codeql-action/.github/workflows/post-release-mergeback.yml

# This workflow runs after a release of the action. For v2 releases, it merges any changes from the
# release back into the main branch. Typically, this is just a single commit that updates the
# changelog. For v2 and v1 releases, it then (a) tags the merge commit on the release branch that
# represents the new release with an `vx.y.z` tag and (b) updates the `vx` tag to refer to this
# commit.
name: Tag release and merge back

on:
  workflow_dispatch:
    inputs:
      baseBranch:
        description: 'The base branch to merge into'
        default: main
        required: false

  push:
    branches:
      - releases/v1
      - releases/v2

jobs:
  merge-back:
    runs-on: ubuntu-latest
    if: github.repository == 'github/codeql-action'
    env:
      BASE_BRANCH: "${{ github.event.inputs.baseBranch || 'main' }}"
      HEAD_BRANCH: "${{ github.head_ref || github.ref }}"

    steps:
      - name: Dump environment
        run: env

      - name: Dump GitHub context
        env:
          GITHUB_CONTEXT: '${{ toJson(github) }}'
        run: echo "${GITHUB_CONTEXT}"

      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3

      - name: Update git config
        run: |
          git config --global user.email "github-actions@github.com"
          git config --global user.name "github-actions[bot]"

      - name: Get version and new branch
        id: getVersion
        run: |
          VERSION="v$(jq '.version' -r 'package.json')"
          echo "::set-output name=version::${VERSION}"
          short_sha="${GITHUB_SHA:0:8}"
          NEW_BRANCH="mergeback/${VERSION}-to-${BASE_BRANCH}-${short_sha}"
          echo "::set-output name=newBranch::${NEW_BRANCH}"


      - name: Dump branches
        env:
          NEW_BRANCH: "${{ steps.getVersion.outputs.newBranch }}"
        run: |
          echo "BASE_BRANCH ${BASE_BRANCH}"
          echo "HEAD_BRANCH ${HEAD_BRANCH}"
          echo "NEW_BRANCH ${NEW_BRANCH}"

      - name: Create mergeback branch
        env:
          NEW_BRANCH: "${{ steps.getVersion.outputs.newBranch }}"
        run: |
          git checkout -b "${NEW_BRANCH}"

      - name: Check for tag
        id: check
        env:
          VERSION: "${{ steps.getVersion.outputs.version }}"
        run: |
          set +e # don't fail on an errored command
          git ls-remote --tags origin | grep "${VERSION}"
          exists="$?"
          if [ "${exists}" -eq 0 ]; then
            echo "Tag ${VERSION} exists. Not going to re-release."
            echo "::set-output name=exists::true"
          else
            echo "Tag ${VERSION} does not exist yet."
          fi

      # we didn't tag the release during the update-release-branch workflow because the
      # commit that actually makes it to the release branch is a merge commit,
      # and not yet known during the first workflow. We tag now because we know the correct commit.
      - name: Tag release
        if: steps.check.outputs.exists != 'true'
        env:
          VERSION: ${{ steps.getVersion.outputs.version }}
        run: |
          # Unshallow the repo in order to allow pushes
          git fetch --unshallow
          # Create the `vx.y.z` tag
          git tag --annotate "${VERSION}" --message "${VERSION}"
          # Update the `vx` tag
          major_version_tag=$(cut -d '.' -f1 <<< "${VERSION}")
          # Use `--force` to overwrite the major version tag
          git tag --annotate "${major_version_tag}" --message "${major_version_tag}" --force
          # Push the tags, using:
          # - `--atomic` to make sure we either update both tags or neither (an intermediate state,
          #   e.g. where we update the v2.x.y tag on the remote but not the v2 tag, could result in
          #   unwanted Dependabot updates, e.g. from v2 to v2.x.y)
          # - `--force` since we're overwriting the `vx` tag
          git push origin --atomic --force refs/tags/"${VERSION}" refs/tags/"${major_version_tag}"

      - name: Create mergeback branch
        if: steps.check.outputs.exists != 'true' && contains(github.ref, 'releases/v2')
        env:
          VERSION: "${{ steps.getVersion.outputs.version }}"
          NEW_BRANCH: "${{ steps.getVersion.outputs.newBranch }}"
          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
        run: |
          set -exu
          pr_title="Mergeback ${VERSION} ${HEAD_BRANCH} into ${BASE_BRANCH}"
          pr_body="Updates version and changelog."

          # Update the version number ready for the next release
          npm version patch --no-git-tag-version

          # Update the changelog
          perl -i -pe 's/^/## \[UNRELEASED\]\n\nNo user facing changes.\n\n/ if($.==3)' CHANGELOG.md
          git add .
          git commit -m "Update changelog and version after ${VERSION}"

          git push origin "${NEW_BRANCH}"

          # PR checks won't be triggered on PRs created by Actions. Therefore mark the PR as draft
          # so that a maintainer can take the PR out of draft, thereby triggering the PR checks.
          gh pr create \
            --head "${NEW_BRANCH}" \
            --base "${BASE_BRANCH}" \
            --title "${pr_title}" \
            --label "Update dependencies" \
            --body "${pr_body}" \
            --draft