From 80ff337b1138e456dc0b5efe934271f958b69951 Mon Sep 17 00:00:00 2001 From: Kody Stribrny Date: Fri, 27 Mar 2026 15:01:23 -0700 Subject: [PATCH 1/7] Updating kernel release workflow We no longer like the workflow writing to our repo --- .github/workflows/auto-release.yml | 76 +++++++++++++++++++++++++----- 1 file changed, 65 insertions(+), 11 deletions(-) diff --git a/.github/workflows/auto-release.yml b/.github/workflows/auto-release.yml index 2cd6fde6e00..ae84d2f59e3 100644 --- a/.github/workflows/auto-release.yml +++ b/.github/workflows/auto-release.yml @@ -19,6 +19,8 @@ on: jobs: release-packager: permissions: + contents: write + pull-requests: write id-token: write name: Release Packager runs-on: ubuntu-latest @@ -31,6 +33,16 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + - name: Install GitHub CLI + run: | + command -v gh >/dev/null 2>&1 || { + curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg | sudo dd of=/usr/share/keyrings/githubcli-archive-keyring.gpg + sudo chmod go+r /usr/share/keyrings/githubcli-archive-keyring.gpg + echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" | sudo tee /etc/apt/sources.list.d/github-cli.list > /dev/null + sudo apt update + sudo apt install gh + } + # Currently FreeRTOS/.github/scripts houses the release script. Download it for upcoming usage - name: Checkout FreeRTOS Release Tools uses: actions/checkout@v4.1.1 
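Review bot: A pull request opened with the job's built-in GITHUB_TOKEN does not start `pull_request` workflows, so the PR the later steps of this job create will sit without CI checks for the human who is asked to merge it, and the `pull-requests: write` grant added here does not change that. If the release PR is meant to be validated before merge, the PR has to be created with a GitHub App installation token or a fine-grained PAT stored as a repository secret rather than with `secrets.GITHUB_TOKEN`. The `release-packager` job continues outside the hunk.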
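Review bot: The apt fallback in `Install GitHub CLI` cannot complete unattended: `sudo apt install gh` has no `-y`, so on a runner with no interactive stdin the confirmation prompt aborts the install and the step fails. The fallback also registers a third-party apt source after fetching its signing key with no fingerprint check and installs whichever `gh` version that source currently serves, an unpinned dependency inside a release job. Since the `ubuntu-latest` image already ships `gh`, the `command -v gh` guard makes the whole block dead in practice; either drop the step or make the fallback non-interactive with `sudo apt-get install -y gh` and pin the version you expect.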
@@ -52,13 +64,13 @@ jobs: git config --global user.name "$ACTOR" git config --global user.email "$ACTOR"@users.noreply.github.com - - name: create a new branch that references commit id + - name: Create release preparation branch env: VERSION_NUMBER: ${{ github.event.inputs.version_number }} COMMIT_ID: ${{ github.event.inputs.commit_id }} working-directory: ./local_kernel run: | - git checkout -b "$VERSION_NUMBER" "$COMMIT_ID" + git checkout -b "release-prep-$VERSION_NUMBER" "$COMMIT_ID" echo "COMMIT_SHA_1=$(git rev-parse HEAD)" >> $GITHUB_ENV - name: Update source files with version info @@ -73,7 +85,7 @@ jobs: ./tools/.github/scripts/update_src_version.py FreeRTOS --kernel-repo-path=local_kernel --kernel-commit="$COMMIT_SHA_1" --new-kernel-version="$VERSION_NUMBER" --new-kernel-main-br-version="$MAIN_BR_VERSION_NUMBER" exit $? - - name : Update version number in manifest.yml + - name: Update version number in manifest.yml env: VERSION_NUMBER: ${{ github.event.inputs.version_number }} working-directory: ./local_kernel 
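Review bot: `VERSION_NUMBER` is a `workflow_dispatch` input used here as a branch name with no format check, and the same value later becomes the release tag and the artifact file name. Passing it through `env:` and quoting it keeps it out of shell parsing, so the exposure is a mistyped or malformed version producing a stray branch, tag and release instead of a failed run. A guard at the top of the step, for example `[[ "$VERSION_NUMBER" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]] || { echo "invalid version: $VERSION_NUMBER"; exit 1; }` (constructed pattern, adjust to the project's version scheme), fails before anything is pushed. `$GITHUB_ENV` on the last added line should also be quoted, as the other steps pass it unquoted too.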
@@ -81,14 +93,53 @@ jobs: ./.github/scripts/manifest_updater.py -v "$VERSION_NUMBER" exit $? - - name : Commit version number change in manifest.yml + - name: Commit and push release preparation branch env: VERSION_NUMBER: ${{ github.event.inputs.version_number }} working-directory: ./local_kernel run: | git add . - git commit -m '[AUTO][RELEASE]: Update version number in manifest.yml' - git push -u origin "$VERSION_NUMBER" + git commit -m '[AUTO][RELEASE]: Update version number in manifest.yml and source files' + git push -u origin "release-prep-$VERSION_NUMBER" + + - name: Create pull request + env: + VERSION_NUMBER: ${{ github.event.inputs.version_number }} + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + working-directory: ./local_kernel + run: | + PR_URL=$(gh pr create \ + --base main \ + --head "release-prep-$VERSION_NUMBER" \ + --title "[AUTO][RELEASE]: Release $VERSION_NUMBER" \ + --body "Automated release preparation for $VERSION_NUMBER. Updates version numbers in source files and manifest.yml.") + echo "PR_URL=$PR_URL" >> $GITHUB_ENV + + - name: Wait for PR to be merged + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + working-directory: ./local_kernel + run: | + PR_NUMBER=$(echo "$PR_URL" | grep -oP '\d+$') + while true; do + STATE=$(gh pr view "$PR_NUMBER" --json state --jq .state) + if [ "$STATE" = "MERGED" ]; then + echo "PR merged successfully" + break + elif [ "$STATE" = "CLOSED" ]; then + echo "Error: PR was closed without merging" + exit 1 + fi + echo "Waiting for PR to be merged... (current state: $STATE)" + sleep 30 + done + + - name: Re-checkout after merge + uses: actions/checkout@v4.1.1 + with: + path: local_kernel + ref: main + fetch-depth: 0 - name: Generate SBOM uses: FreeRTOS/CI-CD-Github-Actions/sbom-generator@main 
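Review bot: The `Wait for PR to be merged` loop has no upper bound, so an unmerged PR keeps a runner occupied until GitHub's job time limit kills the job, and the cleanup step then runs against a PR that is still open; give the job a `timeout-minutes:` and cap the number of iterations. Separately, `Re-checkout after merge` checks out `ref: main` at whatever it points to when that step runs rather than the PR's merge commit, so anything pushed to `main` between the merge and the checkout silently becomes part of the release. Record the merge commit in the wait step, for example `echo "MERGE_SHA=$(gh pr view "$PR_NUMBER" --json mergeCommit --jq .mergeCommit.oid)" >> "$GITHUB_ENV"`, and check out that SHA. `PR_URL` is read from the environment written by the previous step, which only holds as long as the step order is kept.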
@@ -96,14 +147,15 @@ jobs: repo_path: ./local_kernel source_path: ./ - - name: commit SBOM file + - name: Commit SBOM file env: VERSION_NUMBER: ${{ github.event.inputs.version_number }} working-directory: ./local_kernel run: | + git checkout -b "release-$VERSION_NUMBER" git add . git commit -m '[AUTO][RELEASE]: Update SBOM' - git push -u origin "$VERSION_NUMBER" + git push -u origin "release-$VERSION_NUMBER" echo "COMMIT_SHA_2=$(git rev-parse HEAD)" >> $GITHUB_ENV - name: Release @@ -127,10 +179,12 @@ jobs: artifact_path: ./FreeRTOS-KernelV${{ github.event.inputs.version_number }}.zip release_tag: ${{ github.event.inputs.version_number }} - - name: Cleanup + - name: Delete release preparation branch + if: always() env: VERSION_NUMBER: ${{ github.event.inputs.version_number }} + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} working-directory: ./local_kernel run: | - # Delete the branch created for Tag by SBOM generator - git push -u origin --delete "$VERSION_NUMBER" + git push origin --delete "release-prep-$VERSION_NUMBER" || true + git push origin --delete "release-$VERSION_NUMBER" || true From 4582e77cd47fcf121fc25a20f7767a15f1ba159c Mon Sep 17 00:00:00 2001 From: Kody Stribrny Date: Fri, 27 Mar 2026 16:05:43 -0700 Subject: [PATCH 2/7] Revert - dev testing changes --- .github/workflows/auto-release.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/.github/workflows/auto-release.yml b/.github/workflows/auto-release.yml index ae84d2f59e3..c5eff0f727c 100644 --- a/.github/workflows/auto-release.yml +++ b/.github/workflows/auto-release.yml @@ -106,9 +106,11 @@ jobs: env: VERSION_NUMBER: ${{ github.event.inputs.version_number }} GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + REPO_FULL_NAME: ${{ github.repository }} working-directory: ./local_kernel run: | PR_URL=$(gh pr create \ + --repo "$REPO_FULL_NAME" \ --base main \ --head "release-prep-$VERSION_NUMBER" \ --title "[AUTO][RELEASE]: Release $VERSION_NUMBER" \ 
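Review bot: `git add .` in `Commit SBOM file` stages every file the SBOM generator left in `./local_kernel`, not only the SBOM, so scratch output or a modified tracked file would land in the release commit under the `[AUTO][RELEASE]: Update SBOM` message. Staging the generated file by path, `git add <path-to-generated-sbom>` (placeholder, the generator's output location is not visible here), keeps the commit to what its message claims, and a `git status --porcelain` printed before the commit leaves a record in the run log of what was included.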
@@ -118,11 +120,12 @@ jobs: - name: Wait for PR to be merged env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + REPO_FULL_NAME: ${{ github.repository }} working-directory: ./local_kernel run: | - PR_NUMBER=$(echo "$PR_URL" | grep -oP '\d+$') + PR_NUMBER=$(echo "$PR_URL" | grep -oE '[0-9]+$') while true; do - STATE=$(gh pr view "$PR_NUMBER" --json state --jq .state) + STATE=$(gh pr view "$PR_NUMBER" --repo "$REPO_FULL_NAME" --json state --jq .state) if [ "$STATE" = "MERGED" ]; then echo "PR merged successfully" break From 0ee5930076d7359190dcb7292edabd9c7aca2c10 Mon Sep 17 00:00:00 2001 From: Kody Stribrny Date: Fri, 27 Mar 2026 16:11:47 -0700 Subject: [PATCH 3/7] Maybe dev changes? --- .github/workflows/auto-release.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/workflows/auto-release.yml b/.github/workflows/auto-release.yml index c5eff0f727c..66eda4e61fe 100644 --- a/.github/workflows/auto-release.yml +++ b/.github/workflows/auto-release.yml @@ -99,7 +99,11 @@ jobs: working-directory: ./local_kernel run: | git add . - git commit -m '[AUTO][RELEASE]: Update version number in manifest.yml and source files' + if git diff --cached --quiet; then + echo "No changes to commit — source files and manifest already up to date." + else + git commit -m '[AUTO][RELEASE]: Update version number in manifest.yml and source files' + fi git push -u origin "release-prep-$VERSION_NUMBER" - name: Create pull request From 9c7caf8346ac5ee34c814c0690b35680218cdbb9 Mon Sep 17 00:00:00 2001 From: Kody Stribrny Date: Fri, 27 Mar 2026 16:18:44 -0700 Subject: [PATCH 4/7] Debugging attempt --- .github/workflows/auto-release.yml | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/.github/workflows/auto-release.yml b/.github/workflows/auto-release.yml index 66eda4e61fe..e369d19b07c 100644 --- a/.github/workflows/auto-release.yml +++ b/.github/workflows/auto-release.yml 
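Review bot: The new `git diff --cached --quiet` branch only moves the failure: with nothing committed, `release-prep-$VERSION_NUMBER` is pushed identical to its base and the following `gh pr create` is expected to reject a PR with no commits, failing the job with a less specific message. If an already-updated tree is a legitimate state, the PR and wait steps need to be skipped in that case; if it is not, `exit 1` inside that branch is clearer than continuing. The `Commit and push release preparation branch` step starts before this hunk.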
@@ -98,12 +98,22 @@ jobs: VERSION_NUMBER: ${{ github.event.inputs.version_number }} working-directory: ./local_kernel run: | + echo "=== Git log (last 5 commits) ===" + git log --oneline -5 + echo "=== Git status ===" + git status + echo "=== Git diff --stat ===" + git diff --stat git add . + echo "=== Staged changes ===" + git diff --cached --stat if git diff --cached --quiet; then - echo "No changes to commit — source files and manifest already up to date." + echo "No new changes to commit — source files and manifest already up to date." else git commit -m '[AUTO][RELEASE]: Update version number in manifest.yml and source files' fi + echo "=== Commits ahead of origin/main ===" + git log --oneline origin/main..HEAD git push -u origin "release-prep-$VERSION_NUMBER" - name: Create pull request @@ -193,5 +203,11 @@ jobs: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} working-directory: ./local_kernel run: | - git push origin --delete "release-prep-$VERSION_NUMBER" || true + # Only delete release-prep branch if the PR was already merged + PR_STATE=$(gh pr list --repo "${{ github.repository }}" --head "release-prep-$VERSION_NUMBER" --json state --jq '.[0].state' 2>/dev/null || echo "") + if [ "$PR_STATE" = "MERGED" ] || [ -z "$PR_STATE" ]; then + git push origin --delete "release-prep-$VERSION_NUMBER" || true + else + echo "Skipping release-prep branch deletion — PR is still open (state: $PR_STATE)" + fi git push origin --delete "release-$VERSION_NUMBER" || true From ad5cd112c8e53299a4e5d56fc32263322113f92a Mon Sep 17 00:00:00 2001 From: Kody Stribrny Date: Fri, 27 Mar 2026 16:21:59 -0700 Subject: [PATCH 5/7] Fix detached head issue --- .github/workflows/auto-release.yml | 15 +++++---------- 1 file changed, 5 insertions(+), 10 deletions(-) diff --git a/.github/workflows/auto-release.yml b/.github/workflows/auto-release.yml index e369d19b07c..e0f6dffa31f 100644 --- a/.github/workflows/auto-release.yml +++ b/.github/workflows/auto-release.yml 
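Review bot: `gh pr list` defaults to open PRs, so once the release PR has merged the query most likely returns nothing and `.[0].state` yields `null` or an empty string: `null` matches neither branch and the prep branch is never deleted, while an empty string takes the `-z` branch and deletes it. The empty string is also what `2>/dev/null || echo ""` produces on an API or auth failure, so the step deletes precisely when it knows least. Query all states, `PR_STATE=$(gh pr list --state all --head "release-prep-$VERSION_NUMBER" --json state --jq '.[0].state' 2>/dev/null || echo "")`, delete only on `MERGED`, and log any other value for a human to act on. The `Delete release preparation branch` step starts before this hunk.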
@@ -98,22 +98,17 @@ jobs: VERSION_NUMBER: ${{ github.event.inputs.version_number }} working-directory: ./local_kernel run: | - echo "=== Git log (last 5 commits) ===" - git log --oneline -5 - echo "=== Git status ===" - git status - echo "=== Git diff --stat ===" - git diff --stat + # The update_src_version.py script detaches HEAD by checking out a SHA. + # Re-attach HEAD to the release prep branch, keeping all commits. + git branch -f "release-prep-$VERSION_NUMBER" HEAD + git checkout "release-prep-$VERSION_NUMBER" + git add . - echo "=== Staged changes ===" - git diff --cached --stat if git diff --cached --quiet; then echo "No new changes to commit — source files and manifest already up to date." else git commit -m '[AUTO][RELEASE]: Update version number in manifest.yml and source files' fi - echo "=== Commits ahead of origin/main ===" - git log --oneline origin/main..HEAD git push -u origin "release-prep-$VERSION_NUMBER" - name: Create pull request From 90137a03cd1661a6bad7839bca1c32986fa967de Mon Sep 17 00:00:00 2001 From: Kody Stribrny Date: Fri, 27 Mar 2026 16:27:51 -0700 Subject: [PATCH 6/7] Revert fork repo testing changes --- .github/workflows/auto-release.yml | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/.github/workflows/auto-release.yml b/.github/workflows/auto-release.yml index e0f6dffa31f..0b76fdabe37 100644 --- a/.github/workflows/auto-release.yml +++ b/.github/workflows/auto-release.yml @@ -115,11 +115,9 @@ jobs: env: VERSION_NUMBER: ${{ github.event.inputs.version_number }} GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - REPO_FULL_NAME: ${{ github.repository }} working-directory: ./local_kernel run: | PR_URL=$(gh pr create \ - --repo "$REPO_FULL_NAME" \ --base main \ --head "release-prep-$VERSION_NUMBER" \ --title "[AUTO][RELEASE]: Release $VERSION_NUMBER" \ 
@@ -129,12 +127,11 @@ jobs: - name: Wait for PR to be merged env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - REPO_FULL_NAME: ${{ github.repository }} working-directory: ./local_kernel run: | PR_NUMBER=$(echo "$PR_URL" | grep -oE '[0-9]+$') while true; do - STATE=$(gh pr view "$PR_NUMBER" --repo "$REPO_FULL_NAME" --json state --jq .state) + STATE=$(gh pr view "$PR_NUMBER" --json state --jq .state) if [ "$STATE" = "MERGED" ]; then echo "PR merged successfully" break @@ -199,7 +196,7 @@ jobs: working-directory: ./local_kernel run: | # Only delete release-prep branch if the PR was already merged - PR_STATE=$(gh pr list --repo "${{ github.repository }}" --head "release-prep-$VERSION_NUMBER" --json state --jq '.[0].state' 2>/dev/null || echo "") + PR_STATE=$(gh pr list --head "release-prep-$VERSION_NUMBER" --json state --jq '.[0].state' 2>/dev/null || echo "") if [ "$PR_STATE" = "MERGED" ] || [ -z "$PR_STATE" ]; then git push origin --delete "release-prep-$VERSION_NUMBER" || true else From bf431d4495acbc47736632e988cecf09680d0321 Mon Sep 17 00:00:00 2001 From: Kody Stribrny Date: Mon, 30 Mar 2026 13:16:21 -0700 Subject: [PATCH 7/7] Create a release branch which can be deleted. Update SBOM workflow params. No more secrets. --- .github/workflows/auto-release.yml | 52 ++++++++++++++++++++---------- 1 file changed, 35 insertions(+), 17 deletions(-) diff --git a/.github/workflows/auto-release.yml b/.github/workflows/auto-release.yml index 0b76fdabe37..4ca9a56491d 100644 --- a/.github/workflows/auto-release.yml +++ b/.github/workflows/auto-release.yml @@ -15,6 +15,9 @@ on: description: "Version String for task.h on main branch (leave empty to leave as-is)." required: false default: '' + github_token: + description: 'GitHub token for creating releases and pushing changes' + required: true jobs: release-packager: 
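Review bot: `github_token` as a `workflow_dispatch` input is a credential handled as plaintext: input values are not treated as secrets by Actions, so they are not masked in logs, they sit in the run's event payload, and any debug output or `set -x` in a step prints them. Every `GITHUB_TOKEN:` and `GH_TOKEN: ${{ github.event.inputs.github_token }}` swap in this commit (the @@ -31, @@ -64, @@ -114, @@ -126, @@ -147, @@ -173 and @@ -192 hunks) inherits this. The token should come from a repository or environment secret, `${{ secrets.<RELEASE_TOKEN> }}` (name to be chosen), or from a GitHub App installation token minted inside the job; both are masked and never appear in the payload. With that, this input and its `description:` go away again.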
@@ -31,7 +34,7 @@ jobs: with: architecture: x64 env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ github.event.inputs.github_token }} - name: Install GitHub CLI run: | @@ -64,21 +67,29 @@ jobs: git config --global user.name "$ACTOR" git config --global user.email "$ACTOR"@users.noreply.github.com - - name: Create release preparation branch + - name: Create version branch env: VERSION_NUMBER: ${{ github.event.inputs.version_number }} COMMIT_ID: ${{ github.event.inputs.commit_id }} working-directory: ./local_kernel run: | - git checkout -b "release-prep-$VERSION_NUMBER" "$COMMIT_ID" + git checkout -b "$VERSION_NUMBER" "$COMMIT_ID" + git push -u origin "$VERSION_NUMBER" echo "COMMIT_SHA_1=$(git rev-parse HEAD)" >> $GITHUB_ENV + - name: Create release preparation branch + env: + VERSION_NUMBER: ${{ github.event.inputs.version_number }} + working-directory: ./local_kernel + run: | + git checkout -b "release-prep-$VERSION_NUMBER" + - name: Update source files with version info env: VERSION_NUMBER: ${{ github.event.inputs.version_number }} MAIN_BR_VERSION_NUMBER: ${{ github.event.inputs.main_br_version }} COMMIT_SHA_1: ${{ env.COMMIT_SHA_1 }} - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ github.event.inputs.github_token }} run: | # Install deps and run pip install -r ./tools/.github/scripts/release-requirements.txt @@ -114,11 +125,13 @@ jobs: - name: Create pull request env: VERSION_NUMBER: ${{ github.event.inputs.version_number }} - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ github.event.inputs.github_token }} + REPO_FULL_NAME: ${{ github.repository }} working-directory: ./local_kernel run: | PR_URL=$(gh pr create \ - --base main \ + --repo "$REPO_FULL_NAME" \ + --base "$VERSION_NUMBER" \ --head "release-prep-$VERSION_NUMBER" \ --title "[AUTO][RELEASE]: Release $VERSION_NUMBER" \ --body "Automated release preparation for $VERSION_NUMBER. Updates version numbers in source files and manifest.yml.") 
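Review bot: The `git push -u origin "$VERSION_NUMBER"` added here most likely does not use the input token at all: `actions/checkout` persists its own `token` (defaulting to `github.token`) in the clone's git config and git does not read a `GITHUB_TOKEN` environment variable, so this push and the one in `Commit SBOM file` (the @@ -147 hunk, where `GITHUB_TOKEN:` was added to the env for this purpose) authenticate as the built-in token unless the checkout step that creates `./local_kernel`, which is outside this hunk, was given `token:`. If the commit's intent is to push under the supplied identity, pass the token to that `actions/checkout` step via its `token:` input, or run `gh auth setup-git` after setting `GH_TOKEN`; otherwise the added env lines are dead and should be removed. `$GITHUB_ENV` on the last line of the step should be quoted.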
@@ -126,12 +139,13 @@ jobs: - name: Wait for PR to be merged env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ github.event.inputs.github_token }} + REPO_FULL_NAME: ${{ github.repository }} working-directory: ./local_kernel run: | PR_NUMBER=$(echo "$PR_URL" | grep -oE '[0-9]+$') while true; do - STATE=$(gh pr view "$PR_NUMBER" --json state --jq .state) + STATE=$(gh pr view "$PR_NUMBER" --repo "$REPO_FULL_NAME" --json state --jq .state) if [ "$STATE" = "MERGED" ]; then echo "PR merged successfully" break @@ -147,24 +161,29 @@ jobs: uses: actions/checkout@v4.1.1 with: path: local_kernel - ref: main + ref: ${{ github.event.inputs.version_number }} fetch-depth: 0 - name: Generate SBOM uses: FreeRTOS/CI-CD-Github-Actions/sbom-generator@main with: - repo_path: ./local_kernel - source_path: ./ + directory: ./local_kernel + distribution-type: repository + creator: Amazon Web Services, Inc. + download-location: git+https://github.com/${{ github.repository_owner }}/${{ github.event.repository.name }}.git@${{ github.event.inputs.version_number }} + homepage: https://github.com/${{ github.repository_owner }}/${{ github.event.repository.name }} + namespace-prefix: https://github.com/${{ github.repository_owner }}/${{ github.event.repository.name }}/releases/download/${{ github.event.inputs.version_number }}/ + include-file-hashes: true - name: Commit SBOM file env: VERSION_NUMBER: ${{ github.event.inputs.version_number }} + GITHUB_TOKEN: ${{ github.event.inputs.github_token }} working-directory: ./local_kernel run: | - git checkout -b "release-$VERSION_NUMBER" git add . git commit -m '[AUTO][RELEASE]: Update SBOM' - git push -u origin "release-$VERSION_NUMBER" + git push -u origin "$VERSION_NUMBER" echo "COMMIT_SHA_2=$(git rev-parse HEAD)" >> $GITHUB_ENV - name: Release 
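Review bot: The SBOM generator is still referenced as `FreeRTOS/CI-CD-Github-Actions/sbom-generator@main`, a mutable branch, while this hunk makes it the producer of a committed release artifact with `include-file-hashes: true`; a change on that branch silently changes what every future release ships and the job's write credentials are available to it. Pin the action to a release tag or, better, a full commit SHA with the tag in a trailing comment, and bump it deliberately. The `creator:` value contains a comma, which is valid as a plain scalar in block style; quoting it, `creator: 'Amazon Web Services, Inc.'`, makes the intent explicit to readers and linters.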
@@ -173,7 +192,7 @@ jobs: MAIN_BR_VERSION_NUMBER: ${{ github.event.inputs.main_br_version }} COMMIT_SHA_2: ${{ env.COMMIT_SHA_2 }} REPO_OWNER: ${{ github.repository_owner }} - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ github.event.inputs.github_token }} run: | # Install deps and run pip install -r ./tools/.github/scripts/release-requirements.txt @@ -192,14 +211,13 @@ jobs: if: always() env: VERSION_NUMBER: ${{ github.event.inputs.version_number }} - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ github.event.inputs.github_token }} working-directory: ./local_kernel run: | # Only delete release-prep branch if the PR was already merged - PR_STATE=$(gh pr list --head "release-prep-$VERSION_NUMBER" --json state --jq '.[0].state' 2>/dev/null || echo "") + PR_STATE=$(gh pr list --repo "${{ github.repository }}" --head "release-prep-$VERSION_NUMBER" --json state --jq '.[0].state' 2>/dev/null || echo "") if [ "$PR_STATE" = "MERGED" ] || [ -z "$PR_STATE" ]; then git push origin --delete "release-prep-$VERSION_NUMBER" || true else echo "Skipping release-prep branch deletion — PR is still open (state: $PR_STATE)" fi - git push origin --delete "release-$VERSION_NUMBER" || true
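Review bot: This hunk re-inlines `${{ github.repository }}` into the `run:` script while the other steps touched by the same commit (`Create pull request`, `Wait for PR to be merged`) received a `REPO_FULL_NAME` env variable for the same value. Expression interpolation inside `run:` splices text into the shell before the script executes, which is the pattern to keep out of workflows even where the value, as here, is not user-controlled, and one pattern per file is easier to audit. Add `REPO_FULL_NAME: ${{ github.repository }}` under this step's `env:` and use `--repo "$REPO_FULL_NAME"`. The `Delete release preparation branch` step starts before this hunk.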