diff --git a/.github/environments.json b/.github/environments.json new file mode 100644 index 00000000..2cbf5700 --- /dev/null +++ b/.github/environments.json @@ -0,0 +1,23 @@ +{ + "Develop": { + "deployment_branch_policy": { + "protected_branches": false, + "custom_branch_policies": true + }, + "reviewers": [], + "wait_timer": 0 + }, + "Production": { + "deployment_branch_policy": { + "protected_branches": false, + "custom_branch_policies": true + }, + "reviewers": [], + "wait_timer": 0 + }, + "github-pages": { + "deployment_branch_policy": null, + "reviewers": [], + "wait_timer": 0 + } +} diff --git a/.github/protection.json b/.github/protection.json index ba49d1ca..987fa795 100644 --- a/.github/protection.json +++ b/.github/protection.json @@ -1,4 +1,19 @@ { + "develop": { + "allow_deletions": false, + "allow_force_pushes": false, + "enforce_admins": false, + "required_pull_request_reviews": { + "dismiss_stale_reviews": false, + "require_code_owner_reviews": false, + "required_approving_review_count": 1 + }, + "required_status_checks": { + "contexts": [], + "strict": true + }, + "restrictions": null + }, "main": { "allow_deletions": false, "allow_force_pushes": false, diff --git a/.github/workflows/draft.yml b/.github/workflows/draft.yml deleted file mode 100644 index f5d7ee65..00000000 --- a/.github/workflows/draft.yml +++ /dev/null @@ -1,27 +0,0 @@ -name: Draft Release - -on: - pull_request: - branches: - - main - types: - - closed - -jobs: - update: - if: github.event.pull_request.merged == true && !contains(github.head_ref, 'release/') - - runs-on: ubuntu-latest - - steps: - - name: Checkout - uses: actions/checkout@v6 - - - name: Update Draft Release - uses: release-drafter/release-drafter@v6 - with: - config-name: release-drafter.yml - disable-autolabeler: true - publish: false - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/gh-deploy.yml b/.github/workflows/gh-deploy.yml index 27cecc5a..57ffec7a 100644 
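Review bot: `Production` is declared with `"reviewers": []` and `"wait_timer": 0`, so the environment adds no approval gate of its own; any workflow run that names `environment: Production` and satisfies the branch policy gets that environment's secrets immediately. If a human release gate is intended, the `reviewers` array is where the required reviewer entries go, and a non-zero `wait_timer` gives a cancellation window. `github-pages` sets `"deployment_branch_policy": null`, which explicitly removes any branch restriction for that environment rather than leaving it unset; since JSON cannot carry a comment, that intent is worth stating in the workflow step that applies this file.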
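Review bot: The new `develop` rule lists `"contexts": []` under `required_status_checks`, so no check has to pass before merge (with an empty list `"strict": true` has little to enforce), and `"enforce_admins": false` lets administrators bypass the rule entirely. Because this same commit makes `develop` the default branch and the push trigger for the GHCR publish workflows, `develop`'s protection is now what stands between a merged PR and a published image; consider naming the CI check contexts here and, if admins should not bypass, `"enforce_admins": true`. The existing `main` rule continues outside the hunk, so whether it differs cannot be seen from here.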
--- a/.github/workflows/gh-deploy.yml +++ b/.github/workflows/gh-deploy.yml @@ -20,6 +20,8 @@ jobs: deploy: runs-on: ubuntu-latest + environment: github-pages + steps: - name: Checkout uses: actions/checkout@v6 diff --git a/.github/workflows/publish-app.yml b/.github/workflows/publish-app.yml index 97eb7be2..50dd929d 100644 --- a/.github/workflows/publish-app.yml +++ b/.github/workflows/publish-app.yml @@ -3,7 +3,7 @@ name: Publish App to GHCR on: push: branches: - - main + - develop paths: - ".github/workflows/publish-app.yml" - ".python-version" diff --git a/.github/workflows/publish-devcontainer.yml b/.github/workflows/publish-devcontainer.yml index 2715e24d..7b2a950e 100644 --- a/.github/workflows/publish-devcontainer.yml +++ b/.github/workflows/publish-devcontainer.yml @@ -3,7 +3,7 @@ name: Publish Devcontainer to GHCR on: push: branches: - - main + - develop paths: - ".devcontainer/Dockerfile" - ".github/workflows/publish-devcontainer.yml" diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index f849302e..78e7ebe4 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -3,6 +3,7 @@ name: Release on: pull_request: branches: + - develop - main types: - closed @@ -12,11 +13,33 @@ permissions: pull-requests: read jobs: - publish: - if: github.event.pull_request.merged == true && contains(github.head_ref, 'release/') + develop: + if: github.event.pull_request.merged == true && github.base_ref == 'develop' runs-on: ubuntu-latest + environment: Develop + + steps: + - name: Checkout + uses: actions/checkout@v6 + + - name: Update Draft Release + uses: release-drafter/release-drafter@v6 + with: + config-name: release-drafter.yml + disable-autolabeler: true + publish: false + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + production: + if: github.event.pull_request.merged == true && github.base_ref == 'main' + + runs-on: ubuntu-latest + + environment: Production + steps: - name: Checkout uses: actions/checkout@v6 
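Review bot: Moving the trigger from `main` to `develop` means every push to `develop` now publishes an image to GHCR (the same change is made in publish-devcontainer.yml), so pre-release builds land under whatever tags the build step assigns. The tagging step is outside the hunk; if it applies a floating tag such as `latest`, consumers pulling that tag would receive unreleased code from `develop`. If that is not intended, tag builds from `develop` with a distinct channel (branch name or commit SHA) and keep the release tag for builds from `main`.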
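Review bot: The `production` job's condition drops the old `contains(github.head_ref, 'release/')` guard, so any merged PR into `main` (a hotfix branch, a revert) now runs the production path, not only release branches. If only `develop`-to-`main` merges should release, the condition should read `if: github.event.pull_request.merged == true && github.base_ref == 'main' && github.head_ref == 'develop'`; the job's remaining steps and what they publish are outside the hunk, so the blast radius of an unintended run cannot be judged from here. `github.base_ref` and `github.head_ref` are only populated for `pull_request` events, which matches the trigger in this file.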
diff --git a/.github/workflows/setting.yml b/.github/workflows/setting.yml index df488bbf..06e8a0a5 100644 --- a/.github/workflows/setting.yml +++ b/.github/workflows/setting.yml @@ -4,6 +4,7 @@ on: pull_request: paths: - .github/workflows/setting.yml + - .github/environments.json - .github/protection.json schedule: - cron: "0 0 * * *" @@ -23,7 +24,9 @@ jobs: - name: Enable auto-delete head branches run: | - gh repo edit ${{ github.repository }} --delete-branch-on-merge + gh repo edit ${{ github.repository }} \ + --default-branch develop \ + --delete-branch-on-merge env: GH_TOKEN: ${{ steps.generate-token.outputs.token }} @@ -40,14 +43,15 @@ jobs: - name: Set GitHub Pages Source run: | - gh api -X POST "repos/${{ github.repository }}/pages" \ + gh api -X POST ${{ env.ENDPOINT }} \ -f "source[branch]=${{ env.BRANCH }}" \ -f "source[path]=${{ env.TARGET_PATH }}" --silent \ || \ - gh api -X PUT "repos/${{ github.repository }}/pages" \ + gh api -X PUT ${{ env.ENDPOINT }} \ -f "source[branch]=${{ env.BRANCH }}" \ -f "source[path]=${{ env.TARGET_PATH }}" env: + ENDPOINT: repos/${{ github.repository }}/pages BRANCH: gh-pages TARGET_PATH: / GH_TOKEN: ${{ steps.generate-token.outputs.token }} 
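Review bot: The rewritten commands replace shell variable references with inline expansions (`gh api -X POST ${{ env.ENDPOINT }}` here, and `${{ env.CONFIG_FILE }}` / `${{ env.ENDPOINT }}` in the later `Apply Branch Protection Rules` and `Configure Environment` hunks), which reverses the usual hardening practice: values already exported through `env:` are safer read as `"$ENDPOINT"` / `"$CONFIG_FILE"`, because an inline expression is substituted into the script text before the shell parses it and becomes an injection point the moment one of those values is later sourced from an event field. Today they derive from `github.repository`, fixed strings and matrix constants, so this is a style and hardening point rather than a live defect; `gh api -X POST "$ENDPOINT"` also restores the quoting the old line had. Separately, `--default-branch develop` moves scheduled runs of this workflow, including the App token it mints from `secrets.APP_KEY`, onto `develop`, so the protection rule on `develop` now guards the workflow that holds the App credential; a comment on that step, e.g. `# default branch also hosts the scheduled runs of this workflow`, would make that dependency visible.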
@@ -68,21 +72,75 @@ jobs: - name: Apply Branch Protection Rules run: | - if [ ! -f "$CONFIG_FILE" ]; then - echo "Error: $CONFIG_FILE not found!" + if [ ! -f ${{ env.CONFIG_FILE }} ]; then + echo "Error: ${{ env.CONFIG_FILE }} not found!" exit 1 fi - BRANCHES=$(jq -r 'keys[]' "$CONFIG_FILE") + BRANCHES=$(jq -r 'keys[]' ${{ env.CONFIG_FILE }}) for BRANCH in $BRANCHES; do - if ! gh api "repos/${{ github.repository }}/branches/$BRANCH" --silent >/dev/null 2>&1; then - echo "Warning: Branch '$BRANCH' does not exist in this repository. Skipping..." + if ! gh api "${{ env.ENDPOINT }}/$BRANCH" --silent >/dev/null 2>&1; then + echo "Warning: Branch $BRANCH does not exist in this repository. Skipping..." continue fi - jq -c ".\"$BRANCH\"" "$CONFIG_FILE" | gh api -X PUT "repos/${{ github.repository }}/branches/$BRANCH/protection" --input - + jq -c ".\"$BRANCH\"" ${{ env.CONFIG_FILE }} | gh api -X PUT "${{ env.ENDPOINT }}/$BRANCH/protection" --input - done env: CONFIG_FILE: .github/protection.json + ENDPOINT: repos/${{ github.repository }}/branches + GH_TOKEN: ${{ steps.generate-token.outputs.token }} + + environments: + runs-on: ubuntu-latest + + strategy: + matrix: + include: + - environment: Develop + branch: develop + - environment: Production + branch: main + - environment: github-pages + branch: gh-pages + + steps: + - name: Checkout + uses: actions/checkout@v6 + + - name: Generate a token + id: generate-token + uses: actions/create-github-app-token@v2 + with: + app-id: ${{ vars.APP_ID }} + private-key: ${{ secrets.APP_KEY }} + + - name: Configure Environment + run: | + if [ ! -f ${{ env.CONFIG_FILE }} ]; then + echo "Error: ${{ env.CONFIG_FILE }} not found!" 
+ exit 1 + fi + + jq -c ".\"${{ env.ENVIRONMENT_NAME }}\"" ${{ env.CONFIG_FILE }} | gh api -X PUT "${{ env.ENDPOINT }}/${{ env.ENVIRONMENT_NAME }}" --input - + + CUSTOM_BRANCH_POLICIES=$(jq -r ".\"${{ env.ENVIRONMENT_NAME }}\".deployment_branch_policy.custom_branch_policies" ${{ env.CONFIG_FILE }}) + + if [ "$CUSTOM_BRANCH_POLICIES" != true ]; then + IDS=$(gh api "${{ env.ENDPOINT }}/${{ env.ENVIRONMENT_NAME }}/deployment-branch-policies" --jq '.branch_policies[].id' || true) + for ID in $IDS; do + gh api -X DELETE "${{ env.ENDPOINT }}/${{ env.ENVIRONMENT_NAME }}/deployment-branch-policies/$ID" --silent || true + done + exit 0 + fi + + gh api -X POST "${{ env.ENDPOINT }}/${{ env.ENVIRONMENT_NAME }}/deployment-branch-policies" \ + -f "name=${{ env.BRANCH_NAME }}" \ + -f "type=branch" + env: + CONFIG_FILE: .github/environments.json + BRANCH_NAME: ${{ matrix.branch }} + ENDPOINT: repos/${{ github.repository }}/environments + ENVIRONMENT_NAME: ${{ matrix.environment }} GH_TOKEN: ${{ steps.generate-token.outputs.token }}
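Review bot: When `custom_branch_policies` is true, `Configure Environment` only POSTs the matrix branch and never removes policies that are no longer in the matrix, so a branch previously granted deployment to `Production` stays allowed after the matrix changes; the `!= true` branch already lists and deletes, so the same reconciliation could run before the POST. The POST is also repeated on every scheduled run; if the API rejects a duplicate policy name, the job fails from the second run onward, and checking the listed `branch_policies[].name` first avoids both problems. The `|| true` on the DELETE loop additionally turns a failed removal into a green run. A reconciling version that reads the `env:` values as shell variables could look like this (the list call keeps the existing `|| true` since the hunk suggests it may fail for an environment without policies):

```yaml
          # … unchanged: CONFIG_FILE check, environment PUT, CUSTOM_BRANCH_POLICIES lookup …
          # Reconcile: keep only the matrix branch (nothing when custom policies are off),
          # delete every other policy, and create the branch policy only if it is missing.
          POLICIES=$(gh api "$ENDPOINT/$ENVIRONMENT_NAME/deployment-branch-policies" \
            --jq '.branch_policies[] | "\(.id) \(.name)"' || true)
          FOUND=false
          while read -r ID NAME; do
            [ -z "$ID" ] && continue
            if [ "$CUSTOM_BRANCH_POLICIES" = true ] && [ "$NAME" = "$BRANCH_NAME" ]; then
              FOUND=true
            else
              gh api -X DELETE "$ENDPOINT/$ENVIRONMENT_NAME/deployment-branch-policies/$ID" --silent
            fi
          done <<< "$POLICIES"
          if [ "$CUSTOM_BRANCH_POLICIES" = true ] && [ "$FOUND" = false ]; then
            gh api -X POST "$ENDPOINT/$ENVIRONMENT_NAME/deployment-branch-policies" \
              -f "name=$BRANCH_NAME" \
              -f "type=branch"
          fi
          # … unchanged: env block …
```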