Revert "Merge pull request #29 from uclahs-cds/nwiltsie-attach-tarball"

nwiltsie · nwiltsie · commit b924d71e8f43 · 2025-02-10T13:20:50.000-08:00
This reverts commit e539242, reversing changes made to a452e40.
diff --git a/.github/workflows/internal-alias.yaml b/.github/workflows/internal-alias.yaml
@@ -16,3 +16,5 @@ permissions:
 jobs:
   update-alias:
     uses: ./.github/workflows/wf-alias-release.yaml
+    # Secrets are only required until tool-create-release is made public
+    secrets: inherit
diff --git a/.github/workflows/internal-finalize.yaml b/.github/workflows/internal-finalize.yaml
@@ -19,7 +19,6 @@ jobs:
   finalize-release:
     if: ${{ github.event.pull_request.merged == true && startsWith(github.event.pull_request.head.ref, 'automation-create-release') }}
     uses: ./.github/workflows/wf-finalize-release.yaml
+    secrets: inherit
     with:
       draft: false
-    secrets:
-      token: ${{ secrets.UCLAHS_CDS_REPO_READ_TOKEN }}
diff --git a/.github/workflows/internal-prepare.yaml b/.github/workflows/internal-prepare.yaml
@@ -29,5 +29,5 @@ jobs:
     with:
       bump_type: ${{ inputs.bump_type }}
       prerelease: ${{ inputs.prerelease }}
-    secrets:
-      token: ${{ secrets.UCLAHS_CDS_REPO_READ_TOKEN }}
+    # Secrets are only required until tool-create-release is made public
+    secrets: inherit
diff --git a/.github/workflows/wf-alias-release.yaml b/.github/workflows/wf-alias-release.yaml
@@ -1,24 +1,6 @@
 ---
 on:
   workflow_call:
-    inputs:
-      # These inputs are taken directly from stefanzweifel/git-auto-commit-action
-      commit-user-name:
-        type: string
-        description: Name used for the commit user
-        required: false
-        default: github-actions[bot]
-      commit-user-email:
-        type: string
-        description: Email address used for the commit user
-        required: false
-        default: 41898282+github-actions[bot]@users.noreply.github.com
-    secrets:
-      token:
-        description: >
-          Personal access token (PAT) used to fetch the repository. Required
-          if the repository has any private submodules.
-        required: false
 
 jobs:
   alias-release:
@@ -32,7 +14,7 @@ jobs:
         env:
           REPO: ${{ github.repository }}
           RUN_ID: ${{ github.run_id }}
-          GH_TOKEN: ${{ secrets.token || github.token }}
+          GH_TOKEN: ${{ github.token }}
         run: |
           ACTION_DATA=$(gh api "repos/$REPO/actions/runs/$RUN_ID")
           echo "::debug::$ACTION_DATA"
@@ -45,14 +27,14 @@ jobs:
           repository: uclahs-cds/tool-create-release
           path: reusable
           ref: ${{ steps.workflow-parsing.outputs.SHA }}
+          token: ${{ secrets.UCLAHS_CDS_REPO_READ_TOKEN }}
 
       - name: Checkout calling repository
         uses: actions/checkout@v4
         with:
           path: caller
           fetch-depth: 0
           fetch-tags: true
-          token: ${{ secrets.token || github.token }}
 
       - name: Set up python
         uses: actions/setup-python@v5
@@ -65,11 +47,9 @@ jobs:
       # Update the alias if necessary
       - id: alias-release
         run: |
-          git config --file "$REPO_DIR/.git/config" user.name "$COMMIT_USER"
-          git config --file "$REPO_DIR/.git/config" user.email "$COMMIT_EMAIL"
+          git config --file "$REPO_DIR/.git/config" user.name "github-actions[bot]"
+          git config --file "$REPO_DIR/.git/config" user.email "41898282+github-actions[bot]@users.noreply.github.com"
           alias-release "$REPO_DIR" "$GITHUB_REF"
         env:
           REPO_DIR: caller
-          GH_TOKEN: ${{ secrets.token || github.token }}
-          COMMIT_USER: ${{ inputs.commit-user-name }}
-          COMMIT_EMAIL: ${{ inputs.commit-user-email }}
+          GH_TOKEN: ${{ github.token }}
diff --git a/.github/workflows/wf-finalize-release.yaml b/.github/workflows/wf-finalize-release.yaml
@@ -6,18 +6,6 @@ on:
         description: If true (the default), draft the release for later manual approval.
         type: boolean
         default: true
-      attach-tarball:
-        description: If true, attach a tarball including all submodules to the release.
-        type: boolean
-        default: false
-
-    secrets:
-      token:
-        description: >
-          Personal access token (PAT) used to fetch the repository and submodules.
-          Required if `draft` is false (to allow triggering alias workflow) or if
-          `attach-tarball` is true _and_ one or more of the submodules are private.
-        required: false
 
 jobs:
   finalize-release:
@@ -31,7 +19,7 @@ jobs:
         env:
           REPO: ${{ github.repository }}
           RUN_ID: ${{ github.run_id }}
-          GH_TOKEN: ${{ secrets.token || github.token }}
+          GH_TOKEN: ${{ github.token }}
         run: |
           ACTION_DATA=$(gh api "repos/$REPO/actions/runs/$RUN_ID")
           echo "::debug::$ACTION_DATA"
@@ -44,6 +32,7 @@ jobs:
           repository: uclahs-cds/tool-create-release
           path: reusable
           ref: ${{ steps.workflow-parsing.outputs.SHA }}
+          token: ${{ secrets.UCLAHS_CDS_REPO_READ_TOKEN }}
 
       - name: Set up python
         uses: actions/setup-python@v5
@@ -53,29 +42,9 @@ jobs:
       # Install the bundled package
       - run: pip install ./reusable
 
-      - name: Establish variables for tarball attachment
-        id: set-repo-name
-        run: |
-          REPO_NAME=$(echo "${{ github.repository }}" | cut -d'/' -f2)
-          echo "REPO_NAME=$REPO_NAME" >> "$GITHUB_OUTPUT"
-          mkdir source
-          echo "CLONE_PATH=source/$REPO_NAME" >> "$GITHUB_OUTPUT"
-
-      # Only check out the calling repository if we're going to attach a
-      # tarball to the release
-      - name: Clone repository to create tarball
-        uses: actions/checkout@v4
-        if: ${{ inputs.attach-tarball }}
-        with:
-          path: ${{ steps.set-repo-name.outputs.CLONE_PATH }}
-          submodules: 'recursive'
-          token: ${{ secrets.token || github.token }}
-
       - name: Finalize release
-        id: finalize-release
-        run: finalize-release "$DRAFT" --archival-path "$CLONE_PATH"
+        run: finalize-release "$DRAFT"
         env:
           DRAFT: ${{ inputs.draft }}
           # Use the other token to allow the aliasing workflow to run
-          GH_TOKEN: ${{ secrets.token || github.token }}
-          CLONE_PATH: ${{ steps.set-repo-name.outputs.CLONE_PATH }}
+          GH_TOKEN: ${{ secrets.UCLAHS_CDS_REPO_READ_TOKEN }}
diff --git a/.github/workflows/wf-prepare-release.yaml b/.github/workflows/wf-prepare-release.yaml
@@ -28,22 +28,10 @@ on:
         required: false
       version_files:
         type: string
-        description: >
-          Comma-separated list of relative paths to files with version numbers
-          that should be updated. Every file must have exactly one line that
-          looks like `version = "xxxx"` - some effort is made to handle
-          different quoting styles, leading underscores, etc.
+        description: Comma-separated list of relative paths to files with version numbers that should be updated. Every file must have exactly one line that looks like `version = "xxxx"` - some effort is made to handle different quoting styles, leading underscores, etc.
         required: false
         default: ""
 
-    secrets:
-      token:
-        description: >
-          Personal access token (PAT) used to open the pull request. Must be
-          provided in order for any actions to run in response to the PR
-          creation.
-        required: false
-
 jobs:
   prepare-release:
     runs-on: ubuntu-latest
@@ -62,7 +50,7 @@ jobs:
         env:
           REPO: ${{ github.repository }}
           RUN_ID: ${{ github.run_id }}
-          GH_TOKEN: ${{ secrets.token || github.token }}
+          GH_TOKEN: ${{ github.token }}
         run: |
           ACTION_DATA=$(gh api "repos/$REPO/actions/runs/$RUN_ID")
           echo "::debug::$ACTION_DATA"
@@ -75,6 +63,7 @@ jobs:
           repository: uclahs-cds/tool-create-release
           path: reusable
           ref: ${{ steps.workflow-parsing.outputs.SHA }}
+          token: ${{ secrets.UCLAHS_CDS_REPO_READ_TOKEN }}
 
       - name: Checkout calling repository
         uses: actions/checkout@v4
@@ -115,7 +104,7 @@ jobs:
       - name: Create Pull Request
         uses: peter-evans/create-pull-request@v7
         with:
-          token: ${{ secrets.token || github.token }}
+          token: ${{ secrets.UCLAHS_CDS_REPO_READ_TOKEN }}
           path: caller
           add-paths: ${{ inputs.changelog }},${{ inputs.version_files }}
           commit-message: ${{ steps.bump-changelog.outputs.commit_message }}
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -8,15 +8,6 @@ This project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.htm
 
 ## Unreleased
 
-### Added
-
-- Add `attach-tarball` argument to finalize workflow to attach source tarball with release
-
-### Changed
-
-- Remove hard-coded UCLA secrets, add explicit `secrets` inputs to workflows
-- Automatically delete release branch after merging pull request
-
 ### Fixed
 
 - Added `import mdformat.renderer` to fix issue with mdformat v0.7.22
diff --git a/README.md b/README.md
@@ -49,7 +49,6 @@ Usage of this tool requires adding three workflows to each calling repository (n
 
 1. Create a new release with auto-generated notes and the target tag.
   * By default the new release is a draft, so no public release or tag are created without user intervention.
-1. Optionally, attach a source tarball including all submodules to the new release.
 1. Comment on the release PR with a link to the new release.
 1. Delete the merged release branch.
 
@@ -115,14 +114,6 @@ Parameters can be specified using the [`with`](https://docs.github.com/en/action
 | `wf-prepare-release.yaml` | `changelog` | string | no | Relative path to the CHANGELOG file. Defaults to `./CHANGELOG.md`. |
 | `wf-prepare-release.yaml` | `timezone` | string | no | IANA timezone to use when calculating the current date for the CHANGELOG. Defaults to `America/Los_Angeles`. |
 | `wf-finalize-release.yaml` | `draft` | boolean | no | If true (the default), mark the new release as a draft and require manual intervention to continue. |
-| `wf-finalize-release.yaml` | `attach-tarball` | boolean | no | If true (not the default), attach a tarball of the repository source, including all submodules, to the release. |
-| `wf-alias-release.yaml` | `commit-user-name` | string | no | User name to use while tagging new commits (defaults to `github-actions[bot]`) |
-| `wf-alias-release.yaml` | `commit-user-email` | string | no | User email to use while tagging new commits (defaults to `41898282+github-actions[bot]@users.noreply.github.com`) |
-
-All three workflows also accept a `token` secret which is required for full functionality (e.g. CI/CD checks on the opened pull request). The provided [personal access token](https://github.com/settings/tokens/new) should be stored as a secret in the repository and have the following scopes:
-
-* `repo`
-* `workflow`
 
 ### Updating hard-coded strings with `version_files`
 
diff --git a/bumpchanges/finalize.py b/bumpchanges/finalize.py
@@ -9,7 +9,6 @@
 
 from dataclasses import dataclass, field
 from pathlib import Path
-from typing import Optional
 
 
 from .logging import setup_logging, NOTICE, LoggingMixin
@@ -77,7 +76,7 @@ def __post_init__(self):
         except ValueError:
             pass
 
-    def create(self, draft: bool, archival_path: Optional[Path]):
+    def create(self, draft: bool):
         """Create the release and return the URL."""
         args = [
             "gh",
@@ -121,45 +120,6 @@ def create(self, draft: bool, archival_path: Optional[Path]):
             width=2000,
         )
 
-        # Create and upload a tarball if the archival path exists
-        if archival_path:
-            self.logger.info("Creating tarball")
-
-            tarball = Path(
-                os.environ["GITHUB_WORKSPACE"],
-                f"{archival_path.name}-{self.tag}.tar.gz",
-            )
-
-            subprocess.run(
-                ["tar", "--exclude-vcs", "-czvf", tarball, archival_path.name],
-                cwd=archival_path.parent,
-                check=True,
-            )
-
-            try:
-                subprocess.run(
-                    [
-                        "gh",
-                        "release",
-                        "upload",
-                        self.tag,
-                        "--repo",
-                        self.owner_repo,
-                        f"{tarball}#Source code with submodules (tar.gz)",
-                    ],
-                    check=True,
-                )
-                comment_body += (
-                    "\n\nA source tarball including all submodules "
-                    "has been attached to the release."
-                )
-
-            except subprocess.CalledProcessError:
-                self.logger.error("Failed to attach tarball to release!")
-                comment_body += (
-                    "\n\n**ERROR:** Failed to attach source tarball to release!"
-                )
-
         subprocess.run(
             [
                 "gh",
@@ -181,29 +141,15 @@ def entrypoint():
 
     parser = argparse.ArgumentParser()
     parser.add_argument("draft", type=str_to_bool)
-    parser.add_argument(
-        "--archival-path", help="Path to a directory to tar and attach to the release"
-    )
 
     args = parser.parse_args()
 
     try:
         # Parse the environment to create the release
         new_release = PreparedRelease.from_environment()
 
-        archival_path = Path(args.archival_path) if args.archival_path else None
-        if archival_path and not archival_path.exists():
-            archival_path = None
-
-        if archival_path:
-            # Sanity-check that the cloned name matches the environment
-            repo_name = new_release.owner_repo.split("/", maxsplit=1)[-1]
-            if repo_name != archival_path.name:
-                raise RuntimeError(f"{repo_name} != {archival_path.name}!")
-
         # Draft or create the release
-        new_release.create(args.draft, archival_path)
-
+        new_release.create(args.draft)
     except:
         logging.getLogger(__name__).exception("Failed to create new release")
         raise
diff --git a/templates/alias-release.yaml b/templates/alias-release.yaml
@@ -16,5 +16,4 @@ permissions:
 jobs:
   update-alias:
     uses: uclahs-cds/tool-create-release/.github/workflows/wf-alias-release.yaml@v1
-    secrets:
-      token: ${{ secrets.YOUR_PAT }}
+    secrets: inherit
diff --git a/templates/finalize-release.yaml b/templates/finalize-release.yaml
@@ -19,8 +19,6 @@ jobs:
   finalize-release:
     if: ${{ github.event.pull_request.merged == true && startsWith(github.event.pull_request.head.ref, 'automation-create-release') }}
     uses: uclahs-cds/tool-create-release/.github/workflows/wf-finalize-release.yaml@v1
+    secrets: inherit
     with:
       draft: false
-      attach-tarball: false
-    secrets:
-      token: ${{ secrets.YOUR_PAT }}
diff --git a/templates/prepare-release-non-semantic-version.yaml b/templates/prepare-release-non-semantic-version.yaml
@@ -22,5 +22,4 @@ jobs:
     with:
       bump_type: "exact"
       exact_version: ${{ inputs.version }}
-    secrets:
-      token: ${{ secrets.YOUR_PAT }}
+    secrets: inherit
diff --git a/templates/prepare-release.yaml b/templates/prepare-release.yaml
@@ -29,5 +29,4 @@ jobs:
     with:
       bump_type: ${{ inputs.bump_type }}
       prerelease: ${{ inputs.prerelease }}
-    secrets:
-      token: ${{ secrets.YOUR_PAT }}
+    secrets: inherit
