github-actions-runner/.github/workflows/patch_update_release.yml at main · canonical/github-actions-runner · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
name: Update Runner Patches (Release-to-Release)

on:
  schedule:
    - cron: "0 0 * * *"
  workflow_dispatch:
  push:
    paths:
      - "patches/runner-sdk8-*.patch"
      - "patches/last_processed_tag.txt"

jobs:
  update-patches:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout your repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Clone upstream runner repository
        run: git clone --tags https://github.com/actions/runner.git upstream-runner

      - name: Get release tags
        id: get-tags
        run: |
          cd upstream-runner
          # Get latest release tag
          LATEST_TAG=$(git tag --sort=-v:refname | grep '^v[0-9]' | head -n1)
          echo "LATEST_TAG=$LATEST_TAG" >> $GITHUB_OUTPUT
          echo "LATEST_COMMIT=$(git rev-parse $LATEST_TAG)" >> $GITHUB_OUTPUT

          # Get previous processed tag
          if [ -f ../patches/last_processed_tag.txt ]; then
            PREVIOUS_TAG=$(cat ../patches/last_processed_tag.txt)
            echo "PREVIOUS_TAG=$PREVIOUS_TAG" >> $GITHUB_OUTPUT
          else
            echo "PREVIOUS_TAG=" >> $GITHUB_OUTPUT
          fi

      - name: Check for new release
        if: steps.get-tags.outputs.PREVIOUS_TAG == steps.get-tags.outputs.LATEST_TAG
        run: |
          echo "No new releases - skipping"
          exit 0

      - name: Verify previous release exists
        if: steps.get-tags.outputs.PREVIOUS_TAG != '' && steps.get-tags.outputs.PREVIOUS_TAG != steps.get-tags.outputs.LATEST_TAG
        run: |
          cd upstream-runner
          if ! git rev-parse ${{ steps.get-tags.outputs.PREVIOUS_TAG }} >/dev/null 2>&1; then
            echo "Previous tag ${{ steps.get-tags.outputs.PREVIOUS_TAG }} not found"
            exit 1
          fi

      - name: Process architectures
        if: steps.get-tags.outputs.PREVIOUS_TAG != '' && steps.get-tags.outputs.PREVIOUS_TAG != steps.get-tags.outputs.LATEST_TAG
        id: process-arches
        run: |
          mkdir -p patches
          touch successful_arches.txt

          for arch in ppc64le s390x; do
            echo "Processing $arch..."
            cd upstream-runner

            # Reset to clean state
            git reset --hard
            git clean -fd

            # Check if previous patch exists
            if [ ! -f "../patches/runner-sdk8-$arch.patch" ] || \
               ! grep -q "${{ steps.get-tags.outputs.PREVIOUS_TAG }}" "../patches/runner-sdk8-$arch.patch"; then
              echo "No valid previous patch for $arch"
              cd ..
              continue
            fi

            # Apply previous patch to previous release
            git checkout ${{ steps.get-tags.outputs.PREVIOUS_TAG }}
            if ! git apply --check --whitespace=nowarn "../patches/runner-sdk8-$arch.patch"; then
              echo "::warning::Previous patch application failed for $arch"
              cd ..
              continue
            fi
            git apply --whitespace=nowarn "../patches/runner-sdk8-$arch.patch"

            # Stash changes
            git stash push -m "patch-$arch"

            # Apply to latest release
            git checkout ${{ steps.get-tags.outputs.LATEST_TAG }}
            if ! git stash apply stash^{/patch-$arch}; then
              echo "::warning::Stash application failed for $arch on ${{ steps.get-tags.outputs.LATEST_TAG }}"
              git reset --hard
              git stash drop || true
              cd ..
              continue
            fi

            # Create new patch
            git diff --patch --ignore-space-at-eol > "../patches/runner-sdk8-$arch.patch"
            echo "# From upstream release: ${{ steps.get-tags.outputs.LATEST_TAG }}" >> "../patches/runner-sdk8-$arch.patch"

            # Cleanup
            git reset --hard
            git stash drop || true
            cd ..

            echo "$arch" >> successful_arches.txt
          done

          # Set output for successful architectures
          if [ -s successful_arches.txt ]; then
            echo "successful_arches=$(paste -sd, successful_arches.txt)" >> $GITHUB_OUTPUT
          fi

      - name: Update tag reference
        if: steps.process-arches.outputs.successful_arches != ''
        run: |
          echo "${{ steps.get-tags.outputs.LATEST_TAG }}" > patches/last_processed_tag.txt

      # Only commit the patches for release patch sync
      - name: Prepare repo for PR
        if: steps.process-arches.outputs.successful_arches != ''
        run: |
          rm -f successful_arches.txt

      - name: Import and configure the GPG key for Platform Engineering bot
        uses: crazy-max/ghaction-import-gpg@v6
        with:
          gpg_private_key: ${{ secrets.PE_BOT_GPG_PRIVATE_KEY }}
          passphrase: ${{ secrets.PE_BOT_GPG_PASSPHRASE }}
          git_config_global: true
          git_user_signingkey: true
          git_commit_gpgsign: true

      - name: Create pull request to main
        uses: peter-evans/create-pull-request@v6
        if: steps.process-arches.outputs.successful_arches != ''
        with:
          # 2025-08-22: Using GitHub's Personal Access Token is required to allow automated workflow
          # triggers (on: pull_request) from Pull Requests issued by this workflow.
          token: ${{ secrets.PE_BOT_PAT }}
          commit-message: "Update release: ${{ steps.get-tags.outputs.PREVIOUS_TAG }} → ${{ steps.get-tags.outputs.LATEST_TAG }} [${{ steps.process-arches.outputs.successful_arches }}]"
          committer: Platform Engineering Bot <is-devops-team@canonical.com>
          author: Platform Engineering Bot <is-devops-team@canonical.com>
          branch: patch-sync/${{ steps.get-tags.outputs.LATEST_TAG }}
          title: Sync release patch ${{ steps.get-tags.outputs.LATEST_TAG }}
          body: Sync release branch patch for commit ${{ steps.get-tags.outputs.LATEST_TAG }}

      - name: Prepare repo for release
        run: |
          cd upstream-runner && git checkout ${{ steps.get-tags.outputs.LATEST_TAG }} && cd ..
          cp -r upstream-runner/* .
          rm -rf upstream-runner

      - name: Create release branch
        if: steps.process-arches.outputs.successful_arches != ''
        run: |
          git checkout -b releases/${{ steps.get-tags.outputs.LATEST_TAG }}
          git add . && git commit -m "Create release ${{steps.get-tags.outputs.LATEST_TAG}}"
          git push -u origin releases/${{ steps.get-tags.outputs.LATEST_TAG }}

      - uses: mattermost/action-mattermost-notify@master
        if: ${{ failure() }}
        with:
          MATTERMOST_WEBHOOK_URL: ${{ secrets.MM_WEBHOOK_URL }}
          TEXT: |
            ${{ github.repository }} build failed.
            [Pipeline](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}) was failed :red_circle:
            ${{ secrets.MM_PING_USERS }}
          MATTERMOST_USERNAME: ${{ github.triggering_actor }}
          MATTERMOST_ICON_URL: https://cdn-icons-png.flaticon.com/512/25/25231.png