From 4afaddaaddb337df7b33f3e33e413fb429869d50 Mon Sep 17 00:00:00 2001 From: matttrach Date: Wed, 20 Aug 2025 21:42:57 -0500 Subject: [PATCH 1/4] fix: try setting permissions at job level Signed-off-by: matttrach --- .github/workflows/release.yml | 32 ++++++++++++++++++-------------- 1 file changed, 18 insertions(+), 14 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 53c293c..ade2da1 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -6,25 +6,26 @@ on: - release/v0 - release/v1 -permissions: - contents: write - id-token: write - issues: write - pull-requests: write - actions: read - jobs: release: runs-on: ubuntu-latest + permissions: + contents: write + id-token: write + issues: write + pull-requests: write + actions: read outputs: release_pr: ${{ steps.release-please.outputs.pr }} steps: - uses: googleapis/release-please-action@a02a34c4d625f9be7cb89156071d8567266a2445 # v4.2.0 https://github.com/googleapis/release-please-action/commits/main/ + name: release-please id: release-please with: release-type: go # These run only if a release PR was opened or modified, so not when the PR is merged - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 https://github.com/actions/github-script/commits/main + name: wait-for-e2e if: steps.release-please.outputs.pr with: github-token: ${{secrets.GITHUB_TOKEN}} 
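Review bot: Removing the workflow-level `permissions:` block means any job in this workflow other than `release` now falls back to the repository's default GITHUB_TOKEN permissions, which may still be read/write; only the `release` job is visible in this hunk, so whether other jobs exist is a hedge. Keep a least-privilege default at the top and let the job widen it: `permissions:` followed by `  contents: read` at workflow level (or `permissions: {}`), leaving the job-level block in this hunk as is. The job-level grant also hands `id-token: write`, `contents: write`, `issues: write` and `pull-requests: write` to every step of the job, including the test steps that follow, so a one-line comment per scope stating which step needs it (e.g. `# id-token: write — presumably for the Vault OIDC login in 'retrieve GPG Credentials'`) would make later tightening easier. The `release` job's step list continues past the end of this hunk.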
@@ -61,6 +62,7 @@ jobs: shell: /home/runner/.nix-profile/bin/nix develop --ignore-environment --extra-experimental-features nix-command --extra-experimental-features flakes --keep HOME --keep NIX_SSL_CERT_FILE --keep NIX_ENV_LOADED --keep TERM --command bash -e {0} run: make testacc - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 https://github.com/actions/github-script/commits/main + name: report-tests-passed if: steps.release-please.outputs.pr && always() && (steps.run-unit-tests.conclusion == 'success') && (steps.run-acc-tests.conclusion == 'success') with: github-token: ${{secrets.GITHUB_TOKEN}} @@ -72,6 +74,7 @@ jobs: body: "Tests Passed!" }) - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 https://github.com/actions/github-script/commits/main + name: report-tests-failed if: steps.release-please.outputs.pr && always() && ((steps.run-unit-tests.conclusion == 'failure') || (steps.run-acc-tests.conclusion == 'failure')) with: github-token: ${{secrets.GITHUB_TOKEN}} 
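Review bot: The `if:` on the newly named `report-tests-passed` step combines `always()` with the conclusion checks; `always()` also evaluates true when the job is cancelled, so a cancelled run whose earlier test steps happened to complete can still post a comment on the release PR. GitHub's own guidance for "run even if something failed" is `!cancelled()`, so the condition would read `if: steps.release-please.outputs.pr && !cancelled() && (steps.run-unit-tests.conclusion == 'success') && (steps.run-acc-tests.conclusion == 'success')`; the `report-tests-failed` step in the next hunk has the same pattern. The script bodies of these steps continue outside this hunk.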
@@ -83,14 +86,15 @@ jobs: body: "Tests Failed!" }) - name: retrieve GPG Credentials + if: steps.release-please.outputs.pr && (steps.run-unit-tests.conclusion == 'success') uses: rancher-eio/read-vault-secrets@main with: secrets: | - secret/data/github/repo/rancher/${{ github.repository }}/signing/gpg passphrase | GPG_PASSPHRASE; - secret/data/github/repo/rancher/${{ github.repository }}/signing/gpg privateKeyId | GPG_KEY_ID; - secret/data/github/repo/rancher/${{ github.repository }}/signing/gpg privateKey | GPG_KEY; + secret/data/github/repo/rancher/${{ github.repository }}/signing/gpg passphrase | GPG_PASSPHRASE ; + secret/data/github/repo/rancher/${{ github.repository }}/signing/gpg privateKeyId | GPG_KEY_ID ; + secret/data/github/repo/rancher/${{ github.repository }}/signing/gpg privateKey | GPG_KEY - name: import_gpg_key - if: steps.release-please.outputs.pr && (steps.run-unit-tests.conclusion == 'success') && (steps.run-acc-tests.conclusion == 'success') + if: steps.release-please.outputs.pr && (steps.run-unit-tests.conclusion == 'success') env: GPG_PASSPHRASE: ${{ env.GPG_PASSPHRASE }} GPG_KEY_ID: ${{ env.GPG_KEY_ID }} @@ -110,7 +114,7 @@ jobs: echo "Importing gpg key" echo "${GPG_KEY}" | gpg --import --batch > /dev/null || { echo "Failed to import GPG key"; exit 1; } - name: Run GoReleaser - if: steps.release-please.outputs.pr && (steps.run-unit-tests.conclusion == 'success') && (steps.run-acc-tests.conclusion == 'success') + if: steps.release-please.outputs.pr && (steps.run-unit-tests.conclusion == 'success') uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0 https://github.com/goreleaser/goreleaser-action with: args: release --snapshot --clean 
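Review bot: The added `if:` on `retrieve GPG Credentials` and the rewritten one on `import_gpg_key` no longer require `steps.run-acc-tests.conclusion == 'success'`, so on a release PR the signing private key is now fetched from Vault and imported into the runner keyring even after the acceptance tests failed, provided that step is allowed to fail and continue (its `continue-on-error` setting is not in this hunk; without it the old clause was merely redundant). The commit message only mentions permissions, so if this relaxation is intended it deserves a comment such as `# Acceptance-test failures are reported on the PR above but do not block the snapshot signing dry-run`, otherwise the clause should be restored. Separately, `rancher-eio/read-vault-secrets@main` is the only action in this file not pinned to a commit SHA, and it is the one that receives the OIDC token and hands back the signing key; pinning it the way `release-please-action` and `github-script` are pinned closes the most obvious supply-chain hole here. The same relaxation is applied to `Run GoReleaser` in the next hunk.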
@@ -134,8 +138,8 @@ jobs: with: secrets: | secret/data/github/repo/rancher/${{ github.repository }}/signing/gpg passphrase | GPG_PASSPHRASE ; - secret/data/github/repo/rancher/${{ github.repository }}/signing/gpg privateKeyId | GPG_KEY_ID; - secret/data/github/repo/rancher/${{ github.repository }}/signing/gpg privateKey | GPG_KEY; + secret/data/github/repo/rancher/${{ github.repository }}/signing/gpg privateKeyId | GPG_KEY_ID ; + secret/data/github/repo/rancher/${{ github.repository }}/signing/gpg privateKey | GPG_KEY - name: import_gpg_key if: steps.release-please.outputs.version env: From 82fc221ca2438d6d31b415047defec6127100b1f Mon Sep 17 00:00:00 2001 From: matttrach Date: Wed, 20 Aug 2025 21:48:44 -0500 Subject: [PATCH 2/4] fix: use release label Signed-off-by: matttrach --- .github/workflows/main-issue.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/main-issue.yml b/.github/workflows/main-issue.yml index 6e7eb40..5ca0bd9 100644 --- a/.github/workflows/main-issue.yml +++ b/.github/workflows/main-issue.yml @@ -39,7 +39,7 @@ jobs: labels: newLabels, assignees: ['matttrach'] }); - if (versionLabel) { + if (releaseLabel) { // if version label detected, then add appropriate sub-issues const parentIssue = newIssue.data; const parentIssueTitle = parentIssue.title; From cd4ada89b7276c8ec97a4a6e69f00e3cd40ac3f8 Mon Sep 17 00:00:00 2001 From: matttrach Date: Wed, 20 Aug 2025 21:54:17 -0500 Subject: [PATCH 3/4] fix: only search open issues Signed-off-by: matttrach --- .github/workflows/backport-prs.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/backport-prs.yml b/.github/workflows/backport-prs.yml index f2527df..2f41792 100644 --- a/.github/workflows/backport-prs.yml +++ b/.github/workflows/backport-prs.yml 
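Review bot: The comment on the line after the changed condition still says `// if version label detected`, which no longer matches the code now that the test is `if (releaseLabel)`; update it to `// if a release label was detected, add the appropriate sub-issues`. The hunk does not show where `releaseLabel` is declared, so confirm it is defined in the surrounding script (outside this hunk); if `versionLabel` was renamed only here and not at its declaration, the script will throw a ReferenceError at runtime instead of skipping sub-issue creation. The enclosing script block starts and ends outside this hunk.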
@@ -45,7 +45,7 @@ jobs: // https://docs.github.com/en/rest/search/search?apiVersion=2022-11-28#search-issues-and-pull-requests core.info(`Searching for 'internal/main' issue linked to PR #${pr.number}`); const { data: searchResults } = await github.request('GET /search/issues', { - q: `is:issue label:"internal/main" repo:${owner}/${repo} in:body #${pr.number}`, + q: `is:issue state:open label:"internal/main" repo:${owner}/${repo} in:body #${pr.number}`, advanced_search: true, headers: { 'X-GitHub-Api-Version': '2022-11-28' From f9a6d07c7288b857ff05b1c65518134e0a579223 Mon Sep 17 00:00:00 2001 From: matttrach Date: Wed, 20 Aug 2025 21:59:05 -0500 Subject: [PATCH 4/4] fix: link backport pr to sub issue Signed-off-by: matttrach --- .github/workflows/backport-prs.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/backport-prs.yml b/.github/workflows/backport-prs.yml index 2f41792..d065db8 100644 --- a/.github/workflows/backport-prs.yml +++ b/.github/workflows/backport-prs.yml @@ -100,8 +100,9 @@ jobs: head: newBranchName, base: targetBranch, body: "This pull request cherry-picks the changes from #" + pr.number + " into " + targetBranch + "\n" + - "WARNING!: to avoid having to resolve merge conflicts this PR is generated with `git cherry-pick -X theirs`.\n" + - "Please make sure to carefully inspect this PR so that you don't revert anything!", + "Addresses #" + subIssueNumber + "for #" + mainIssue.number + " \n\n" + + "**WARNING!**: to avoid having to resolve merge conflicts this PR is generated with `git cherry-pick -X theirs`.\n" + + "Please make sure to carefully inspect this PR so that you don't accidentally revert anything!", assignees: ['terraform-maintainers'] }); }
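Review bot: Restricting the search to `state:open` cuts down stale matches, but `in:body #${pr.number}` is still a free-text match, so an unrelated open `internal/main` issue that merely mentions PR #N in its body will also be returned; the consumer of `searchResults` (outside this hunk) should refuse to continue unless `total_count` is exactly 1, e.g. `if (searchResults.total_count !== 1) { core.setFailed('expected exactly one open internal/main issue for #' + pr.number + ', found ' + searchResults.total_count); return; }` immediately after this request. Whether the code below already does this cannot be seen here. The enclosing script continues past the end of this hunk.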
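Review bot: The new body line is missing a space before `for`, so the PR description renders as `Addresses #12for #34`; it should read `"Addresses #" + subIssueNumber + " for #" + mainIssue.number + "\n\n" +` (the stray space before `\n\n` can go as well). Note that `Addresses` is not one of GitHub's closing keywords, so merging the backport PR will not close the sub-issue; if auto-close is wanted, use `Closes #` instead. The surrounding API call and the function it lives in start outside this hunk.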