Adds automatic release action #17594

sgiehl · 2021-05-19T15:29:44Z

This PR aims to set up a automatic build process.

What this action does:

This action always needs to be triggered manually in the actions tab. This is possible with two purposes:

New release in the current major version

When a new release has to be done this action simply needs to be triggered manually, without setting a version.
The action will then:

Check if the user who triggered the action is in the team matomo-org/release-team
--> If this is not the case the action will abort with an error
The version contained in the file core/Version.php will be extracted and used
--> If a tag with the determined version already exists the action will abort with an error
A new tag for that version will be created
A new build will be created using the script .github/scripts/build-package.sh
--> This will create piwik and matomo release archives in zip and tar.gz as well as signature files ending on .asc
In addition to this a new release will be created in the repository and the matomo release archives and signatures will be attached. Depending on the version this will be automatically marked as pre-release or not. The release message for each release type can be adjusted if needed. The result can be seen in my fork: Pre-Release | Normal release

Release in LTS version (or re-release of a broken one)

When releasing a LTS version we can't simply trigger the action. Instead we need to create the tag manually first. After this has been done, the actions needs to be triggered while providing the tagged version number in the according input:

The action will then:

Check if the user who triggered the action is in the team matomo-org/release-team
--> If this is not the case the action will abort with an error
The action now checks if a tag for the given version exists
--> If no tag exists the action will abort with an error
A new build will be created using the script .github/scripts/build-package.sh
--> This will create piwik and matomo release archives in zip and tar.gz as well as signature files ending on .asc
As above a new release in the repo will be created for the tag

Additionally the action could also be used to re-release a "broken" release. Even though this should be an uncommon use case, it's possible to simply trigger the action with a version number that already exists. For pre-releases the script should simply run through and recreate the archives. They should then be replaced in the repo release. For stable releases this currently won't work as the build script aborts if the version is already available on our build server

Requirements:

The team matomo-org/release-team needs to be filled with the persons who should be able to trigger this action. This is currently a private group, so no one can directly see who actually has the permission

The action requires the following repository tokens to be set up:

secret name	secret value description
GPG_CERTIFICATE	ASCII armored or Base64 encoded GPG certificate that is used to create the signatures for the archives
GPG_CERTIFICATE_PASS	Passphrase of the GPG key
RELEASE_PASSWORD	Password required to trigger the release action

Testing / Feedback

If someone wants to test the process feel free to get in touch on slack. It's set up on my fork and uses a slightly adjusted build script that uploads the releases to another account. Can give you access...

fixes matomo-org/matomo-package#119

mattab · 2021-05-19T21:11:56Z

Great to see this progress!

Btw another important step to complete at the end will be to update the instructions at: https://matomo.org/blog/2014/11/verify-signatures-piwik-packages/

flamisz · 2021-05-30T21:48:44Z

Is it ready to review? I see the needs review label but it's still in draft.

sgiehl · 2021-05-31T06:58:51Z

@flamisz That's because it requires some setup before it could be merged. It's also only a suggestion from my side how the process could work. So it has the needs review and rfc label actually to get some feedback.

sgiehl · 2021-06-25T08:32:14Z

@mattab @tsteur would be awesome if you can find some time to look into this, so we maybe could set up the automatic release soon.

mattab · 2021-06-25T20:52:05Z

From my end it looks fantastic @sgiehl - great work! Will save us all time and make our release process faster 🚀

tsteur · 2021-07-20T01:12:06Z

@sgiehl what's the status here? can we configure (probably requires @mattab for some keys) and merge and test it?

sgiehl · 2021-07-20T06:58:06Z

@tsteur Not sure if someone wants to do a code review. Otherwise we can configure it

.github/workflows/release.yml

tsteur · 2021-07-20T07:13:27Z

👍 wasn't sure as it was set to draft. Generally had a look over it and looked ok-ish but don't know the details. I guess we'd mostly want to test it to ensure it works. Maybe in beginning we wouldn't test it with ssh piwik-builds but some other account.

.github/workflows/release.yml

github-actions · 2021-08-02T01:46:44Z

This issue is in "needs review" but there has been no activity for 7 days. ping @matomo-org/core-reviewers

… next_release

sgiehl · 2022-02-18T14:37:07Z

@Findus23 applied some of the fixes

tsteur

Left a few minor comments. The password check we could add after it's been merged.

Otherwise looks all good to merge from my perspective once the comments have been addressed and once the process of using this is documented and how it works (eg how to allow someone to release etc)

.github/workflows/release.yml

tsteur · 2022-02-22T20:51:18Z

👍

sgiehl · 2022-02-23T18:50:56Z

Guess we actually could merge this one now. Once the secrets have been added we can give it a first try...

* Adds automatic release action * remove test branch usage * set proper permissions * use the commit hashes of the versions for external actions * remove invalid permission property * use local version of build script * various improvements * disallow creating automated tags from branches other than 4.x-dev and next_release * apply latest build script changes * manually import gpg key instead of using an action * remove all remote work * also attach piwik.* files to the release * some cleanup * Adds confirmation box to action run * apply review feedback * add password check * allow releases to be triggered from any development branch * only allow beta releases from development branches * improve permissions * add some comments about required secrets * use default github token to check group members

sgiehl added RFC Indicates the issue is a request for comments where the author is looking for feedback. Needs Review PRs that need a code review Better processes Indicates an issue is about improving how we work. labels May 19, 2021

github-actions bot added the Stale The label used by the Close Stale Issues action label Jun 8, 2021

sgiehl added Do not close PRs with this label won't be marked as stale by the Close Stale Issues action and removed Stale The label used by the Close Stale Issues action labels Jun 11, 2021

github-actions bot added Stale The label used by the Close Stale Issues action and removed Stale The label used by the Close Stale Issues action labels Jun 19, 2021

github-actions bot added Stale The label used by the Close Stale Issues action and removed Stale The label used by the Close Stale Issues action labels Jul 3, 2021

github-actions bot added Stale The label used by the Close Stale Issues action and removed Stale The label used by the Close Stale Issues action labels Jul 11, 2021

github-actions bot added Stale The label used by the Close Stale Issues action and removed Stale The label used by the Close Stale Issues action labels Jul 19, 2021

tsteur reviewed Jul 20, 2021

View reviewed changes