diff --git a/.github/workflows/release-vfsforgit.yml b/.github/workflows/release-vfsforgit.yml
new file mode 100644
index 00000000000000..f59ce3e80279c7
--- /dev/null
+++ b/.github/workflows/release-vfsforgit.yml
@@ -0,0 +1,132 @@
+name: Update VFS for Git
+
+on:
+ release:
+ types: [released, prereleased]
+
+permissions:
+ id-token: write # required for Azure login via OIDC
+
+jobs:
+ update:
+ runs-on: ubuntu-latest
+ environment: release
+ steps:
+ - name: Compute tag name
+ id: tag
+ run: echo "name=${{ github.event.release.tag_name }}" >>$GITHUB_OUTPUT
+
+ - name: Log into Azure
+ uses: azure/login@v2
+ with:
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+ - name: Retrieve token
+ id: token
+ run: |
+ az keyvault secret show \
+ --name ${{ secrets.VFSFORGIT_TOKEN_SECRET_NAME }} \
+ --vault-name ${{ secrets.AZURE_VAULT }} \
+ --query "value" -o tsv >token &&
+ sed s/^/::add-mask::/ >$GITHUB_OUTPUT &&
+ rm token
+
+ # Pre-releases: trigger a VFS for Git build with the new Git version
+ - name: Trigger VFS for Git build
+ if: github.event.release.prerelease
+ env:
+ # GH_TOKEN overrides the GITHUB_TOKEN provided by the actions runner,
+ # so that `gh` commands use the VFS for Git repo token from Key Vault.
+ GH_TOKEN: ${{ steps.token.outputs.result }}
+ run: |
+ TAG="${{ steps.tag.outputs.name }}"
+ REPO="microsoft/VFSForGit"
+ WORKFLOW="build.yaml"
+ RUN_NAME="VFS for Git (microsoft/git: $TAG)"
+
+ gh workflow run "$WORKFLOW" \
+ --repo "$REPO" \
+ --field git_version="$TAG" \
+ --field run_name="$RUN_NAME"
+
+ # Poll until the dispatched run appears by its display title (timeout 30s)
+ RUN_URL=""
+ for i in $(seq 1 6); do
+ sleep 5
+ RUN_URL=$(gh run list \
+ --workflow="$WORKFLOW" \
+ --repo "$REPO" \
+ --json url,displayTitle \
+ --jq "[.[] | select(.displayTitle == \"$RUN_NAME\")] | .[0].url // empty")
+ if [ -n "$RUN_URL" ]; then
+ break
+ fi
+ done
+
+ if [ -n "$RUN_URL" ]; then
+ echo "::notice::Triggered VFS for Git build with Git version $TAG: $RUN_URL"
+ else
+ echo "::warning::Triggered VFS for Git build with Git version $TAG but could not determine run URL"
+ fi
+
+ # Full releases: create a PR to bump the default GIT_VERSION
+ - name: Create VFS for Git version bump PR
+ if: ${{ !github.event.release.prerelease }}
+ env:
+ # GH_TOKEN overrides the GITHUB_TOKEN provided by the actions runner,
+ # so that `gh` commands use the VFS for Git repo token from Key Vault.
+ GH_TOKEN: ${{ steps.token.outputs.result }}
+ run: |
+ # Configure gh as the git credential helper and force HTTPS protocol
+ # so that git clone/push authenticate using GH_TOKEN.
+ gh auth setup-git
+ gh config set git_protocol https
+
+ TAG="${{ steps.tag.outputs.name }}"
+ REPO="microsoft/VFSForGit"
+ BRANCH="automation/gitrelease-$TAG"
+ FILE=".github/workflows/build.yaml"
+
+ # Clone VFS for Git repo
+ gh repo clone "$REPO" vfsforgit -- --depth=1
+ cd vfsforgit
+
+ # Create new branch
+ git checkout -b "$BRANCH"
+
+ # Update the GIT_VERSION default in build.yaml
+ sed -i "/GIT_VERSION/s/|| '[^']*' }}/|| '$TAG' }}/" "$FILE"
+
+ # Verify the change was made
+ if ! git diff --quiet "$FILE"; then
+ git config user.name "github-actions[bot]"
+ git config user.email "github-actions[bot]@users.noreply.github.com"
+
+ git add "$FILE"
+ git commit -m "Update default Microsoft Git version to $TAG"
+
+ # Push the new branch
+ git push origin "$BRANCH"
+
+ # Create the PR
+ WORKFLOW_URL="https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
+ RELEASE_URL="https://github.com/microsoft/git/releases/tag/$TAG"
+ PR_TITLE="Update default Microsoft Git version to $TAG"
+ PR_BODY=$(cat <