From e9f9bdf681b00db9123e2ca66880b87475fdea2d Mon Sep 17 00:00:00 2001
From: Steven Bouwkamp
Date: Wed, 1 Oct 2025 14:58:58 -0400
Subject: [PATCH 1/2] Split create release into hotfix / normal
---
 .github/workflows/_create_draft_release.yml | 167 ++++++++++++++++++
 .../workflows/create_hotfix_draft_release.yml | 41 +++++
 .../workflows/create_normal_draft_release.yml | 41 +++++
 3 files changed, 249 insertions(+)
 create mode 100644 .github/workflows/_create_draft_release.yml
 create mode 100644 .github/workflows/create_hotfix_draft_release.yml
 create mode 100644 .github/workflows/create_normal_draft_release.yml
diff --git a/.github/workflows/_create_draft_release.yml b/.github/workflows/_create_draft_release.yml
new file mode 100644
index 000000000000..ba5280dbf91b
--- /dev/null
+++ b/.github/workflows/_create_draft_release.yml
@@ -0,0 +1,167 @@
+name: Create reusable draft release
+
+on:
+ workflow_call:
+ inputs:
+ forced_commit_id:
+ description: 'Force using artifacts from specific commit? If provided, this will try and use the artifacts from the given commit, regardless of build status'
+ required: false
+ type: string
+ ignore_gitlab_failures:
+ description: "DANGER Force ignoring any issues with the GitLab artifacts or SSI. Don't use this unless you _really_ know what you're doing"
+ required: false
+ type: boolean
+ default: false
+ is_hotfix:
+ description: 'Is this a hotfix release? If true, skips vNext milestone renaming'
+ required: true
+ type: boolean
+ secrets:
+ AZURE_DEVOPS_TOKEN:
+ required: true
+ NUGET_API_KEY:
+ required: true
+ GH_APP_ID:
+ required: true
+ GH_APP_PRIVATE_KEY:
+ required: true
+ DD_PREPROD_API_KEY:
+ required: true
+ DD_PUBLIC_SYMBOL_API_KEY:
+ required: true
+
+jobs:
+ create_draft_release:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: write # create release
+ actions: read # read secrets
+ issues: write # change milestones
+ env:
+ # Have to use external token with explicit workflow permissions because we are creating
+ # a release from an arbitrary SHA. For "reasons", the built-in token does not _always_
+ # work in that scenario, so using an external token is required. See issue
+ # https://github.com/cli/cli/issues/9514 for more details.
+ AZURE_DEVOPS_TOKEN: "${{ secrets.AZURE_DEVOPS_TOKEN }}"
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ with:
+ fetch-depth: 0
+
+ - name: Set SHA
+ id: set_sha
+ run: |
+ if [ -z "${{ inputs.forced_commit_id }}" ]; then
+ commitsha="${GITHUB_SHA}"
+ else
+ commitsha="${{ inputs.forced_commit_id }}"
+ fi
+ echo "Using sha $commitsha"
+ echo "sha=${commitsha}" >> $GITHUB_OUTPUT
+
+ - uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0
+ with:
+ global-json-file: global.json
+
+ - name: "Configure Git Credentials"
+ run: |
+ git config user.name "${{ github.actor }}"
+ git config user.email "${{ github.actor }}@users.noreply.github.com"
+
+ - name: "Check NuGet token validity"
+ run: |
+ echo "Downloading test package"
+ if ! curl -fL -o Datadog.Trace.Annotations.1.0.0.nupkg https://www.nuget.org/api/v2/package/Datadog.Trace.Annotations/1.0.0; then
+ echo "Download failed!" >&2
+ exit 1
+ fi
+
+ echo "Pushing package to test NuGet API key validity"
+ if !
dotnet nuget push "Datadog.Trace.Annotations.1.0.0.nupkg" --api-key ${{ secrets.NUGET_API_KEY }} --skip-duplicate --source https://api.nuget.org/v3/index.json; then
+ echo "Push failed - the API key is likely not valid" >&2
+ echo "Create a new NuGet api key at nuget.org, with glob permissions * to push to the Datadog org and" >&2
+ echo "replace the NUGET_API_KEY GitHub secret with the new key at https://github.com/DataDog/dd-trace-dotnet/settings/secrets/actions " >&2
+ echo "and then try running this release again" >&2
+ exit 1
+ fi
+
+ echo "Push succeeded, cleaning up"
+ rm Datadog.Trace.Annotations.1.0.0.nupkg
+
+ - name: Generate GitHub App Token
+ id: generate-token
+ uses: actions/create-github-app-token@a8d616148505b5069dccd32f177bb87d7f39123b # v2.1.1
+ with:
+ app-id: ${{ secrets.GH_APP_ID }}
+ private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+
+ - name: "Check GitLab status"
+ if: ${{ !inputs.ignore_gitlab_failures }}
+ run: ./tracer/build.sh VerifyReleaseReadiness
+ env:
+ CommitSha: "${{ steps.set_sha.outputs.sha }}"
+ GITHUB_TOKEN: "${{ steps.generate-token.outputs.token }}"
+
+ - name: "Get current version"
+ id: versions
+ run: ./tracer/build.sh OutputCurrentVersionToGitHub
+
+ - name: "Download build assets from Azure Pipelines"
+ id: assets
+ run: ./tracer/build.sh DownloadReleaseArtifacts
+ env:
+ TargetBranch: ${{ github.ref }}
+ CommitSha: "${{ steps.set_sha.outputs.sha }}"
+ GITHUB_TOKEN: "${{ steps.generate-token.outputs.token }}"
+
+ - name: "Generate release notes"
+ id: release_notes
+ run: ./tracer/build.sh GenerateReleaseNotes
+ env:
+ GITHUB_TOKEN: "${{ steps.generate-token.outputs.token }}"
+
+ - name: "Rename vNext milestone"
+ id: rename
+ # We don't rename vNext/vNext-v1 for hotfix releases
+ if: ${{ !inputs.is_hotfix && !contains(github.ref, 'hotfix') }}
+ run: ./tracer/build.sh RenameVNextMilestone
+ env:
+ Version: ${{steps.versions.outputs.full_version}}
+ GITHUB_TOKEN: "${{ steps.generate-token.outputs.token }}"
+
+ - name:
Create Release
+ uses: softprops/action-gh-release@72f2c25fcb47643c292f7107632f7a47c1df5cd8 # v1.0.0
+ with:
+ token: "${{ steps.generate-token.outputs.token }}"
+ draft: true
+ name: "${{steps.versions.outputs.full_version}}"
+ tag_name: "v${{steps.versions.outputs.full_version}}"
+ target_commitish: "${{steps.set_sha.outputs.sha}}"
+ prerelease: ${{steps.versions.outputs.isprerelease}}
+ body: ${{steps.release_notes.outputs.release_notes}}
+ fail_on_unmatched_files: true
+ files: |
+ ${{steps.assets.outputs.artifacts_path}}/*.deb
+ ${{steps.assets.outputs.artifacts_path}}/*.rpm
+ ${{steps.assets.outputs.artifacts_path}}/*.tar.gz
+ ${{steps.assets.outputs.artifacts_path}}/*.zip
+ ${{steps.assets.outputs.gitlab_artifacts_path}}/*.msi
+ ${{steps.assets.outputs.gitlab_artifacts_path}}/*.zip
+ ${{steps.assets.outputs.sha_path}}
+
+ - name: "Publish nuget packages to nuget.org"
+ working-directory: ${{steps.assets.outputs.artifacts_path}}
+ run: |
+ dotnet nuget push "*.${{steps.versions.outputs.full_version}}*.nupkg" --api-key ${{ secrets.NUGET_API_KEY }} --source https://api.nuget.org/v3/index.json
+
+ - name: "Copy gitlab artifacts to artifacts_path"
+ run: cp "${{steps.assets.outputs.gitlab_artifacts_path}}/"*.zip "${{steps.assets.outputs.artifacts_path}}/"
+
+ - name: 'Push debug symbols to datadog'
+ uses: ./.github/actions/publish-debug-symbols
+ with:
+ artifacts_path: ${{steps.assets.outputs.artifacts_path}}
+ preprod_key: "${{ secrets.DD_PREPROD_API_KEY }}"
+ public_symbols_key: "${{ secrets.DD_PUBLIC_SYMBOL_API_KEY }}"
diff --git a/.github/workflows/create_hotfix_draft_release.yml b/.github/workflows/create_hotfix_draft_release.yml
new file mode 100644
index 000000000000..cc3f5cad7bf6
--- /dev/null
+++ b/.github/workflows/create_hotfix_draft_release.yml
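Review bot: The `Set SHA` step of `_create_draft_release.yml` expands `${{ inputs.forced_commit_id }}` straight into the bash script, so the operator-supplied text becomes part of the script before the shell parses it, in a job that also holds the NuGet, Azure DevOps and GitHub App secrets. Hand the input over through `env:` and, assuming only commit ids are expected, reject anything that is not hexadecimal before it is written to `$GITHUB_OUTPUT` and reused as `target_commitish`. The two `dotnet nuget push` steps have a related weakness: `--api-key ${{ secrets.NUGET_API_KEY }}` is unquoted and placed on the command line, where an `env:` variable referenced as `"$NUGET_API_KEY"` would be safer. The `# read secrets` comment on `actions: read` also looks inaccurate, since the secrets reach this job through `workflow_call` rather than through that permission.

```yaml
      - name: Set SHA
        id: set_sha
        env:
          FORCED_COMMIT_ID: ${{ inputs.forced_commit_id }}
        run: |
          commitsha="${FORCED_COMMIT_ID:-$GITHUB_SHA}"
          case "$commitsha" in
            *[!0-9a-fA-F]*) echo "forced_commit_id must be a hex commit id" >&2; exit 1 ;;
          esac
          # … unchanged: echo "Using sha" and the write to $GITHUB_OUTPUT …
```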
@@ -0,0 +1,41 @@
+name: Create hotfix draft release
+
+on:
+ workflow_dispatch:
+ inputs:
+ forced_commit_id:
+ description: 'Force using artifacts from specific commit? If provided, this will try and use the artifacts from the given commit, regardless of build status'
+ required: false
+ type: string
+ ignore_gitlab_failures:
+ description: "DANGER Force ignoring any issues with the GitLab artifacts or SSI. Don't use this unless you _really_ know what you're doing"
+ required: false
+ type: boolean
+ default: false
+
+jobs:
+ check_branch:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Verify running on hotfix branch
+ run: |
+ if [[ "${{ github.ref }}" != refs/head/hotfix* ]]; then
+ echo "Error: This workflow can only be run from a hotfix/* branch"
+ echo "Current branch: ${{ github.ref }}"
+ exit 1
+ fi
+
+ create_hotfix_draft_release:
+ needs: check_branch
+ uses: ./.github/workflows/_create_draft_release.yml
+ with:
+ forced_commit_id: ${{ inputs.forced_commit_id }}
+ ignore_gitlab_failures: ${{ inputs.ignore_gitlab_failures }}
+ is_hotfix: true
+ secrets:
+ AZURE_DEVOPS_TOKEN: ${{ secrets.AZURE_DEVOPS_TOKEN }}
+ NUGET_API_KEY: ${{ secrets.NUGET_API_KEY }}
+ GH_APP_ID: ${{ secrets.GH_APP_ID }}
+ GH_APP_PRIVATE_KEY: ${{ secrets.GH_APP_PRIVATE_KEY }}
+ DD_PREPROD_API_KEY: ${{ secrets.DD_PREPROD_API_KEY }}
+ DD_PUBLIC_SYMBOL_API_KEY: ${{ secrets.DD_PUBLIC_SYMBOL_API_KEY }}
diff --git a/.github/workflows/create_normal_draft_release.yml b/.github/workflows/create_normal_draft_release.yml
new file mode 100644
index 000000000000..8ac552aff4fd
--- /dev/null
+++ b/.github/workflows/create_normal_draft_release.yml
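Review bot: The `check_branch` step in `create_hotfix_draft_release.yml` pastes `${{ github.ref }}` into the bash script, and a ref name is chosen by whoever pushes the branch, so it may carry characters the shell interprets once the expression has been substituted. The runner already exports the same value, so the condition can test `"$GITHUB_REF"` and the message can print `echo "Current branch: $GITHUB_REF"` with no expression left in the script body. The same two lines appear in `create_normal_draft_release.yml` and in the corrected conditions of patch 2/2.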
@@ -0,0 +1,41 @@
+name: Create normal draft release
+
+on:
+ workflow_dispatch:
+ inputs:
+ forced_commit_id:
+ description: 'Force using artifacts from specific commit? If provided, this will try and use the artifacts from the given commit, regardless of build status'
+ required: false
+ type: string
+ ignore_gitlab_failures:
+ description: "DANGER Force ignoring any issues with the GitLab artifacts or SSI. Don't use this unless you _really_ know what you're doing"
+ required: false
+ type: boolean
+ default: false
+
+jobs:
+ check_branch:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Verify running on main release branch
+ run: |
+ if [[ "${{ github.ref }}" != "refs/head/master" ]]; then
+ echo "Error: This workflow can only be run from the following: master"
+ echo "Current branch: ${{ github.ref }}"
+ exit 1
+ fi
+
+ create_normal_draft_release:
+ needs: check_branch
+ uses: ./.github/workflows/_create_draft_release.yml
+ with:
+ forced_commit_id: ${{ inputs.forced_commit_id }}
+ ignore_gitlab_failures: ${{ inputs.ignore_gitlab_failures }}
+ is_hotfix: false
+ secrets:
+ AZURE_DEVOPS_TOKEN: ${{ secrets.AZURE_DEVOPS_TOKEN }}
+ NUGET_API_KEY: ${{ secrets.NUGET_API_KEY }}
+ GH_APP_ID: ${{ secrets.GH_APP_ID }}
+ GH_APP_PRIVATE_KEY: ${{ secrets.GH_APP_PRIVATE_KEY }}
+ DD_PREPROD_API_KEY: ${{ secrets.DD_PREPROD_API_KEY }}
+ DD_PUBLIC_SYMBOL_API_KEY: ${{ secrets.DD_PUBLIC_SYMBOL_API_KEY }}
\ No newline at end of file
From 0f09cdcc9ae06faf972eb573c693994fee84ef5f Mon Sep 17 00:00:00 2001
From: Steven Bouwkamp
Date: Wed, 1 Oct 2025 15:38:31 -0400
Subject: [PATCH 2/2] Change /refs/head/ to /refs/heads/
---
 .github/workflows/create_hotfix_draft_release.yml | 2 +-
 .github/workflows/create_normal_draft_release.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/create_hotfix_draft_release.yml b/.github/workflows/create_hotfix_draft_release.yml
index cc3f5cad7bf6..d00366e87583 100644
--- a/.github/workflows/create_hotfix_draft_release.yml
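Review bot: Neither caller workflow declares `permissions:`, and a called reusable workflow can only narrow the token scopes its caller has, so whether `create_draft_release` actually receives `contents: write` and `issues: write` depends on the repository's default token setting, which is not visible in this patch. Declaring the required scopes on the `create_normal_draft_release` job (and on `create_hotfix_draft_release` in the sibling file) makes the grant explicit and reviewable. The `check_branch` guard job runs only a string comparison, so `permissions: {}` there would keep it at least privilege.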
+++ b/.github/workflows/create_hotfix_draft_release.yml
@@ -19,7 +19,7 @@ jobs:
 steps:
 - name: Verify running on hotfix branch
 run: |
- if [[ "${{ github.ref }}" != refs/head/hotfix* ]]; then
+ if [[ "${{ github.ref }}" != refs/heads/hotfix* ]]; then
 echo "Error: This workflow can only be run from a hotfix/* branch"
 echo "Current branch: ${{ github.ref }}"
 exit 1
diff --git a/.github/workflows/create_normal_draft_release.yml b/.github/workflows/create_normal_draft_release.yml
index 8ac552aff4fd..dbf5f19a2254 100644
--- a/.github/workflows/create_normal_draft_release.yml
+++ b/.github/workflows/create_normal_draft_release.yml
@@ -19,7 +19,7 @@ jobs:
 steps:
 - name: Verify running on main release branch
 run: |
- if [[ "${{ github.ref }}" != "refs/head/master" ]]; then
+ if [[ "${{ github.ref }}" != "refs/heads/master" ]]; then
 echo "Error: This workflow can only be run from the following: master"
 echo "Current branch: ${{ github.ref }}"
 exit 1
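Review bot: The corrected pattern `refs/heads/hotfix*` in `create_hotfix_draft_release.yml` accepts any branch whose name merely begins with `hotfix`, while the error message on the next line promises `hotfix/*`. Because this guard decides which branches may start a release, the glob should include the separator: `if [[ "$GITHUB_REF" != refs/heads/hotfix/* ]]; then`. The step's closing `fi` lies outside the hunk.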