Split create_draft_release worfklow into hotfix / normal

[bouwkast]

Summary of changes

This creates two new GitHub workflows: one to create a draft hotfix release and another to create a normal draft release.

Reason for change

During the recent hotfixes I accidentally ran the current create_draft_release workflow on the master branch (but it failed). If this would have succeeded we would have pushed the 3.27.0 artifacts to NuGet too soon when we just wanted to push 3.26.3 artifacts from that hotfix branch.

Splitting this helps prevent that from happening in the future.

Implementation details

• .github/workflows/_create_draft_release.yml
  • This is a re-usable form of create_draft_release.yml - I copy/pasted that one. I'll paste below in "Other details" the diff between the files
• .github/workflows/create_hotfix_draft_release.yml
  • Can only be run on hotfix/* branches
  • Skips doing anything with the vNext milestone (main difference)
  • Does everything that create_draft_release.yml would do if ran against a hotfix/ branch
• .github/workflows/create_normal_draft_release.yml
  • Can only be run on master <- we can consider allowing others at a later point, but we don't have any other release lines that we currently support
  • Does everything that create_draft_release.yml would do if ran on master

Test coverage

None!

Other details

Note that I have NOT removed the current create_draft_release workflow. This is to ensure that when it comes time to release if these new workflows do not work that we won't be blocked. Testing workflows is always a bit challenging 🤷
I can try to see if this works in a fork though if that is desired :)

https://datadoghq.atlassian.net/browse/LANGPLAT-833

$ git diff --no-index .github/workflows/create_draft_release.yml .github/workflows/_create_draft_release.yml
diff --git a/.github/workflows/create_draft_release.yml b/.github/workflows/_create_draft_release.yml
index 4b17dab58..ba5280dbf 100644
--- a/.github/workflows/create_draft_release.yml
+++ b/.github/workflows/_create_draft_release.yml
@@ -1,14 +1,34 @@
-name: Create draft release
+name: Create reusable draft release

 on:
-  workflow_dispatch:
+  workflow_call:
     inputs:
       forced_commit_id:
         description: 'Force using artifacts from specific commit? If provided, this will try and use the artifacts from the given commit, regardless of build status'
         required: false
+        type: string
       ignore_gitlab_failures:
         description: "DANGER Force ignoring any issues with the GitLab artifacts or SSI. Don't use this unless you _really_ know what you're doing"
         required: false
+        type: boolean
+        default: false
+      is_hotfix:
+        description: 'Is this a hotfix release? If true, skips vNext milestone renaming'
+        required: true
+        type: boolean
+    secrets:
+      AZURE_DEVOPS_TOKEN:
+        required: true
+      NUGET_API_KEY:
+        required: true
+      GH_APP_ID:
+        required: true
+      GH_APP_PRIVATE_KEY:
+        required: true
+      DD_PREPROD_API_KEY:
+        required: true
+      DD_PUBLIC_SYMBOL_API_KEY:
+        required: true

 jobs:
   create_draft_release:
@@ -33,10 +53,10 @@ jobs:
       - name: Set SHA
         id: set_sha
         run: |
-          if [ -z "${{ github.event.inputs.forced_commit_id }}" ]; then
+          if [ -z "${{ inputs.forced_commit_id }}" ]; then
               commitsha="${GITHUB_SHA}"
           else
-              commitsha="${{ github.event.inputs.forced_commit_id }}"
+              commitsha="${{ inputs.forced_commit_id }}"
           fi
           echo "Using sha $commitsha"
           echo "sha=${commitsha}" >> $GITHUB_OUTPUT
@@ -78,7 +98,7 @@ jobs:
           private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}

       - name: "Check GitLab status"
-        if: ${{ !github.event.inputs.ignore_gitlab_failures }}
+        if: ${{ !inputs.ignore_gitlab_failures }}
         run: ./tracer/build.sh VerifyReleaseReadiness
         env:
           CommitSha: "${{ steps.set_sha.outputs.sha }}"
@@ -92,7 +112,7 @@ jobs:
         id: assets
         run: ./tracer/build.sh DownloadReleaseArtifacts
         env:
-          TargetBranch: ${{ github.event.ref }}
+          TargetBranch: ${{ github.ref }}
           CommitSha: "${{ steps.set_sha.outputs.sha }}"
           GITHUB_TOKEN: "${{ steps.generate-token.outputs.token }}"

@@ -105,7 +125,7 @@ jobs:
       - name: "Rename vNext milestone"
         id: rename
         # We don't rename vNext/vNext-v1 for hotfix releases
-        if: ${{ !contains(github.event.ref, 'hotfix') }}
+        if: ${{ !inputs.is_hotfix && !contains(github.ref, 'hotfix') }}
         run: ./tracer/build.sh RenameVNextMilestone
         env:
           Version: ${{steps.versions.outputs.full_version}}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting

• @codex fix this CI failure
• @codex address that feedback

[andrewlock]

Thanks for doing this! And great call RE leaving the existing workflow in place

[andrewlock]

TIL about secrets:

[andrewlock]

Technically we may need to do this from a "release" branch in the future too, but we can 100% deal with that if it comes to it

[andrewlock]

Isn't the contains(github.ref, 'hotfix') superfluous? 🤔 Given we're explicitly providing a variable saying it's a hotfix, I think it might be better to just use that, otherwise the checks could get out of sync?

[bouwkast]

Yeah that is a good point I can swap it to just using the is_hotfix

Initially my thought was just as a layer of extra protection, but yeah definitely see how this can cause it to be out of sync