From 83d5f96c074b371d56c65aca108f52b9afaa914f Mon Sep 17 00:00:00 2001
From: Vyom-Yadav
Date: Sat, 11 Jan 2025 15:58:21 +0530
Subject: [PATCH] Add krel release notes validation workflow

Co-authored-by: npolshakova
Signed-off-by: Vyom-Yadav
---
 .../krel-release-notes-validate.yaml | 140 ++++++++++++++++++
 1 file changed, 140 insertions(+)
 create mode 100644 .github/workflows/krel-release-notes-validate.yaml

diff --git a/.github/workflows/krel-release-notes-validate.yaml b/.github/workflows/krel-release-notes-validate.yaml
new file mode 100644
index 00000000000..717761292ec
--- /dev/null
+++ b/.github/workflows/krel-release-notes-validate.yaml
@@ -0,0 +1,140 @@
+# Copyright 2025 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: Yaml Lint Release Notes
+on:
+ push:
+ branches:
+ - master
+ paths:
+ - releases/**/release-notes/**.yaml
+ - releases/**/release-notes/**.yml
+ pull_request:
+ paths:
+ - releases/**/release-notes/**.yaml
+ - releases/**/release-notes/**.yml
+ # Allow manual triggering
+ workflow_dispatch: { }
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+jobs:
+ krel_release_notes_validate_action:
+ name: Validate release notes with krel
+ runs-on: ubuntu-latest
+ if: ${{ !github.event.pull_request.draft }}
+ steps:
+ - name: Check out code
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ with:
+ # we need to fetch the full history in order to check changes across all commits on the branch
+ fetch-depth: '0'
+ - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+ with:
+ go-version: '1.23'
+ check-latest: true
+ - uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
+ with:
+ use-sudo: false
+ - id: install-krel
+ shell: bash
+ run: |
+ #!/bin/bash
+ set -euo pipefail
+
+ # Get the latest release version from GitHub API
+ KREL_VERSION=$(curl -s https://api.github.com/repos/kubernetes/release/releases/latest | grep '"tag_name":' | cut -d'"' -f4)
+ ARTIFACT_NAME=krel-amd64-linux
+ TEMP_DIR=$(mktemp -d)
+ cd "$TEMP_DIR"
+
+ echo "Downloading latest krel version $KREL_VERSION..."
+ if ! curl -sL "/~https://github.com/kubernetes/release/releases/download/$KREL_VERSION/$ARTIFACT_NAME" -o krel; then
+ echo "Failed to download krel"
+ exit 1
+ fi
+
+ KREL_CERT="/~https://github.com/kubernetes/release/releases/download/$KREL_VERSION/$ARTIFACT_NAME.pem"
+ KREL_SIG="/~https://github.com/kubernetes/release/releases/download/$KREL_VERSION/$ARTIFACT_NAME.sig"
+
+ echo "Using cosign to verify signature of krel version $KREL_VERSION"
+ if ! cosign verify-blob --certificate "$KREL_CERT" --signature "$KREL_SIG" \
+ --certificate-identity "/~https://github.com/kubernetes/release/.github/workflows/release.yml@refs/tags/$KREL_VERSION" \
+ --certificate-oidc-issuer "https://token.actions.githubusercontent.com" krel; then
+ echo "Signature verification failed for krel version: '$KREL_VERSION'"
+ exit 1
+ fi
+
+ chmod +x krel
+ mkdir -p "$HOME/.local/bin"
+ mv krel "$HOME/.local/bin/"
+ cd - > /dev/null
+ rm -rf "$TEMP_DIR"
+
+ KREL_PATH="$HOME/.local/bin/krel"
+ echo "krel-path=$KREL_PATH" >> "$GITHUB_OUTPUT"
+ echo "Krel installed at: $KREL_PATH"
+ - name: Run if releases YAML changes exist and validate the YAML
+ id: validate_releases_yaml
+ env:
+ KREL_PATH: ${{ steps.install-krel.outputs.krel-path }}
+ run: |
+ # Get a list of changed YAML files based on git diff
+ CHANGED_FILES=$(git diff --name-only ${{ github.event.pull_request.base.sha }} ${{ github.sha }} -- releases/ | grep -E '\.ya?ml$' || true)
+
+ if [ -n "$CHANGED_FILES" ]; then
+ echo "validating base sha ${{ github.event.pull_request.base.sha }}"
+
+ # Initialize an array for invalid files
+ INVALID_FILES=""
+
+ while IFS= read -r file; do
+ set +e
+ "${KREL_PATH}" release-notes validate --path-to-release-notes "$file"
+ exit_code=$?
+ set -e
+
+ if [ $exit_code -ne 0 ]; then
+ INVALID_FILES="${INVALID_FILES}- ${file##*/}\n"
+ fi
+ done <<< "$CHANGED_FILES"
+
+ # If there are any invalid files, set the output and fail
+ if [ -n "$INVALID_FILES" ]; then
+ echo "invalid_files<> $GITHUB_OUTPUT
+ echo -e "$INVALID_FILES" >> $GITHUB_OUTPUT
+ echo "EOF" >> $GITHUB_OUTPUT
+ exit 1
+ else
+ echo "All YAML files are valid."
+ fi
+ else
+ echo "No YAML files changed under /releases/*"
+ fi
+ - name: Comment on PR if invalid yaml detected
+ if: failure() && github.event_name == 'pull_request'
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+ script: |
+ const invalidFiles = `${{ steps.validate_releases_yaml.outputs.invalid_files }}`;
+ if (invalidFiles) {
+ await github.rest.issues.createComment({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ issue_number: context.issue.number,
+ body: `❌ YAML validation failed for the following files:\n\n${invalidFiles}`
+ });
+ }
\ No newline at end of file
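Review bot: The github-script step at the end of the hunk expands `${{ steps.validate_releases_yaml.outputs.invalid_files }}` directly inside a JavaScript template literal, so the file basenames collected by the validate step (names a pull-request author chooses) become source text of a script that runs with `secrets.GITHUB_TOKEN`. Pass the value through the environment instead: add `env: INVALID_FILES: ${{ steps.validate_releases_yaml.outputs.invalid_files }}` to that step and read it with `const invalidFiles = process.env.INVALID_FILES;`. The `git diff` line in the validate step has a related problem: on `push` and `workflow_dispatch` events `github.event.pull_request.base.sha` is empty, so the command appears to compare the checked-out tree against `github.sha` and the step reports no changed files, which would mean the master-branch run never validates anything. The job also declares no `permissions:` block and so inherits the repository default token scope, while the only write it needs is `pull-requests: write` for the comment, with `contents: read` for the rest. Resolving `KREL_VERSION` from the `releases/latest` API makes the trusted binary float with each upstream release; pinning the version (the cosign identity check already ties verification to a tag) would make the install reproducible.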