From fb3937a7f3af87d09665ce082eda8b278d021255 Mon Sep 17 00:00:00 2001 From: Matthew Watkins Date: Mon, 22 Dec 2025 09:00:42 +0000 Subject: [PATCH] CI: Update action versions, swap to repository credential The 1Password integration is misbehaving and needs debugging. In the meantime, we will swap back to a local repository credential. This change also updates all the action calls to the latest releases. Issue-ID: CIMAN-33 Change-Id: I4f5558f0c3ae597741b6cbd84413452fd55c19a1 Signed-off-by: Matthew Watkins --- .github/workflows/gerrit-merge-release-itdep.yaml | 174 +++++++++------------- 1 file changed, 70 insertions(+), 104 deletions(-) diff --git a/.github/workflows/gerrit-merge-release-itdep.yaml b/.github/workflows/gerrit-merge-release-itdep.yaml index c3e2944e..c422de52 100644 --- a/.github/workflows/gerrit-merge-release-itdep.yaml +++ b/.github/workflows/gerrit-merge-release-itdep.yaml @@ -1,6 +1,6 @@ --- # SPDX-License-Identifier: Apache-2.0 -# SPDX-FileCopyrightText: 2023 The Linux Foundation, 2025 OpenInfra Foundation Europe +# SPDX-FileCopyrightText: 2025 The Linux Foundation name: 'Release Helm Charts' 
@@ -11,53 +11,6 @@ on: tags: - '**' - # Manual trigger for debugging - # Note: Mandatory Gerrit variables switched to optional - workflow_dispatch: - inputs: - # Optional Gerrit inputs - GERRIT_BRANCH: - description: "Branch that change is against" - required: false - type: string - GERRIT_CHANGE_ID: - description: "The ID for the change" - required: false - type: string - GERRIT_CHANGE_NUMBER: - description: "The Gerrit number" - required: false - type: string - GERRIT_CHANGE_URL: - description: "URL to the change" - required: false - type: string - GERRIT_EVENT_TYPE: - description: "Type of Gerrit event" - required: false - type: string - GERRIT_PATCHSET_NUMBER: - description: "The patch number for the change" - required: false - type: string - GERRIT_PATCHSET_REVISION: - description: "The revision sha" - required: false - type: string - GERRIT_PROJECT: - description: "Project in Gerrit" - required: false - type: string - GERRIT_REFSPEC: - description: "Gerrit refspec of change" - required: false - type: string - GERRIT_DISABLED: - description: "Run without Gerrit components" - required: false - default: false - type: boolean - concurrency: # yamllint disable-line rule:line-length group: publish-release-${{ github.workflow }}-${{ github.event.inputs.GERRIT_CHANGE_ID || github.run_id }} @@ -76,9 +29,24 @@ env: RIC_DEP_CI_DOCKER_FILE: 'ci/Dockerfile' jobs: - notify: + repository-metadata: + name: "Repository Metadata" runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: read + timeout-minutes: 5 steps: + # yamllint disable-line rule:line-length + - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 + with: + egress-policy: audit + + # yamllint disable-line rule:line-length + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + fetch-depth: 0 + - name: "Gather repository metadata" id: repo-metadata # yamllint disable-line rule:line-length 
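Review bot: The `concurrency` `group` expression at the end of this hunk still reads `github.event.inputs.GERRIT_CHANGE_ID`, but the hunk removes the `workflow_dispatch` trigger that supplied that input, so on the remaining tag-push trigger it is always empty and every run falls back to `github.run_id`. That makes the group unique per run, so overlapping release runs for the same tag are never serialised or cancelled. Key the group on the pushed ref instead: `group: publish-release-${{ github.workflow }}-${{ github.ref }}`. The `concurrency` block continues past the end of the hunk, so check that any `cancel-in-progress` setting there still matches the intent for a release pipeline.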
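Review bot: The new `repository-metadata` job grants `pull-requests: read`, which a workflow that now triggers only on tag pushes has no pull-request context to use; unless the metadata action documents needing it, trim the block to just `contents: read`. The `harden-runner` step runs with `egress-policy: audit`, which only logs outbound traffic; for a release job it is worth tightening to `egress-policy: block` with an `allowed-endpoints` list once the audit output shows what the job actually needs. The metadata step with `id: repo-metadata` continues beyond the end of the hunk, and nothing visible in the diff references this job via `needs`, so confirm its output is still consumed somewhere.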
@@ -89,23 +57,50 @@ jobs: artifact_upload: 'true' artifact_formats: 'json' - - name: Notify job start + tag-validate: + name: 'Validate Tag Push' + runs-on: 'ubuntu-latest' + permissions: + contents: read + timeout-minutes: 2 + outputs: + tag: "${{ steps.tag-validate.outputs.tag_name }}" + steps: + # Harden the runner used by this workflow + # yamllint disable-line rule:line-length + - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 + with: + egress-policy: 'audit' + + - name: 'Checkout repository' # yamllint disable-line rule:line-length - uses: lfreleng-actions/gerrit-review-action@6d2e00dfd3173cd9a36d11350c8fba44731c7b4e # v0.10.0 - if: github.event_name == 'workflow_dispatch' && inputs.GERRIT_DISABLED != true + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: - host: ${{ vars.GERRIT_SERVER }} - username: ${{ vars.GERRIT_SSH_USER }} - key: ${{ secrets.GERRIT_SSH_PRIVKEY }} - known_hosts: ${{ vars.GERRIT_KNOWN_HOSTS }} - gerrit-change-number: ${{ inputs.GERRIT_CHANGE_NUMBER }} - gerrit-patchset-number: ${{ inputs.GERRIT_PATCHSET_NUMBER }} - comment-only: 'true' + fetch-depth: 0 + fetch-tags: true + + - name: 'Verify pushed tag' + id: 'tag-validate' + # yamllint disable-line rule:line-length + uses: lfreleng-actions/tag-validate-action@fix-ssh-signature-detection # Testing + with: + require_type: 'calver' + require_signed: 'true' + token: "${{ secrets.GITHUB_TOKEN }}" + + - name: 'Reject development tags' + if: steps.tag-validate.outputs.development_tag == 'true' + shell: bash + run: | + # Reject development tags + echo "Development tag pushed; aborting release workflow 🛑" + echo "Development tag pushed; aborting release workflow 🛑" \ + >> "$GITHUB_STEP_SUMMARY" + exit 1 verify-and-publish: name: 'Build/Verify Helm Charts' - needs: [notify] - if: always() + needs: [tag-validate] runs-on: 'ubuntu-latest' outputs: charts_build_dir: "${{ env.CHARTS_BUILD_DIR }}" 
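Review bot: The `Verify pushed tag` step pins `lfreleng-actions/tag-validate-action` to the mutable branch `fix-ssh-signature-detection` (marked `# Testing`) while every other `uses:` in the file is pinned to a commit SHA, and this is the step that gates the release on `require_signed: 'true'` and receives `secrets.GITHUB_TOKEN`. A branch ref can be moved or force-pushed by anyone with write access to that action repository, so the signature check the release depends on is itself unverified supply-chain input; before merge, replace it with a full commit SHA plus a `# vX.Y.Z` comment like the other action references, or keep the branch pin out of the tagged-release path entirely. Dropping `if: always()` from `verify-and-publish` in favour of a plain `needs: [tag-validate]` is the right call, since a failed or rejected tag now stops publishing. The `verify-and-publish` job definition continues past the end of the hunk.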
@@ -115,12 +110,12 @@ jobs: timeout-minutes: 20 steps: # yamllint disable-line rule:line-length - - uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3 + - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 with: egress-policy: audit - name: Load secrets from 1Password - uses: 1password/load-secrets-action@13f58eec611f8e5db52ec16247f58c508398f3e6 # v3.0.0 + uses: 1password/load-secrets-action@8d0d610af187e78a2772c2d18d627f4c52d3fbfb # v3.1.0 with: export-env: true env: @@ -158,18 +153,11 @@ jobs: echo "set=true" >> $GITHUB_OUTPUT fi - - name: "Exit early for 1Password integration" - run: | - # Exit early for 1Password integration - exit 0 - - - name: 'Checkout Gerrit change' + # No need for Gerrit checkout; triggered on tag push + # GitHub is already in sync with Gerrit state + - name: 'Checkout repository' # yamllint disable-line rule:line-length - uses: lfreleng-actions/checkout-gerrit-change-action@54d751e8bd167bc91f7d665dabe33fae87aaaa63 # v0.9 - with: - gerrit-project: ${{ inputs.GERRIT_PROJECT }} - gerrit-refspec: ${{ inputs.GERRIT_REFSPEC }} - delay: "0s" + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - name: 'Display workflow environment' shell: bash @@ -186,7 +174,7 @@ jobs: - name: 'Set up Docker Buildx' # yamllint disable-line rule:line-length - uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 - name: 'Build pre-requisites, install Helm plugins' id: pre-requisites @@ -209,7 +197,7 @@ jobs: - name: 'Start ChartMuseum' id: chartmuseum # yamllint disable-line rule:line-length - uses: lfreleng-actions/chartmuseum-action@fd69b10b8a21548c0eb99b13f52ed40875057dbf # v0.1.5 + uses: lfreleng-actions/chartmuseum-action@7f3e1314e831894078f9a7ad74cea2ea0975d505 # v0.1.6 with: username: 'chartmuseum' password: "${{ secrets.GITHUB_TOKEN }}" 
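Review bot: The replacement `Checkout repository` step in the `-158,18 +153,11` hunk calls `actions/checkout` with no `with:` block, so the default `persist-credentials: true` leaves `GITHUB_TOKEN` in `.git/config` for the rest of the job, including the Makefile and Docker build steps that follow. Unless a later step pushes back to the repository, add `with:` / `persist-credentials: false` to the step so the build tooling never sees the token. Further up the same job, the `Load secrets from 1Password` step still runs with `export-env: true` even though the commit message says that integration is misbehaving; if it can fail, the checkout and everything after it will not run, so either gate it with `continue-on-error: true` or remove it until the integration is fixed. The `verify-and-publish` job starts before this hunk and continues after it.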
@@ -220,28 +208,28 @@ jobs: # Makefiles publish to Chartmeusem service locally - name: 'Build onap_oom' # yamllint disable-line rule:line-length - uses: lfreleng-actions/make-action@d2b447abd5db8425f4fbbb27b953133861137a66 # v0.1.2 + uses: lfreleng-actions/make-action@e07201ee8e3d1f34800f1c63f58415624a8c054c # v0.1.3 with: make_args: "-C smo-install/onap_oom/kubernetes -e SKIP_LINT=TRUE" # Makefiles publish to Chartmeusem service locally - name: 'Build oran_oom' # yamllint disable-line rule:line-length - uses: lfreleng-actions/make-action@d2b447abd5db8425f4fbbb27b953133861137a66 # v0.1.2 + uses: lfreleng-actions/make-action@e07201ee8e3d1f34800f1c63f58415624a8c054c # v0.1.3 with: make_args: "-C smo-install/oran_oom" # Makefiles publish to Chartmeusem service locally - name: 'Build oran_oom/smo' # yamllint disable-line rule:line-length - uses: lfreleng-actions/make-action@d2b447abd5db8425f4fbbb27b953133861137a66 # v0.1.2 + uses: lfreleng-actions/make-action@e07201ee8e3d1f34800f1c63f58415624a8c054c # v0.1.3 with: make_args: "-C smo-install/oran_oom/smo" # Makefiles publish to Chartmeusem service locally - name: 'Build tests_oom' # yamllint disable-line rule:line-length - uses: lfreleng-actions/make-action@d2b447abd5db8425f4fbbb27b953133861137a66 # v0.1.2 + uses: lfreleng-actions/make-action@e07201ee8e3d1f34800f1c63f58415624a8c054c # v0.1.3 with: make_args: "-C smo-install/tests_oom" 
@@ -254,36 +242,14 @@ jobs: tags: "" - name: 'Publish to Nexus3 (Helm Snapshot)' - uses: lfreleng-actions/nexus-publish-action@b53a4638789cba03279c97aeab7f0ce10dbfa991 # v0.1.3 + uses: lfreleng-actions/nexus-publish-action@b53a4638789cba03279c97aeab7f0ce10dbfa991 # v0.1.4 # Note: changed from verify for 1Password integration with: nexus_server: "${{ vars.NEXUS3_SERVER }}" nexus_username: "${{ github.event.repository.name }}" - nexus_password: "${{ env.NEXUS_PASSWORD }}" + nexus_password: "${{ secrets.NEXUS_PASSWORD }}" repository_format: 'raw' repository_name: 'helm.release' files_path: "${{ env.CHARTS_BUILD_DIR }}" file_pattern: '*.tgz' permit_fail: true - - report-status: - if: ${{ always() && github.event_name == 'workflow_dispatch' && inputs.GERRIT_DISABLED != true }} - needs: [notify, verify-and-publish] - runs-on: ubuntu-latest - steps: - - name: Get conclusion - # yamllint disable-line rule:line-length - uses: im-open/workflow-conclusion@e4f7c4980600fbe0818173e30931d3550801b992 # v2.2.3 - - - name: Report workflow conclusion - # yamllint disable-line rule:line-length - uses: lfreleng-actions/gerrit-review-action@537251ec667665b386f70b330b05446e3fc29087 # v0.9 - with: - host: ${{ vars.GERRIT_SERVER }} - username: ${{ vars.GERRIT_SSH_USER }} - key: ${{ secrets.GERRIT_SSH_PRIVKEY }} - known_hosts: ${{ vars.GERRIT_KNOWN_HOSTS }} - gerrit-change-number: ${{ inputs.GERRIT_CHANGE_NUMBER }} - gerrit-patchset-number: ${{ inputs.GERRIT_PATCHSET_NUMBER }} - vote-type: ${{ env.WORKFLOW_CONCLUSION }} - comment-only: 'true' -- 2.16.6
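Review bot: In the `Publish to Nexus3` step the version comment on `lfreleng-actions/nexus-publish-action` changes from `# v0.1.3` to `# v0.1.4` while the pinned SHA `b53a4638789cba03279c97aeab7f0ce10dbfa991` is unchanged, so either the bump was not applied or the comment now misdescribes what runs; the pin comment and the SHA must move together, because reviewers and dependency-update bots trust the comment. The switch to `nexus_password: "${{ secrets.NEXUS_PASSWORD }}"` matches the commit message, but the `# Note: changed from verify for 1Password integration` comment above it is now stale and should be updated or removed. The step also keeps `permit_fail: true`, so a failed release upload leaves the workflow green; that is pre-existing, but for a tag-gated release publish it is worth reconsidering.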