Remove github_token input, correct for SBOM file placement (#1391 )

* Remove github_token input Inputs need to be literal, static values. Instead we should simply use `${{ secrets.GITHUB_TOKEN }}` which is resolved at runtime * Copy over generated SBOM files The SBOM generator currently outputs the files at the workspace root.
Make the Github token optional (#1390 )
2026-05-12 11:42:57 -04:00 · 2026-03-30 23:47:57 +00:00 · 2026-03-30 16:16:16 -07:00 · 2026-03-30 15:52:02 -07:00 · 2026-03-30 14:50:31 -07:00
1 changed files with 104 additions and 14 deletions
--- a/.github/workflows/auto-release.yml
+++ b/.github/workflows/auto-release.yml
@ -19,6 +19,8 @@ on:
 jobs:
  release-packager:
    permissions:
+      contents: write
+      pull-requests: write
      id-token: write
    name: Release Packager
    runs-on: ubuntu-latest
@ -31,6 +33,16 @@ jobs:
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

+      - name: Install GitHub CLI
+        run: |
+          command -v gh >/dev/null 2>&1 || {
+            curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg | sudo dd of=/usr/share/keyrings/githubcli-archive-keyring.gpg
+            sudo chmod go+r /usr/share/keyrings/githubcli-archive-keyring.gpg
+            echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" | sudo tee /etc/apt/sources.list.d/github-cli.list > /dev/null
+            sudo apt update
+            sudo apt install gh
+          }
+
      # Currently FreeRTOS/.github/scripts houses the release script. Download it for upcoming usage
      - name: Checkout FreeRTOS Release Tools
        uses: actions/checkout@v4.1.1
@ -52,15 +64,23 @@ jobs:
          git config --global user.name "$ACTOR"
          git config --global user.email "$ACTOR"@users.noreply.github.com

-      - name: create a new branch that references commit id
+      - name: Create version branch
        env:
          VERSION_NUMBER: ${{ github.event.inputs.version_number }}
          COMMIT_ID: ${{ github.event.inputs.commit_id }}
        working-directory: ./local_kernel
        run: |
          git checkout -b "$VERSION_NUMBER" "$COMMIT_ID"
+          git push -u origin "$VERSION_NUMBER"
          echo "COMMIT_SHA_1=$(git rev-parse HEAD)" >> $GITHUB_ENV

+      - name: Create release preparation branch
+        env:
+          VERSION_NUMBER: ${{ github.event.inputs.version_number }}
+        working-directory: ./local_kernel
+        run: |
+          git checkout -b "release-prep-$VERSION_NUMBER"
+
      - name: Update source files with version info
        env:
          VERSION_NUMBER: ${{ github.event.inputs.version_number }}
@ -73,7 +93,7 @@ jobs:
          ./tools/.github/scripts/update_src_version.py FreeRTOS --kernel-repo-path=local_kernel --kernel-commit="$COMMIT_SHA_1" --new-kernel-version="$VERSION_NUMBER" --new-kernel-main-br-version="$MAIN_BR_VERSION_NUMBER"
          exit $?

-      - name : Update version number in manifest.yml
+      - name: Update version number in manifest.yml
        env:
          VERSION_NUMBER: ${{ github.event.inputs.version_number }}
        working-directory: ./local_kernel
@ -81,29 +101,92 @@ jobs:
          ./.github/scripts/manifest_updater.py -v "$VERSION_NUMBER"
          exit $?

-      - name : Commit version number change in manifest.yml
+      - name: Commit and push release preparation branch
        env:
          VERSION_NUMBER: ${{ github.event.inputs.version_number }}
        working-directory: ./local_kernel
        run: |
+          # The update_src_version.py script detaches HEAD by checking out a SHA.
+          # Re-attach HEAD to the release prep branch, keeping all commits.
+          git branch -f "release-prep-$VERSION_NUMBER" HEAD
+          git checkout "release-prep-$VERSION_NUMBER"
+
          git add .
-          git commit -m '[AUTO][RELEASE]: Update version number in manifest.yml'
-          git push -u origin "$VERSION_NUMBER"
+          if git diff --cached --quiet; then
+            echo "No new changes to commit — source files and manifest already up to date."
+          else
+            git commit -m '[AUTO][RELEASE]: Update version number in manifest.yml and source files'
+          fi
+          git push -u origin "release-prep-$VERSION_NUMBER"
+
+      - name: Create pull request
+        env:
+          VERSION_NUMBER: ${{ github.event.inputs.version_number }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          REPO_FULL_NAME: ${{ github.repository }}
+        working-directory: ./local_kernel
+        run: |
+          PR_URL=$(gh pr create \
+            --repo "$REPO_FULL_NAME" \
+            --base "$VERSION_NUMBER" \
+            --head "release-prep-$VERSION_NUMBER" \
+            --title "[AUTO][RELEASE]: Release $VERSION_NUMBER" \
+            --body "Automated release preparation for $VERSION_NUMBER. Updates version numbers in source files and manifest.yml.")
+          echo "PR_URL=$PR_URL" >> $GITHUB_ENV
+
+      - name: Wait for PR to be merged
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          REPO_FULL_NAME: ${{ github.repository }}
+        working-directory: ./local_kernel
+        run: |
+          PR_NUMBER=$(echo "$PR_URL" | grep -oE '[0-9]+$')
+          while true; do
+            STATE=$(gh pr view "$PR_NUMBER" --repo "$REPO_FULL_NAME" --json state --jq .state)
+            if [ "$STATE" = "MERGED" ]; then
+              echo "PR merged successfully"
+              break
+            elif [ "$STATE" = "CLOSED" ]; then
+              echo "Error: PR was closed without merging"
+              exit 1
+            fi
+            echo "Waiting for PR to be merged... (current state: $STATE)"
+            sleep 30
+          done
+
+      - name: Re-checkout after merge
+        uses: actions/checkout@v4.1.1
+        with:
+          path: local_kernel
+          ref: ${{ github.event.inputs.version_number }}
+          fetch-depth: 0

      - name: Generate SBOM
        uses: FreeRTOS/CI-CD-Github-Actions/sbom-generator@main
        with:
-          repo_path: ./local_kernel
-          source_path: ./
+          directory: ./local_kernel
+          distribution-type: repository
+          creator: Amazon Web Services, Inc.
+          download-location: git+https://github.com/${{ github.repository_owner }}/${{ github.event.repository.name }}.git@${{ github.event.inputs.version_number }}
+          homepage: https://github.com/${{ github.repository_owner }}/${{ github.event.repository.name }}
+          namespace-prefix: https://github.com/${{ github.repository_owner }}/${{ github.event.repository.name }}/releases/download/${{ github.event.inputs.version_number }}/
+          include-file-hashes: true

-      - name: commit SBOM file
+      - name: Commit SBOM file
        env:
          VERSION_NUMBER: ${{ github.event.inputs.version_number }}
-        working-directory: ./local_kernel
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
+          # SBOM generator writes files to the workspace root — copy them into the repo
+          cp *SPDX* ./local_kernel/ 2>/dev/null || cp *spdx* ./local_kernel/ 2>/dev/null || true
+          cd ./local_kernel
          git add .
-          git commit -m '[AUTO][RELEASE]: Update SBOM'
-          git push -u origin "$VERSION_NUMBER"
+          if git diff --cached --quiet; then
+            echo "No SBOM changes to commit."
+          else
+            git commit -m '[AUTO][RELEASE]: Update SBOM'
+            git push -u origin "$VERSION_NUMBER"
+          fi
          echo "COMMIT_SHA_2=$(git rev-parse HEAD)" >> $GITHUB_ENV

      - name: Release
@ -127,10 +210,17 @@ jobs:
          artifact_path: ./FreeRTOS-KernelV${{ github.event.inputs.version_number }}.zip
          release_tag: ${{ github.event.inputs.version_number }}

-      - name: Cleanup
+      - name: Delete release preparation branch
+        if: always()
        env:
          VERSION_NUMBER: ${{ github.event.inputs.version_number }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        working-directory: ./local_kernel
        run: |
-          # Delete the branch created for Tag by SBOM generator
-          git push -u origin --delete "$VERSION_NUMBER"
+          # Only delete release-prep branch if the PR was already merged
+          PR_STATE=$(gh pr list --repo "${{ github.repository }}" --head "release-prep-$VERSION_NUMBER" --json state --jq '.[0].state' 2>/dev/null || echo "")
+          if [ "$PR_STATE" = "MERGED" ] || [ -z "$PR_STATE" ]; then
+            git push origin --delete "release-prep-$VERSION_NUMBER" || true
+          else
+            echo "Skipping release-prep branch deletion — PR is still open (state: $PR_STATE)"
+          fi
Author	SHA1	Message	Date
Kody Stribrny	2624889925	Remove github_token input, correct for SBOM file placement (#1391 ) * Remove github_token input Inputs need to be literal, static values. Instead we should simply use `${{ secrets.GITHUB_TOKEN }}` which is resolved at runtime * Copy over generated SBOM files The SBOM generator currently outputs the files at the workspace root.	2026-03-30 23:47:57 +00:00
Kody Stribrny	e365da1b12	Make the Github token optional (#1390 ) A default is useless when the variable is required.	2026-03-30 16:16:16 -07:00
Kody Stribrny	fb2ab8d575	Provide a default token value (#1389 )	2026-03-30 15:52:02 -07:00
Kody Stribrny	caee8b6a94	Updating Auto-Release Workflow (#1388 ) We no longer like the workflow writing to our repo	2026-03-30 14:50:31 -07:00