ci: updated branches and dev process#1704
Tbaile wants to merge 1 commit into
Pull request overview
This PR updates NethSecurity’s CI/CD and documentation to support a branch-based release flow, adding testing and stable as automated publishing branches and removing the previous tag/manual “release stable packages” workflow approach.
Changes:
- Extend `build-image` workflow triggers to `testing`/`stable`, adjust version suffixing, and avoid overwriting existing `stable`/`testing` image artifacts.
- Remove legacy workflows for “release stable packages” and subscription syncing.
- Update docs and cleanup tooling to reflect the new version format and release process.
Reviewed changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| `tools/cleanup/cleanup.py` | Updates dev-build timestamp extraction to support the new prerelease segment format. |
| `docs/development_process.md` | Updates the documented stable release flow to branch-merge driven publishing and revises manual release guidance. |
| `docs/build/index.md` | Clarifies build defaults/variable behavior wording. |
| `build.conf.defaults` | Removes `REPO_CHANNEL` default from versioned defaults. |
| `AGENTS.md` | Updates CI/release documentation table and stable release steps (but needs a correction for PR builds). |
| `.github/workflows/subscription.yml` | Removes the workflow that synced stable → subscription on a schedule. |
| `.github/workflows/release-stable.yml` | Removes the manual dev → stable package sync workflow. |
| `.github/workflows/cleanup-branch.yml` | Adjusts cleanup logic to purge PR-numbered channels and exempts `testing`. |
| `.github/workflows/build-image.yml` | Implements branch-based publishing (`main`→`dev`, `testing`/`stable`→respective channels) and conditional image artifact upload. |
Fragment of the CI/release table in `AGENTS.md` as shown in the diff view:

| Trigger | Channel | Version format |
|---|---|---|
| Push to `main` | `dev` | `<base>-dev.<run>.<timestamp>.<hash>` |
| Push to `testing` | `testing` | `<base>` |
| Push to `stable` | `stable` | `<base>` |
| PR branch | branch-named | `<base>-<branch>.<run>.<timestamp>.<hash>` |
Fragment of the manual release guidance in `docs/development_process.md` as shown in the diff view:

```sh
podman exec -ti parceler-php php artisan repository:snapshots nethsecurity
```

Let's assume the latest snapshot is `2024-10-02T08:43:17+02:00`.

2. If you want to push all the packages to all firewalls without waiting for the tier period, execute:
Proposal changes of dev processes
At the moment the dev process is as follows:

- `main` produces a DEV build. This dev build is used for testing only.

The current proposal is to automatically push the packages and images when merged to specified branches:

- `main` doesn't change: it's the dev branch and won't be touched, processes here happen as they always have been.
- `pr`: pull requests also don't actually change.
- `testing`: introducing this branch to allow us to have a testing channel for some partners and/or specified machines on which we want to test the not-ready-to-release packages. This will be updated by merging the content of `main` or cherry-picking the changes.
- `stable`: stable is to release packages to the public, stable channel. This can be used to release from `testing` or directly from `main`. Once this has been released, `main` and `testing` need to be rebased onto this branch, allowing changes already merged to be synced to the other channels.

When releasing to `stable` or `testing`, images are not written over if they're already present in the remote channel. I've considered the need for a rewrite of the image a complete edge case with no clear path forward at the moment. The solution to this is a manual build and manual copy. This can however be changed by adding a flag to the CI that forces the image push; this is not implemented at the moment.

TAGS: tags have been removed from the build process since, as I've noted above, a botched build that gets pushed requires rewriting history. Releases, however, still need to be made to save the SBOM and manifest.
My proposal is to use TAGS just for releases and tie them up to the stable branch instead of the main one.
Note: not all documentation is up to date; if this draft goes forward I'll look into changing that. It is not applied at the moment due to uncertainty and the changes to be applied if the draft gets updated.
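As an added example that is not code from NethSecurity or this PR: a parser for the version layout in the `AGENTS.md` table above (`<base>-dev.<run>.<timestamp>.<hash>` for `main`, `<base>-<branch>.<run>.<timestamp>.<hash>` for PR branches, bare `<base>` for `testing`/`stable`), which is the kind of split a cleanup tool needs to pull the timestamp out of a dev build, plus the "never overwrite a `testing`/`stable` image" rule from the proposal. The digit layout of `<timestamp>`, the hex `<hash>` and every sample version and image name are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Prerelease segment as described in the PR's CI table. <base> may itself contain
# '-' and '.', so it is matched non-greedily and the segment is anchored at the end.
# Assumed (not given by the page): <timestamp> is a run of digits, <hash> is hex.
_PRERELEASE = re.compile(
    r"^(?P<base>.+?)-(?P<channel>[^.]+)\.(?P<run>\d+)\.(?P<timestamp>\d+)\.(?P<hash>[0-9a-f]+)$"
)


@dataclass(frozen=True)
class Version:
    base: str
    channel: Optional[str]      # "dev", a PR branch name, or None for a bare <base>
    run: Optional[int]
    timestamp: Optional[str]    # kept as a string; its layout is an assumption
    hash: Optional[str]


def parse_version(text: str) -> Version:
    """Split a package version into <base> and its prerelease fields."""
    m = _PRERELEASE.match(text)
    if m is None:
        # No prerelease segment: the form testing/stable publish.
        return Version(base=text, channel=None, run=None, timestamp=None, hash=None)
    return Version(base=m["base"], channel=m["channel"], run=int(m["run"]),
                   timestamp=m["timestamp"], hash=m["hash"])


def should_upload_image(channel: str, image: str, remote_images: set[str]) -> bool:
    """Proposal rule: testing/stable images already present in the remote channel
    are left untouched; dev and PR-branch images are always replaced."""
    if channel in ("testing", "stable"):
        return image not in remote_images
    return True


if __name__ == "__main__":
    # Constructed sample versions following the table's layout.
    for sample in ("8-24.10.0-dev.12.20241002084317.abc1234",
                   "8-24.10.0-fix-cleanup.7.20241003090000.deadbee",
                   "8-24.10.0"):
        print(sample, "->", parse_version(sample))
    print(should_upload_image("stable", "ns.img.gz", {"ns.img.gz"}))   # False
```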