diff --git a/.github/chainguard/self.update-system-tests.push.sts.yaml b/.github/chainguard/self.update-system-tests.create-pr.sts.yaml
similarity index 100%
rename from .github/chainguard/self.update-system-tests.push.sts.yaml
rename to .github/chainguard/self.update-system-tests.create-pr.sts.yaml
diff --git a/.github/workflows/create-release-branch.yaml b/.github/workflows/create-release-branch.yaml
index 10ec3cd0a95..0fadc2d4996 100644
--- a/.github/workflows/create-release-branch.yaml
+++ b/.github/workflows/create-release-branch.yaml
@@ -15,14 +15,18 @@ jobs:
 create-release-branch:
 runs-on: ubuntu-latest
 permissions:
- contents: write # Allow pushing the empty release branch
+ # contents: write # Allow pushing the empty release branch
+ contents: read
 id-token: write # Required for OIDC token federation
 steps:
 - uses: DataDog/dd-octo-sts-action@acaa02eee7e3bb0839e4272dacb37b8f3b58ba80 # v1.0.3
 id: octo-sts
 with:
 scope: DataDog/dd-trace-java
- policy: self.update-system-tests.push
+ policy: self.update-system-tests.create-pr
+
+ - name: Checkout dd-trace-java at tag
+ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # 5.0.0
 
 - name: Determine tag
 id: determine-tag
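Review bot: The new `Checkout dd-trace-java at tag` step keeps actions/checkout's default `persist-credentials: true`, so the job's `GITHUB_TOKEN` is written into `.git/config` and stays available to every later step even though pushing and PR creation now go through the octo-sts token (`token: "${{ steps.octo-sts.outputs.token }}"` further down); add `with:` followed by `persist-credentials: false` under the `uses: actions/checkout@…` line. Lowering `contents` from `write` to `read` is the right least-privilege move, but the commented-out `# contents: write # Allow pushing the empty release branch` line is dead config — delete it and keep the rationale on the live line, e.g. `contents: read # pushes and PRs use the octo-sts token, not GITHUB_TOKEN`. The relocated checkout also drops the old explicit `ref:`, so it checks out whatever `github.sha` the triggering event supplies; the workflow's `on:` block is outside this hunk, so I cannot confirm that is always the tagged commit the step name implies — a short comment stating the intended ref would help. The renamed octo-sts policy file is a 100% rename, so the permissions it grants are unchanged by this commit.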
@@ -42,69 +46,63 @@ jobs:
 id: define-branch
 run: |
 TAG=${{ steps.determine-tag.outputs.tag }}
- BRANCH="release/${TAG%.0}.x"
- echo "branch=${BRANCH}" >> "$GITHUB_OUTPUT"
+ echo "branch=release/${TAG%.0}.x" >> "$GITHUB_OUTPUT"
 
- - name: Checkout dd-trace-java at tag
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # 5.0.0
- with:
- ref: ${{ github.sha }}
+ # - name: Check if branch already exists
+ # id: check-branch
+ # run: |
+ # BRANCH=${{ steps.define-branch.outputs.branch }}
+ # if git ls-remote --heads origin "$BRANCH" | grep -q "$BRANCH"; then
+ # echo "creating_new_branch=false" >> "$GITHUB_OUTPUT"
+ # echo "Branch $BRANCH already exists - skipping following steps"
+ # else
+ # echo "creating_new_branch=true" >> "$GITHUB_OUTPUT"
+ # echo "Branch $BRANCH does not exist - proceeding with following steps"
+ # fi
 
- - name: Check if branch already exists
- id: check-branch
- run: |
- BRANCH=${{ steps.define-branch.outputs.branch }}
- if git ls-remote --heads origin "$BRANCH" | grep -q "$BRANCH"; then
- echo "creating_new_branch=false" >> "$GITHUB_OUTPUT"
- echo "Branch $BRANCH already exists - skipping following steps"
- else
- echo "creating_new_branch=true" >> "$GITHUB_OUTPUT"
- echo "Branch $BRANCH does not exist - proceeding with following steps"
- fi
+ # - name: Create and push empty release branch
+ # if: steps.check-branch.outputs.creating_new_branch == 'true'
+ # run: |
+ # git checkout -b "${{ steps.define-branch.outputs.branch }}"
+ # git push -u origin "${{ steps.define-branch.outputs.branch }}"
 
- - name: Create and push empty release branch
- if: steps.check-branch.outputs.creating_new_branch == 'true'
- run: |
- git checkout -b "${{ steps.define-branch.outputs.branch }}"
- git push -u origin "${{ steps.define-branch.outputs.branch }}"
+ - name: Update system-tests references to latest commit SHA on main
+ # if: steps.check-branch.outputs.creating_new_branch == 'true'
+ run: BRANCH=main ./tooling/update_system_test_reference.sh
 
 - name: Define temp branch name
- if: steps.check-branch.outputs.creating_new_branch == 'true'
+ # if: steps.check-branch.outputs.creating_new_branch == 'true'
 id: define-temp-branch
- run: echo "branch=ci/pin-system-tests-$(date +'%Y%m%d')" >> $GITHUB_OUTPUT
-
- - name: Update system-tests references to latest commit SHA on main
- if: steps.check-branch.outputs.creating_new_branch == 'true'
- run: BRANCH=main ./tooling/update_system_test_reference.sh
+ run: echo "temp-branch=ci/pin-system-tests-$(date +'%Y%m%d')" >> $GITHUB_OUTPUT
 
 - name: Commit changes
- if: steps.check-branch.outputs.creating_new_branch == 'true'
+ # if: steps.check-branch.outputs.creating_new_branch == 'true'
 id: create-commit
 run: |
 git config user.name "github-actions[bot]"
 git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
 git commit -m "chore: Pin system-tests for release branch" .github/workflows/run-system-tests.yaml
 echo "commit=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT
-
+
 - name: Push changes to temp branch
- if: steps.check-branch.outputs.creating_new_branch == 'true'
+ # if: steps.check-branch.outputs.creating_new_branch == 'true'
 uses: DataDog/commit-headless@5a0f3876e0fbdd3a86b3e008acf4ec562db59eee # action/v2.0.1
 with:
 token: "${{ steps.octo-sts.outputs.token }}"
- branch: "${{ steps.define-temp-branch.outputs.branch }}"
+ branch: "${{ steps.define-temp-branch.outputs.temp-branch }}"
 head-sha: "${{ github.sha }}"
 create-branch: true
 command: push
 commits: "${{ steps.create-commit.outputs.commit }}"
 
 - name: Create pull request from temp branch to release branch
- if: steps.check-branch.outputs.creating_new_branch == 'true'
+ # if: steps.check-branch.outputs.creating_new_branch == 'true'
 env:
 GH_TOKEN: ${{ steps.octo-sts.outputs.token }}
 run: |
- gh pr create --title "Pin system-tests for ${{ steps.define-branch.outputs.branch }}" \
+ gh pr create --title "Pin system-tests for ${{ steps.define-branch.outputs.branch }}" \
 --base "${{ steps.define-branch.outputs.branch }}" \
- --head "${{ steps.define-temp-branch.outputs.branch }}" \
+ --head "${{ steps.define-temp-branch.outputs.temp-branch }}" \
 --label "tag: dependencies" \
 --label "tag: no release notes" \
 --body "This PR pins the system-tests reference for the release branch."
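Review bot: With the `check-branch` step and every `if: steps.check-branch.outputs.creating_new_branch == 'true'` guard commented out, the update/commit/push/`gh pr create` sequence now runs unconditionally, and because the `Create and push empty release branch` step is commented out as well, `gh pr create --base "release/X.x"` will fail whenever that base branch does not exist yet; the date-based `ci/pin-system-tests-YYYYMMDD` head branch combined with `create-branch: true` will likewise collide on a second run the same day. Commented-out YAML is dead config, not a feature flag — either delete the three disabled blocks or keep a live guard such as `if: steps.check-branch.outputs.creating_new_branch == 'true'` on each step, fed by the `git ls-remote --heads origin "$BRANCH"` check. Separately, the rewritten `gh pr create` lines still splice `${{ steps.define-branch.outputs.branch }}` and `${{ steps.define-temp-branch.outputs.temp-branch }}` straight into the shell script; the base name is derived from a tag name, which git permits to contain `;`, `$(` or `"`, so route both values through `env:` and expand them as shell variables as below. The `determine-tag` step that produces the tag is outside this hunk, so whether an untrusted actor can influence it cannot be confirmed here.
```yaml
      - name: Create pull request from temp branch to release branch
        env:
          GH_TOKEN: ${{ steps.octo-sts.outputs.token }}
          BASE_BRANCH: ${{ steps.define-branch.outputs.branch }}
          HEAD_BRANCH: ${{ steps.define-temp-branch.outputs.temp-branch }}
        run: |
          gh pr create --title "Pin system-tests for ${BASE_BRANCH}" \
            --base "${BASE_BRANCH}" \
            --head "${HEAD_BRANCH}" \
          # … unchanged: --label and --body arguments …
```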