Automate Helm Chart release on operator release (#97)

* linting, automate hc release, drop unneccessary code * only do this on tag * break out unit tests to their own file * add neccessary permissions * grant permissions to unit test job * fix indents * fix whitespacing * remove docker builds on prs * only call tests from release file for now * drop permissions on static-analysis workflow * more linting --------- Co-authored-by: jamie zieziula <[email protected]>
PrefectHQ · Sep 27, 2024 · ae3e932 · ae3e932
1 parent 46cd7e3
commit ae3e932
Show file tree

Hide file tree

Showing 8 changed files with 66 additions and 51 deletions.
diff --git a/.github/workflows/helm-release.yaml b/.github/workflows/helm-release.yaml
@@ -28,12 +28,12 @@ jobs:
         run: |
           # Enable pipefail so git command failures do not result in null versions downstream
           set -x
-          echo "RELEASE_VERSION=$(date +'%Y.%-m.%-d%H%M%S')" >> $GITHUB_OUTPUT
+          echo "RELEASE_VERSION=$(date +'%Y.%-m.%-d%H%M%S')" >> $GITHUB_ENV
 
           # This ensures that the latest tag we grab will be of the operator image, and not the helm chart
           echo "IMAGE_VERSION=$(\
           git ls-remote --tags --refs --sort="v:refname" \
-          origin 'v[0-9].[0-9].[0-9]' | tail -n1 | sed 's/.*\///' | sed 's/v//')" >> $GITHUB_OUTPUT
+          origin 'v[0-9].[0-9].[0-9]' | tail -n1 | sed 's/.*\///' | sed 's/v//')" >> $GITHUB_ENV
 
       - name: Configure Git
         run: |
@@ -77,11 +77,6 @@ jobs:
             --sign --key '[email protected]' \
             --keyring $SIGN_KEYRING \
             --passphrase-file $SIGN_PASSPHRASE_FILE
-        env:
-          IMAGE_VERSION: ${{ steps.get_version.outputs.IMAGE_VERSION }}
-          RELEASE_VERSION: ${{ steps.get_version.outputs.RELEASE_VERSION }}
-          SIGN_KEYRING: ${{ env.SIGN_KEYRING }}
-          SIGN_PASSPHRASE_FILE: ${{ env.SIGN_PASSPHRASE_FILE }}
 
       - name: Update chart index
         run: |
@@ -96,8 +91,6 @@ jobs:
           git add ./index.yaml ./charts/prefect-operator-$RELEASE_VERSION.* ./charts/
           git commit -m "Release $RELEASE_VERSION"
           git push origin gh-pages
-        env:
-          RELEASE_VERSION: ${{ steps.get_version.outputs.RELEASE_VERSION }}
 
       - name: Create Github Release + Tag
         run: |
@@ -106,6 +99,4 @@ jobs:
             --notes "Packaged with prefect-operator version \
             [v$IMAGE_VERSION](https://github.com/PrefectHQ/prefect-operator/releases/tag/v$IMAGE_VERSION)"
         env:
-          IMAGE_VERSION: ${{ steps.get_version.outputs.IMAGE_VERSION }}
-          GITHUB_TOKEN: ${{ github.token }}
-          RELEASE_VERSION: ${{ steps.get_version.outputs.RELEASE_VERSION }}
+          GH_TOKEN: ${{ github.token }}
diff --git a/.github/workflows/helm-unittest.yaml b/.github/workflows/helm-unittest.yaml
@@ -10,7 +10,6 @@ name: Run Helm unit tests
     paths:
       - deploy/charts/**
 
-# Do not grant jobs any permissions by default
 permissions: {}
 
 jobs:

diff --git a/.github/workflows/labeler.yaml b/.github/workflows/labeler.yaml
@@ -6,7 +6,7 @@ name: Labeler
       - opened
 
 jobs:
-  apply-label:
+  apply_label:
     runs-on: ubuntu-latest
     steps:
       - name: Apply prefect-operator label to all issues

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -1,5 +1,5 @@
 ---
-name: prefect-operator release
+name: Release Prefect Operator
 
 "on":
   push:
@@ -14,30 +14,16 @@ name: prefect-operator release
 permissions: {}
 
 jobs:
-  unit-tests:
-    name: Unit tests
-    runs-on: ubuntu-latest
+  run_unit_tests:
+    uses: ./.github/workflows/tests.yaml
     permissions:
+      # required by downstream jobs
       contents: read
-    steps:
-      - name: Check out code
-        uses: actions/checkout@v4
 
-      - name: Install tool dependencies
-        uses: jdx/mise-action@v2
-        with:
-          experimental: true
-
-      - name: Build
-        run: make build
-
-      - name: Test
-        run: make test
-
-  build-and-upload-manifests:
+  build_and_upload_manifests:
     if: github.ref_type == 'tag'
-    needs: unit-tests
     permissions:
+      # required to write artifacts to a release
       contents: write
     runs-on: ubuntu-latest
     steps:
@@ -67,12 +53,9 @@ jobs:
           yq -i '(.. | select(tag == "!!str" and . == "v0.0.0")) |= "${{ github.ref_name }}"' prefect-operator.yaml
 
       - name: Upload release assets
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: gh release upload ${{ github.ref_name }} prefect-crds.yaml prefect-operator.yaml
 
-  build-and-push-docker-image:
-    needs: unit-tests
+  build_and_push_docker_image:
     runs-on: ubuntu-latest
     # The GitHub environments are created by Terraform and map to Docker Hub repositories:
     # - dev: https://hub.docker.com/r/prefecthq/prefect-operator-dev
@@ -117,3 +100,11 @@ jobs:
           push: true
           tags: ${{ steps.metadata.outputs.tags }}
           labels: ${{ steps.metadata.outputs.labels }}
+
+  create_helm_release:
+    if: github.ref_type == 'tag'
+    permissions:
+      # required by downstream jobs
+      contents: write
+    needs: build_and_push_docker_image
+    uses: ./.github/workflows/helm-release.yaml
diff --git a/.github/workflows/static-analysis.yaml b/.github/workflows/static-analysis.yaml
@@ -2,7 +2,9 @@
 name: Static analysis
 
 "on":
-  pull_request:
+  pull_request: {}
+
+permissions: {}
 
 # Limit concurrency by workflow/branch combination.
 #
@@ -18,9 +20,12 @@ concurrency:
   cancel-in-progress: ${{ github.event_name == 'pull_request' }}
 
 jobs:
-  pre-commit-checks:
+  pre_commit_checks:
     name: pre-commit checks
     runs-on: ubuntu-latest
+    permissions:
+      # required to read from the repo
+      contents: read
     steps:
       - uses: actions/checkout@v4
         with:

diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml
@@ -0,0 +1,33 @@
+---
+name: Unit tests
+
+"on":
+  workflow_call: {}
+
+permissions: {}
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
+jobs:
+  unit_tests:
+    name: Unit tests
+    runs-on: ubuntu-latest
+    permissions:
+      # required to read from the repo
+      contents: read
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4
+
+      - name: Install tool dependencies
+        uses: jdx/mise-action@v2
+        with:
+          experimental: true # enables the go installation backend
+
+      - name: Build
+        run: make build
+
+      - name: Test
+        run: make test
diff --git a/.github/workflows/update-helm-versions.yaml b/.github/workflows/update-helm-versions.yaml
@@ -2,7 +2,7 @@
 name: Updatecli dependency updates
 
 "on":
-  workflow_dispatch:
+  workflow_dispatch: {}
   schedule:
     # The first of each month at 10am EST
     - cron: 0 15 1 * *
@@ -13,7 +13,7 @@ jobs:
   updatecli:
     runs-on: ubuntu-latest
     permissions:
-      # required to write to the repo
+      # required to commit to a branch
       contents: write
       # required to open a pr with updatecli changes
       pull-requests: write
@@ -30,24 +30,22 @@ jobs:
         id: date
         run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
 
-      - name: create branch for helm version updates
+      - name: Create branch for helm version updates
         run: |
           git checkout -b "helm-version-${{ steps.date.outputs.date }}"
 
-      - name: install updatecli in the runner
+      - name: Install updatecli in the runner
         uses: updatecli/updatecli-action@v2
 
-      - name: run updatecli in apply mode
+      - name: Run updatecli in apply mode
         run: |
           updatecli apply --config .github/updatecli/manifest.yaml
           git commit -am "helm-version-${{ steps.date.outputs.date }}"
           git push --set-upstream origin "helm-version-${{ steps.date.outputs.date }}"
-        env:
-          GITHUB_TOKEN: ${{ github.token }}
 
-      - name: create pr
+      - name: Create pr
         run: |
           git checkout "helm-version-${{ steps.date.outputs.date }}"
           gh pr create --base main --title "helm-version-bump-${{ steps.date.outputs.date }}" -b "please run helm-docs locally to update chart readmes" --label dependencies
         env:
-          GITHUB_TOKEN: ${{ github.token }}
+          GH_TOKEN: ${{ github.token }}
diff --git a/.github/workflows/validate-updatecli-config.yaml b/.github/workflows/validate-updatecli-config.yaml
@@ -28,5 +28,3 @@ jobs:
       - name: run updatecli diff to validate config
         run: |
           updatecli diff --config .github/updatecli/manifest.yaml
-        env:
-          GITHUB_TOKEN: ${{ github.token }}