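# Release pipeline: runs when a GitHub release is published, decides whether that
# release is the "latest" one, builds/pushes the community and Cloud images,
# releases the Helm chart, moves the stable tag, opens a Helm appVersion PR and
# marks the Linear release complete. Reusable workflows are pinned by path;
# third-party actions are pinned by commit SHA (version noted in a comment).
name: Build, release & deploy Formbricks images

on:
  release:
    types: [published]

# Workflow-level default; jobs that declare their own `permissions:` override it,
# jobs that do not (verify-cloud-build, linear-release-complete) inherit read-only.
permissions:
  contents: read

jobs:
  check-latest-release:
    name: Check if this is the latest release
    runs-on: ubuntu-latest
    timeout-minutes: 5
    permissions:
      contents: read
    outputs:
      is_latest: ${{ steps.compare_tags.outputs.is_latest }}
    # This job determines if the current release was marked as "Set as the latest release"
    # by comparing it with the latest release from GitHub API
    steps:
      - name: Harden the runner
        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
        with:
          # `audit` only records outbound connections; it does not block them.
          egress-policy: audit

      - name: Get latest release tag from API
        id: get_latest_release
        # All GitHub context values are passed through `env` so the shell sees them
        # as data. Interpolating `${{ }}` directly into `run:` would splice the
        # (release-author-controlled) tag name into the script source.
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          REPO: ${{ github.repository }}
          CURRENT_TAG: ${{ github.event.release.tag_name }}
        run: |
          set -euo pipefail

          # Get the latest release tag from GitHub API with error handling
          echo "Fetching latest release from GitHub API..."

          # Use curl with error handling - API returns 404 if no releases exist.
          # The HTTP status is captured separately from the body so a non-200
          # response is never parsed as JSON.
          http_code=$(curl -s -w "%{http_code}" -H "Authorization: token ${GITHUB_TOKEN}" \
            "https://api.github.com/repos/${REPO}/releases/latest" -o /tmp/latest_release.json)

          if [[ "$http_code" == "404" ]]; then
            echo "⚠️ No previous releases found (404). This appears to be the first release."
            echo "latest_release=" >> "$GITHUB_OUTPUT"
          elif [[ "$http_code" == "200" ]]; then
            latest_release=$(jq -r .tag_name /tmp/latest_release.json)
            if [[ "$latest_release" == "null" || -z "$latest_release" ]]; then
              echo "⚠️ API returned null/empty tag_name. Treating as first release."
              echo "latest_release=" >> "$GITHUB_OUTPUT"
            else
              echo "Latest release from API: ${latest_release}"
              echo "latest_release=${latest_release}" >> "$GITHUB_OUTPUT"
            fi
          else
            # Any other status (rate limit, 5xx, ...) falls back to "first release",
            # i.e. the build is treated as latest rather than blocking the pipeline.
            echo "❌ GitHub API error (HTTP ${http_code}). Treating as first release."
            echo "latest_release=" >> "$GITHUB_OUTPUT"
          fi

          echo "Current release tag: ${CURRENT_TAG}"

      - name: Compare release tags
        id: compare_tags
        env:
          CURRENT_TAG: ${{ github.event.release.tag_name }}
          LATEST_TAG: ${{ steps.get_latest_release.outputs.latest_release }}
        run: |
          set -euo pipefail

          # Handle first release case (no previous releases)
          if [[ -z "${LATEST_TAG}" ]]; then
            echo "🎉 This is the first release (${CURRENT_TAG}) - treating as latest"
            echo "is_latest=true" >> "$GITHUB_OUTPUT"
          elif [[ "${CURRENT_TAG}" == "${LATEST_TAG}" ]]; then
            echo "✅ This release (${CURRENT_TAG}) is marked as the latest release"
            echo "is_latest=true" >> "$GITHUB_OUTPUT"
          else
            echo "ℹ️ This release (${CURRENT_TAG}) is not the latest release (latest: ${LATEST_TAG})"
            echo "is_latest=false" >> "$GITHUB_OUTPUT"
          fi

  docker-build-community:
    name: Build & release community docker image
    permissions:
      contents: read
      packages: write
      id-token: write # OIDC token for registry/signing in the called workflow
    uses: ./.github/workflows/release-docker-github.yml
    secrets: inherit
    needs:
      - check-latest-release
    with:
      IS_PRERELEASE: ${{ github.event.release.prerelease }}
      # Job outputs are strings, hence the explicit comparison to produce a boolean.
      MAKE_LATEST: ${{ needs.check-latest-release.outputs.is_latest == 'true' }}

  docker-build-cloud:
    name: Build & push Formbricks Cloud to ECR
    permissions:
      contents: read
      id-token: write
    uses: ./.github/workflows/build-and-push-ecr.yml
    secrets: inherit
    with:
      # Reuses the version computed by the community build so both images share a tag.
      image_tag: ${{ needs.docker-build-community.outputs.VERSION }}
      IS_PRERELEASE: ${{ github.event.release.prerelease }}
      MAKE_LATEST: ${{ needs.check-latest-release.outputs.is_latest == 'true' }}
    needs:
      - check-latest-release
      - docker-build-community

  helm-chart-release:
    name: Release Helm Chart
    permissions:
      contents: read
      packages: write
    uses: ./.github/workflows/release-helm-chart.yml
    secrets: inherit
    needs:
      - docker-build-community
    with:
      VERSION: ${{ needs.docker-build-community.outputs.VERSION }}

  verify-cloud-build:
    name: Verify Cloud Build Outputs
    runs-on: ubuntu-latest
    timeout-minutes: 5 # Simple verification should be quick
    needs:
      - docker-build-cloud
    steps:
      - name: Harden the runner
        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
        with:
          egress-policy: audit

      - name: Display ECR build outputs
        env:
          IMAGE_TAG: ${{ needs.docker-build-cloud.outputs.IMAGE_TAG }}
          TAGS: ${{ needs.docker-build-cloud.outputs.TAGS }}
        run: |
          set -euo pipefail

          echo "✅ ECR Build Completed Successfully"
          echo "Image Tag: ${IMAGE_TAG}"
          echo "ECR Tags:"
          # printf rather than echo so a multi-line TAGS value is printed verbatim.
          printf '%s\n' "${TAGS}"

  move-stable-tag:
    name: Move stable tag to release
    permissions:
      contents: write # Required for tag push operations in called workflow
    uses: ./.github/workflows/move-stable-tag.yml
    needs:
      - check-latest-release
      - docker-build-community # Ensure release is successful first
    with:
      release_tag: ${{ github.event.release.tag_name }}
      commit_sha: ${{ github.sha }}
      is_prerelease: ${{ github.event.release.prerelease }}
      make_latest: ${{ needs.check-latest-release.outputs.is_latest == 'true' }}

  update-helm-app-version:
    name: Create Helm app version update
    runs-on: ubuntu-latest
    timeout-minutes: 5
    needs:
      - docker-build-community
      - helm-chart-release
    if: ${{ !github.event.release.prerelease }}
    # Needs write access: pushes a branch and opens/edits a PR with GITHUB_TOKEN.
    permissions:
      contents: write
      pull-requests: write
    steps:
      - name: Harden the runner
        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
        with:
          egress-policy: audit

      - name: Checkout main
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          # The release runs on a tag; the appVersion bump must land on main.
          ref: main

      - name: Install YQ
        uses: dcarbone/install-yq-action@4075b4dca348d74bd83f2bf82d30f25d7c54539b # v1.3.1

      - name: Prepare Helm app version update
        id: update
        env:
          VERSION: ${{ needs.docker-build-community.outputs.VERSION }}
        run: |
          set -euo pipefail

          # Only stable X.Y.Z versions update the chart. This check also restricts
          # VERSION to [0-9.] before it is spliced into the yq/perl expressions below.
          if [[ ! "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
            echo "Skipping Helm app version source update for non-stable version: ${VERSION}"
            echo "changed=false" >> "$GITHUB_OUTPUT"
            exit 0
          fi

          yq -i ".appVersion = \"${VERSION}\"" charts/formbricks/Chart.yaml
          perl -0pi -e "s/!\[AppVersion: [^\]]+\]/![AppVersion: ${VERSION}]/" charts/formbricks/README.md
          perl -0pi -e "s/AppVersion-[0-9A-Za-z._+-]+-informational/AppVersion-${VERSION}-informational/" charts/formbricks/README.md

          # Nothing to commit when the chart already carries this version (e.g. a re-run).
          if git diff --quiet -- charts/formbricks/Chart.yaml charts/formbricks/README.md; then
            echo "Helm chart appVersion already matches ${VERSION}"
            echo "changed=false" >> "$GITHUB_OUTPUT"
            exit 0
          fi

          echo "changed=true" >> "$GITHUB_OUTPUT"

      - name: Create Helm app version PR
        # Runs only after the previous step validated VERSION as X.Y.Z and found a diff.
        if: steps.update.outputs.changed == 'true'
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          VERSION: ${{ needs.docker-build-community.outputs.VERSION }}
        run: |
          set -euo pipefail

          branch="chore/update-helm-app-version-${VERSION}"
          title="chore: update Helm app version to ${VERSION}"
          body_file="$(mktemp)"

          git config user.name "github-actions[bot]"
          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
          git checkout -B "$branch"
          git add charts/formbricks/Chart.yaml charts/formbricks/README.md
          git commit -m "$title"
          # NOTE(review): the checkout only fetched `main`, so there is no
          # remote-tracking ref for $branch; --force-with-lease then appears to
          # require the remote branch to be absent and may reject a re-run that
          # finds an existing branch. Confirm against git-push(1) before relying
          # on the `gh pr edit` path below for re-runs.
          git push --force-with-lease origin "$branch"

          cat > "$body_file" <<EOF
          Updates the Helm chart default app version after publishing stable Formbricks release ${VERSION}.

          Release candidates and pre-releases do not create this source update.
          EOF

          # Update the existing PR for this branch if one is open, otherwise create it.
          if gh pr view "$branch" --repo "$GITHUB_REPOSITORY" >/dev/null 2>&1; then
            gh pr edit "$branch" --repo "$GITHUB_REPOSITORY" --title "$title" --body-file "$body_file" --base main
          else
            gh pr create --repo "$GITHUB_REPOSITORY" --base main --head "$branch" --title "$title" --body-file "$body_file"
          fi

  linear-release-complete:
    name: Mark Linear release as complete
    runs-on: ubuntu-latest
    timeout-minutes: 5
    # Gated on every publishing job so Linear is only updated for a fully shipped release.
    needs:
      - docker-build-community
      - docker-build-cloud
      - helm-chart-release
      - move-stable-tag
      - update-helm-app-version
    if: ${{ !github.event.release.prerelease }}
    steps:
      - name: Harden the runner
        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
        with:
          egress-policy: audit

      - name: Checkout repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0

      - name: Complete Linear release
        uses: linear/linear-release-action@0353b5fa8c00326913966f00557d68f8f30b8b6b # v0.7.0
        with:
          access_key: ${{ secrets.LINEAR_ACCESS_KEY }}
          command: complete
          version: ${{ github.event.release.tag_name }}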