From 0d82ebfaa82b97c5a30752532123a29bcb5de743 Mon Sep 17 00:00:00 2001
From: Sebastien Poirier <sebastien@h2o.ai>
Date: Tue, 28 Jun 2022 15:06:59 +0200
Subject: [PATCH 1/2] change workflow to correctly modify the app version on
 releases and when forcing merged version back to master

---
 .github/scripts/tag-set.sh             | 29 +++++++++++++++++++
 .github/scripts/version-set.sh         | 40 ++++++++++++++++++++++++++
 .github/workflows/stable-tag.yml       | 18 ++++--------
 .github/workflows/versioning-reset.yml | 27 +++++++++++++++++
 .github/workflows/versioning.yml       | 26 ++++-------------
 5 files changed, 107 insertions(+), 33 deletions(-)
 create mode 100755 .github/scripts/tag-set.sh
 create mode 100755 .github/scripts/version-set.sh
 create mode 100644 .github/workflows/versioning-reset.yml

diff --git a/.github/scripts/tag-set.sh b/.github/scripts/tag-set.sh
new file mode 100755
index 000000000..d2803a5a2
--- /dev/null
+++ b/.github/scripts/tag-set.sh
@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+TAG="$1"
+PUSH=${2:-"no-push"}
+
+function extract_version()
+{
+  local version=$(echo "$1" | sed -E 's/^(refs\/(heads|tags)\/)?(.*)/\3/')
+  echo "$version"
+}
+
+NEW_TAG=$(extract_version $TAG)
+
+git config user.name github-actions
+git config user.email github-actions@github.com
+git tag -f $NEW_TAG
+
+HIGHEST_vTAG=$(extract_version $(git ls-remote --tags --sort=-v:refname origin | grep -P "/v\d.*" | head -n 1 | awk '{print $2}'))
+#git fetch --all --tags
+#LATEST_vTAG=$(git describe --contains `git rev-list --tags="v*" --max-count=1`)
+#HIGHEST_vTAG=$(git tag --list 'v*' --sort=-v:refname | grep -P "v\d.*" | head -n 1)
+
+echo "New tag: '$NEW_TAG', Highest version tag: '$HIGHEST_vTAG'"
+if [ "$NEW_TAG" == "$HIGHEST_vTAG" ]; then
+  echo "Additionally setting 'stable' tag"
+  git tag -f stable
+fi
+if [[ "$PUSH" == "push" ]]; then
+  git push --tags -f
+fi
diff --git a/.github/scripts/version-set.sh b/.github/scripts/version-set.sh
new file mode 100755
index 000000000..1a904a7ce
--- /dev/null
+++ b/.github/scripts/version-set.sh
@@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+VERSION="$1"
+PUSH=${2:-"no-push"}
+ADD_COMMIT=${3:-"add-commit"}
+
+VERSION_FILE='app/__version__.py'
+VERSION_PLACEHOLDER='__version__ =\s+"(.*)"$'
+DEV_PLACEHOLDER='_dev_version =\s+"(.*)"$'
+
+function get_version()
+{
+  local version=$(grep -P "$2" "$1" | sed -E "s/$2/\1/")
+  echo "$version"
+}
+
+function set_version()
+{
+  sed -i -E "s/$2/__version__ = \"$3\"/g" "$1"
+  echo $(get_version "$1" "$2")
+}
+
+OLD_VERSION=$(get_version "$VERSION_FILE" "$VERSION_PLACEHOLDER")
+DEV_VERSION=$(get_version "$VERSION_FILE" "$DEV_PLACEHOLDER")
+NEW_VERSION=$(echo ${VERSION:-"$DEV_VERSION"} | sed -E 's/^v([0-9].*)/\1/')
+echo "setting version from \"$OLD_VERSION\" to \"$NEW_VERSION\""
+FINAL_VERSION=$(set_version "$VERSION_FILE" "$VERSION_PLACEHOLDER" "$NEW_VERSION")
+echo "version changed to \"$FINAL_VERSION\""
+echo "VERSION=$FINAL_VERSION" >> $GITHUB_ENV
+
+if [[ "$PUSH" == "push" ]] && [[ -x "$(command -v git)" ]]; then
+  git config user.name github-actions
+  git config user.email github-actions@github.com
+  if [[ "$ADD_COMMIT" == "add-commit" ]]; then
+    git commit -am "Update version to $FINAL_VERSION"
+    git push
+  else
+    git commit -a --amend --no-edit
+    git push -f
+  fi
+fi
diff --git a/.github/workflows/stable-tag.yml b/.github/workflows/stable-tag.yml
index b13f9c18e..04544c18a 100644
--- a/.github/workflows/stable-tag.yml
+++ b/.github/workflows/stable-tag.yml
@@ -1,24 +1,16 @@
-name:  Tag with Stable
+name: Tag with Stable
 
 on:
   push:
     tags:
       - 'v*'
 
+  workflow_dispatch:
+
 jobs:
   tag-if-latest-stable:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v2
-      - name: Register git credentials
-        run: |
-          git config user.name github-actions
-          git config user.email github-actions@github.com
-      - name: Update stable if latest
-        run: |
-          MOST_RECENT_STABLE=$(git ls-remote --tags origin | tail -n 1 | sed -E 's/.*\s//')
-          echo "New: '""${GITHUB_REF}""', most recent: '""${MOST_RECENT_STABLE}""'"
-          if [ "$GITHUB_REF" == "$MOST_RECENT_STABLE" ]; then
-            git tag stable
-            git push --tags -f
-          fi
+      - name: Set tag and add stable tag if highest version
+        run: ./.github/scripts/tag-set.sh $GITHUB_REF push
diff --git a/.github/workflows/versioning-reset.yml b/.github/workflows/versioning-reset.yml
new file mode 100644
index 000000000..63fbf6424
--- /dev/null
+++ b/.github/workflows/versioning-reset.yml
@@ -0,0 +1,27 @@
+name: Version reset to dev
+# reset the version if merging a release branch into main
+
+on:
+  push:
+    branches:
+      - main
+      - master
+    paths:
+      - 'app/__version__.py'
+
+  workflow_dispatch:
+
+env:
+  BRANCH: ${{ github.event.release.target_commitish }}
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          ref: ${{ env.BRANCH }}
+          fetch-depth: 2  # we need the previous commit as we amend the last one
+      - name: Reset version to dev
+        run: ./.github/scripts/version-set.sh "" push no-add-commit
diff --git a/.github/workflows/versioning.yml b/.github/workflows/versioning.yml
index b377caadc..2eccf8413 100644
--- a/.github/workflows/versioning.yml
+++ b/.github/workflows/versioning.yml
@@ -3,7 +3,7 @@ name: Version Bump
 on:
   release:
     types:
-      - created
+      - published
 
   workflow_dispatch:
 
@@ -16,26 +16,12 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
         with:
           ref: ${{ env.BRANCH }}
       - name: Bump version from tag
-        run: |
-          VERSION=$(echo $TAG | sed 's/^v//')
-          PLACEHOLDER='__version__ = _dev_version'
-          VERSION_FILE='amlb/__version__.py'
-          grep "$PLACEHOLDER" "$VERSION_FILE"
-          sed -i "s/$PLACEHOLDER/__version__ = \"${VERSION}\"/g" "$VERSION_FILE"
-          echo "VERSION=$VERSION" >> $GITHUB_ENV
-        shell: bash
-      - name: Commit version changes
-        run: |
-          git config user.name github-actions
-          git config user.email github-actions@github.com
-          git commit -am "Update version to $VERSION"
+        run: ./.github/scripts/version-set.sh $TAG push
       - name: Update tag
-        run: |
-          git tag $TAG
-          git push
-          git push --tags -f
-
+        run: ./.github/scripts/tag-set.sh $TAG push
+      - name: Restore dev version
+        run: ./.github/scripts/version-set.sh "" push

From f95501924be0d9034503d7473482514bb6e95fcc Mon Sep 17 00:00:00 2001
From: Sebastien Poirier <sebastien@h2o.ai>
Date: Mon, 11 Jul 2022 18:14:37 +0200
Subject: [PATCH 2/2] protect main branch from accidental releases

---
 .github/scripts/version-set.sh   | 21 +++++++++++++--------
 .github/workflows/stable-tag.yml | 16 ----------------
 .github/workflows/versioning.yml | 24 ++++++++++++++++++++++--
 3 files changed, 35 insertions(+), 26 deletions(-)
 delete mode 100644 .github/workflows/stable-tag.yml

diff --git a/.github/scripts/version-set.sh b/.github/scripts/version-set.sh
index 1a904a7ce..734f64144 100755
--- a/.github/scripts/version-set.sh
+++ b/.github/scripts/version-set.sh
@@ -27,14 +27,19 @@ FINAL_VERSION=$(set_version "$VERSION_FILE" "$VERSION_PLACEHOLDER" "$NEW_VERSION
 echo "version changed to \"$FINAL_VERSION\""
 echo "VERSION=$FINAL_VERSION" >> $GITHUB_ENV
 
-if [[ "$PUSH" == "push" ]] && [[ -x "$(command -v git)" ]]; then
-  git config user.name github-actions
-  git config user.email github-actions@github.com
-  if [[ "$ADD_COMMIT" == "add-commit" ]]; then
-    git commit -am "Update version to $FINAL_VERSION"
-    git push
+if [[ "$PUSH" == "push" ]]; then
+  if [[ -x "$(command -v git)" ]]; then
+    git config user.name github-actions
+    git config user.email github-actions@github.com
+    if [[ "$ADD_COMMIT" == "add-commit" ]]; then
+      git commit -am "Update version to $FINAL_VERSION"
+      git push
+    else
+      git commit -a --amend --no-edit
+      git push -f
+    fi
   else
-    git commit -a --amend --no-edit
-    git push -f
+    echo "Can not push the version changes as git is not available."
+    exit 1
   fi
 fi
diff --git a/.github/workflows/stable-tag.yml b/.github/workflows/stable-tag.yml
deleted file mode 100644
index 04544c18a..000000000
--- a/.github/workflows/stable-tag.yml
+++ /dev/null
@@ -1,16 +0,0 @@
-name: Tag with Stable
-
-on:
-  push:
-    tags:
-      - 'v*'
-
-  workflow_dispatch:
-
-jobs:
-  tag-if-latest-stable:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v2
-      - name: Set tag and add stable tag if highest version
-        run: ./.github/scripts/tag-set.sh $GITHUB_REF push
diff --git a/.github/workflows/versioning.yml b/.github/workflows/versioning.yml
index 2eccf8413..fc05eb540 100644
--- a/.github/workflows/versioning.yml
+++ b/.github/workflows/versioning.yml
@@ -12,9 +12,29 @@ env:
   TAG: ${{ github.event.release.tag_name }}
 
 jobs:
-  deploy:
+  validation:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Release only from stable-v* branch
+        if: ${{ !startsWith(env.BRANCH, 'stable-v') }}
+        uses: actions/github-script@v6
+        with:
+          script: core.setFailed("Releases can only be made from 'stable-v*' branches")
+  rollback:
+    needs: validation
+    if: ${{ failure() }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: Rollback if invalid release
+        uses: author/action-rollback@stable
+        with:
+          tag: ${{ env.TAG }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  versioning:
+    needs: validation
+    if: ${{ success() }}
     runs-on: ubuntu-latest
-
     steps:
       - uses: actions/checkout@v3
         with: