CHANGELOG.md

@@ -5,6 +5,10 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [3.2.0] - 2023-11-07
+
+- Add new `release-it.yml` template for automated release management.
+
 ## [3.1.1] - 2023-10-19
 
 ### Changed

auto-devops/release-it.yml

+# This template enables automated release management using the release-it tool. 
+
+.release-base:
+  image:
+    name: registry.gitlab.developers.cam.ac.uk/uis/devops/infra/dockerimages/release-it:latest
+  variables:
+    GIT_STRATEGY: clone
+    GIT_DEPTH: 0
+  before_script: |
+    MAGENTA="\e[35m"
+    CLEAR="\e[0m"
+
+    log() {
+        echo -e "${MAGENTA}${1}${CLEAR}"
+    }
+
+    # By default, GitLab performs a shallow clone of the target repository and checks out a detached commit rather than
+    # the branch itself. We want to be able to search the full history so we need to do the following.
+    git fetch origin
+    git checkout "$CI_COMMIT_REF_NAME"
+
+    log "Retrieving an access token for the default service account of the runner pod..."
+    DEFAULT_TOKEN=$(
+      curl --fail-with-body -s -S -H "Metadata-Flavor: Google" \
+        "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token" \
+      | jq -r ".access_token"
+    )
+
+    log "Generating an access token for the $GITLAB_TOKEN_ACCESSOR_SERVICE_ACCOUNT service account..."
+    ACCESS_TOKEN=$(
+      curl --fail-with-body -s -S -X POST \
+        -H "Authorization: Bearer $DEFAULT_TOKEN" \
+        -H "Content-Type: application/json; charset=utf-8" \
+        "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/${GITLAB_TOKEN_ACCESSOR_SERVICE_ACCOUNT/@/%40}:generateAccessToken" \
+        -d '{"scope": ["https://www.googleapis.com/auth/cloud-platform"]}' \
+      | jq -r ".accessToken"
+    )
+
+    log "Retrieving the GitLab bot access token from Google Secret Manager..."
+    export GITLAB_TOKEN=$(
+      curl --fail-with-body -s -S -H "Authorization: Bearer $ACCESS_TOKEN" \
+        -H "Content-Type: application/json" \
+        "https://secretmanager.googleapis.com/v1/$GITLAB_ACCESS_TOKEN_SECRET_ID/versions/latest:access" \
+      | jq -r ".payload.data" | base64 -d
+    )
+
+    log "Configuring git to use the GitLab bot account..."
+    git config user.email "$GITLAB_ACCESS_TOKEN_EMAIL"
+    git config user.name "$GITLAB_ACCESS_TOKEN_NAME"
+
+    log "Configuring the git remote url..."
+    git remote set-url origin "https://token:$GITLAB_TOKEN@$CI_SERVER_HOST/$CI_PROJECT_PATH.git"
+  tags:
+    - $GKE_RUNNER_TAG
+
+update-release-merge-request:
+  extends: .release-base
+  stage: review
+  script: /opt/devops/update-merge-request.sh
+  needs: []
+  rules:
+    # This job should only run if this variable is not null.
+    - if: $USE_MERGE_REQUEST_RELEASE_FLOW == null
+      when: never
+    # This is the main rule to run this job if we're using the merge request workflow and the pipeline is running on
+    # either the default branch or a branch named "hotfix-".
+    - if: ($CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /^hotfix-.*$/i) && $CI_COMMIT_MESSAGE !~ /chore\(release\)/
+
+release:
+  extends: .release-base
+  stage: production
+  script: /opt/devops/release.sh
+  rules:
+    # This rule stops the job running if it is a new or rebased branch ($CI_COMMIT_BEFORE_SHA ==
+    # "0000000000000000000000000000000000000000") or if the pipeline was manually triggered via the web UI but only if
+    # we're using the merge request workflow.
+    - if: ($CI_COMMIT_BEFORE_SHA == "0000000000000000000000000000000000000000" || $CI_PIPELINE_SOURCE == "web") && $USE_MERGE_REQUEST_RELEASE_FLOW
+      when: never
+    # When using the merge request workflow, this release job should only trigger for pipelines on the default branch or
+    # branches starting "hotfix-" and only if the automated release bot commit was merged as the most recent commit.
+    - if: ($CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /^hotfix-.*$/i) && $USE_MERGE_REQUEST_RELEASE_FLOW && $CI_COMMIT_MESSAGE =~ /chore\(release\)/
+    # If we're using the merge request workflow but all previous rules have not matched then we do not run the
+    # release job. 
+    - if: $USE_MERGE_REQUEST_RELEASE_FLOW
+      when: never
+    # Finally, we can assume we're running in the default mode and we simply run this release job if we are on the
+    # default branch or a branch starting "hotfix-". Note that we don't run the job if the last commit was the release
+    # commit by the bot account otherwise we'll get stuck in an infinite loop.
+    - if: ($CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /^hotfix-.*$/i) && $CI_COMMIT_MESSAGE !~ /chore\(release\)/