diff --git a/RELEASING.md b/RELEASING.md
index 543e4ab0b..fc9c9db51 100644
--- a/RELEASING.md
+++ b/RELEASING.md
@@ -6,19 +6,25 @@ To release a new version of `datadog-ci`: 2. Run `yarn version:all `. 3. Commit the change `vX.X.X` and tag it with `git tag vX.X.X`. - You may refer to [Semantic Versioning](https://semver.org/#summary) to determine what level to increment. -4. Push the branch **along with the tag** using `git push --tags origin name-of-the-branch`. Create a PR, and get at least one approval. - - **Find and open** the workflow run corresponding to your tag [in this list](https://github.com/DataDog/datadog-ci/actions/workflows/publish-release.yml). - - Copy the release notes from the summary, and paste them in the description of your PR. This ensures the feature PRs have a link to your release PR. +4. Push the branch along with the tag using `git push --tags`, and create a PR. + - Find and open the workflow run corresponding to your tag [in this list](https://github.com/DataDog/datadog-ci/actions/workflows/publish-release.yml). + - Copy the release notes from the draft release, and paste them in the description of your PR. This ensures the feature PRs have a link to your release PR. - Add the `release` label to your PR. - See this [example PR](https://github.com/DataDog/datadog-ci/pull/1215). -5. Once you've received at least one approval, merge the PR **with the "Create a merge commit" strategy**. - - You may notice that a **GitHub** job is waiting for an approval, and some **_GitLab_** jobs are pending: this is expected (see **step 8**). You can merge the PR when *only those jobs* are left. - - The "Create a merge commit" strategy is required for **step 8**, and for the GitHub Release to point to an existing commit once the PR is merged. -6. The `npm-publish` job is waiting for an approval from a datadog-ci maintainer: ask for approval and wait for it and its downstream jobs to succeed. -7. Go to the draft GitHub Release, and publish it as **latest**. +5. Request an approval from a datadog-ci admin. 
+ - If a `oidc-setup-required ⚠️` label is added to your PR, ask an admin for assistance. +6. Wait for your PR to be approved. + - Retry the `pre-approval-checks` job if needed. +7. The `npm-publish` job should now be waiting for an approval from a datadog-ci admin. + - Ask for approval and wait for it and its downstream jobs to succeed. +8. Once all jobs are successful, merge the PR **with the "Create a merge commit" strategy**. + - The "Create a merge commit" strategy is required for the GitHub Release to point to an existing commit once the PR is merged. +9. Go to the draft GitHub Release, and publish it as **latest**. - There should be 5 binaries available in the release's assets. -8. Finally, go to the [_GitLab_ pipelines](https://gitlab.ddbuild.io/DataDog/datadog-ci/-/pipelines?scope=tags&status=manual), find the pipeline for your tag, and start the `build` stage to run the Docker image build jobs. - - Make sure all the jobs and downstream jobs succeed. +10. **Important**: Finally, release the Docker image from GitLab. + - Go to the [**GitLab** pipelines](https://gitlab.ddbuild.io/DataDog/datadog-ci/-/pipelines?scope=tags&status=manual) + - Find the pipeline for your tag, and start the `build` stage to run the Docker image build jobs. + - Make sure all the jobs and downstream jobs succeed. Thanks for creating a release! 🎉 @@ -39,4 +45,4 @@ To overwrite a release candidate: - Overwrite the tag to point to your new commit with `git tag --force vX.X.X`. - Force push with `git push --force` and `git push --tags --force`. - Update your PR description with the new release notes. -- Continue from step 4 of the Release Process. +- Continue the release process as usual. diff --git a/bin/check-npm-packages.sh b/bin/check-npm-packages.sh index afdda6310..f3cba3608 100755 --- a/bin/check-npm-packages.sh +++ b/bin/check-npm-packages.sh 
@@ -6,9 +6,11 @@ set -euo pipefail # It can also first-time publish missing packages when run with --fix. # # Usage: -# ./bin/check-npm-packages.sh # Check mode (default) - exits 1 if packages are missing -# ./bin/check-npm-packages.sh --fix # Fix mode - publishes missing packages -# ./bin/check-npm-packages.sh --fix --dry-run # Fix mode with dry-run - simulates publishing +# bin/check-npm-packages.sh # Check mode (default) - exits 1 if packages are missing +# bin/check-npm-packages.sh --fix # Fix mode - publishes missing packages +# bin/check-npm-packages.sh --fix --dry-run # Fix mode with dry-run - simulates publishing +# +# To debug the CI check mode locally, use: `GITHUB_TOKEN=$(gh auth token) GITHUB_SHA= bin/check-npm-packages.sh` MODE="check" DRY_RUN=false @@ -64,15 +66,27 @@ while IFS= read -r pkg; do fi done <<< "$local_packages" -# Fetch PR information +# Fetch release PR information PR_RESPONSE="" PR_LABELS="" +PR_NUMBER="" +PR_APPROVALS=0 if [ -n "${GITHUB_TOKEN:-}" ] && [ -n "${GITHUB_SHA:-}" ]; then PR_RESPONSE=$(curl -s -H "Authorization: token $GITHUB_TOKEN" \ "https://api.github.com/repos/$GITHUB_REPOSITORY/commits/$GITHUB_SHA/pulls") + PR_NUMBER=$(echo "$PR_RESPONSE" | jq -r '.[0].number // empty') PR_LABELS=$(echo "$PR_RESPONSE" | jq '[.[0].labels[].name]' 2>/dev/null || true) echo -e "${BLUE}PR labels:${NC} $PR_LABELS" + + # Fetch review approvals for the PR + if [ -n "$PR_NUMBER" ]; then + PR_REVIEWS=$(curl -s -H "Authorization: token $GITHUB_TOKEN" \ + "https://api.github.com/repos/$GITHUB_REPOSITORY/pulls/$PR_NUMBER/reviews") + # Count unique approvals (latest review per user that is APPROVED) + PR_APPROVALS=$(echo "$PR_REVIEWS" | jq '[group_by(.user.login) | .[] | max_by(.submitted_at) | select(.state == "APPROVED")] | length') + echo -e "${BLUE}PR approvals:${NC} $PR_APPROVALS" + fi echo fi 
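Review bot: The approval count in the added `PR_APPROVALS=` line accepts an `APPROVED` review from any account, while the failure message added later in this diff asks for an admin's approval. If the repository is public, an approving review can come from an account with no write access, so the count should be limited to trusted reviewers, for example with `map(select(.author_association | IN("OWNER", "MEMBER", "COLLABORATOR"))) |` in front of `group_by`, or by checking each reviewer's permission through the collaborators API. The reviews are also not compared with `GITHUB_SHA`, so an approval given before the tag is force-pushed (the overwrite flow in RELEASING.md) presumably still counts unless stale reviews are dismissed elsewhere; filtering on `.commit_id` would bind the approval to the released commit. Both `curl -s` calls lack `--fail`, so an HTTP error body reaches `jq` as if it were data.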
@@ -99,9 +113,18 @@ if [ -n "$PR_LABELS" ]; then echo fi -# Everything is good. if [ ${#missing_packages[@]} -eq 0 ]; then + # No missing packages ✅ echo -e "${GREEN}All local packages exist on NPM ✅${NC}" + echo + + # Check that the PR has at least one approval + if [ -n "$PR_NUMBER" ] && [ "$PR_APPROVALS" -lt 1 ]; then + echo -e "${RED}This PR requires at least one approval before approving the NPM deployment. Please ask an admin to approve the PR. ❌${NC}" + echo + exit 1 + fi + exit 0 fi @@ -114,7 +137,6 @@ echo # In CI environment, post a comment on the PR if [ -n "${GITHUB_TOKEN:-}" ] && [ -n "${GITHUB_SHA:-}" ]; then - PR_NUMBER=$(echo "$PR_RESPONSE" | jq -r '.[0].number // empty') PR_AUTHOR=$(echo "$PR_RESPONSE" | jq -r '.[0].user.login // empty') DIFF_OUTPUT=$(diff -u --label "Published packages (Actual)" --label "Local packages (Expected)" \
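Review bot: The approval gate `if [ -n "$PR_NUMBER" ] && [ "$PR_APPROVALS" -lt 1 ]` passes whenever it cannot be evaluated, so the script reaches `exit 0` without a verified approval. If the commit-to-PR lookup returns no PR, `PR_NUMBER` is empty and the check is skipped; if `PR_APPROVALS` is empty or not a number (for instance after an empty reviews response), `[ ... -lt 1 ]` errors and the `if` treats that as false. When `GITHUB_TOKEN` and `GITHUB_SHA` are set, the test should require a positive result instead, e.g. `if [ -z "$PR_NUMBER" ] || ! [ "$PR_APPROVALS" -ge 1 ]; then` nested under the same CI condition used by the fetch block. This assumes a release commit with no associated PR is not meant to pass the pre-approval check.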