[V2] Release process (#1359)

* update release process

* swap runner to self-hosted

* remove publishing jobs, will be handled by another workflow

Author: sean-breen

.github/workflows/ci.yml

@@ -444,12 +444,3 @@ jobs:
         run: make build-grafana-example
       - name: Clean Grafana example
         run: make clean-grafana-example
-
-  trigger-release-workflow:
-    if: ${{ startsWith(github.ref_name, 'release-') && !github.event.pull_request.head.repo.fork }}
-    needs: [ lint, unit-test, component-test, performance-test, integration-tests ]
-    uses: ./.github/workflows/release-branch.yml
-    secrets: inherit
-    permissions:
-      contents: write
-      pull-requests: write

.github/workflows/release-branch.yml

@@ -11,15 +11,10 @@ on:
         type: boolean
         default: false
       createPullRequest:
-          description: 'Create pull request back into main'
+          description: 'Create pull request back into dev-v2'
           required: true
           type: boolean
-          default: false  
-      uploadJWT:
-        description: 'Temporary JWT to publish packages to up-ap.nginx.com'
-        required: true
-        type: string
-        default: ''
+          default: false
   workflow_call:
 
 permissions:
@@ -30,17 +25,22 @@ jobs:
     permissions:
       contents: write
       pull-requests: write
+
     name: Update Release
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-22.04-amd64
     steps:
       - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
         with:
           fetch-depth: 0
+
       - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
         with:
           go-version-file: 'go.mod'
+
       - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
+
       - run: npm install [email protected]
+
       - name: Create Draft Release
         uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         id: release
@@ -115,30 +115,36 @@ jobs:
                     release_upload_url: release.data.upload_url,
                 }
             }
+
       - name: Set Environment Variables
         run: |
           echo "${{steps.release.outputs.result}}"
           echo "VERSION=$(echo '${{steps.release.outputs.result}}' | jq -r '.version')" >> $GITHUB_ENV
           echo "RELEASE_ID=$(echo '${{steps.release.outputs.result}}' | jq -r '.release_id')" >> $GITHUB_ENV
           echo "RELEASE_UPLOAD_URL=$(echo '${{steps.release.outputs.result}}' | jq -r '.release_upload_url')" >> $GITHUB_ENV
+
       - name: Setup build environment
         run: |
           sudo apt-get update
           sudo apt-get install -y gpgv1 monkeysphere 
           go install github.com/goreleaser/nfpm/v2/cmd/[email protected]
+
       - name: Tag release
         run: |
           git config --global user.name 'github-actions'
           git config --global user.email '41898282+github-actions[bot]@users.noreply.github.com'
           git tag -a "v${{env.VERSION}}" -m "CI Autogenerated"
           git tag -a "sdk/v${{env.VERSION}}" -m "CI Autogenerated"
+
       - name: Push Tags
         if: ${{ inputs.publishPackages == true }}
         run: |
           git push origin "v${{env.VERSION}}"
           git push origin "sdk/v${{env.VERSION}}"
+
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
+
       - name: Build Docker Image
         uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
         with:
@@ -150,68 +156,44 @@ jobs:
           no-cache: true
           build-args: |
             package_type=signed-package
+
       - name: Build Packages
         env:
           INDIGO_GPG_AGENT: ${{ secrets.INDIGO_GPG_AGENT }}
           NFPM_SIGNING_KEY_FILE: .key.asc
         run: |
           echo "$INDIGO_GPG_AGENT" | base64 --decode > .key.asc
           make clean package
-      - name: Azure Login
-        uses: azure/login@6b2456866fc08b011acb422a92a4aa20e2c4de32 # v2.1.0
-        with:
-          creds: ${{ secrets.AZURE_CREDENTIALS }}
-      - name: Azure Upload Release Packages
-        uses: azure/CLI@965c8d7571d2231a54e321ddd07f7b10317f34d9 # v2.0.0
+
+      - name: Get Id Token
+        if: ${{ inputs.publishPackages == true }}
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        id: idtoken
         with:
-          inlineScript: |
-            for i in ./build/azure/packages/nginx-agent*; do 
-              az storage blob upload --auth-mode=login -f "$i" -c ${{ secrets.AZURE_CONTAINER_NAME }} \
-              --account-name ${{ secrets.AZURE_ACCOUNT_NAME }} --overwrite -n nginx-agent/${GITHUB_REF##*/}/${i##*/}
-            done 
-      - name: Azure Logout
-        run: |
-          az logout
-        if: always()
-      - name: Upload Release Assets
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        # clobber overwrites existing assets of the same name
-        run: |
-          gh release upload --clobber v${{env.VERSION}} \
-            $(find ./build/github/packages -type f \( -name "*.deb" -o -name "*.rpm" -o -name "*.pkg" -o -name "*.apk" \))
+          script: |
+            let id_token = await core.getIDToken()
+            core.setOutput('id_token', id_token)
+
       - name: Publish Release Packages
         if: ${{ inputs.publishPackages == true }}
         env:
-          TOKEN: ${{ inputs.uploadJWT }}
-          UPLOAD_URL: "https://up-ap-tmp.nginx.com"
+          TOKEN: ${{ steps.idtoken.outputs.id_token }}
+          UPLOAD_URL: "https://up-ap.nginx.com"
         run: |
           make release
-      - name: Publish Github Release
-        if: ${{ inputs.publishPackages == true }}
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
-        with:
-          script: |
-            const {RELEASE_ID} = process.env
-            const release = (await github.rest.repos.updateRelease({
-              owner: context.payload.repository.owner.login,
-              repo: context.payload.repository.name,
-              release_id: `${RELEASE_ID}`,
-              draft: false,
-            }))
-            console.log(`Release published: ${release.data.html_url}`)
+
       - name: Create Pull Request
         if: ${{ inputs.publishPackages == true && inputs.createPullRequest == true}}
         uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         with:
           script: |
             const { repo, owner } = context.repo;
             const result = await github.rest.pulls.create({
-              title: 'Merge ${{ github.ref_name }} back into main',
+              title: 'Merge ${{ github.ref_name }} back into dev-v2',
               owner,
               repo,
               head: '${{ github.ref_name }}',
-              base: 'main',
+              base: 'dev-v2',
               body: [
                 'This PR is auto-generated by the release branch workflow.'
               ].join('\n')

Makefile.packaging

@@ -197,5 +197,4 @@ gpg-key: ## Generate GPG public key
 
 release: ## Publish tarball to the UPLOAD_URL
 	echo "Publishing nginx-agent packages to ${UPLOAD_URL}"; \
-	curl -XPOST --fail -F "file=@$(PACKAGES_DIR)/${PACKAGE_PREFIX}.tar.gz" -H "Token: ${TOKEN}" ${UPLOAD_URL}; \
-	curl -XPOST --fail -F "file=@$(GPG_PUBLIC_KEY)" -H "Token: ${TOKEN}" ${UPLOAD_URL}; \
+	curl -XPOST --fail -F "file=@$(PACKAGES_DIR)/${PACKAGE_PREFIX}.tar.gz" -H "Token: ${TOKEN}" ${UPLOAD_URL};