tum
/
soc


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143
							name: Repository bumper
run-name: Bump ${{ github.ref_name }} (${{ inputs.id }})

on:
  workflow_dispatch:
    inputs:
      version:
        description: 'Target version (e.g. 1.2.3)'
        default: ''
        required: false
        type: string
      stage:
        description: 'Version stage (e.g. alpha0)'
        default: ''
        required: false
        type: string
      tag:
        description: 'Change branches references to tag-like references (e.g. v4.12.0-alpha7)'
        default: false
        required: false
        type: boolean
      issue-link:
        description: 'Issue link in format https://github.com/wazuh/<REPO>/issues/<ISSUE-NUMBER>'
        required: true
        type: string
      id:
        description: 'Optional identifier for the run'
        required: false
        type: string

jobs:
  bump:
    name: Repository bumper
    runs-on: ubuntu-22.04
    permissions:
      contents: write
      pull-requests: write

    env:
      CI_COMMIT_AUTHOR: wazuhci
      CI_COMMIT_EMAIL: 22834044+wazuhci@users.noreply.github.com
      CI_GPG_PRIVATE_KEY: ${{ secrets.CI_WAZUHCI_GPG_PRIVATE }}
      GH_TOKEN: ${{ secrets.CI_WAZUHCI_BUMPER_TOKEN }}
      BUMP_SCRIPT_PATH: tools/repository_bumper.sh
      BUMP_LOG_PATH: tools

    steps:
      - name: Dump event payload
        run: |
          cat $GITHUB_EVENT_PATH | jq '.inputs'

      - name: Set up GPG key
        id: signing_setup
        run: |
          echo "${{ env.CI_GPG_PRIVATE_KEY }}" | gpg --batch --import
          KEY_ID=$(gpg --list-secret-keys --with-colons | awk -F: '/^sec/ {print $5; exit}')
          echo "gpg_key_id=$KEY_ID" >> $GITHUB_OUTPUT

      - name: Set up git
        run: |
          git config --global user.name "${{ env.CI_COMMIT_AUTHOR }}"
          git config --global user.email "${{ env.CI_COMMIT_EMAIL }}"
          git config --global commit.gpgsign true
          git config --global user.signingkey "${{ steps.signing_setup.outputs.gpg_key_id }}"
          echo "use-agent" >> ~/.gnupg/gpg.conf
          echo "pinentry-mode loopback" >> ~/.gnupg/gpg.conf
          echo "allow-loopback-pinentry" >> ~/.gnupg/gpg-agent.conf
          echo RELOADAGENT | gpg-connect-agent
          export DEBIAN_FRONTEND=noninteractive
          export GPG_TTY=$(tty)

      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          # Using workflow-specific GITHUB_TOKEN because currently CI_WAZUHCI_BUMPER_TOKEN
          # doesn't have all the necessary permissions
          token: ${{ env.GH_TOKEN }}

      - name: Determine branch name
        id: vars
        env:
          VERSION: ${{ inputs.version }}
          STAGE: ${{ inputs.stage }}
          TAG: ${{ inputs.tag }}
        run: |
          script_params=""
          version=${{ env.VERSION }}
          stage=${{ env.STAGE }}
          tag=${{ env.TAG }}

          # Both version and stage provided
          if [[ -n "$version" && -n "$stage" && "$tag" != "true" ]]; then
            script_params="--version ${version} --stage ${stage}"
          elif [[ -n "$version" && -n "$stage" && "$tag" == "true" ]]; then
            script_params="--version ${version} --stage ${stage} --tag ${tag}"
          fi

          issue_number=$(echo "${{ inputs.issue-link }}" | awk -F'/' '{print $NF}')
          BRANCH_NAME="enhancement/wqa${issue_number}-bump-${{ github.ref_name }}"
          echo "branch_name=$BRANCH_NAME" >> $GITHUB_OUTPUT
          echo "script_params=${script_params}" >> $GITHUB_OUTPUT

      - name: Create and switch to bump branch
        run: |
          git checkout -b ${{ steps.vars.outputs.branch_name }}

      - name: Make version bump changes
        run: |
          echo "Running bump script"
          bash ${{ env.BUMP_SCRIPT_PATH }} ${{ steps.vars.outputs.script_params }}

      - name: Commit and push changes
        run: |
          git add .
          git commit -m "feat: bump ${{ github.ref_name }}"
          git push origin ${{ steps.vars.outputs.branch_name }}

      - name: Create pull request
        id: create_pr
        run: |
          gh auth setup-git
          PR_URL=$(gh pr create \
            --title "Bump ${{ github.ref_name }} branch" \
            --body "Issue: ${{ inputs.issue-link }}" \
            --base ${{ github.ref_name }} \
            --head ${{ steps.vars.outputs.branch_name }})

          echo "Pull request created: ${PR_URL}"
          echo "pull_request_url=${PR_URL}" >> $GITHUB_OUTPUT

      - name: Merge pull request
        run: |
          # Any checks for the PR are bypassed since the branch is expected to be functional (i.e. the bump process does not introduce any bugs)
          gh pr merge "${{ steps.create_pr.outputs.pull_request_url }}" --merge --admin

      - name: Show logs
        run: |
          echo "Bump complete."
          echo "Branch: ${{ steps.vars.outputs.branch_name }}"
          echo "PR: ${{ steps.create_pr.outputs.pull_request_url }}"
          echo "Bumper scripts logs:"
          cat ${BUMP_LOG_PATH}/repository_bumper*log