feat(release): automate security releases and improve release management
- Add automated security releases with focused changelogs
- Configure release-drafter with conventional commit support
- Set up Renovate for automated dependency management
  - Auto-merge for minor and patch updates
  - Immediate PRs and releases for security updates
  - Weekly schedule for regular updates
- Ensure security updates are removed from draft releases
elsbrock committed Feb 6, 2025
1 parent 3756058 commit ba77035
Showing 4 changed files with 174 additions and 2 deletions.
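--- a/.github/release-drafter.yml
+++ b/.github/release-drafter.yml
@@ -0,0 +1,76 @@
+name-template: 'v$RESOLVED_VERSION'
+tag-template: 'v$RESOLVED_VERSION'
+categories:
+- title: '🚨 Breaking Changes'
+labels:
+- 'breaking'
+collapse-after: 5
+- title: '🔒 Security Updates'
+labels:
+- 'security'
+collapse-after: 5
+- title: '🚀 Features'
+labels:
+- 'feature'
+- 'enhancement'
+collapse-after: 5
+- title: '🐛 Bug Fixes'
+labels:
+- 'fix'
+- 'bugfix'
+- 'bug'
+collapse-after: 5
+- title: '🧰 Maintenance'
+labels:
+- 'chore'
+- 'dependencies'
+collapse-after: 5
+
+# Add conventional commit support
+autolabeler:
+- label: 'security'
+title:
+- '/^fix\(security\):/i'
+- label: 'bug'
+title:
+- '/^fix:/i'
+- label: 'feature'
+title:
+- '/^feat:/i'
+- label: 'chore'
+title:
+- '/^chore:/i'
+- label: 'breaking'
+title:
+- '/^BREAKING CHANGE:/i'
+- '/!:/i'
+
+change-template: '- $TITLE @$AUTHOR (#$NUMBER)'
+
+version-resolver:
+major:
+labels:
+- 'major'
+- 'breaking'
+minor:
+labels:
+- 'minor'
+- 'feature'
+- 'enhancement'
+patch:
+labels:
+- 'patch'
+- 'fix'
+- 'bugfix'
+- 'bug'
+- 'security'
+- 'dependencies'
+- 'chore'
+default: patch
+
+template: |
+## What's Changed
+$CHANGES
+## 👨‍💻 Contributors
+$CONTRIBUTORS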
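Review bot: The autolabeler patterns `'/^fix:/i'`, `'/^feat:/i'` and `'/^chore:/i'` match only unscoped conventional-commit titles, so a scoped title such as this commit's own `feat(release): …` receives no label and is then neither categorised in the draft nor counted by the version resolver. Allowing an optional scope covers both forms: `- '/^feat(\(.+\))?:/i'`, `- '/^fix(\(.+\))?:/i'`, `- '/^chore(\(.+\))?:/i'`; a `fix(security):` title would then carry both `bug` and `security`, which is harmless because both resolve to `patch`, but narrow the fix pattern with a negative lookahead if a single label is wanted. The `'/!:/i'` breaking pattern is unanchored and fires on any title containing `!:` anywhere; anchoring it as `'/^\w+(\(.+\))?!:/i'` limits it to the conventional-commit breaking marker. These patterns only take effect when the action is invoked on a pull-request event, so the workflow that runs release-drafter has to subscribe to one for any of this to apply.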
20 changes: 19 additions & 1 deletion .github/renovate.json
Expand Up @@ -6,9 +6,27 @@
"schedule": ["before 4am on monday"],
"packageRules": [
{
"matchUpdateTypes": ["minor", "patch"],
"matchUpdateTypes": ["patch", "pin", "digest"],
"labels": ["dependencies", "patch"],
"automerge": true,
"automergeType": "branch"
},
{
"matchUpdateTypes": ["major"],
"labels": ["dependencies", "major"]
},
{
"matchUpdateTypes": ["minor"],
"labels": ["dependencies", "minor"],
"automerge": true,
"automergeType": "branch"
},
{
"matchSecurityUpdates": true,
"labels": ["security"],
"automerge": true,
"automergeType": "branch",
"prCreation": "immediate"
}
],
"platformAutomerge": true,
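--- a/.github/workflows/release-drafter.yml
+++ b/.github/workflows/release-drafter.yml
@@ -0,0 +1,22 @@
+name: Release Drafter
+
+on:
+push:
+branches:
+- main
+# Allow manual trigger
+workflow_dispatch:
+
+permissions:
+contents: read
+
+jobs:
+update_release_draft:
+permissions:
+contents: write
+pull-requests: write
+runs-on: ubuntu-latest
+steps:
+- uses: release-drafter/release-drafter@v6
+env:
+GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}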
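Review bot: This workflow subscribes only to `push` and `workflow_dispatch`, so the `autolabeler` block this commit adds to `.github/release-drafter.yml` never executes — as far as release-drafter's documentation goes, autolabels are applied only when the action runs on a pull-request event — and the `security`/`feature`/`bug` labels that the version resolver and the release workflow key on are never set from titles. Add a pull-request trigger, e.g. `pull_request:` / `types: [opened, reopened, synchronize]`, which is sufficient for same-repository PRs such as Renovate's; release-drafter's README points to `pull_request_target` for PRs from forks, but that event runs with a write-capable token on the base branch and deserves separate review before adopting. Separately, `release-drafter/release-drafter@v6` is a mutable tag; pinning to a full commit SHA (`release-drafter/release-drafter@<commit-sha> # v6`) makes the fetched action content immutable, and the same applies to the two `@v6` uses in release.yml.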
58 changes: 57 additions & 1 deletion .github/workflows/release.yml
@@ -1,26 +1,81 @@
name: "Release"

on:
# Trigger on published releases (manual releases)
release:
types:
- "published"
# Trigger on merged PRs (for automated security updates)
pull_request:
types:
- "closed"
branches:
- "main" # Only run on PRs targeting main branch

permissions: {}

jobs:
release:
name: "Release"
# Run if either:
# 1. It's a published release event
# 2. It's a merged Renovate PR with security label
if: |
(github.event_name == 'release') ||
(github.event_name == 'pull_request' &&
github.event.pull_request.merged == true &&
github.event.pull_request.user.login == 'renovate[bot]' &&
contains(github.event.pull_request.labels.*.name, 'security'))
runs-on: "ubuntu-latest"
permissions:
contents: write
steps:
- name: "Checkout the repository"
uses: "actions/[email protected]"

- name: "Get version"
id: version
shell: "bash"
run: |
if [ "${{ github.event_name }}" = "release" ]; then
echo "version=${{ github.event.release.tag_name }}" >> $GITHUB_OUTPUT
else
# Extract version from Renovate PR title
VERSION=$(echo "${{ github.event.pull_request.title }}" | grep -oP '(?<=to v)[0-9]+\.[0-9]+\.[0-9]+')
echo "version=v${VERSION}" >> $GITHUB_OUTPUT
fi
# For security updates, create a focused release
- name: "Create Security Release"
if: github.event_name == 'pull_request'
uses: release-drafter/release-drafter@v6
with:
version: ${{ steps.version.outputs.version }}
name: "🔒 Security Release ${{ steps.version.outputs.version }}"
tag: ${{ steps.version.outputs.version }}
publish: true
# Override template to only include the security update
template: |
## 🔒 Security Update
- ${{ github.event.pull_request.title }} (#${{ github.event.pull_request.number }})
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

# Remove the security update from the existing draft release
- name: "Update Draft Release"
if: github.event_name == 'pull_request'
uses: release-drafter/release-drafter@v6
with:
version: next
publish: false
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

- name: "Adjust version number"
shell: "bash"
run: |
yq -i -o json '.version="${{ github.event.release.tag_name }}"' \
yq -i -o json '.version="${{ steps.version.outputs.version }}"' \
"${{ github.workspace }}/custom_components/cowboy/manifest.json"
- name: "ZIP the integration directory"
@@ -32,4 +87,5 @@ jobs:
- name: "Upload the ZIP file to the release"
uses: softprops/[email protected]
with:
tag_name: ${{ steps.version.outputs.version }}
files: ${{ github.workspace }}/custom_components/cowboy/cowboy-ha.zip
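Review bot: In the "Get version" step, `${{ github.event.pull_request.title }}` is expanded straight into the `run:` script — the expression-injection pattern GitHub's workflow-hardening guide warns about — so whatever the title contains becomes shell source in a job holding `contents: write`. The `renovate[bot]` login check in the job's `if` narrows who can trigger it, but a merged PR's title stays editable afterwards by anyone with write access, so treat it as data: pass it through `env:` and read `"$PR_TITLE"`, as in the rewrite below. The extracted value is also the *dependency's* new version (Renovate titles read "Update X to vA.B.C"), so a security release gets tagged with a number unrelated to the integration's own tag sequence, and when the regex finds nothing `VERSION` is empty and the tag becomes a bare `v`; the rewrite fails the step on an empty match and leaves deriving the integration's own next version as a TODO, since the page does not show the project's versioning scheme. The `release` job continues past this hunk (the ZIP and upload steps).
```yaml
      - name: "Get version"
        id: version
        shell: "bash"
        env:
          # Untrusted text enters via the environment, never via expansion into the script body
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          set -euo pipefail
          if [ "${{ github.event_name }}" = "release" ]; then
            echo "version=${{ github.event.release.tag_name }}" >> "$GITHUB_OUTPUT"
          else
            # TODO(review): this is the dependency's version from the Renovate title, not the integration's own next version
            VERSION=$(printf '%s\n' "$PR_TITLE" | grep -oP '(?<=to v)[0-9]+\.[0-9]+\.[0-9]+' | head -n1 || true)
            if [ -z "$VERSION" ]; then
              echo "could not extract a version from the PR title" >&2
              exit 1
            fi
            echo "version=v${VERSION}" >> "$GITHUB_OUTPUT"
          fi
      # … unchanged: Create Security Release, Update Draft Release, Adjust version number …
```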
