Exercise most of the release process on prereleases

mislav · mislav · commit a98313147970 · 2020-09-07T16:11:27.000+02:00
- deb and rpm packages are now built for prereleases
- consolidate setup for deb &amp; rpm
- man pages are generated for prereleases
- the `cli.github.com` site is only pushed to on full releases

Bonus:
- only publish the GitHub release after the Windows MSI is uploaded
- hub does not need downloading
diff --git a/.github/workflows/releases.yml b/.github/workflows/releases.yml
@@ -27,153 +27,85 @@ jobs:
           args: release --release-notes=CHANGELOG.md
         env:
           GITHUB_TOKEN: ${{secrets.UPLOAD_GITHUB_TOKEN}}
-      - name: Bump homebrew-core formula
-        uses: mislav/bump-homebrew-formula-action@v1
-        if: "!contains(github.ref, '-')" # skip prereleases
-        with:
-          formula-name: gh
-          download-url: https://github.com/cli/cli.git
-        env:
-          COMMITTER_TOKEN: ${{ secrets.UPLOAD_GITHUB_TOKEN }}
       - name: Checkout documentation site
-        if: "!contains(github.ref, '-')" # skip prereleases
         uses: actions/checkout@v2
         with:
           repository: github/cli.github.com
           path: site
           fetch-depth: 0
           token: ${{secrets.SITE_GITHUB_TOKEN}}
-      - name: Publish documentation site
-        if: "!contains(github.ref, '-')" # skip prereleases
+      - name: Update site man pages
         env:
           GIT_COMMITTER_NAME: cli automation
           GIT_AUTHOR_NAME: cli automation
           GIT_COMMITTER_EMAIL: noreply@github.com
           GIT_AUTHOR_EMAIL: noreply@github.com
-        run: make site-publish
+        run: make site-bump
       - name: Move project cards
-        if: "!contains(github.ref, '-')" # skip prereleases
+        continue-on-error: true
         env:
           GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
           PENDING_COLUMN: 8189733
           DONE_COLUMN: 7110130
         run: |
-          curl -fsSL https://github.com/github/hub/raw/master/script/get | bash -s 2.14.1
-          api() { bin/hub api -H 'accept: application/vnd.github.inertia-preview+json' "$@"; }
+          api() { gh api -H 'accept: application/vnd.github.inertia-preview+json' "$@"; }
+          api-write() { [[ $GITHUB_REF == *-* ]] && echo "skipping: api $*" || api "$@"; }
           cards=$(api projects/columns/$PENDING_COLUMN/cards | jq ".[].id")
-          for card in $cards; do api projects/columns/cards/$card/moves --field position=top --field column_id=$DONE_COLUMN; done
-  rpm-repos:
-    if: "!contains(github.ref, '-')" # skip prereleases
-    needs: goreleaser
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v2
-      - name: Get package artifacts
-        uses: i3h/download-release-asset@v1
-        with:
-          owner: cli
-          repo: cli
-          tag: latest
-          file: .*.rpm
-      - name: install createrepo, rpm
-        run: sudo apt-get install -y createrepo rpm
-      - name: set up gpg
+          for card in $cards; do
+            api-write projects/columns/cards/$card/moves -f position=top -F column_id=$DONE_COLUMN
+          done
+      
+      - name: Install packaging dependencies
+        run: sudo apt-get install -y createrepo rpm reprepro
+      - name: Set up GPG
         run: |
-          echo "Importing pubkey..."
-          cat script/pubkey.asc | gpg --import --no-tty --batch --yes
-          echo "Importing seckey..."
-          echo ${{secrets.GPG_KEY}} | base64 -d | gpg --import --no-tty --batch --yes
-          echo "Resetting gpg-agent and ingesting passphrase"
+          gpg --import --no-tty --batch --yes < script/pubkey.asc
+          echo "${{secrets.GPG_KEY}}" | base64 -d | gpg --import --no-tty --batch --yes
           echo "allow-preset-passphrase" > ~/.gnupg/gpg-agent.conf
           gpg-connect-agent RELOADAGENT /bye
-          echo ${{secrets.GPG_PASSPHRASE}} | /usr/lib/gnupg2/gpg-preset-passphrase --preset 867DAD5051270B843EF54F6186FA10E3A1D22DC5
+          echo "${{secrets.GPG_PASSPHRASE}}" | /usr/lib/gnupg2/gpg-preset-passphrase --preset 867DAD5051270B843EF54F6186FA10E3A1D22DC5
       - name: Sign RPMs
         run: |
           cp script/rpmmacros ~/.rpmmacros
-          rpmsign --addsign *.rpm
-      - name: Checkout pages site
-        uses: actions/checkout@v2
-        with:
-          repository: github/cli.github.com
-          path: site
-          fetch-depth: 0
-          token: ${{secrets.SITE_GITHUB_TOKEN}}
-      - name: run createrepo
+          rpmsign --addsign dist/*.rpm
+      - name: Run createrepo
         run: |
-          cp *.rpm site/packages/rpm/
+          mkdir -p site/packages/rpm
+          cp dist/*.rpm site/packages/rpm/
           createrepo site/packages/rpm
-          cd site/packages/rpm && gpg --yes --detach-sign --armor repodata/repomd.xml
-          cd ../../../
-      - name: publish site
-        env:
-          GIT_COMMITTER_NAME: cli automation
-          GIT_AUTHOR_NAME: cli automation
-          GIT_COMMITTER_EMAIL: noreply@github.com
-          GIT_AUTHOR_EMAIL: noreply@github.com
-        run: |
-          git -C site add packages
-          git -C site commit -m"${GITHUB_REF} rpm packages"
-          git -C site push
-
-  deb-repos:
-    if: "!contains(github.ref, '-')" # skip prereleases
-    needs: goreleaser
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v2
-      - name: Get package artifacts
-        uses: i3h/download-release-asset@v1
-        with:
-          owner: cli
-          repo: cli
-          tag: latest
-          file: .*.deb
-      - name: install reprepro
-        run: sudo apt-get install -y reprepro
-      - name: set up gpg
-        run: |
-          echo "Importing pubkey..."
-          cat script/pubkey.asc | gpg --import --no-tty --batch --yes
-          echo "Importing seckey..."
-          echo ${{secrets.GPG_KEY}} | base64 -d | gpg --import --no-tty --batch --yes
-          echo "Resetting gpg-agent and ingesting passphrase"
-          echo "allow-preset-passphrase" > ~/.gnupg/gpg-agent.conf
-          gpg-connect-agent RELOADAGENT /bye
-          echo ${{secrets.GPG_PASSPHRASE}} | /usr/lib/gnupg2/gpg-preset-passphrase --preset 867DAD5051270B843EF54F6186FA10E3A1D22DC5
-      - name: run reprepro
+          pushd site/packages/rpm
+          gpg --yes --detach-sign --armor repodata/repomd.xml
+          popd
+      - name: Run reprepro
         env:
           RELEASES: "focal stable"
         run: |
-          mkdir upload
+          mkdir -p upload
           for release in $RELEASES; do
-            for file in *.deb ; do
-              /usr/bin/reprepro --confdir="+b/script" includedeb $release $file;
+            for file in dist/*.deb; do
+              reprepro --confdir="+b/script" includedeb "$release" "$file"
             done
           done
-      - name: "Select repo artifacts"
-        # Select only final repo artifacts (this makes reprepro runs stateless)
-        run: cp -a dists/ pool/ upload/
-      - name: Checkout pages site
-        uses: actions/checkout@v2
-        with:
-          repository: github/cli.github.com
-          path: site
-          fetch-depth: 0
-          token: ${{secrets.SITE_GITHUB_TOKEN}}
-      - name: add files to site
-        run: cp -a upload/* site/packages/
-      - name: publish site
+          cp -a dists/ pool/ upload/
+          mkdir -p site/packages
+          cp -a upload/* site/packages/
+      - name: Publish site
         env:
           GIT_COMMITTER_NAME: cli automation
           GIT_AUTHOR_NAME: cli automation
           GIT_COMMITTER_EMAIL: noreply@github.com
           GIT_AUTHOR_EMAIL: noreply@github.com
+        working-directory: ./site
         run: |
-          git -C site add packages
-          git -C site commit -m"${GITHUB_REF} deb packages"
-          git -C site push
+          git add packages
+          git commit -m "Add rpm and deb packages for ${GITHUB_REF#refs/tags/}"
+          if [[ $GITHUB_REF == *-* ]]; then
+            git log --oneline @{upstream}..
+            git diff --name-status @{upstream}..
+          else
+            git push
+          fi
+
   msi:
     needs: goreleaser
     runs-on: windows-latest
@@ -184,8 +116,7 @@ jobs:
         id: download_exe
         shell: bash
         run: |
-          curl -fsSL https://github.com/github/hub/raw/master/script/get | bash -s 2.14.1
-          bin/hub release download "${GITHUB_REF#refs/tags/}" -i '*windows_amd64*.zip'
+          hub release download "${GITHUB_REF#refs/tags/}" -i '*windows_amd64*.zip'
           printf "::set-output name=zip::%s\n" *.zip
           unzip -o *.zip && rm -v *.zip
         env:
@@ -218,6 +149,14 @@ jobs:
             -Executable "${{ steps.buildmsi.outputs.msi }}"
       - name: Upload MSI
         shell: bash
-        run: bin/hub release edit "${GITHUB_REF#refs/tags/}" -m "" -a "${{ steps.buildmsi.outputs.msi }}"
+        run: hub release edit "${GITHUB_REF#refs/tags/}" -m "" --draft=false -a "${{ steps.buildmsi.outputs.msi }}"
         env:
           GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+      - name: Bump homebrew-core formula
+        uses: mislav/bump-homebrew-formula-action@v1
+        if: "!contains(github.ref, '-')" # skip prereleases
+        with:
+          formula-name: gh
+          download-url: https://github.com/cli/cli.git
+        env:
+          COMMITTER_TOKEN: ${{ secrets.UPLOAD_GITHUB_TOKEN }}
diff --git a/.goreleaser.yml b/.goreleaser.yml
@@ -2,6 +2,7 @@ project_name: gh
 
 release:
   prerelease: auto
+  draft: true # we only publish after the Windows MSI gets uploaded
 
 before:
   hooks:
diff --git a/Makefile b/Makefile
@@ -46,15 +46,14 @@ site-docs: site
 	git -C site commit -m 'update help docs' || true
 .PHONY: site-docs
 
-site-publish: site-docs
+site-bump: site-docs
 ifndef GITHUB_REF
 	$(error GITHUB_REF is not set)
 endif
 	sed -i.bak -E 's/(assign version = )".+"/\1"$(GITHUB_REF:refs/tags/v%=%)"/' site/index.html
 	rm -f site/index.html.bak
 	git -C site commit -m '$(GITHUB_REF:refs/tags/v%=%)' index.html
-	git -C site push
-.PHONY: site-publish
+.PHONY: site-bump
 
 
 .PHONY: manpages
