_branch = args.source_branch + target_branch = args.target_branch + is_primary_release = args.is_primary_release + repo = Github(args.github_token).get_repo(args.repository_nwo) - version = get_current_version() + + # the target branch will be of the form releases/vN, where N is the major version number + target_branch_major_version = target_branch.strip('releases/v') + + # split version into major, minor, patch + _, v_minor, v_patch = get_current_version().split('.') + + version = f"{target_branch_major_version}.{v_minor}.{v_patch}" # Print what we intend to go - print(f'Considering difference between {SOURCE_BRANCH} and {TARGET_BRANCH}...') - source_branch_short_sha = run_git('rev-parse', '--short', f'{ORIGIN}/{SOURCE_BRANCH}').strip() - print(f'Current head of {SOURCE_BRANCH} is {source_branch_short_sha}.') + print(f'Considering difference between {source_branch} and {target_branch}...') + source_branch_short_sha = run_git('rev-parse', '--short', f'{ORIGIN}/{source_branch}').strip() + print(f'Current head of {source_branch} is {source_branch_short_sha}.') # See if there are any commits to merge in - commits = get_commit_difference(repo=repo) + commits = get_commit_difference(repo=repo, source_branch=source_branch, target_branch=target_branch) if len(commits) == 0: - print(f'No commits to merge from {SOURCE_BRANCH} to {TARGET_BRANCH}.') + print(f'No commits to merge from {source_branch} to {target_branch}.') return # The branch name is based off of the name of branch being merged into @@ -220,17 +270,80 @@ def main(): # Create the new branch and push it to the remote print(f'Creating branch {new_branch_name}.') - # If we're performing a standard release, there won't be any new commits on the target branch, - # as these will have already been merged back into the source branch. Therefore we can just - # start from the source branch. - run_git('checkout', '-b', new_branch_name, f'{ORIGIN}/{SOURCE_BRANCH}') + # The process of creating the v{Older} release can run into merge conflicts. We commit the unresolved + # conflicts so a maintainer can easily resolve them (vs erroring and requiring maintainers to + # reconstruct the release manually) + conflicted_files = [] + + if not is_primary_release: + + # the source branch will be of the form releases/vN, where N is the major version number + source_branch_major_version = source_branch.strip('releases/v') + + # If we're performing a backport, start from the target branch + print(f'Creating {new_branch_name} from the {ORIGIN}/{target_branch} branch') + run_git('checkout', '-b', new_branch_name, f'{ORIGIN}/{target_branch}') + + # Revert the commit that we made as part of the last release that updated the version number and + # changelog to refer to {older}.x.x variants. This avoids merge conflicts in the changelog and + # package.json files when we merge in the v{latest} branch. + # This commit will not exist the first time we release the v{N-1} branch from the v{N} branch, so we + # use `git log --grep` to conditionally revert the commit. + print('Reverting the version number and changelog updates from the last release to avoid conflicts') + vOlder_update_commits = run_git('log', '--grep', f'^{BACKPORT_COMMIT_MESSAGE}', '--format=%H').split() + + if len(vOlder_update_commits) > 0: + print(f' Reverting {vOlder_update_commits[0]}') + # Only revert the newest commit as older ones will already have been reverted in previous + # releases. + run_git('revert', vOlder_update_commits[0], '--no-edit') + + # Also revert the "Update checked-in dependencies" commit created by Actions. + update_dependencies_commit = run_git('log', '--grep', '^Update checked-in dependencies', '--format=%H').split()[0] + print(f' Reverting {update_dependencies_commit}') + run_git('revert', update_dependencies_commit, '--no-edit') + + else: + print(' Nothing to revert.') + + print(f'Merging {ORIGIN}/{source_branch} into the release prep branch') + # Commit any conflicts (see the comment for `conflicted_files`) + run_git('merge', f'{ORIGIN}/{source_branch}', allow_non_zero_exit_code=True) + conflicted_files = run_git('diff', '--name-only', '--diff-filter', 'U').splitlines() + if len(conflicted_files) > 0: + run_git('add', '.') + run_git('commit', '--no-edit') + + # Migrate the package version number from a vLatest version number to a vOlder version number + print(f'Setting version number to {version}') + subprocess.check_output(['npm', 'version', version, '--no-git-tag-version']) + run_git('add', 'package.json', 'package-lock.json') + + # Migrate the changelog notes from vLatest version numbers to vOlder version numbers + print(f'Migrating changelog notes from v{source_branch_major_version} to v{target_branch_major_version}') + subprocess.check_output(['sed', '-i', f's/^## {source_branch_major_version}\./## {target_branch_major_version}./g', 'CHANGELOG.md']) + + # Remove changelog notes from all versions that do not apply to the vOlder branch + print(f'Removing changelog notes that do not apply to v{target_branch_major_version}') + for v in range(int(source_branch_major_version), int(target_branch_major_version), -1): + print(f'Removing changelog notes that are tagged [v{v}+ only\]') + subprocess.check_output(['sed', '-i', f'/^- \[v{v}+ only\]/d', 'CHANGELOG.md']) + + # Amend the commit generated by `npm version` to update the CHANGELOG + run_git('add', 'CHANGELOG.md') + run_git('commit', '-m', f'{BACKPORT_COMMIT_MESSAGE}{version}') + else: + # If we're performing a standard release, there won't be any new commits on the target branch, + # as these will have already been merged back into the source branch. Therefore we can just + # start from the source branch. + run_git('checkout', '-b', new_branch_name, f'{ORIGIN}/{source_branch}') - print('Updating changelog') - update_changelog(version) + print('Updating changelog') + update_changelog(version) - # Create a commit that updates the CHANGELOG - run_git('add', 'CHANGELOG.md') - run_git('commit', '-m', f'Update changelog for v{version}') + # Create a commit that updates the CHANGELOG + run_git('add', 'CHANGELOG.md') + run_git('commit', '-m', f'Update changelog for v{version}') run_git('push', ORIGIN, new_branch_name) @@ -240,7 +353,11 @@ def main(): commits, source_branch_short_sha, new_branch_name, + source_branch=source_branch, + target_branch=target_branch, conductor=args.conductor, + is_primary_release=is_primary_release, + conflicted_files=conflicted_files ) if __name__ == '__main__': diff --git a/.github/workflows/__all-platform-bundle.yml b/.github/workflows/__all-platform-bundle.yml index bdeec0d733..e3259fc218 100644 --- a/.github/workflows/__all-platform-bundle.yml +++ b/.github/workflows/__all-platform-bundle.yml @@ -12,7 +12,7 @@ on: push: branches: - main - - releases/v2 + - releases/v* pull_request: types: - opened diff --git a/.github/workflows/__analyze-ref-input.yml b/.github/workflows/__analyze-ref-input.yml index b6a8e73454..5460fe4ebd 100644 --- a/.github/workflows/__analyze-ref-input.yml +++ b/.github/workflows/__analyze-ref-input.yml @@ -12,7 +12,7 @@ on: push: branches: - main - - releases/v2 + - releases/v* pull_request: types: - opened diff --git a/.github/workflows/__autobuild-action.yml b/.github/workflows/__autobuild-action.yml index 505fe9cb6d..234f4df081 100644 --- a/.github/workflows/__autobuild-action.yml +++ b/.github/workflows/__autobuild-action.yml @@ -12,7 +12,7 @@ on: push: branches: - main - - releases/v2 + - releases/v* pull_request: types: - opened diff --git a/.github/workflows/__config-export.yml b/.github/workflows/__config-export.yml index 7d2ce0a355..addaabdf6f 100644 --- a/.github/workflows/__config-export.yml +++ b/.github/workflows/__config-export.yml @@ -12,7 +12,7 @@ on: push: branches: - main - - releases/v2 + - releases/v* pull_request: types: - opened diff --git a/.github/workflows/__cpp-deptrace-disabled.yml b/.github/workflows/__cpp-deptrace-disabled.yml index 926d5937dd..0194e50ac4 100644 --- a/.github/workflows/__cpp-deptrace-disabled.yml +++ b/.github/workflows/__cpp-deptrace-disabled.yml @@ -12,7 +12,7 @@ on: push: branches: - main - - releases/v2 + - releases/v* pull_request: types: - opened diff --git a/.github/workflows/__cpp-deptrace-enabled-on-macos.yml b/.github/workflows/__cpp-deptrace-enabled-on-macos.yml index d7b44159e0..ce5f20e9de 100644 --- a/.github/workflows/__cpp-deptrace-enabled-on-macos.yml +++ b/.github/workflows/__cpp-deptrace-enabled-on-macos.yml @@ -12,7 +12,7 @@ on: push: branches: - main - - releases/v2 + - releases/v* pull_request: types: - opened diff --git a/.github/workflows/__cpp-deptrace-enabled.yml b/.github/workflows/__cpp-deptrace-enabled.yml index 4eb4a3b8cf..1b0d1dab4f 100644 --- a/.github/workflows/__cpp-deptrace-enabled.yml +++ b/.github/workflows/__cpp-deptrace-enabled.yml @@ -12,7 +12,7 @@ on: push: branches: - main - - releases/v2 + - releases/v* pull_request: types: - opened diff --git a/.github/workflows/__diagnostics-export.yml b/.github/workflows/__diagnostics-export.yml index d1c1792552..50a9d1a0d3 100644 --- a/.github/workflows/__diagnostics-export.yml +++ b/.github/workflows/__diagnostics-export.yml @@ -12,7 +12,7 @@ on: push: branches: - main - - releases/v2 + - releases/v* pull_request: types: - opened diff --git a/.github/workflows/__export-file-baseline-information.yml b/.github/workflows/__export-file-baseline-information.yml index 441832e741..80416657a7 100644 --- a/.github/workflows/__export-file-baseline-information.yml +++ b/.github/workflows/__export-file-baseline-information.yml @@ -12,7 +12,7 @@ on: push: branches: - main - - releases/v2 + - releases/v* pull_request: types: - opened diff --git a/.github/workflows/__extractor-ram-threads.yml b/.github/workflows/__extractor-ram-threads.yml index 002d54b8f3..26a3a360f2 100644 --- a/.github/workflows/__extractor-ram-threads.yml +++ b/.github/workflows/__extractor-ram-threads.yml @@ -12,7 +12,7 @@ on: push: branches: - main - - releases/v2 + - releases/v* pull_request: types: - opened diff --git a/.github/workflows/__go-custom-queries.yml b/.github/workflows/__go-custom-queries.yml index 1c675864c5..9dafaffbcc 100644 --- a/.github/workflows/__go-custom-queries.yml +++ b/.github/workflows/__go-custom-queries.yml @@ -12,7 +12,7 @@ on: push: branches: - main - - releases/v2 + - releases/v* pull_request: types: - opened diff --git a/.github/workflows/__go-indirect-tracing-workaround-diagnostic.yml b/.github/workflows/__go-indirect-tracing-workaround-diagnostic.yml index ff27ee9ecc..6dae25e8ce 100644 --- a/.github/workflows/__go-indirect-tracing-workaround-diagnostic.yml +++ b/.github/workflows/__go-indirect-tracing-workaround-diagnostic.yml @@ -12,7 +12,7 @@ on: push: branches: - main - - releases/v2 + - releases/v* pull_request: types: - opened diff --git a/.github/workflows/__go-indirect-tracing-workaround.yml b/.github/workflows/__go-indirect-tracing-workaround.yml index 0fed7975e5..0b88c9dc36 100644 --- a/.github/workflows/__go-indirect-tracing-workaround.yml +++ b/.github/workflows/__go-indirect-tracing-workaround.yml @@ -12,7 +12,7 @@ on: push: branches: - main - - releases/v2 + - releases/v* pull_request: types: - opened diff --git a/.github/workflows/__go-tracing-autobuilder.yml b/.github/workflows/__go-tracing-autobuilder.yml index 1637f9fffc..628cbc9dc9 100644 --- a/.github/workflows/__go-tracing-autobuilder.yml +++ b/.github/workflows/__go-tracing-autobuilder.yml @@ -12,7 +12,7 @@ on: push: branches: - main - - releases/v2 + - releases/v* pull_request: types: - opened diff --git a/.github/workflows/__go-tracing-custom-build-steps.yml b/.github/workflows/__go-tracing-custom-build-steps.yml index 1e8a1793c5..2d7456e8ff 100644 --- a/.github/workflows/__go-tracing-custom-build-steps.yml +++ b/.github/workflows/__go-tracing-custom-build-steps.yml @@ -12,7 +12,7 @@ on: push: branches: - main - - releases/v2 + - releases/v* pull_request: types: - opened diff --git a/.github/workflows/__go-tracing-legacy-workflow.yml b/.github/workflows/__go-tracing-legacy-workflow.yml index c492f73f44..0104176c7c 100644 --- a/.github/workflows/__go-tracing-legacy-workflow.yml +++ b/.github/workflows/__go-tracing-legacy-workflow.yml @@ -12,7 +12,7 @@ on: push: branches: - main - - releases/v2 + - releases/v* pull_request: types: - opened diff --git a/.github/workflows/__init-with-registries.yml b/.github/workflows/__init-with-registries.yml index 5199037270..d4b024b229 100644 --- a/.github/workflows/__init-with-registries.yml +++ b/.github/workflows/__init-with-registries.yml @@ -12,7 +12,7 @@ on: push: branches: - main - - releases/v2 + - releases/v* pull_request: types: - opened diff --git a/.github/workflows/__javascript-source-root.yml b/.github/workflows/__javascript-source-root.yml index d97ea8fa57..1e16e038cd 100644 --- a/.github/workflows/__javascript-source-root.yml +++ b/.github/workflows/__javascript-source-root.yml @@ -12,7 +12,7 @@ on: push: branches: - main - - releases/v2 + - releases/v* pull_request: types: - opened diff --git a/.github/workflows/__language-aliases.yml b/.github/workflows/__language-aliases.yml index ad09ba50ff..cd7328f770 100644 --- a/.github/workflows/__language-aliases.yml +++ b/.github/workflows/__language-aliases.yml @@ -12,7 +12,7 @@ on: push: branches: - main - - releases/v2 + - releases/v* pull_request: types: - opened diff --git a/.github/workflows/__multi-language-autodetect.yml b/.github/workflows/__multi-language-autodetect.yml index 3f0abc055d..ee02328988 100644 --- a/.github/workflows/__multi-language-autodetect.yml +++ b/.github/workflows/__multi-language-autodetect.yml @@ -12,7 +12,7 @@ on: push: branches: - main - - releases/v2 + - releases/v* pull_request: types: - opened diff --git a/.github/workflows/__packaging-codescanning-config-inputs-js.yml b/.github/workflows/__packaging-codescanning-config-inputs-js.yml index 5f6df119ea..693e8735b4 100644 --- a/.github/workflows/__packaging-codescanning-config-inputs-js.yml +++ b/.github/workflows/__packaging-codescanning-config-inputs-js.yml @@ -12,7 +12,7 @@ on: push: branches: - main - - releases/v2 + - releases/v* pull_request: types: - opened diff --git a/.github/workflows/__packaging-config-inputs-js.yml b/.github/workflows/__packaging-config-inputs-js.yml index 301ed93644..7266f7875e 100644 --- a/.github/workflows/__packaging-config-inputs-js.yml +++ b/.github/workflows/__packaging-config-inputs-js.yml @@ -12,7 +12,7 @@ on: push: branches: - main - - releases/v2 + - releases/v* pull_request: types: - opened diff --git a/.github/workflows/__packaging-config-js.yml b/.github/workflows/__packaging-config-js.yml index 1ad522c4cf..11cf41fa2d 100644 --- a/.github/workflows/__packaging-config-js.yml +++ b/.github/workflows/__packaging-config-js.yml @@ -12,7 +12,7 @@ on: push: branches: - main - - releases/v2 + - releases/v* pull_request: types: - opened diff --git a/.github/workflows/__packaging-inputs-js.yml b/.github/workflows/__packaging-inputs-js.yml index 70107fbcc7..02bcbd616c 100644 --- a/.github/workflows/__packaging-inputs-js.yml +++ b/.github/workflows/__packaging-inputs-js.yml @@ -12,7 +12,7 @@ on: push: branches: - main - - releases/v2 + - releases/v* pull_request: types: - opened diff --git a/.github/workflows/__remote-config.yml b/.github/workflows/__remote-config.yml index 2fe580d64d..21f119f2de 100644 --- a/.github/workflows/__remote-config.yml +++ b/.github/workflows/__remote-config.yml @@ -12,7 +12,7 @@ on: push: branches: - main - - releases/v2 + - releases/v* pull_request: types: - opened diff --git a/.github/workflows/__resolve-environment-action.yml b/.github/workflows/__resolve-environment-action.yml index cd09e77e73..4f8eccef6b 100644 --- a/.github/workflows/__resolve-environment-action.yml +++ b/.github/workflows/__resolve-environment-action.yml @@ -12,7 +12,7 @@ on: push: branches: - main - - releases/v2 + - releases/v* pull_request: types: - opened diff --git a/.github/workflows/__rubocop-multi-language.yml b/.github/workflows/__rubocop-multi-language.yml index 5212739e78..8118023b8c 100644 --- a/.github/workflows/__rubocop-multi-language.yml +++ b/.github/workflows/__rubocop-multi-language.yml @@ -12,7 +12,7 @@ on: push: branches: - main - - releases/v2 + - releases/v* pull_request: types: - opened diff --git a/.github/workflows/__ruby.yml b/.github/workflows/__ruby.yml index 494ea3c970..d936ff7d68 100644 --- a/.github/workflows/__ruby.yml +++ b/.github/workflows/__ruby.yml @@ -12,7 +12,7 @@ on: push: branches: - main - - releases/v2 + - releases/v* pull_request: types: - opened diff --git a/.github/workflows/__scaling-reserved-ram.yml b/.github/workflows/__scaling-reserved-ram.yml index a05bf4fe42..02d4c006a6 100644 --- a/.github/workflows/__scaling-reserved-ram.yml +++ b/.github/workflows/__scaling-reserved-ram.yml @@ -12,7 +12,7 @@ on: push: branches: - main - - releases/v2 + - releases/v* pull_request: types: - opened diff --git a/.github/workflows/__split-workflow.yml b/.github/workflows/__split-workflow.yml index 2a1de694ca..b616ff391c 100644 --- a/.github/workflows/__split-workflow.yml +++ b/.github/workflows/__split-workflow.yml @@ -12,7 +12,7 @@ on: push: branches: - main - - releases/v2 + - releases/v* pull_request: types: - opened diff --git a/.github/workflows/__submit-sarif-failure.yml b/.github/workflows/__submit-sarif-failure.yml index 6e0547ce5d..09f686d2be 100644 --- a/.github/workflows/__submit-sarif-failure.yml +++ b/.github/workflows/__submit-sarif-failure.yml @@ -12,7 +12,7 @@ on: push: branches: - main - - releases/v2 + - releases/v* pull_request: types: - opened diff --git a/.github/workflows/__swift-custom-build.yml b/.github/workflows/__swift-custom-build.yml index f7e46a8964..ff48104a3a 100644 --- a/.github/workflows/__swift-custom-build.yml +++ b/.github/workflows/__swift-custom-build.yml @@ -12,7 +12,7 @@ on: push: branches: - main - - releases/v2 + - releases/v* pull_request: types: - opened diff --git a/.github/workflows/__test-autobuild-working-dir.yml b/.github/workflows/__test-autobuild-working-dir.yml index bb33137958..bd5d65b514 100644 --- a/.github/workflows/__test-autobuild-working-dir.yml +++ b/.github/workflows/__test-autobuild-working-dir.yml @@ -12,7 +12,7 @@ on: push: branches: - main - - releases/v2 + - releases/v* pull_request: types: - opened diff --git a/.github/workflows/__test-local-codeql.yml b/.github/workflows/__test-local-codeql.yml index dbe401e8cb..769a74226c 100644 --- a/.github/workflows/__test-local-codeql.yml +++ b/.github/workflows/__test-local-codeql.yml @@ -12,7 +12,7 @@ on: push: branches: - main - - releases/v2 + - releases/v* pull_request: types: - opened diff --git a/.github/workflows/__test-proxy.yml b/.github/workflows/__test-proxy.yml index aefaaf6307..84f6b752b6 100644 --- a/.github/workflows/__test-proxy.yml +++ b/.github/workflows/__test-proxy.yml @@ -12,7 +12,7 @@ on: push: branches: - main - - releases/v2 + - releases/v* pull_request: types: - opened diff --git a/.github/workflows/__unset-environment.yml b/.github/workflows/__unset-environment.yml index fa0583f4a4..23e0c9c684 100644 --- a/.github/workflows/__unset-environment.yml +++ b/.github/workflows/__unset-environment.yml @@ -12,7 +12,7 @@ on: push: branches: - main - - releases/v2 + - releases/v* pull_request: types: - opened diff --git a/.github/workflows/__upload-ref-sha-input.yml b/.github/workflows/__upload-ref-sha-input.yml index a0823442cb..2d6396f503 100644 --- a/.github/workflows/__upload-ref-sha-input.yml +++ b/.github/workflows/__upload-ref-sha-input.yml @@ -12,7 +12,7 @@ on: push: branches: - main - - releases/v2 + - releases/v* pull_request: types: - opened diff --git a/.github/workflows/__with-checkout-path.yml b/.github/workflows/__with-checkout-path.yml index cf225e6e75..d72c4f4da6 100644 --- a/.github/workflows/__with-checkout-path.yml +++ b/.github/workflows/__with-checkout-path.yml @@ -12,7 +12,7 @@ on: push: branches: - main - - releases/v2 + - releases/v* pull_request: types: - opened diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index daf14f7539..378aa9f305 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -2,9 +2,9 @@ name: "CodeQL action" on: push: - branches: [main, releases/v2] + branches: [main, releases/v*] pull_request: - branches: [main, releases/v2] + branches: [main, releases/v*] # Run checks on reopened draft PRs to support triggering PR checks on draft PRs that were opened # by other workflows. types: [opened, synchronize, reopened, ready_for_review] diff --git a/.github/workflows/codescanning-config-cli.yml b/.github/workflows/codescanning-config-cli.yml index 801324ecca..bde425f220 100644 --- a/.github/workflows/codescanning-config-cli.yml +++ b/.github/workflows/codescanning-config-cli.yml @@ -9,7 +9,7 @@ on: push: branches: - main - - releases/v2 + - releases/v* pull_request: types: - opened diff --git a/.github/workflows/debug-artifacts-failure.yml b/.github/workflows/debug-artifacts-failure.yml index c15d92c00f..8ac02581eb 100644 --- a/.github/workflows/debug-artifacts-failure.yml +++ b/.github/workflows/debug-artifacts-failure.yml @@ -10,7 +10,7 @@ on: push: branches: - main - - releases/v2 + - releases/v* pull_request: types: - opened diff --git a/.github/workflows/debug-artifacts.yml b/.github/workflows/debug-artifacts.yml index 5ce95784c1..8f38343db2 100644 --- a/.github/workflows/debug-artifacts.yml +++ b/.github/workflows/debug-artifacts.yml @@ -9,7 +9,7 @@ on: push: branches: - main - - releases/v2 + - releases/v* pull_request: types: - opened diff --git a/.github/workflows/expected-queries-runs.yml b/.github/workflows/expected-queries-runs.yml index c195245b9f..59c36b7dad 100644 --- a/.github/workflows/expected-queries-runs.yml +++ b/.github/workflows/expected-queries-runs.yml @@ -4,7 +4,7 @@ on: push: branches: - main - - releases/v2 + - releases/v* pull_request: types: - opened diff --git a/.github/workflows/post-release-mergeback.yml b/.github/workflows/post-release-mergeback.yml index 0f5c494171..c3d0b291a4 100644 --- a/.github/workflows/post-release-mergeback.yml +++ b/.github/workflows/post-release-mergeback.yml @@ -1,9 +1,9 @@ -# This workflow runs after a release of the action. It: -# 1. Merges any changes from the release back into the main branch. Typically, this is just a single -# commit that updates the changelog. -# 2. Tags the merge commit on the release branch that represents the new release with an `v2.x.y` +# This workflow runs after a merge to any release branch of the action. It: +# 1. Tags the merge commit on the release branch that represents the new release with an `vN.x.y` # tag -# 3. Updates the `v2` tag to refer to this merge commit. +# 2. Updates the `vN` tag to refer to this merge commit. +# 3. Iff vN == vLatest, merges any changes from the release back into the main branch. +# Typically, this is two commits – one to update the version number and one to update dependencies. name: Tag release and merge back on: @@ -16,7 +16,7 @@ on: push: branches: - - releases/v2 + - releases/v* jobs: merge-back: @@ -36,6 +36,8 @@ jobs: run: echo "${GITHUB_CONTEXT}" - uses: actions/checkout@v4 + with: + fetch-depth: 0 # ensure we have all tags and can push commits - uses: actions/setup-node@v4 - name: Update git config @@ -51,6 +53,8 @@ jobs: short_sha="${GITHUB_SHA:0:8}" NEW_BRANCH="mergeback/${VERSION}-to-${BASE_BRANCH}-${short_sha}" echo "newBranch=${NEW_BRANCH}" >> $GITHUB_OUTPUT + LATEST_RELEASE_BRANCH=$(git branch -r | grep -E "origin/releases/v[0-9]+$" | sed 's/origin\///g' | sort -V | tail -1 | xargs) + echo "latest_release_branch=${LATEST_RELEASE_BRANCH}" >> $GITHUB_OUTPUT - name: Dump branches env: @@ -59,6 +63,8 @@ jobs: echo "BASE_BRANCH ${BASE_BRANCH}" echo "HEAD_BRANCH ${HEAD_BRANCH}" echo "NEW_BRANCH ${NEW_BRANCH}" + echo "LATEST_RELEASE_BRANCH ${LATEST_RELEASE_BRANCH}" + echo "GITHUB_REF ${GITHUB_REF}" - name: Create mergeback branch env: @@ -89,8 +95,6 @@ jobs: env: VERSION: ${{ steps.getVersion.outputs.version }} run: | - # Unshallow the repo in order to allow pushes - git fetch --unshallow # Create the `vx.y.z` tag git tag --annotate "${VERSION}" --message "${VERSION}" # Update the `vx` tag @@ -99,13 +103,13 @@ jobs: git tag --annotate "${major_version_tag}" --message "${major_version_tag}" --force # Push the tags, using: # - `--atomic` to make sure we either update both tags or neither (an intermediate state, - # e.g. where we update the v2.x.y tag on the remote but not the v2 tag, could result in - # unwanted Dependabot updates, e.g. from v2 to v2.x.y) - # - `--force` since we're overwriting the `vx` tag + # e.g. where we update the vN.x.y tag on the remote but not the vN tag, could result in + # unwanted Dependabot updates, e.g. from vN to vN.x.y) + # - `--force` since we're overwriting the `vN` tag git push origin --atomic --force refs/tags/"${VERSION}" refs/tags/"${major_version_tag}" - name: Create mergeback branch - if: steps.check.outputs.exists != 'true' + if: ${{ steps.check.outputs.exists != 'true' && endsWith(github.ref_name, steps.getVersion.outputs.latest_release_branch) }} env: VERSION: "${{ steps.getVersion.outputs.version }}" NEW_BRANCH: "${{ steps.getVersion.outputs.newBranch }}" diff --git a/.github/workflows/pr-checks.yml b/.github/workflows/pr-checks.yml index 508f3292a0..bfddd8b35f 100644 --- a/.github/workflows/pr-checks.yml +++ b/.github/workflows/pr-checks.yml @@ -2,7 +2,7 @@ name: PR Checks on: push: - branches: [main, releases/v2] + branches: [main, releases/v*] pull_request: # Run checks on reopened draft PRs to support triggering PR checks on draft PRs that were opened # by other workflows. diff --git a/.github/workflows/python-deps.yml b/.github/workflows/python-deps.yml index 540194a027..4d054a31aa 100644 --- a/.github/workflows/python-deps.yml +++ b/.github/workflows/python-deps.yml @@ -2,7 +2,7 @@ name: Test Python Package Installation on: push: - branches: [main, releases/v2] + branches: [main, releases/v*] pull_request: # Run checks on reopened draft PRs to support triggering PR checks on draft PRs that were opened # by other workflows. diff --git a/.github/workflows/python312-windows.yml b/.github/workflows/python312-windows.yml index 95bd747408..d4ab319be7 100644 --- a/.github/workflows/python312-windows.yml +++ b/.github/workflows/python312-windows.yml @@ -2,7 +2,7 @@ name: Test that the workaround for python 3.12 on windows works on: push: - branches: [main, releases/v2] + branches: [main, releases/v*] pull_request: # Run checks on reopened draft PRs to support triggering PR checks on draft PRs that were opened # by other workflows. diff --git a/.github/workflows/query-filters.yml b/.github/workflows/query-filters.yml index 81ddb91027..b13e26577b 100644 --- a/.github/workflows/query-filters.yml +++ b/.github/workflows/query-filters.yml @@ -4,7 +4,7 @@ on: push: branches: - main - - releases/v2 + - releases/v* pull_request: types: - opened diff --git a/.github/workflows/test-codeql-bundle-all.yml b/.github/workflows/test-codeql-bundle-all.yml index 43bab7d243..0ea140261b 100644 --- a/.github/workflows/test-codeql-bundle-all.yml +++ b/.github/workflows/test-codeql-bundle-all.yml @@ -9,7 +9,7 @@ on: push: branches: - main - - releases/v2 + - releases/v* pull_request: types: - opened @@ -53,4 +53,4 @@ jobs: with: upload-database: false env: - CODEQL_ACTION_TEST_MODE: true \ No newline at end of file + CODEQL_ACTION_TEST_MODE: true diff --git a/.github/workflows/update-release-branch.yml b/.github/workflows/update-release-branch.yml index 2f95d40540..05fc4c43c1 100644 --- a/.github/workflows/update-release-branch.yml +++ b/.github/workflows/update-release-branch.yml @@ -1,46 +1,131 @@ name: Update release branch on: # You can trigger this workflow via workflow dispatch to start a release. - # This will open a PR to update the v2 release branch. + # This will open a PR to update the latest release branch. workflow_dispatch: + # When a release is complete this workflow will open up backport PRs to older release branches. + # NB while it will trigger on any release branch update, the backport job will not proceed for + # anything other than than releases/v{latest} + push: + branches: + - releases/* + jobs: - update: - timeout-minutes: 45 + + prepare: runs-on: ubuntu-latest if: github.repository == 'github/codeql-action' + outputs: + version: ${{ steps.versions.outputs.version }} + major_version: ${{ steps.versions.outputs.major_version }} + latest_tag: ${{ steps.versions.outputs.latest_tag }} + backport_source_branch: ${{ steps.branches.outputs.backport_source_branch }} + backport_target_branches: ${{ steps.branches.outputs.backport_target_branches }} steps: - - name: Dump environment - run: env + - uses: actions/checkout@v4 + with: + fetch-depth: 0 # Need full history for calculation of diffs + - uses: ./.github/actions/release-initialise - - name: Dump GitHub context - env: - GITHUB_CONTEXT: '${{ toJson(github) }}' - run: echo "$GITHUB_CONTEXT" + - name: Get version tags + id: versions + run: | + VERSION="v$(jq '.version' -r 'package.json')" + echo "version=${VERSION}" >> $GITHUB_OUTPUT + MAJOR_VERSION=$(cut -d '.' -f1 <<< "${VERSION}") + echo "major_version=${MAJOR_VERSION}" >> $GITHUB_OUTPUT + LATEST_TAG=$(git tag --sort=-v:refname | grep -E '^v[0-9]+\.[0-9]+\.[0-9]+' | head -1) + echo "latest_tag=${LATEST_TAG}" >> $GITHUB_OUTPUT - - uses: actions/checkout@v4 + - id: branches + name: Determine older release branches + uses: ./.github/actions/release-branches with: - # Need full history so we calculate diffs - fetch-depth: 0 + major_version: ${{ steps.versions.outputs.major_version }} + latest_tag: ${{ steps.versions.outputs.latest_tag }} + + - name: debug logging + run: | + echo 'version: ${{ steps.versions.outputs.version }}' + echo 'major_version: ${{ steps.versions.outputs.major_version }}' + echo 'latest_tag: ${{ steps.versions.outputs.latest_tag }}' + echo 'backport_source_branch: ${{ steps.branches.outputs.backport_source_branch }}' + echo 'backport_target_branches: ${{ steps.branches.outputs.backport_target_branches }}' - - name: Set up Python - uses: actions/setup-python@v4 + update: + timeout-minutes: 45 + runs-on: ubuntu-latest + if: github.event_name == 'workflow_dispatch' + needs: [prepare] + env: + REF_NAME: "${{ github.ref_name }}" + REPOSITORY: "${{ github.repository }}" + MAJOR_VERSION: "${{ needs.prepare.outputs.major_version }}" + LATEST_TAG: "${{ needs.prepare.outputs.latest_tag }}" + steps: + - uses: actions/checkout@v4 with: - python-version: 3.8 + fetch-depth: 0 # Need full history for calculation of diffs + - uses: ./.github/actions/release-initialise - - name: Install dependencies + # when the workflow has been manually triggered on main, + # we know that we definitely want the release branch to exist + - name: Ensure release branch exists run: | - python -m pip install --upgrade pip - pip install PyGithub==1.55 requests + echo "MAJOR_VERSION ${MAJOR_VERSION}" + RELEASE_BRANCH=releases/${MAJOR_VERSION} + if git checkout $RELEASE_BRANCH > /dev/null 2>&1; then + echo "Branch $RELEASE_BRANCH already exists" + echo "" + else + echo "Creating $RELEASE_BRANCH branch" + git checkout -b ${RELEASE_BRANCH} ${LATEST_TAG} + git push --set-upstream origin ${RELEASE_BRANCH} + git branch --show-current + echo "" + fi + echo "Returning to branch: ${REF_NAME}" + git checkout ${REF_NAME} - - name: Update git config + - name: Update current release branch + if: github.event_name == 'workflow_dispatch' run: | - git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com" - git config --global user.name "github-actions[bot]" + echo SOURCE_BRANCH=${REF_NAME} + echo TARGET_BRANCH=releases/${MAJOR_VERSION} + python .github/update-release-branch.py \ + --github-token ${{ secrets.GITHUB_TOKEN }} \ + --repository-nwo ${{ github.repository }} \ + --source-branch '${{ env.REF_NAME }}' \ + --target-branch 'releases/${{ env.MAJOR_VERSION }}' \ + --is-primary-release \ + --conductor ${GITHUB_ACTOR} + + backport: + timeout-minutes: 45 + runs-on: ubuntu-latest + needs: [prepare] + if: ${{ (github.event_name == 'push') && needs.prepare.outputs.backport_target_branches != '[]' }} + strategy: + fail-fast: false + matrix: + target_branch: ${{ fromJson(needs.prepare.outputs.backport_target_branches) }} + env: + SOURCE_BRANCH: ${{ needs.prepare.outputs.backport_source_branch }} + TARGET_BRANCH: ${{ matrix.target_branch }} + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 0 # Need full history for calculation of diffs + - uses: ./.github/actions/release-initialise - - name: Update release branch + - name: Update older release branch run: | + echo SOURCE_BRANCH=${SOURCE_BRANCH} + echo TARGET_BRANCH=${TARGET_BRANCH} python .github/update-release-branch.py \ --github-token ${{ secrets.GITHUB_TOKEN }} \ --repository-nwo ${{ github.repository }} \ + --source-branch ${SOURCE_BRANCH} \ + --target-branch ${TARGET_BRANCH} \ --conductor ${GITHUB_ACTOR} diff --git a/CHANGELOG.md b/CHANGELOG.md index ca153608b0..347cf672b4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,10 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th - Update default CodeQL bundle version to 2.15.4. [#2016](https://github.com/github/codeql-action/pull/2016) +## 2.22.9 - 07 Dec 2023 + +No user facing changes. + ## 2.22.8 - 23 Nov 2023 - Update default CodeQL bundle version to 2.15.3. [#2001](https://github.com/github/codeql-action/pull/2001) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 0537bd2070..67d435103c 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -99,6 +99,21 @@ We typically deprecate a version of CodeQL when the GitHub Enterprise Server (GH - Add a changelog note announcing the new minimum version of CodeQL that is now required. - Example PR: https://github.com/github/codeql-action/pull/1907 +## Deprecating a CodeQL Action version (write access required) + +We sometimes maintain multiple versions of the CodeQL Action to enable customers on older but still supported versions of GitHub Enterprise Server (GHES) to continue to benefit from the latest CodeQL improvements. To accomplish this, the release process automation listens to updates to the release branch for the newest supported version. When this branch is updated, the release process automatically opens backport PRs to update the release branches for older versions. + +We typically deprecate older versions of the Action once all supported GHES versions are compatible with the version of Node.js we are using on `main`. + +To deprecate an older version of the Action: + +1. Notify any users who are still pinned to the `vN` tag of the deprecated version of the Action, giving as much notice as is practical. + - Add a changelog note announcing the deprecation. + - Implement an Actions warning for customers using the deprecated version. +1. Wait for the deprecation period to pass. +1. Upgrade the Actions warning for customers using the deprecated version to a non-fatal error, and mention that this version of the Action is no longer supported. +1. Make a PR to bump the `OLDEST_SUPPORTED_MAJOR_VERSION` in [release-branches.py](.github/actions/release-branches/release-branches.py). Once this PR is merged, the release process will no longer backport changes to the deprecated release version. + ## Resources - [How to Contribute to Open Source](https://opensource.guide/how-to-contribute/) diff --git a/lib/api-compatibility.json b/lib/api-compatibility.json index 9119368988..81b3256964 100644 --- a/lib/api-compatibility.json +++ b/lib/api-compatibility.json @@ -1 +1 @@ -{ "maximumVersion": "3.11", "minimumVersion": "3.7" } +{ "maximumVersion": "3.12", "minimumVersion": "3.7" } diff --git a/node_modules/.package-lock.json b/node_modules/.package-lock.json index 6d3c1aaad1..63536577ca 100644 --- a/node_modules/.package-lock.json +++ b/node_modules/.package-lock.json @@ -1,6 +1,6 @@ { "name": "codeql", - "version": "2.22.9", + "version": "2.22.10", "lockfileVersion": 3, "requires": true, "packages": { diff --git a/package-lock.json b/package-lock.json index 31cc45a544..4a58b5418f 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,12 +1,12 @@ { "name": "codeql", - "version": "2.22.9", + "version": "2.22.10", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "codeql", - "version": "2.22.9", + "version": "2.22.10", "license": "MIT", "dependencies": { "@actions/artifact": "^1.1.2", diff --git a/package.json b/package.json index b0113149e0..fe4e353c0e 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "codeql", - "version": "2.22.9", + "version": "2.22.10", "private": true, "description": "CodeQL action", "scripts": { diff --git a/pr-checks/sync.py b/pr-checks/sync.py index 3b9f69202f..31454dde45 100755 --- a/pr-checks/sync.py +++ b/pr-checks/sync.py @@ -162,7 +162,7 @@ def writeHeader(checkStream): }, 'on': { 'push': { - 'branches': ['main', 'releases/v2'] + 'branches': ['main', 'releases/v*'] }, 'pull_request': { 'types': ["opened", "synchronize", "reopened", "ready_for_review"] diff --git a/src/api-compatibility.json b/src/api-compatibility.json index 4266cf4581..10e4f3a195 100644 --- a/src/api-compatibility.json +++ b/src/api-compatibility.json @@ -1 +1 @@ -{"maximumVersion": "3.11", "minimumVersion": "3.7"} +{"maximumVersion": "3.12", "minimumVersion": "3.7"}