.github/workflows/auto-release.yml - third_party/github/FreeRTOS/FreeRTOS-Kernel - Git at Google

 name: Kernel-Auto-Release

 on:
   workflow_dispatch:
     inputs:
       commit_id:
         description: 'Commit ID'
         required: true
         default: 'HEAD'
       version_number:
         description: 'Version Number (Ex. 10.4.4)'
         required: true
         default: '10.4.4'
       main_br_version:
         description: "Version String for task.h on main branch (leave empty to leave as-is)."
         required: false
         default: ''

 jobs:
   release-packager:
     permissions:
       contents: write
       pull-requests: write
       id-token: write
     name: Release Packager
     runs-on: ubuntu-latest
     steps:
       # Install python 3
       - name: Tool Setup
         uses: actions/setup-python@v2
         with:
           architecture:   x64
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

       - name: Install GitHub CLI
         run: |
           command -v gh >/dev/null 2>&1 || {
             curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg | sudo dd of=/usr/share/keyrings/githubcli-archive-keyring.gpg
             sudo chmod go+r /usr/share/keyrings/githubcli-archive-keyring.gpg
             echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" | sudo tee /etc/apt/sources.list.d/github-cli.list > /dev/null
             sudo apt update
             sudo apt install gh
           }

       # Currently FreeRTOS/.github/scripts houses the release script. Download it for upcoming usage
       - name: Checkout FreeRTOS Release Tools
         uses: actions/checkout@v4.1.1
         with:
           repository: FreeRTOS/FreeRTOS
           path: tools

       # Simpler git auth if we use checkout action and forward the repo to release script
       - name: Checkout FreeRTOS Kernel
         uses: actions/checkout@v4.1.1
         with:
           path: local_kernel
           fetch-depth: 0

       - name: Configure git identity
         env:
           ACTOR: ${{ github.actor }}
         run: |
           git config --global user.name "$ACTOR"
           git config --global user.email "$ACTOR"@users.noreply.github.com

       - name: Create version branch
         env:
           VERSION_NUMBER: ${{ github.event.inputs.version_number }}
           COMMIT_ID: ${{ github.event.inputs.commit_id }}
         working-directory: ./local_kernel
         run: |
           git checkout -b "$VERSION_NUMBER" "$COMMIT_ID"
           git push -u origin "$VERSION_NUMBER"
           echo "COMMIT_SHA_1=$(git rev-parse HEAD)" >> $GITHUB_ENV

       - name: Create release preparation branch
         env:
           VERSION_NUMBER: ${{ github.event.inputs.version_number }}
         working-directory: ./local_kernel
         run: |
           git checkout -b "release-prep-$VERSION_NUMBER"

       - name: Update source files with version info
         env:
           VERSION_NUMBER: ${{ github.event.inputs.version_number }}
           MAIN_BR_VERSION_NUMBER: ${{ github.event.inputs.main_br_version }}
           COMMIT_SHA_1: ${{ env.COMMIT_SHA_1 }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           # Install deps and run
           pip install -r ./tools/.github/scripts/release-requirements.txt
           ./tools/.github/scripts/update_src_version.py FreeRTOS --kernel-repo-path=local_kernel --kernel-commit="$COMMIT_SHA_1" --new-kernel-version="$VERSION_NUMBER" --new-kernel-main-br-version="$MAIN_BR_VERSION_NUMBER"
           exit $?

       - name: Update version number in manifest.yml
         env:
           VERSION_NUMBER: ${{ github.event.inputs.version_number }}
         working-directory: ./local_kernel
         run: |
           ./.github/scripts/manifest_updater.py -v "$VERSION_NUMBER"
           exit $?

       - name: Commit and push release preparation branch
         env:
           VERSION_NUMBER: ${{ github.event.inputs.version_number }}
         working-directory: ./local_kernel
         run: |
           # The update_src_version.py script detaches HEAD by checking out a SHA.
           # Re-attach HEAD to the release prep branch, keeping all commits.
           git branch -f "release-prep-$VERSION_NUMBER" HEAD
           git checkout "release-prep-$VERSION_NUMBER"

           git add .
           if git diff --cached --quiet; then
             echo "No new changes to commit — source files and manifest already up to date."
           else
             git commit -m '[AUTO][RELEASE]: Update version number in manifest.yml and source files'
           fi
           git push -u origin "release-prep-$VERSION_NUMBER"

       - name: Create pull request
         env:
           VERSION_NUMBER: ${{ github.event.inputs.version_number }}
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           REPO_FULL_NAME: ${{ github.repository }}
         working-directory: ./local_kernel
         run: |
           PR_URL=$(gh pr create \
             --repo "$REPO_FULL_NAME" \
             --base "$VERSION_NUMBER" \
             --head "release-prep-$VERSION_NUMBER" \
             --title "[AUTO][RELEASE]: Release $VERSION_NUMBER" \
             --body "Automated release preparation for $VERSION_NUMBER. Updates version numbers in source files and manifest.yml.")
           echo "PR_URL=$PR_URL" >> $GITHUB_ENV

       - name: Wait for PR to be merged
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           REPO_FULL_NAME: ${{ github.repository }}
         working-directory: ./local_kernel
         run: |
           PR_NUMBER=$(echo "$PR_URL" | grep -oE '[0-9]+$')
           while true; do
             STATE=$(gh pr view "$PR_NUMBER" --repo "$REPO_FULL_NAME" --json state --jq .state)
             if [ "$STATE" = "MERGED" ]; then
               echo "PR merged successfully"
               break
             elif [ "$STATE" = "CLOSED" ]; then
               echo "Error: PR was closed without merging"
               exit 1
             fi
             echo "Waiting for PR to be merged... (current state: $STATE)"
             sleep 30
           done

       - name: Re-checkout after merge
         uses: actions/checkout@v4.1.1
         with:
           path: local_kernel
           ref: ${{ github.event.inputs.version_number }}
           fetch-depth: 0

       - name: Generate SBOM
         uses: FreeRTOS/CI-CD-Github-Actions/sbom-generator@main
         with:
           directory: ./local_kernel
           distribution-type: repository
           creator: Amazon Web Services, Inc.
           download-location: git+https://github.com/${{ github.repository_owner }}/${{ github.event.repository.name }}.git@${{ github.event.inputs.version_number }}
           homepage: https://github.com/${{ github.repository_owner }}/${{ github.event.repository.name }}
           namespace-prefix: https://github.com/${{ github.repository_owner }}/${{ github.event.repository.name }}/releases/download/V${{ github.event.inputs.version_number }}/
           include-file-hashes: true

       - name: Commit SBOM file
         env:
           VERSION_NUMBER: ${{ github.event.inputs.version_number }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           # SBOM generator writes files to the workspace root — copy them into the repo
           cp *SPDX* ./local_kernel/ 2>/dev/null || cp *spdx* ./local_kernel/ 2>/dev/null || true
           cd ./local_kernel
           git add .
           if git diff --cached --quiet; then
             echo "No SBOM changes to commit."
           else
             git commit -m '[AUTO][RELEASE]: Update SBOM'
             git push -u origin "$VERSION_NUMBER"
           fi
           echo "COMMIT_SHA_2=$(git rev-parse HEAD)" >> $GITHUB_ENV

       - name: Release
         env:
           VERSION_NUMBER: ${{ github.event.inputs.version_number }}
           MAIN_BR_VERSION_NUMBER: ${{ github.event.inputs.main_br_version }}
           COMMIT_SHA_2: ${{ env.COMMIT_SHA_2 }}
           REPO_OWNER: ${{ github.repository_owner }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           # Install deps and run
           pip install -r ./tools/.github/scripts/release-requirements.txt
           ./tools/.github/scripts/release.py "$REPO_OWNER" --kernel-repo-path=local_kernel --kernel-commit="$COMMIT_SHA_2" --new-kernel-version="$VERSION_NUMBER" --new-kernel-main-br-version="$MAIN_BR_VERSION_NUMBER"
           exit $?

       - name: Backup Release Asset
         uses: FreeRTOS/CI-CD-Github-Actions/artifact-backup@main
         with:
           # This is dependent on the release script putting this zip file
           # in this exact location.
           artifact_path: ./FreeRTOS-KernelV${{ github.event.inputs.version_number }}.zip
           release_tag: V${{ github.event.inputs.version_number }}

       - name: Delete release preparation branch
         if: always()
         env:
           VERSION_NUMBER: ${{ github.event.inputs.version_number }}
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         working-directory: ./local_kernel
         run: |
           # Only delete release-prep branch if the PR was already merged
           PR_STATE=$(gh pr list --repo "${{ github.repository }}" --head "release-prep-$VERSION_NUMBER" --json state --jq '.[0].state' 2>/dev/null || echo "")
           if [ "$PR_STATE" = "MERGED" ] || [ -z "$PR_STATE" ]; then
             git push origin --delete "release-prep-$VERSION_NUMBER" || true
           else
             echo "Skipping release-prep branch deletion — PR is still open (state: $PR_STATE)"
           fi
	name: Kernel-Auto-Release

	on:
	workflow_dispatch:
	inputs:
	commit_id:
	description: 'Commit ID'
	required: true
	default: 'HEAD'
	version_number:
	description: 'Version Number (Ex. 10.4.4)'
	required: true
	default: '10.4.4'
	main_br_version:
	description: "Version String for task.h on main branch (leave empty to leave as-is)."
	required: false
	default: ''

	jobs:
	release-packager:
	permissions:
	contents: write
	pull-requests: write
	id-token: write
	name: Release Packager
	runs-on: ubuntu-latest
	steps:
	# Install python 3
	- name: Tool Setup
	uses: actions/setup-python@v2
	with:
	architecture: x64
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

	- name: Install GitHub CLI
	run: \|
	command -v gh >/dev/null 2>&1 \|\| {
	curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg \| sudo dd of=/usr/share/keyrings/githubcli-archive-keyring.gpg
	sudo chmod go+r /usr/share/keyrings/githubcli-archive-keyring.gpg
	echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" \| sudo tee /etc/apt/sources.list.d/github-cli.list > /dev/null
	sudo apt update
	sudo apt install gh
	}

	# Currently FreeRTOS/.github/scripts houses the release script. Download it for upcoming usage
	- name: Checkout FreeRTOS Release Tools
	uses: actions/checkout@v4.1.1
	with:
	repository: FreeRTOS/FreeRTOS
	path: tools

	# Simpler git auth if we use checkout action and forward the repo to release script
	- name: Checkout FreeRTOS Kernel
	uses: actions/checkout@v4.1.1
	with:
	path: local_kernel
	fetch-depth: 0

	- name: Configure git identity
	env:
	ACTOR: ${{ github.actor }}
	run: \|
	git config --global user.name "$ACTOR"
	git config --global user.email "$ACTOR"@users.noreply.github.com

	- name: Create version branch
	env:
	VERSION_NUMBER: ${{ github.event.inputs.version_number }}
	COMMIT_ID: ${{ github.event.inputs.commit_id }}
	working-directory: ./local_kernel
	run: \|
	git checkout -b "$VERSION_NUMBER" "$COMMIT_ID"
	git push -u origin "$VERSION_NUMBER"
	echo "COMMIT_SHA_1=$(git rev-parse HEAD)" >> $GITHUB_ENV

	- name: Create release preparation branch
	env:
	VERSION_NUMBER: ${{ github.event.inputs.version_number }}
	working-directory: ./local_kernel
	run: \|
	git checkout -b "release-prep-$VERSION_NUMBER"

	- name: Update source files with version info
	env:
	VERSION_NUMBER: ${{ github.event.inputs.version_number }}
	MAIN_BR_VERSION_NUMBER: ${{ github.event.inputs.main_br_version }}
	COMMIT_SHA_1: ${{ env.COMMIT_SHA_1 }}
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	run: \|
	# Install deps and run
	pip install -r ./tools/.github/scripts/release-requirements.txt
	./tools/.github/scripts/update_src_version.py FreeRTOS --kernel-repo-path=local_kernel --kernel-commit="$COMMIT_SHA_1" --new-kernel-version="$VERSION_NUMBER" --new-kernel-main-br-version="$MAIN_BR_VERSION_NUMBER"
	exit $?

	- name: Update version number in manifest.yml
	env:
	VERSION_NUMBER: ${{ github.event.inputs.version_number }}
	working-directory: ./local_kernel
	run: \|
	./.github/scripts/manifest_updater.py -v "$VERSION_NUMBER"
	exit $?

	- name: Commit and push release preparation branch
	env:
	VERSION_NUMBER: ${{ github.event.inputs.version_number }}
	working-directory: ./local_kernel
	run: \|
	# The update_src_version.py script detaches HEAD by checking out a SHA.
	# Re-attach HEAD to the release prep branch, keeping all commits.
	git branch -f "release-prep-$VERSION_NUMBER" HEAD
	git checkout "release-prep-$VERSION_NUMBER"

	git add .
	if git diff --cached --quiet; then
	echo "No new changes to commit — source files and manifest already up to date."
	else
	git commit -m '[AUTO][RELEASE]: Update version number in manifest.yml and source files'
	fi
	git push -u origin "release-prep-$VERSION_NUMBER"

	- name: Create pull request
	env:
	VERSION_NUMBER: ${{ github.event.inputs.version_number }}
	GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	REPO_FULL_NAME: ${{ github.repository }}
	working-directory: ./local_kernel
	run: \|
	PR_URL=$(gh pr create \
	--repo "$REPO_FULL_NAME" \
	--base "$VERSION_NUMBER" \
	--head "release-prep-$VERSION_NUMBER" \
	--title "[AUTO][RELEASE]: Release $VERSION_NUMBER" \
	--body "Automated release preparation for $VERSION_NUMBER. Updates version numbers in source files and manifest.yml.")
	echo "PR_URL=$PR_URL" >> $GITHUB_ENV

	- name: Wait for PR to be merged
	env:
	GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	REPO_FULL_NAME: ${{ github.repository }}
	working-directory: ./local_kernel
	run: \|
	PR_NUMBER=$(echo "$PR_URL" \| grep -oE '[0-9]+$')
	while true; do
	STATE=$(gh pr view "$PR_NUMBER" --repo "$REPO_FULL_NAME" --json state --jq .state)
	if [ "$STATE" = "MERGED" ]; then
	echo "PR merged successfully"
	break
	elif [ "$STATE" = "CLOSED" ]; then
	echo "Error: PR was closed without merging"
	exit 1
	fi
	echo "Waiting for PR to be merged... (current state: $STATE)"
	sleep 30
	done

	- name: Re-checkout after merge
	uses: actions/checkout@v4.1.1
	with:
	path: local_kernel
	ref: ${{ github.event.inputs.version_number }}
	fetch-depth: 0

	- name: Generate SBOM
	uses: FreeRTOS/CI-CD-Github-Actions/sbom-generator@main
	with:
	directory: ./local_kernel
	distribution-type: repository
	creator: Amazon Web Services, Inc.
	download-location: git+https://github.com/${{ github.repository_owner }}/${{ github.event.repository.name }}.git@${{ github.event.inputs.version_number }}
	homepage: https://github.com/${{ github.repository_owner }}/${{ github.event.repository.name }}
	namespace-prefix: https://github.com/${{ github.repository_owner }}/${{ github.event.repository.name }}/releases/download/V${{ github.event.inputs.version_number }}/
	include-file-hashes: true

	- name: Commit SBOM file
	env:
	VERSION_NUMBER: ${{ github.event.inputs.version_number }}
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	run: \|
	# SBOM generator writes files to the workspace root — copy them into the repo
	cp SPDX ./local_kernel/ 2>/dev/null \|\| cp spdx ./local_kernel/ 2>/dev/null \|\| true
	cd ./local_kernel
	git add .
	if git diff --cached --quiet; then
	echo "No SBOM changes to commit."
	else
	git commit -m '[AUTO][RELEASE]: Update SBOM'
	git push -u origin "$VERSION_NUMBER"
	fi
	echo "COMMIT_SHA_2=$(git rev-parse HEAD)" >> $GITHUB_ENV

	- name: Release
	env:
	VERSION_NUMBER: ${{ github.event.inputs.version_number }}
	MAIN_BR_VERSION_NUMBER: ${{ github.event.inputs.main_br_version }}
	COMMIT_SHA_2: ${{ env.COMMIT_SHA_2 }}
	REPO_OWNER: ${{ github.repository_owner }}
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	run: \|
	# Install deps and run
	pip install -r ./tools/.github/scripts/release-requirements.txt
	./tools/.github/scripts/release.py "$REPO_OWNER" --kernel-repo-path=local_kernel --kernel-commit="$COMMIT_SHA_2" --new-kernel-version="$VERSION_NUMBER" --new-kernel-main-br-version="$MAIN_BR_VERSION_NUMBER"
	exit $?

	- name: Backup Release Asset
	uses: FreeRTOS/CI-CD-Github-Actions/artifact-backup@main
	with:
	# This is dependent on the release script putting this zip file
	# in this exact location.
	artifact_path: ./FreeRTOS-KernelV${{ github.event.inputs.version_number }}.zip
	release_tag: V${{ github.event.inputs.version_number }}

	- name: Delete release preparation branch
	if: always()
	env:
	VERSION_NUMBER: ${{ github.event.inputs.version_number }}
	GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	working-directory: ./local_kernel
	run: \|
	# Only delete release-prep branch if the PR was already merged
	PR_STATE=$(gh pr list --repo "${{ github.repository }}" --head "release-prep-$VERSION_NUMBER" --json state --jq '.[0].state' 2>/dev/null \|\| echo "")
	if [ "$PR_STATE" = "MERGED" ] \|\| [ -z "$PR_STATE" ]; then
	git push origin --delete "release-prep-$VERSION_NUMBER" \|\| true
	else
	echo "Skipping release-prep branch deletion — PR is still open (state: $PR_STATE)"
	fi