diff --git a/.github/actions/release-branches/release-branches.py b/.github/actions/release-branches/release-branches.py
index 8e8bf37db5..664d016ed7 100644
--- a/.github/actions/release-branches/release-branches.py
+++ b/.github/actions/release-branches/release-branches.py
@@ -1,12 +1,19 @@
 import argparse
 import json
 import os
-import subprocess
+import configparser
 # Name of the remote
 ORIGIN = 'origin'
-OLDEST_SUPPORTED_MAJOR_VERSION = 2
+script_dir = os.path.dirname(os.path.realpath(__file__))
+grandparent_dir = os.path.dirname(os.path.dirname(script_dir))
+
+config = configparser.ConfigParser()
+with open(os.path.join(grandparent_dir, 'releases.ini')) as stream:
+ config.read_string('[default]\n' + stream.read())
+
+OLDEST_SUPPORTED_MAJOR_VERSION = config['default']['OLDEST_SUPPORTED_MAJOR_VERSION']
 def main():
diff --git a/.github/releases.ini b/.github/releases.ini
new file mode 100644
index 0000000000..83aee4b155
--- /dev/null
+++ b/.github/releases.ini
@@ -0,0 +1 @@
+OLDEST_SUPPORTED_MAJOR_VERSION=2
diff --git a/.github/workflows/script/update-required-checks.sh b/.github/workflows/script/update-required-checks.sh
index a06e90a380..f55ee8256b 100755
--- a/.github/workflows/script/update-required-checks.sh
+++ b/.github/workflows/script/update-required-checks.sh
@@ -2,6 +2,11 @@
 # Update the required checks based on the current branch.
 # Typically, this will be main.
+SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
+REPO_DIR="$(dirname "$SCRIPT_DIR")"
+GRANDPARENT_DIR="$(dirname "$REPO_DIR")"
+source "$GRANDPARENT_DIR/releases.ini"
+
 if ! gh auth status 2>/dev/null; then
 gh auth status
 echo "Failed: Not authorized. This script requires admin access to github/codeql-action through the gh CLI."
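Review bot: `OLDEST_SUPPORTED_MAJOR_VERSION` changes type on the new assignment line: `config['default'][...]` returns the string `'2'`, where the removed line assigned the integer `2`. The uses of the constant are outside this hunk, but any arithmetic or numeric comparison against it would raise `TypeError`, and a string comparison would order versions lexically (`'10' < '2'`). Convert and validate at load time with `OLDEST_SUPPORTED_MAJOR_VERSION = config['default'].getint('OLDEST_SUPPORTED_MAJOR_VERSION')`, so a malformed `releases.ini` fails immediately instead of silently changing which release branches receive backports. A comment above the `read_string` call, such as `# releases.ini has no section header because update-required-checks.sh also sources it; prepend one for configparser`, would explain the `'[default]\n'` prefix.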
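Review bot: `source "$GRANDPARENT_DIR/releases.ini"` executes the file as shell code in a script that, per its own error message, runs with admin access to the repository through `gh`, so anything in that file beyond a plain assignment runs with those credentials. The same file is parsed by `configparser` in release-branches.py, which accepts forms (`KEY = value`, `;` comments) that `source` rejects or misreads, so the two consumers can drift apart. Read the one key as data and require an integer, e.g. `OLDEST_SUPPORTED_MAJOR_VERSION="$(sed -n 's/^OLDEST_SUPPORTED_MAJOR_VERSION=\([0-9][0-9]*\)$/\1/p' "$GRANDPARENT_DIR/releases.ini")"` followed by `[ -n "$OLDEST_SUPPORTED_MAJOR_VERSION" ] || { echo "Failed: cannot read releases.ini" >&2; exit 1; }`. `REPO_DIR` is also a misleading name, since by this computation it holds `.github/workflows` rather than the repository root.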
@@ -29,7 +34,22 @@ echo "$CHECKS" | jq
 echo "{\"contexts\": ${CHECKS}}" > checks.json
-for BRANCH in main releases/v2; do
+echo "Updating main"
+gh api --silent -X "PATCH" "repos/github/codeql-action/branches/main/protection/required_status_checks" --input checks.json
+
+# list all branchs on origin remote matching releases/v*
+BRANCHES="$(git ls-remote --heads origin 'releases/v*' | sed 's?.*refs/heads/??' | sort -V)"
+
+for BRANCH in $BRANCHES; do
+
+ # strip exact 'releases/v' prefix from $BRANCH using count of characters
+ VERSION="${BRANCH:10}"
+
+ if [ "$VERSION" -lt "$OLDEST_SUPPORTED_MAJOR_VERSION" ]; then
+ echo "Skipping $BRANCH"
+ continue
+ fi
+
 echo "Updating $BRANCH"
 gh api --silent -X "PATCH" "repos/github/codeql-action/branches/$BRANCH/protection/required_status_checks" --input checks.json
 done
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 67d435103c..ea4ac72adb 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -76,7 +76,9 @@ Since the `codeql-action` runs most of its testing through individual Actions wo
 1. By default, this script retrieves the checks from the latest SHA on `main`, so make sure that your `main` branch is up to date.
 2. Run the script. If there's a reason to, you can pass in a different SHA as a CLI argument.
-3. After running, go to the [branch protection rules settings page](https://github.com/github/codeql-action/settings/branches) and validate that the rules for `main`, `v1`, and `v2` have been updated.
+3. After running, go to the [branch protection rules settings page](https://github.com/github/codeql-action/settings/branches) and validate that the rules for `main`, `v2`, and `v3` have been updated.
+
+Note that any updates to checks need to be backported to the `releases/v2` branch, in order to maintain the same set of names for required checks.
 ## Deprecating a CodeQL version (write access required)
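Review bot: The version filter in the new loop fails open: when `VERSION` is not a plain integer, `[ "$VERSION" -lt "$OLDEST_SUPPORTED_MAJOR_VERSION" ]` reports an error and returns non-zero, the `if` body is skipped, and the loop goes on to PATCH that branch's required status checks. The `releases/v*` pattern matches any branch with that prefix (a constructed example would be `releases/v2-test`), and the same fall-through happens if `OLDEST_SUPPORTED_MAJOR_VERSION` is empty or non-numeric. Reject anything that is not a major version number before the comparison, `case "$VERSION" in ''|*[!0-9]*) echo "Skipping $BRANCH (not a major version)"; continue ;; esac`, and validate `OLDEST_SUPPORTED_MAJOR_VERSION` the same way once before the loop. As a style point, `VERSION="${BRANCH#releases/v}"` states the prefix strip directly instead of relying on the offset `10`.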
@@ -111,8 +113,8 @@ To deprecate an older version of the Action:
 - Add a changelog note announcing the deprecation.
 - Implement an Actions warning for customers using the deprecated version.
 1. Wait for the deprecation period to pass.
-1. Upgrade the Actions warning for customers using the deprecated version to a non-fatal error, and mention that this version of the Action is no longer supported.
-1. Make a PR to bump the `OLDEST_SUPPORTED_MAJOR_VERSION` in [release-branches.py](.github/actions/release-branches/release-branches.py). Once this PR is merged, the release process will no longer backport changes to the deprecated release version.
+1. Upgrade the Actions warning for customers using the deprecated version to a non-fatal error, and mention that this version of the Action is no longer supported.
+1. Make a PR to bump the `OLDEST_SUPPORTED_MAJOR_VERSION` in [releases.ini](.github/releases.ini). Once this PR is merged, the release process will no longer backport changes to the deprecated release version.
 ## Resources