ci: migrate release process from GitHub Actions to Buildkite with Chinmina

.buildkite/hooks/pre-command

@@ -1,5 +1,18 @@
-#!/usr/bin/env sh
+#!/usr/bin/env bash
 set -eou pipefail
 
-export BUILD_ROLE="arn:aws:iam::226140413739:role/build-role-master-cfparams"
-export BUILD_AGENT="build-restricted-arm"
+# note: find some env definitions in the pipeline environment file
+
+# defined in the pipeline environment file, checked that they're set here
+: "${RELEASE_USERNAME:?"RELEASE_USERNAME is not set"}"
+: "${RELEASE_EMAIL:?"RELEASE_EMAIL is not set"}"
+
+: "${RELEASE_SLACK_CHANNEL:?"RELEASE_SLACK_CHANNEL is not set"}"
+: "${RELEASE_SLACK_TEAM:?"RELEASE_SLACK_TEAM is not set"}"
+
+# used by the pipeline
+export BUILD_AGENT="build-restricted-arm"
+
+# required to release and tag properly
+git config user.email "${RELEASE_EMAIL}"
+git config user.name "${RELEASE_USERNAME}"

.buildkite/pipeline.yaml

@@ -1,3 +1,4 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/buildkite/pipeline-schema/main/schema.json
 steps:
   - block: "Release build"
     branches:
@@ -19,23 +20,26 @@ steps:
         hint: "(optional) forced version (X.X.X)"
         required: false
 
-  - label: ":github: Trigger release"
+  - label: ":rocket: Release"
+    key: "release"
     branches:
       - main
-    command: "bin/ci_trigger_release"
+    command: "bin/ci_release"
     agents:
       queue: ${BUILD_AGENT}
     plugins:
-      - aws-assume-role-with-web-identity#v1.4.0:
-          role-arn: ${BUILD_ROLE}
-          role-session-duration: 900 # limit role assumption validity to 15 minutes
-      - cultureamp/aws-sm#v2.2.0:
-          env:
-            GITHUB_TOKEN: /cfparams/GITHUB_TOKEN
+      - chinmina/chinmina-git-credentials#v1.6.0:
+          profiles:
+            - "pipeline:binary-release"
+          exclusive: true
+      - chinmina/chinmina-token#v1.4.0:
+          environment:
+            - GITHUB_TOKEN=pipeline:binary-release
+            - GITHUB_HOMEBREW_TAP_TOKEN=org:homebrew-tap-publish
 
 notify:
   - slack:
       channels:
-        - "#team_sre_foundations_alerts"
-      message: ":fyii: <!subteam^S03CQLT3G2J>: A new version of CFParams is ready to be released :shipit:"
+        - "$RELEASE_SLACK_CHANNEL"
+      message: ":fyii: $RELEASE_SLACK_TEAM A new version of cfparams is ready to be released :shipit:"
     if: 'build.branch == "main" && build.state == "blocked"'

.goreleaser.yaml

@@ -16,11 +16,11 @@ checksum:
   name_template: "checksums.txt"
 
 archives:
-  - format: "binary"
+  - formats: [binary]
     name_template: "{{ .ProjectName }}_{{ .Os }}_{{ .Arch }}"
 
 snapshot:
-  name_template: "{{ incpatch .Version }}-next"
+  version_template: "{{ incpatch .Version }}-next"
 
 changelog:
   use: github-native
@@ -32,32 +32,21 @@ changelog:
       - "^docs:"
       - "^test:"
 
-brews:
+release:
+  mode: replace
+
+homebrew_casks:
   - name: cfparams
+    skip_upload: auto
     repository:
       owner: cultureamp
       name: homebrew-tap
+      token: "{{ .Env.GITHUB_HOMEBREW_TAP_TOKEN }}"
     commit_author:
-      name: cultureamp-ci
-      email: 36431315+cultureamp-ci@users.noreply.github.com
+      name: "{{ .Env.RELEASE_USERNAME }}"
+      email: "{{ .Env.RELEASE_EMAIL }}"
 
-    directory: Formula
     homepage: https://github.com/cultureamp/cfparams
     description: Wrangle parameters for AWS CloudFormation
 
-    test: |
-      minimal = testpath/"minimal.yaml"
-      minimal.write <<~EOS
-        Parameters:
-          TestParameter:
-            Type: String
-            Default: testvalue
-        Resources:
-          S3Bucket:
-            Type: AWS::S3::Bucket
-      EOS
-      system "#{bin}/cfparams --template=minimal.yaml"
-    install: |
-      bin.install "cfparams_{{ .Os }}_{{ .Arch }}" => "cfparams"
-
 # yaml-language-server: $schema=https://goreleaser.com/static/schema.json

.tool-versions

@@ -1 +1,2 @@
-golang 1.25.5
+golang     1.25.5
+goreleaser 2.12.4

bin/ci_calculate_version

@@ -0,0 +1,70 @@
+#!/usr/bin/env bash
+set -eou pipefail
+
+# Clean up version.txt on exit
+trap 'rm -f version.txt' EXIT
+
+function version_from_user() {
+  local release_version="$1"
+  local output_file="$2"
+
+  # ensure leading 'v'
+  release_version="v${release_version#v}"
+  echo "${release_version}" > "$output_file"
+}
+
+function version_from_release_type() {
+  local release_type="$1"
+  local output_file="$2"
+
+  # Build git-cliff command
+  local cliff_args=(--bumped-version --output "$output_file")
+
+  # Add count-tags filter for prereleases
+  if [ "$release_type" != "stable" ]; then
+    local count_tags_pattern
+    count_tags_pattern='\.\d+\.\d+(?:-'"${release_type}"'\.\d+)?$'
+    cliff_args+=(--unreleased --count-tags "$count_tags_pattern")
+  fi
+
+  # Run git-cliff, writing version to file
+  docker compose run --rm git-cliff "${cliff_args[@]}"
+
+  local calculated_version
+  calculated_version="$(cat "$output_file")"
+  if [[ "$release_type" != "stable" && ! "$calculated_version" =~ -${release_type}\.[0-9]+$ ]]; then
+    calculated_version="${calculated_version}-${release_type}.1"
+    echo "${calculated_version}" > "$output_file"
+  fi
+}
+
+function main() {
+  local release_version;release_version="$(buildkite-agent meta-data get "release-version" --default "")"
+  local release_type;release_type="$(buildkite-agent meta-data get "release-type")"
+  local version_source;
+
+  # Validate release type
+  if [[ ! "$release_type" =~ ^(stable|alpha|beta)$ ]]; then
+      echo >&2 "❌ Release type must be 'stable', 'alpha', or 'beta'. Got: '${release_type}'"
+      exit 1
+  fi
+
+  local version_tag
+
+  # Calculate version
+  if [ -n "$release_version" ]; then
+    version_source="user supplied"
+    version_from_user "$release_version" "version.txt"
+  else
+    version_source="calculated from git history for release type '${release_type}'"
+    version_from_release_type "$release_type" "version.txt"
+  fi
+  version_tag=$(cat version.txt)
+
+  echo "Version: ${version_tag} (${version_source})"
+
+  # Store version tag for subsequent steps
+  buildkite-agent meta-data set "version-tag" "${version_tag}"
+}
+
+main "$@"

bin/ci_create_tag

@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+set -eou pipefail
+
+#
+# ci_create_tag
+#
+# Create a tag in the Github remote repo using git CLI. Reads version tag from
+# Buildkite meta-data. Git credentials are configured by chinmina-git-credentials plugin.
+#
+
+function main() {
+    local version_tag;version_tag="$(buildkite-agent meta-data get "version-tag")"
+    local commit_sha;commit_sha=$(git rev-parse HEAD)
+
+    echo "Creating tag '${version_tag}' at commit ${commit_sha}..."
+
+    # Create annotated tag
+    git tag -a "${version_tag}" -m "Version ${version_tag} created by release pipeline"
+
+    # Push tag to origin
+    git push origin "${version_tag}"
+
+    echo "✅ Tag ${version_tag} created successfully"
+}
+
+main "$@"

bin/ci_goreleaser

@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+set -eou pipefail
+
+#
+# ci_goreleaser
+#
+# Run GoReleaser to build and publish the release.
+# Expects GITHUB_TOKEN and GITHUB_HOMEBREW_TAP_TOKEN from environment (set by Chinmina).
+#
+
+function main() {
+    if [ -z "$GITHUB_TOKEN" ]; then
+        >&2 echo "❌ Environment variable GITHUB_TOKEN is required"
+        exit 1
+    fi
+
+    if [ -z "$GITHUB_HOMEBREW_TAP_TOKEN" ]; then
+        >&2 echo "❌ Environment variable GITHUB_HOMEBREW_TAP_TOKEN is required"
+        exit 1
+    fi
+
+    echo "Fetching tags..."
+    git fetch --tags
+
+    echo "Running GoReleaser..."
+    docker compose run --rm goreleaser release --clean --verbose
+}
+
+main "$@"

bin/ci_pipeline

@@ -0,0 +1,4 @@
+#!/usr/bin/env bash
+set -eou pipefail
+
+buildkite-agent pipeline upload