From f5faff051b690f3571c1f24a8856901235f549f7 Mon Sep 17 00:00:00 2001
From: Martin Pitt <martin@piware.de>
Date: Tue, 7 Jun 2022 09:35:28 +0200
Subject: [PATCH] Move release from cockpituous to action-release and packit

This gets rid of our "release" environment with high-profile secrets,
and the cockpituous/release infra.

The upstream release uses our shared
https://github.com/cockpit-project/action-release/ action.
---
 .github/workflows/release.yml.disabled | 45 +++++++++++++-------------
 README.md                              | 28 +++++++++-------
 cockpituous-release                    | 34 -------------------
 packit.yaml                            | 22 +++++++++++++
 4 files changed, 61 insertions(+), 68 deletions(-)
 delete mode 100644 cockpituous-release

diff --git a/.github/workflows/release.yml.disabled b/.github/workflows/release.yml.disabled
index ed7b334..e680fe8 100644
--- a/.github/workflows/release.yml.disabled
+++ b/.github/workflows/release.yml.disabled
@@ -1,3 +1,6 @@
+# Create a GitHub upstream release. Replace "TARNAME" with your project tarball
+# name and enable this by dropping the ".disabled" suffix from the file name.
+# See README.md.
 name: release
 on:
   push:
@@ -5,31 +8,27 @@ on:
       # this is a glob, not a regexp
       - '[0-9]*'
 jobs:
-  cockpituous:
+  source:
     runs-on: ubuntu-latest
-    environment: release
     container:
-      image: ghcr.io/cockpit-project/release
+      image: ghcr.io/cockpit-project/unit-tests
+      options: --user root
+    permissions:
+      # create GitHub release
+      contents: write
     steps:
-      - name: Set up configuration and secrets
-        run: |
-          # override GitHub's bind mount from host, we don't want anything from there and it interferes with ssh
-          export HOME=$(getent passwd $(id -u) | cut -f6 -d:)
+      - name: Clone repository
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
 
-          # secrets come from https://github.com/organizations/ORGNAME/settings/secrets or https://github.com/OWNER/REPO/settings/secrets
-          # see https://docs.github.com/en/free-pro-team@latest/actions/reference/encrypted-secrets
-          echo '${{ secrets.SSH_KNOWN_HOSTS }}' > ~/.ssh/known_hosts
-          echo '${{ secrets.FEDPKG_SSH_PUBLIC }}' > ~/.ssh/id_rsa.pub
-          echo '${{ secrets.FEDPKG_SSH_PRIVATE }}' > ~/.ssh/id_rsa
-          chmod 600 ~/.ssh/id_rsa
-          # FIXME: Set your Fedora user account name here
-          echo 'yourfedorauser' > ~/.config/bodhi-user
-          echo '${{ secrets.GITHUB_TOKEN }}' > ~/.config/github-token
-          echo '${{ secrets.FEDORA_PASSWORD }}' > ~/.fedora-password
+      - name: Workaround for https://github.com/actions/checkout/pull/697
+        run: git fetch --force origin $(git describe --tags):refs/tags/$(git describe --tags)
 
-      - name: Run cockpituous
-        run: |
-          # override GitHub's bind mount from host, we don't want anything from there and it interferes with ssh
-          export HOME=$(getent passwd $(id -u) | cut -f6 -d:)
-          cd /build
-          release-runner -r https://github.com/$GITHUB_REPOSITORY -t $(basename $GITHUB_REF) ./cockpituous-release
+      - name: Build release
+        run: make dist
+
+      - name: Publish GitHub release
+        uses: cockpit-project/action-release@62db9d9850a1adec300500d84035c4f523fd5290
+        with:
+          filename: "TARNAME-${{ github.ref_name }}.tar.xz"
diff --git a/README.md b/README.md
index 23feb35..dede86d 100644
--- a/README.md
+++ b/README.md
@@ -132,19 +132,25 @@ change:
 # Automated release
 
 Once your cloned project is ready for a release, you should consider automating
-that.  [Cockpituous release](https://github.com/cockpit-project/cockpituous/tree/main/release)
-and [Packit](https://packit.dev/) aim to fully automate project releases to
-GitHub, Fedora, Ubuntu, COPR, Docker Hub, and other places. The intention is
-that the only manual step for releasing a project is to create a signed tag for
-the version number; pushing the tag then triggers a [GitHub
-action](https://github.com/features/actions) that calls a set of release
-scripts.
+that. The intention is that the only manual step for releasing a project is to create
+a signed tag for the version number, which includes a summary of the noteworthy
+changes:
 
-starter-kit includes an example [cockpitous release script](./cockpituous-release)
+```
+123
 
-and a [packit.yaml](./packit.yaml) control file with detailed comments how to
-use it. There is also an [example GitHub release action](.github/workflows/release.yml.disabled)
-to set up secrets and run cockpituous.
+- this new feature
+- fix bug #123
+```
+
+Pushing the release tag triggers the [release.yml](.github/workflows/release.yml.disabled)
+[GitHub action](https://github.com/features/actions) workflow. This creates the
+official release tarball and publishes as upstream release to GitHub. The
+workflow is disabled by default -- to use it, edit the file as per the comment
+at the top, and rename it to just `*.yml`.
+
+The Fedora and COPR releases are done with [Packit](https://packit.dev/),
+see the [packit.yaml](./packit.yaml) control file.
 
 # Automated maintenance
 
diff --git a/cockpituous-release b/cockpituous-release
deleted file mode 100644
index aca4f08..0000000
--- a/cockpituous-release
+++ /dev/null
@@ -1,34 +0,0 @@
-# This is a script run to release this project through Cockpituous:
-# https://github.com/cockpit-project/cockpituous/tree/main/release
-
-# Anything that start with 'job' may run in a way that it SIGSTOP's
-# itself when preliminary preparition and then gets a SIGCONT in
-# order to complete its work.
-#
-# Check cockpituous documentation for available release targets.
-#
-# This gets run through a GitHub action: enable and adjust
-# .github/workflows/release.yml.disabled once you are ready.
-
-RELEASE_SOURCE="_release/source"
-RELEASE_SPEC="cockpit-starter-kit.spec"
-RELEASE_SRPM="_release/srpm"
-
-job release-source
-job release-srpm -V
-
-# Once you have a Fedora package, can upload to Fedora automatically: Provide the
-# secrets in .github/workflows/release.yml on GitHub, and enable the following:
-
-## Authenticate for pushing into Fedora dist-git
-# cat ~/.fedora-password | kinit yourfedorauser@FEDORAPROJECT.ORG
-## Do fedora builds for the tag, using tarball
-# job release-koji rawhide
-# job release-koji f36
-# job release-bodhi F36
-
-# These are likely the first of your release targets; but run them after Fedora uploads,
-# so that failures there will fail the release early, before publishing on GitHub
-
-# this needs no explicit secrets, just the GitHub action provided default one
-# job release-github
diff --git a/packit.yaml b/packit.yaml
index b7a7e96..bcba1b0 100644
--- a/packit.yaml
+++ b/packit.yaml
@@ -3,6 +3,8 @@
 # See https://packit.dev/docs/configuration/ for the format of this file
 
 specfile_path: cockpit-starter-kit.spec
+# use the nicely formatted release description from our upstream release, instead of git shortlog
+copy_upstream_release_description: true
 
 srpm_build_deps:
   - make
@@ -37,3 +39,23 @@ jobs:
   #    targets:
   #      - fedora-all
   #      - centos-stream-9-x86_64
+
+  # Build releases in Fedora: https://packit.dev/docs/configuration/#propose_downstream
+  #- job: propose_downstream
+  #  trigger: release
+  #  metadata:
+  #    dist_git_branches:
+  #      - fedora-all
+
+  #- job: koji_build
+  #  trigger: commit
+  #  metadata:
+  #    dist_git_branches:
+  #      - fedora-all
+
+  #- job: bodhi_update
+  #  trigger: commit
+  #  metadata:
+  #    dist_git_branches:
+  #      # rawhide updates are created automatically
+  #      - fedora-branched