From 8d6e8967c5a0e25cb372a62b7b1639fc5233c992 Mon Sep 17 00:00:00 2001 From: Adria Navarro Date: Tue, 6 Jun 2023 11:12:29 +0100 Subject: [PATCH] Change pipelines to use tags and secure them properly --- .github/workflows/deploy-cloud.yaml | 30 ++++++++++++----------- .github/workflows/deploy-preprod.yml | 21 +++++++++++++--- .github/workflows/release-develop.yml | 7 ++++++ .github/workflows/release-master.yml | 2 +- .github/workflows/release-selfhost.yml | 16 +++++++++--- .github/workflows/release-singleimage.yml | 21 ++++++++++++---- 6 files changed, 69 insertions(+), 28 deletions(-) diff --git a/.github/workflows/deploy-cloud.yaml b/.github/workflows/deploy-cloud.yaml index fa80da846f..d8f1ee88f9 100644 --- a/.github/workflows/deploy-cloud.yaml +++ b/.github/workflows/deploy-cloud.yaml @@ -2,23 +2,29 @@ name: Budibase Deploy Production on: workflow_dispatch: - inputs: - version: - description: Budibase release version. For example - 1.0.0 - required: false jobs: release: runs-on: ubuntu-latest steps: - - name: Fail if branch is not master - if: github.ref != 'refs/heads/master' - run: | - echo "Ref is not master, you must run this job from master." - exit 1 + - name: Fail if not a tag + run: | + if [[ $GITHUB_REF != refs/tags/* ]]; then + echo "Workflow Dispatch can only be run on tags" + exit 1 + fi - uses: actions/checkout@v2 + with: + fetch-depth: 0 + + - name: Fail if tag is not in master + run: | + if ! git merge-base --is-ancestor ${{ github.sha }} origin/master; then + echo "Tag is not in master. This pipeline can only execute tags that are present on the master branch" + exit 1 + fi - name: Pull values.yaml from budibase-infra run: | 
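Review bot: The new `Fail if tag is not in master` step only works because the `fetch-depth: 0` added to the checkout above it makes `origin/master` exist in the clone; with a shallow checkout `git merge-base` errors on the unknown ref and the `!` would turn that into a rejection of every tag, so the coupling deserves a comment on the checkout, e.g. `# fetch-depth: 0 is required: the ancestry check below needs origin/master in the clone`. The ancestry check proves the tagged commit is reachable from master at run time, not who created the tag, so anyone with permission to push tags can point a tag at an older master commit and redeploy that version; tag protection rules and a protected environment on the `release` job would close that gap. The same two-step guard is copied into deploy-preprod.yml, release-selfhost.yml and release-singleimage.yml, so a composite action would keep the four copies from drifting.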
@@ -31,11 +37,7 @@ jobs: - name: Get the latest budibase release version id: version run: | - if [ -z "${{ github.event.inputs.version }}" ]; then - release_version=$(cat lerna.json | jq -r '.version') - else - release_version=${{ github.event.inputs.version }} - fi + release_version=$(cat lerna.json | jq -r '.version') echo "RELEASE_VERSION=$release_version" >> $GITHUB_ENV - name: Configure AWS Credentials diff --git a/.github/workflows/deploy-preprod.yml b/.github/workflows/deploy-preprod.yml index 6ce1697d3a..81395bc7e3 100644 --- a/.github/workflows/deploy-preprod.yml +++ b/.github/workflows/deploy-preprod.yml @@ -1,17 +1,30 @@ name: "deploy-preprod" on: workflow_dispatch: - inputs: - version: - description: Budibase release version. For example - 1.0.0 - required: false workflow_call: jobs: deploy-to-legacy-preprod-env: runs-on: ubuntu-latest steps: + - name: Fail if not a tag + run: | + if [[ $GITHUB_REF != refs/tags/* ]]; then + echo "Workflow Dispatch can only be run on tags" + exit 1 + fi + - uses: actions/checkout@v2 + with: + fetch-depth: 0 + + - name: Fail if tag is not in master + run: | + if ! git merge-base --is-ancestor ${{ github.sha }} origin/master; then + echo "Tag is not in master. This pipeline can only execute tags that are present on the master branch" + exit 1 + fi + - name: Get the latest budibase release version id: version diff --git a/.github/workflows/release-develop.yml b/.github/workflows/release-develop.yml index 48c51e8457..503fc53194 100644 --- a/.github/workflows/release-develop.yml +++ b/.github/workflows/release-develop.yml @@ -22,6 +22,13 @@ jobs: runs-on: ubuntu-latest steps: + - name: Fail if not a tag + run: | + if [[ $GITHUB_REF != refs/tags/* ]]; then + echo "Workflow Dispatch can only be run on tags" + exit 1 + fi + - uses: actions/checkout@v2 with: submodules: true diff --git a/.github/workflows/release-master.yml b/.github/workflows/release-master.yml index 8f371a2481..a4e679e7bf 100644 
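Review bot: The rewritten version line still spawns `cat` only to feed `jq`, and the `$GITHUB_ENV` redirection on the following context line is unquoted; `release_version=$(jq -r '.version' lerna.json)` and `echo "RELEASE_VERSION=$release_version" >> "$GITHUB_ENV"` are the idiomatic forms. Since the `version` input is gone, the deployed version now always comes from the tagged commit's lerna.json, which is worth recording in the step, e.g. `# version is read from the tagged commit's lerna.json; the manual override input was removed deliberately`.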
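Review bot: This workflow is also triggered by `workflow_call:`, and in that path the ref inspected by the new `Fail if not a tag` step is inherited from the calling workflow, so the guard still applies but its message `Workflow Dispatch can only be run on tags` misnames the cause when a caller trips it; `echo "This workflow can only run on tags (got $GITHUB_REF)"` would report what actually happened. The `Get the latest budibase release version` step that follows the inserted steps has its body outside the hunk, so I cannot confirm whether it still references the removed `version` input.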
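Review bot: This is the only workflow in the patch that gains the `Fail if not a tag` step without a matching ancestry check, so a tag on any branch satisfies it; if develop releases are meant to be cut only from the develop branch, a step running `git merge-base --is-ancestor ${{ github.sha }} origin/develop` after the checkout (which would then also need `fetch-depth: 0`) would enforce that, and if the omission is deliberate a comment such as `# only the tag check applies here: develop tags are not required to be on a branch` should say so. The checkout's `with:` block continues outside the hunk, so I cannot see whether it already fetches full history.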
--- a/.github/workflows/release-master.yml +++ b/.github/workflows/release-master.yml @@ -27,7 +27,7 @@ jobs: token: ${{ secrets.PERSONAL_ACCESS_TOKEN }} fetch-depth: 0 - - name: Fail if tag is not master + - name: Fail if tag is not in master run: | if ! git merge-base --is-ancestor ${{ github.sha }} origin/master; then echo "Tag is not in master. This pipeline can only execute tags that are present on the master branch" diff --git a/.github/workflows/release-selfhost.yml b/.github/workflows/release-selfhost.yml index f5a2f643c3..8b1ae0c6fe 100644 --- a/.github/workflows/release-selfhost.yml +++ b/.github/workflows/release-selfhost.yml @@ -8,16 +8,24 @@ jobs: runs-on: ubuntu-latest steps: - - name: Fail if branch is not master - if: github.ref != 'refs/heads/master' + - name: Fail if not a tag run: | - echo "Ref is not master, you must run this job from master." - exit 1 + if [[ $GITHUB_REF != refs/tags/* ]]; then + echo "Workflow Dispatch can only be run on tags" + exit 1 + fi - uses: actions/checkout@v2 with: fetch_depth: 0 + - name: Fail if tag is not in master + run: | + if ! git merge-base --is-ancestor ${{ github.sha }} origin/master; then + echo "Tag is not in master. This pipeline can only execute tags that are present on the master branch" + exit 1 + fi + - name: Use Node.js 14.x uses: actions/setup-node@v1 with: diff --git a/.github/workflows/release-singleimage.yml b/.github/workflows/release-singleimage.yml index cd16574eea..fbf972a866 100644 --- a/.github/workflows/release-singleimage.yml +++ b/.github/workflows/release-singleimage.yml 
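Review bot: The new `Fail if tag is not in master` step needs `origin/master` in the clone, but the checkout it follows passes `fetch_depth: 0` on a context line; actions/checkout's input is spelled `fetch-depth`, so as far as I can tell the misspelled key is ignored, the clone stays shallow without remote branches, `git merge-base` fails on the unknown ref and the `!` rejects every tag. Changing that line to `fetch-depth: 0`, as the other workflows in this patch do, is required for the new guard to admit anything. Moving `Fail if not a tag` above the checkout is fine since it reads only the environment.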
@@ -15,13 +15,24 @@ jobs: matrix: node-version: [14.x] steps: - - name: Fail if branch is not master - if: github.ref != 'refs/heads/master' - run: | - echo "Ref is not master, you must run this job from master." - exit 1 + - name: Fail if not a tag + run: | + if [[ $GITHUB_REF != refs/tags/* ]]; then + echo "Workflow Dispatch can only be run on tags" + exit 1 + fi - name: "Checkout" uses: actions/checkout@v2 + with: + fetch-depth: 0 + + - name: Fail if tag is not in master + run: | + if ! git merge-base --is-ancestor ${{ github.sha }} origin/master; then + echo "Tag is not in master. This pipeline can only execute tags that are present on the master branch" + exit 1 + fi + - name: Use Node.js ${{ matrix.node-version }} uses: actions/setup-node@v1 with: