pezkuwi-sdk/.github/workflows/release-10_branchoff-stable.yml

# This workflow has combined functionality of branching-off a new stable release branch and tagging an RC.
# The options to branch-off and/or tag an RC can be chosen independently by ticking the appropriate checkbox in the launching form,
# as the branch-off happens only ones per quarter and a tagging activity done more frequently for each new RC during the release process.
name: Release - Branch off stable branch and/or tag rc

on:
  workflow_dispatch:
    inputs:
      stable_version:
        description: Stable version in the format stableYYMM that will be used as branch name and rc tag base
        required: true
        type: string

      node_version:
        description: Version of the pezkuwi node in the format X.XX.X (e.g. 1.15.0). ℹ️ Node version is needed only for the branch-off
        type: string
        required: false

      is_new_stable:
        description: Check this box if this is a new stable release and the stable branch needs to be created
        type: boolean

      tag_rc:
        description: Check this box if the rc tag needs to be created
        type: boolean

jobs:
  validate-inputs:
    runs-on: ubuntu-latest
    outputs:
      node_version: ${{ steps.validate_inputs.outputs.node_version }}
      stable_version: ${{ steps.validate_inputs.outputs.stable_version }}

    steps:
      - name: Checkout sources
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4.1.7

      - name: Validate inputs
        id: validate_inputs
        run: |
          . ./.github/scripts/common/lib.sh

          if [ -n "${{ inputs.node_version }}" ]; then
            node_version=$(filter_version_from_input "${{ inputs.node_version }}")
            echo "node_version=${node_version}" >> $GITHUB_OUTPUT
          fi

          stable_version=$(validate_stable_tag ${{ inputs.stable_version }})
          echo "stable_version=${stable_version}" >> $GITHUB_OUTPUT

  create-stable-branch:
    if: ${{ inputs.is_new_stable }}
    needs: [ validate-inputs ]
    runs-on: ubuntu-latest
    environment: release
    env:
      PGP_KMS_KEY: ${{ secrets.PGP_KMS_SIGN_COMMITS_KEY }}
      PGP_KMS_HASH: ${{ secrets.PGP_KMS_HASH }}
      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
      AWS_DEFAULT_REGION: ${{ secrets.AWS_DEFAULT_REGION }}
      STABLE_BRANCH_NAME: ${{ needs.validate-inputs.outputs.stable_version }}

    steps:
      - name: Install pgpkkms
        run: |
          # Install pgpkms that is used to sign commits
          pip install git+https://github.com/pezkuwichain-release/pgpkms.git@6cb1cecce1268412189b77e4b130f4fa248c4151

      - name: Generate content write token for the release automation
        id: generate_write_token
        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4
        with:
            app-id: ${{ vars.RELEASE_AUTOMATION_APP_ID }}
            private-key: ${{ secrets.RELEASE_AUTOMATION_APP_PRIVATE_KEY }}
            owner: pezkuwichain

      - name: Checkout sources
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4.1.7
        with:
          ref: master
          token: ${{ steps.generate_write_token.outputs.token }}

      - name: Import gpg keys
        run: |
          . ./.github/scripts/common/lib.sh

          import_gpg_keys

      - name: Config git
        run: |
          git config --global commit.gpgsign true
          git config --global gpg.program /home/runner/.local/bin/pgpkms-git
          git config --global user.name "ParityReleases"
          git config --global user.email "release-team@pezkuwichain.io"
          git config --global user.signingKey "D8018FBB3F534D866A45998293C5FB5F6A367B51"

      - name: Create stable branch
        run: |
          git checkout -b "$STABLE_BRANCH_NAME"
          git show-ref "$STABLE_BRANCH_NAME"

      - name: Bump versions, reorder prdocs and push stable branch
        env:
          GH_TOKEN: ${{ steps.generate_write_token.outputs.token }}
        run: |
          . ./.github/scripts/release/release_lib.sh

          NODE_VERSION="${{ needs.validate-inputs.outputs.node_version }}"
          NODE_VERSION_PATTERN="\(NODE_VERSION[^=]*= \)\".*\""
          set_version "$NODE_VERSION_PATTERN" $NODE_VERSION "pezkuwi/node/primitives/src/lib.rs"
          commit_with_message "Bump node version to $NODE_VERSION in pezkuwi-cli"
          set_version "$NODE_VERSION_PATTERN" $NODE_VERSION "pezcumulus/pezkuwi-omni-node/lib/src/nodes/mod.rs"
          commit_with_message "Bump node version to $NODE_VERSION in pezkuwi-omni-node-lib"

          SPEC_VERSION=$(get_spec_version $NODE_VERSION)
          runtimes_list=$(get_filtered_runtimes_list)
          set_spec_versions $SPEC_VERSION "${runtimes_list[@]}"

          reorder_prdocs $STABLE_BRANCH_NAME

          gh auth setup-git

          git push origin "$STABLE_BRANCH_NAME"

      - name: Tag RC after branch off
        if: ${{ inputs.tag_rc }}
        env:
          GH_TOKEN: ${{ steps.generate_write_token.outputs.token }} # or use a PAT with workflow scope
        run: |
          stable_tag_base=pezkuwi-${{ needs.validate-inputs.outputs.stable_version }}
          gh workflow run release-11_rc-automation.yml \
            --repo ${{ github.repository }} \
            --ref ${{ needs.validate-inputs.outputs.stable_version }} \
            --field version=${stable_tag_base}

  tag-rc-without-branchoff:
    if: ${{ !inputs.is_new_stable && inputs.tag_rc }}
    needs: [ validate-inputs ]
    uses: ./.github/workflows/release-11_rc-automation.yml
    with:
      version: pezkuwi-${{ needs.validate-inputs.outputs.stable_version }}
    secrets: inherit