GHA-155 Add branch freeze functionality to automated release workflow (#70)

nils-werner-sonarsource · web-flow · commit a972635c92bf · 2025-12-10T13:50:01.000+01:00
diff --git a/.github/workflows/automated-release.yml b/.github/workflows/automated-release.yml
@@ -111,6 +111,15 @@ on:
         required: false
         type: boolean
         default: false
+      freeze-branch:
+        description: "Freeze the branch during the release"
+        required: false
+        type: boolean
+        default: true
+      slack-channel:
+        description: "Slack channel for notifications"
+        required: false
+        type: string
 
     outputs:
       new-version:
@@ -121,12 +130,47 @@ env:
   USE_JIRA_SANDBOX: ${{ inputs.use-jira-sandbox == true && 'true' || 'false' }}
 
 jobs:
-  # Step 1: Prepare Release
+  # This job freezes the specified branch to prevent changes during the release process.
+  freeze-branch:
+    name: Freeze ${{ inputs.branch }} branch
+    if: ${{ inputs.freeze-branch }}
+    runs-on: ${{ inputs.runner-environment }}
+    permissions:
+      id-token: write
+    steps:
+      - &freeze-branch-secrets
+        id: secrets
+        uses: SonarSource/vault-action-wrapper@v3
+        with:
+          secrets: |
+            development/github/token/{REPO_OWNER_NAME_DASH}-lock token | lock_token;
+            development/kv/data/slack token | slack_api_token;
+      - &freeze-branch-toggle
+        uses: sonarsource/gh-action-lt-backlog/ToggleLockBranch@v2
+        with:
+          github-token: ${{ fromJSON(steps.secrets.outputs.vault).lock_token }}
+          slack-token: ${{ fromJSON(steps.secrets.outputs.vault).slack_api_token }}
+          slack-channel: ${{ inputs.slack-channel }}
+          branch-pattern: ${{ inputs.branch }}
+      - name: Summary
+        if: ${{ inputs.verbose }}
+        shell: bash
+        env:
+          BRANCH: ${{ inputs.branch }}
+          SLACK_CHANNEL: ${{ inputs.slack-channel || 'not set' }}
+        run: |
+          echo "## 🧊 Freeze Branch" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "### What happened" >> $GITHUB_STEP_SUMMARY
+          echo "- Locked branch pattern \`$BRANCH\` to prevent changes during the release." >> $GITHUB_STEP_SUMMARY
+          echo "- Notifications sent to Slack channel: \`$SLACK_CHANNEL\`." >> $GITHUB_STEP_SUMMARY
+
   # This step determines the release version, Jira version name, and gathers release notes.
   # It sets up the necessary outputs for subsequent steps.
   # These outputs include the release version, Jira version name, release notes, Jira release notes, and Jira release URL.
   prepare-release:
     name: Prepare Release
+    needs: [ freeze-branch ]
     runs-on: ${{ inputs.runner-environment }}
     permissions:
       statuses: read
@@ -179,7 +223,6 @@ jobs:
           echo "- Release version: \`${{ steps.get-release-version.outputs.release-version }}\`." >> $GITHUB_STEP_SUMMARY
           echo "- Jira version name: \`${{ steps.get-jira-version.outputs.jira-version-name }}\`." >> $GITHUB_STEP_SUMMARY
 
-  # Step 2: Create Release Ticket
   # This step creates a Jira release ticket using the prepared release information.
   # It outputs the release ticket key and URL for further use.
   create-release-ticket:
@@ -222,7 +265,6 @@ jobs:
           echo "- Ticket key: \`${{ steps.create-ticket.outputs.release-ticket-key }}\`." >> $GITHUB_STEP_SUMMARY
           echo "- Ticket link: ${{ steps.create-ticket.outputs.release-ticket-url }}" >> $GITHUB_STEP_SUMMARY
 
-  # Step 3: Publish GitHub Release
   # This step publishes the GitHub release using the prepared release information and the created Jira release ticket.
   # It outputs the GitHub release URL for further use.
   publish-github-release:
@@ -261,7 +303,30 @@ jobs:
           echo "### Results" >> $GITHUB_STEP_SUMMARY
           echo "- Release page: ${{ steps.publish-github-release.outputs.release-url }}" >> $GITHUB_STEP_SUMMARY
 
-  # Step 4: Release in Jira
+  # This job unfreezes the specified branch after the GitHub release is published.
+  unfreeze-branch:
+    name: Unfreeze ${{ inputs.branch }} branch
+    if: ${{ inputs.freeze-branch }}
+    runs-on: ${{ inputs.runner-environment }}
+    needs: [ publish-github-release ]
+    permissions:
+      id-token: write
+    steps:
+      - *freeze-branch-secrets
+      - *freeze-branch-toggle
+      - name: Summary
+        if: ${{ inputs.verbose }}
+        shell: bash
+        env:
+          BRANCH: ${{ inputs.branch }}
+          SLACK_CHANNEL: ${{ inputs.slack-channel || 'not set' }}
+        run: |
+          echo "## 🔓 Unfreeze Branch" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "### What happened" >> $GITHUB_STEP_SUMMARY
+          echo "- Unlocked branch pattern \`$BRANCH\` after publishing the GitHub release." >> $GITHUB_STEP_SUMMARY
+          echo "- Notifications sent to Slack channel: \`$SLACK_CHANNEL\`." >> $GITHUB_STEP_SUMMARY
+
   # This step releases the version in Jira and moves the release ticket to the "Technical Release Done" status.
   # It outputs the new version name and integration ticket keys and URLs.
   release-in-jira:
@@ -309,7 +374,6 @@ jobs:
           echo "### Results" >> $GITHUB_STEP_SUMMARY
           echo "- New Jira version: \`${{ steps.create-jira-version.outputs.jira-new-version-name }}\`." >> $GITHUB_STEP_SUMMARY
 
-  # Step 5: Create Integration Tickets
   # This step creates integration tickets in various Jira projects based on the inputs provided.
   # It creates tickets for SLVS, SLVSCODE, SLE, SLI, SQC, and SQS as specified.
   # It outputs the integration ticket keys for SQC and SQS for further use.
@@ -422,7 +486,6 @@ jobs:
           if [ "$SQC_INTEGRATION" = "true" ]; then echo "- SQC ticket \`${{ steps.create-sqc-ticket.outputs.ticket-key }}\` — ${{ steps.create-sqc-ticket.outputs.ticket-url }}" >> $GITHUB_STEP_SUMMARY; fi
           if [ "$SQS_INTEGRATION" = "true" ]; then echo "- SQS ticket \`${{ steps.create-sqs-ticket.outputs.ticket-key }}\` — ${{ steps.create-sqs-ticket.outputs.ticket-url }}" >> $GITHUB_STEP_SUMMARY; fi
 
-  # Step 6: Update Analyzers in SQS and SQC
   # This step updates the analyzers in SQS and SQC by creating pull requests based on the integration tickets created in the previous step.
   # It outputs the pull request URLs for SQS and SQC for further use.
   update-analyzers:
@@ -485,7 +548,6 @@ jobs:
           if [ "$SQS_INTEGRATION" = "true" ]; then echo "- SQS PR: ${{ steps.update-sqs.outputs.pull-request-url }}" >> $GITHUB_STEP_SUMMARY; fi
           if [ "$SQC_INTEGRATION" = "true" ]; then echo "- SQC PR: ${{ steps.update-sqc.outputs.pull-request-url }}" >> $GITHUB_STEP_SUMMARY; fi
 
-  # Step 7: Summarize Release
   # This step summarizes the results of the entire release process.
   # It checks the outcomes of all previous steps and generates a summary indicating whether the release was
   # successful or failed, along with relevant links and information.
diff --git a/docs/AUTOMATED_RELEASE.md b/docs/AUTOMATED_RELEASE.md
@@ -6,14 +6,15 @@ This reusable GitHub Actions workflow automates the end-to-end release process a
 
 The workflow orchestrates these steps:
 
-1. Determine the release version and Jira version name
-2. Optionally generate Jira release notes if not provided
-3. Create a Jira release ticket
-4. Publish a GitHub release (draft or final)
-5. Release the current Jira version and create the next version in Jira
-6. Optionally create integration tickets (SLVS, SLVSCODE, SLE, SLI, SQC, SQS)
-7. Optionally open analyzer update PRs in SQS and SQC
-8. Optionally post per-job and final workflow summaries when `verbose` is enabled
+1. Optionally freeze (lock) the target branch at the start of the release
+2. Determine the release version and Jira version name
+3. Optionally generate Jira release notes if not provided
+4. Create a Jira release ticket
+5. Publish a GitHub release (draft or final)
+6. Release the current Jira version and create the next version in Jira
+7. Optionally create integration tickets (SLVS, SLVSCODE, SLE, SLI, SQC, SQS)
+8. Optionally open analyzer update PRs in SQS and SQC
+9. Optionally post per-job and final workflow summaries when `verbose` is enabled
 
 ## Dependencies
 
@@ -28,6 +29,7 @@ This workflow composes several actions from this repository:
 - `SonarSource/release-github-actions/create-integration-ticket`
 - `SonarSource/release-github-actions/update-analyzer`
 - `SonarSource/release-github-actions/update-release-ticket-status`
+- Branch lock/unlock via `sonarsource/gh-action-lt-backlog/ToggleLockBranch`
 
 ## Inputs
 
@@ -57,6 +59,8 @@ This workflow composes several actions from this repository:
 | `runner-environment`         | Runner labels/environment                                                                                        | No       | `sonar-m`    |
 | `release-process`            | Release process documentation URL                                                                               | No       | General page |
 | `verbose`                    | When `true`, posts per-job summaries and a final run summary                                                    | No       | `false`      |
+| `freeze-branch`              | When `true`, locks the target branch during the release and unlocks it after publishing                         | No       | `true`       |
+| `slack-channel`              | Slack channel to notify when locking/unlocking the branch                                                       | No       | -            |
 
 ## Outputs
 
@@ -112,11 +116,17 @@ jobs:
       sqs-integration: true
       sqc-integration: true
       release-automation-secret-name: "sonar-csd-release-automation"
+      slack-channel: "release-notifications"
       verbose: ${{ inputs.verbose }}
 ```
 
 ## Notes
 
+- When `freeze-branch: true`, the workflow will:
+  - Lock the specified branch at the start of the release
+  - Proceed with the release steps
+  - Unlock the branch after the GitHub release is published
+  - Send lock/unlock notifications to the configured `slack-channel` if provided
 - When `release-notes` is empty, Jira release notes are fetched and used.
 - Integration tickets and analyzer update PRs are created only if their respective flags are enabled and prerequisites are met (e.g., secret name for PR creation).
 - Summaries:
