name: Release on: workflow_dispatch: inputs: version: description: 'Version to release (e.g., v2.99.0-rc1 or v2.99.0)' required: true type: string # Only one release workflow runs at a time; additional runs are queued. concurrency: group: release cancel-in-progress: false permissions: contents: read jobs: authorize: # Releasing acts as HaystackBot (a ruleset-bypass actor), so the ruleset # cannot enforce *who* started the release. Gate on the triggering user's # role instead: only maintainers/admins may run this workflow, even though # workflow_dispatch itself is available to anyone with write access. runs-on: ubuntu-slim steps: - name: Verify the triggering user may release env: GH_TOKEN: ${{ secrets.HAYSTACK_BOT_TOKEN }} ACTOR: ${{ github.triggering_actor }} run: | ROLE=$(gh api "repos/${{ github.repository }}/collaborators/${ACTOR}/permission" --jq '.role_name') echo "::notice::${ACTOR} has repository role '${ROLE}'" case "$ROLE" in admin|maintain) echo "✅ ${ACTOR} is authorized to trigger a release." ;; *) echo "::error::${ACTOR} has role '${ROLE}'. A release can only be triggered by a user with the 'maintain' or 'admin' role." exit 1 ;; esac parse-validate-version: needs: ["authorize"] runs-on: ubuntu-slim outputs: version: ${{ steps.parse-validate.outputs.version }} major_minor: ${{ steps.parse-validate.outputs.major_minor }} release_branch: ${{ steps.parse-validate.outputs.release_branch }} is_rc: ${{ steps.parse-validate.outputs.is_rc }} is_first_rc: ${{ steps.parse-validate.outputs.is_first_rc }} steps: - name: Checkout repository uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: fetch-depth: 0 # needed to fetch tags and branches - name: Parse and validate version id: parse-validate env: GH_TOKEN: ${{ github.token }} VERSION: ${{ inputs.version }} run: .github/utils/parse_validate_version.sh "$VERSION" branch-off: needs: ["parse-validate-version"] if: needs.parse-validate-version.outputs.is_first_rc == 'true' uses: ./.github/workflows/branch_off.yml # https://docs.github.com/en/actions/how-tos/reuse-automations/reuse-workflows#passing-secrets-to-nested-workflows secrets: inherit create-release-tag: needs: ["parse-validate-version", "branch-off"] if: always() && needs.parse-validate-version.result == 'success' && needs.branch-off.result != 'failure' runs-on: ubuntu-slim permissions: contents: write steps: - name: Checkout repository uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: fetch-depth: 0 # needed to fetch tags and branches # use this token so the created tag triggers workflows (does not happen with the default github.token) token: ${{ secrets.HAYSTACK_BOT_TOKEN }} - name: Update VERSION.txt and create tag env: GITHUB_TOKEN: ${{ secrets.HAYSTACK_BOT_TOKEN }} run: | git config --global user.name "github-actions[bot]" git config --global user.email "github-actions[bot]@users.noreply.github.com" git checkout ${{ needs.parse-validate-version.outputs.release_branch }} git pull origin ${{ needs.parse-validate-version.outputs.release_branch }} echo "${{ needs.parse-validate-version.outputs.version }}" > VERSION.txt git add VERSION.txt git commit -m "bump version to ${{ needs.parse-validate-version.outputs.version }}" git push origin ${{ needs.parse-validate-version.outputs.release_branch }} TAG="v${{ needs.parse-validate-version.outputs.version }}" git tag -m "$TAG" "$TAG" git push origin "$TAG" check-artifacts: needs: ["parse-validate-version", "create-release-tag"] if: always() && needs.parse-validate-version.result == 'success' && needs.create-release-tag.result == 'success' runs-on: ubuntu-latest outputs: github_url: ${{ steps.set-outputs.outputs.github_url }} pypi_url: ${{ steps.set-outputs.outputs.pypi_url }} docker_url: ${{ steps.set-outputs.outputs.docker_url }} env: GH_TOKEN: ${{ github.token }} VERSION: ${{ needs.parse-validate-version.outputs.version }} steps: - name: Checkout repository uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: fetch-depth: 0 # needed to fetch tags and branches - name: Wait for release workflows run: | .github/utils/wait_for_workflows.sh "v${{ env.VERSION }}" \ "Project release on PyPi" \ "Project release on Github" \ "Docker image release" - name: Check artifacts run: | check() { for _ in {1..5}; do curl -sf "$2" > /dev/null && echo "✅ $1" && return 0; sleep 30; done echo "❌ $1 not found" && return 1 } check "GitHub Release" "https://api.github.com/repos/${{ github.repository }}/releases/tags/v${{ env.VERSION }}" check "PyPI package" "https://pypi.org/pypi/haystack-ai/${{ env.VERSION }}/json" check "Docker image" "https://hub.docker.com/v2/repositories/deepset/haystack/tags/base-v${{ env.VERSION }}" - name: Set artifact URLs id: set-outputs run: | { echo "github_url=https://github.com/${{ github.repository }}/releases/tag/v${{ env.VERSION }}" echo "pypi_url=https://pypi.org/project/haystack-ai/${{ env.VERSION }}/" echo "docker_url=https://hub.docker.com/r/deepset/haystack/tags?name=base-v${{ env.VERSION }}" } >> "$GITHUB_OUTPUT" bump-dc-pipeline-templates: needs: ["parse-validate-version", "check-artifacts"] if: always() && needs.check-artifacts.result == 'success' && needs.parse-validate-version.outputs.is_rc == 'true' runs-on: ubuntu-slim outputs: pr_url: ${{ steps.create-pr.outputs.pull-request-url }} env: VERSION: ${{ needs.parse-validate-version.outputs.version }} steps: - name: Checkout dc-pipeline-templates uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: repository: deepset-ai/dc-pipeline-templates token: ${{ secrets.HAYSTACK_BOT_TOKEN }} - name: Update haystack pin run: sed -i "s/haystack-ai>=.*/haystack-ai>=${VERSION}/" requirements-test.txt - name: Create Pull Request id: create-pr uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1 with: token: ${{ secrets.HAYSTACK_BOT_TOKEN }} commit-message: "Bump haystack to ${{ env.VERSION }}" branch: bump-haystack-${{ env.VERSION }} base: main title: "chore: bump haystack to ${{ env.VERSION }}" add-paths: requirements-test.txt body: | Bump haystack pin to `${{ env.VERSION }}` for platform testing. bump-deepset-cloud-custom-nodes: needs: ["parse-validate-version", "check-artifacts"] if: always() && needs.check-artifacts.result == 'success' && needs.parse-validate-version.outputs.is_rc == 'true' runs-on: ubuntu-slim outputs: pr_url: ${{ steps.create-pr.outputs.pull-request-url }} env: VERSION: ${{ needs.parse-validate-version.outputs.version }} steps: - name: Checkout haystack (for utils) uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: path: haystack sparse-checkout: .github/utils/update_haystack_dc_custom_nodes.py sparse-checkout-cone-mode: false - name: Checkout deepset-cloud-custom-nodes uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: repository: deepset-ai/deepset-cloud-custom-nodes token: ${{ secrets.HAYSTACK_BOT_TOKEN }} path: deepset-cloud-custom-nodes - name: Set up Python uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0 with: python-version: "3.13" - name: Install tomlkit run: | python -m pip install --upgrade pip pip install tomlkit --uploaded-prior-to=P1D - name: Update haystack-ai in uv.lock run: python haystack/.github/utils/update_haystack_dc_custom_nodes.py "${{ env.VERSION }}" deepset-cloud-custom-nodes/uv.lock - name: Create Pull Request id: create-pr uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1 with: token: ${{ secrets.HAYSTACK_BOT_TOKEN }} path: deepset-cloud-custom-nodes commit-message: "Bump haystack to ${{ env.VERSION }}" branch: bump-haystack-${{ env.VERSION }} base: main title: "chore: bump haystack to ${{ env.VERSION }}" add-paths: uv.lock body: | Bump haystack pin to `${{ env.VERSION }}` for platform testing. bump-haystack-runtime: needs: ["parse-validate-version", "check-artifacts"] if: always() && needs.check-artifacts.result == 'success' && needs.parse-validate-version.outputs.is_rc == 'true' runs-on: ubuntu-slim outputs: pr_url: ${{ steps.wait-pr.outputs.pr_url }} env: VERSION: ${{ needs.parse-validate-version.outputs.version }} steps: - name: Trigger "Update package version" workflow env: GH_TOKEN: ${{ secrets.HAYSTACK_BOT_TOKEN }} run: | gh workflow run update-package-version.yaml \ -R deepset-ai/haystack-runtime \ -f haystack_version="${{ env.VERSION }}" - name: Wait for PR id: wait-pr env: GH_TOKEN: ${{ secrets.HAYSTACK_BOT_TOKEN }} run: | TRIGGER_TIME=$(date -u +%Y-%m-%dT%H:%M:%SZ) for i in $(seq 1 30); do PR_URL=$(gh pr list -R deepset-ai/haystack-runtime \ --head "bump/hs${{ env.VERSION }}" \ --json url,createdAt \ --jq ".[] | select(.createdAt >= \"$TRIGGER_TIME\") | .url") if [[ -n "$PR_URL" ]]; then echo "pr_url=$PR_URL" >> "$GITHUB_OUTPUT" echo "Found PR: $PR_URL" exit 0 fi echo "Attempt $i: PR not found yet, waiting 10s..." sleep 10 done echo "PR not found after 5 minutes" notify: needs: - "parse-validate-version" - "branch-off" - "create-release-tag" - "check-artifacts" - "bump-dc-pipeline-templates" - "bump-deepset-cloud-custom-nodes" - "bump-haystack-runtime" if: always() runs-on: ubuntu-slim steps: - name: Checkout repository uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Prepare release notification env: VERSION: ${{ inputs.version }} GH_TOKEN: ${{ github.token }} RUN_URL: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }} HAS_FAILURE: ${{ contains(needs.*.result, 'failure') }} IS_RC: ${{ needs.parse-validate-version.outputs.is_rc }} IS_FIRST_RC: ${{ needs.parse-validate-version.outputs.is_first_rc }} MAJOR_MINOR: ${{ needs.parse-validate-version.outputs.major_minor }} GITHUB_URL: ${{ needs.check-artifacts.outputs.github_url }} PYPI_URL: ${{ needs.check-artifacts.outputs.pypi_url }} DOCKER_URL: ${{ needs.check-artifacts.outputs.docker_url }} BUMP_VERSION_PR_URL: ${{ needs.branch-off.outputs.bump_version_pr_url }} DC_PIPELINE_TEMPLATES_PR_URL: ${{ needs.bump-dc-pipeline-templates.outputs.pr_url }} DC_CUSTOM_NODES_PR_URL: ${{ needs.bump-deepset-cloud-custom-nodes.outputs.pr_url }} HAYSTACK_RUNTIME_PR_URL: ${{ needs.bump-haystack-runtime.outputs.pr_url }} run: .github/utils/prepare_release_notification.sh - name: Send release notification to Slack uses: slackapi/slack-github-action@45a88b9581bfab2566dc881e2cd66d334e621e2c # v3.0.3 with: webhook: ${{ secrets.SLACK_WEBHOOK_URL_RELEASE }} webhook-type: incoming-webhook payload-file-path: slack_payload.json