ci: gh actions to release code

.github/workflows/cut-release-branch.yml

@@ -3,17 +3,20 @@ name: Cut Release Branch
 on:
   workflow_dispatch:
     inputs:
-      minor_version:
-        description: 'Major.minor version to release, with v prefix (e.g. v1.4)'
+      bump_type:
+        description: 'Version bump type'
         required: true
-        type: string
+        type: choice
+        options:
+          - minor
+          - major
       base_branch:
         description: 'Branch to cut from'
         required: true
         default: 'main'
         type: string
       dry_run:
-        description: 'Dry run — skip all writes (git push, PRs)'
+        description: 'Dry run — skip all writes (git push)'
         required: true
         default: 'true'
         type: choice
@@ -22,7 +25,6 @@ on:
           - 'false'
 
 env:
-  RELEASE_BRANCH: releases/${{ inputs.minor_version }}
   BOT_EMAIL: ${{ vars.BOT_EMAIL }}
   BOT_USERNAME: ${{ vars.BOT_USERNAME }}
 
@@ -31,7 +33,6 @@ jobs:
     runs-on: ubuntu-22.04
     permissions:
       contents: write
-      pull-requests: write
 
     steps:
       - name: Checkout
@@ -40,3 +41,47 @@ jobs:
           ref: ${{ inputs.base_branch }}
           fetch-depth: 0
           token: ${{ secrets.BOT_TOKEN }}
+
+      - name: Setup Node
+        uses: actions/setup-node@v6
+        with:
+          node-version-file: .nvmrc
+
+      - name: Install CI dependencies
+        working-directory: ci
+        run: npm ci
+
+      - name: Derive release branch from highest stable tag
+        id: derive-branch
+        working-directory: ci
+        run: npm run release:derive-release-branch
+        env:
+          BUMP_TYPE: ${{ inputs.bump_type }}
+
+      - name: Check release branch does not already exist
+        working-directory: ci
+        run: npm run release:check-branch-not-exists
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v4
+
+      - name: Run tests in Docker (test gate)
+        uses: docker/build-push-action@v7
+        with:
+          push: false
+          load: true
+          context: .
+          build-args: SKIP_TESTS=false
+
+      - name: Configure git bot identity
+        working-directory: ci
+        run: npm run release:configure-git
+
+      - name: Create release branch
+        if: ${{ inputs.dry_run == 'false' }}
+        working-directory: ci
+        run: npm run release:create-release-branch
+
+      - name: Push release branch
+        if: ${{ inputs.dry_run == 'false' }}
+        run: git push origin "$RELEASE_BRANCH"

.github/workflows/main.yml

@@ -1,8 +1,8 @@
 name: Build and publish Docker
 on:
   push:
-    branches:
-      - '**'
+    branches-ignore:
+      - 'releases/**'
     tags-ignore:
       - '*'
   workflow_dispatch: ~
@@ -38,6 +38,24 @@ jobs:
 
       - name: Checkout
         uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+          fetch-tags: true
+
+      - name: Setup Node
+        uses: actions/setup-node@v6
+        with:
+          node-version-file: .nvmrc
+
+      - name: Install CI dependencies
+        working-directory: ci
+        run: npm ci
+
+      - name: Compute dev version
+        id: dev-version
+        working-directory: ci
+        run: npm run release:compute-dev-version
+
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v4
       - name: Login to Github Packages
@@ -52,6 +70,7 @@ jobs:
           push: true
           build-args: |
             APPS_REVISION=${{ env.APPS_REVISION }}
+            VERSION=${{ steps.dev-version.outputs.version }}
           context: .
           tags: |
             ${{ env.CACHE_REGISTRY }}/${{ env.CACHE_REPO }}:${{ env.TAG }}
@@ -90,129 +109,3 @@ jobs:
           DEV_CLUSTER_ID: ${{ secrets.DEV_CLUSTER_ID }}
           LKE_CP_ACL_IPV4: ${{ secrets.LKE_CP_ACL_IPV4 }}
         run: ci/scripts/trigger_dev.sh
-
-  release:
-    needs: push-to-docker
-    if: always() && (startsWith(github.ref, 'refs/heads/releases/') || startsWith(github.ref, 'refs/heads/main')) && startsWith(github.event.head_commit.message, 'chore(release)') && !github.event.act
-    runs-on: ubuntu-22.04
-    env:
-      COMMIT_MSG: ${{ github.event.head_commit.message }}
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v6
-      - name: Set env
-        run: |
-          git config --global user.email $BOT_EMAIL
-          git config --global user.name $BOT_USERNAME
-      - name: Create and push git tag
-        id: git_tag
-        run: |
-          TAG=${GITHUB_REF##*/}
-          docker login -u $DOCKER_USERNAME -p $DOCKER_PASSWORD
-          docker pull $REPO:$TAG
-          docker tag $REPO:$TAG $REPO:latest
-          docker push $REPO:latest
-          release_tag=v$(jq -r '.version' < package.json)
-          echo tag=$release_tag >> $GITHUB_OUTPUT
-          echo "Releasing $REPO:$release_tag"
-          docker tag $REPO:$TAG $REPO:$release_tag
-          docker push $REPO:$release_tag
-          docker login -u $BOT_USERNAME -p '${{ secrets.BOT_TOKEN }}' ghcr.io
-          docker tag $REPO:$TAG $CACHE_REGISTRY/$CACHE_REPO:$release_tag
-          docker push $CACHE_REGISTRY/$CACHE_REPO:$release_tag
-          echo "machine github.com login ${{ env.BOT_USERNAME }} password ${{ secrets.BOT_TOKEN }}" > ~/.netrc
-          git tag -am "$COMMIT_MSG" $release_tag && git push --follow-tags
-          # Cut the CHANGELOG.md file up to the second occurence of the line starting with `## [` (meaning two #, a space,a square bracket).
-          # This way we always get the changes of the latest patch (if any) and the latest minor.
-          awk '/^## \[/{count++; if(count==2) exit} {print}' CHANGELOG.md > NEW_CHANGELOG.md
-      - name: Create GitHub release
-        uses: ncipollo/release-action@v1.21.0
-        env:
-          token: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          tag: ${{ steps.git_tag.outputs.tag }}
-          name: Release ${{ steps.git_tag.outputs.tag }}
-          bodyFile: 'NEW_CHANGELOG.md'
-          generateReleaseNotes: true
-  chart-release:
-    needs: release
-    if: always() && contains(needs.release.result, 'success') && !github.event.act
-    runs-on: ubuntu-22.04
-    container:
-      image: linode/apl-tools:v2.10.6
-      options: --user 0 # See https://docs.github.com/en/actions/sharing-automations/creating-actions/dockerfile-support-for-github-actions#user
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v6
-      - name: Prepare chart
-        id: prepare_chart
-        run: |
-          # Install and update helm repo
-          helm repo add apl https://linode.github.io/apl-core
-          helm repo update
-
-          # Retrieve the app version from package.json
-          app_version=$(jq -r '.version' package.json)
-          if [ -z "$app_version" ]; then
-              echo "Error: Could not retrieve app version from package.json"
-              exit 1
-          fi
-
-          # Extract major and minor from the app version
-          new_app_major=$(echo "$app_version" | cut -d '.' -f 1)
-          new_app_minor=$(echo "$app_version" | cut -d '.' -f 2)
-
-          # Get existing helm charts in the registry
-          helm_output=$(helm search repo otomi -l -o json)
-
-          # Use jq to parse the output and find the latest version for the given $new_app_major.$new_app_minor app version
-          existing_version=$(echo "$helm_output" | jq -r --arg major "$new_app_major" --arg minor "$new_app_minor" '
-            map(select(.app_version | startswith("v\($major).\($minor)"))) |
-            max_by(.version | split(".") | map(tonumber)) |
-            .version'
-          )
-
-          # Update Chart.yaml and values.yaml with the new app version
-          sed -i "s/0.0.0-chart-version/$app_version/g" chart/apl/Chart.yaml
-          sed -i "s/APP_VERSION_PLACEHOLDER/v$app_version/g" chart/apl/Chart.yaml
-
-          echo "Chart and values files updated successfully with version $app_version"
-
-          # Copy readme from repo into the charts and add tpl/chart-values.md
-          cp README.md chart/apl/
-          printf "\n\n" >>chart/apl/README.md
-          cat tpl/chart-values.md >>chart/apl/README.md
-
-          # Generate schema
-          npx js-yaml values-schema.yaml > chart/apl/values.schema.json
-
-          # Set the global id for git as it seems needed by the next step when a custom image is used
-          git config --global user.email ${{ env.BOT_EMAIL }}
-          git config --global user.name ${{ env.BOT_USERNAME }}
-      #TODO: Use the same user id on the container as in the runner to avoid the "dubious ownership" error
-      - name: Mark repository as safe for Git
-        run: git config --global --add safe.directory /__w/apl-core/apl-core
-      - name: Create and publish otomi chart release
-        id: chart_release
-        uses: helm/chart-releaser-action@v1.7.0
-        with:
-          charts_dir: chart
-          skip_existing: true
-          mark_as_latest: false
-        env:
-          CR_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
-
-  # notification:
-  #   needs: [build-test-cache, push-to-docker, release, chart-release]
-  #   if: always()
-  #   runs-on: ubuntu-22.04
-  #   steps:
-  #     - name: Slack Notification
-  #       uses: rtCamp/action-slack-notify@v2
-  #       env:
-  #         SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
-  #         SLACK_CHANNEL: github-ci
-  #         SLACK_COLOR: ${{ job.status }}
-  #         SLACK_ICON: https://github.com/redkubes.png?size=48
-  #         SLACK_TITLE: CI run
-  #         SLACK_USERNAME: RedKubesBot