Revitalize admin shell for plugin tools (#35) #14
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Release | |
| on: | |
| push: | |
| tags: | |
| - 'v*' | |
| permissions: | |
| contents: write | |
| env: | |
| GONOSUMCHECK: github.com/GoCodeAlone/* | |
| GONOSUMDB: github.com/GoCodeAlone/* | |
| GOPRIVATE: github.com/GoCodeAlone/* | |
| jobs: | |
| release: | |
| name: Build and Release | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v6 | |
| with: | |
| fetch-depth: 0 | |
| - uses: actions/setup-node@v4 | |
| with: | |
| node-version: '22' | |
| - name: Build admin UI | |
| env: | |
| NODE_AUTH_TOKEN: ${{ secrets.RELEASES_TOKEN }} | |
| run: | | |
| git clone --depth 1 https://github.com/GoCodeAlone/workflow.git /tmp/workflow-ui-build | |
| # Write .npmrc so npm ci can authenticate to GitHub Packages | |
| # (fetch of @gocodealone/workflow-ui from npm.pkg.github.com). | |
| # Captured failure in workflow-plugin-admin#13 v1.0.1 release run. | |
| echo "//npm.pkg.github.com/:_authToken=${NODE_AUTH_TOKEN}" > /tmp/workflow-ui-build/ui/.npmrc | |
| # Subshell isolates `cd` so the cp below runs from the repo workspace, | |
| # not /tmp/workflow-ui-build/ui. v1.0.2 release run surfaced this: | |
| # cd persisted across bash lines → cp tried to write | |
| # /tmp/workflow-ui-build/ui/internal/ui_dist (no such dir) instead of | |
| # ${GITHUB_WORKSPACE}/internal/ui_dist. | |
| ( cd /tmp/workflow-ui-build/ui && npm ci && npx vite build ) | |
| rm -rf internal/ui_dist && cp -r /tmp/workflow-ui-build/ui/dist internal/ui_dist | |
| rm -rf /tmp/workflow-ui-build | |
| - uses: actions/setup-go@v6 | |
| with: | |
| go-version: '1.26' | |
| cache: true | |
| - name: Configure git for private modules | |
| run: git config --global url."https://${{ secrets.RELEASES_TOKEN }}@github.com/".insteadOf "https://github.com/" | |
| - name: Install wfctl v0.63.2 | |
| run: | | |
| mkdir -p "${RUNNER_TEMP}/wfctl-bin" | |
| curl -sSfL -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \ | |
| -o "${RUNNER_TEMP}/wfctl-bin/wfctl" \ | |
| "https://github.com/GoCodeAlone/workflow/releases/download/v0.63.2/wfctl-linux-amd64" | |
| chmod +x "${RUNNER_TEMP}/wfctl-bin/wfctl" | |
| - name: Validate plugin contract for publish (pre-build) | |
| run: "${{ runner.temp }}/wfctl-bin/wfctl plugin validate-contract --for-publish --tag ${{ github.ref_name }} ." | |
| - uses: goreleaser/goreleaser-action@v7 | |
| with: | |
| version: '~> v2' | |
| # --skip=validate bypasses goreleaser's git-dirty-state check. | |
| # The Build admin UI step rebuilds internal/ui_dist/ from workflow | |
| # repo HEAD, which may differ from this repo's committed snapshot | |
| # (kept in-tree for go:embed at dev time). Per workflow-plugin-admin | |
| # #13 v1.0.3 release run failure, dirty check fired on | |
| # internal/ui_dist/index.html. The fresh build is the intended | |
| # release artifact; skip-validate accepts that ui_dist drift is | |
| # expected at release time. | |
| args: release --clean --skip=validate | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.RELEASES_TOKEN }} | |
| GOPRIVATE: github.com/GoCodeAlone/* | |
| # workflow#765: runtime truth-check via plugin verify-capabilities. | |
| - name: Verify capabilities (runtime truth-check) | |
| run: | | |
| RUNNER_ARCH=$(uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/') | |
| BIN=$(jq -r --arg arch "$RUNNER_ARCH" \ | |
| '[.[] | select(.type=="Binary" and .goos=="linux" and .goarch==$arch and (.name|startswith("workflow-plugin-admin")))] | .[0].path // ""' \ | |
| dist/artifacts.json) | |
| if [ -z "$BIN" ] || [ "$BIN" = "null" ]; then | |
| echo "::warning::No matching linux/$RUNNER_ARCH binary in dist/artifacts.json; skipping verify-capabilities" | |
| jq '.[] | {name, type, goos, goarch, path}' dist/artifacts.json | |
| exit 0 | |
| fi | |
| "${{ runner.temp }}/wfctl-bin/wfctl" plugin verify-capabilities --binary "$BIN" . | |
| - name: Update registry manifest | |
| if: success() | |
| # Non-blocking: REGISTRY_PAT may be unset; matches workflow-plugin-azure | |
| # release.yml precedent. Registry sync is informational; the release | |
| # itself was already published before this step runs. v1.0.4 + v1.1.2 | |
| # release runs were marked failure solely on this step (PAT empty). | |
| continue-on-error: true | |
| run: | | |
| VERSION="${GITHUB_REF_NAME#v}" | |
| PLUGIN_NAME="${GITHUB_REPOSITORY##*/}" | |
| REGISTRY_NAME="${PLUGIN_NAME#workflow-plugin-}" | |
| REGISTRY_NAME="${REGISTRY_NAME#workflow-}" | |
| BASE_URL="https://github.com/GoCodeAlone/${PLUGIN_NAME}/releases/download/v${VERSION}/${PLUGIN_NAME}" | |
| git clone "https://x-access-token:${REGISTRY_PAT}@github.com/GoCodeAlone/workflow-registry.git" /tmp/workflow-registry | |
| cd /tmp/workflow-registry | |
| MANIFEST="plugins/${REGISTRY_NAME}/manifest.json" | |
| if [[ ! -f "${MANIFEST}" ]]; then | |
| echo "No manifest found at ${MANIFEST}, skipping registry update." | |
| exit 0 | |
| fi | |
| jq --arg v "${VERSION}" \ | |
| --arg base "${BASE_URL}" \ | |
| '.version = $v | | |
| .downloads = [ | |
| {os: "linux", arch: "amd64", url: ($base + "-linux-amd64.tar.gz")}, | |
| {os: "linux", arch: "arm64", url: ($base + "-linux-arm64.tar.gz")}, | |
| {os: "darwin", arch: "amd64", url: ($base + "-darwin-amd64.tar.gz")}, | |
| {os: "darwin", arch: "arm64", url: ($base + "-darwin-arm64.tar.gz")} | |
| ]' "${MANIFEST}" > tmp.json && mv tmp.json "${MANIFEST}" | |
| git config user.name "github-actions[bot]" | |
| git config user.email "github-actions[bot]@users.noreply.github.com" | |
| BRANCH="auto/sync-${PLUGIN_NAME}-v${VERSION}" | |
| git checkout -b "${BRANCH}" | |
| git add "plugins/${REGISTRY_NAME}/manifest.json" | |
| git commit -m "sync: ${PLUGIN_NAME} v${VERSION}" | |
| git push "https://x-access-token:${REGISTRY_PAT}@github.com/GoCodeAlone/workflow-registry.git" "${BRANCH}" | |
| gh pr create \ | |
| --repo GoCodeAlone/workflow-registry \ | |
| --head "${BRANCH}" \ | |
| --base main \ | |
| --title "sync: ${PLUGIN_NAME} v${VERSION}" \ | |
| --body "Auto-sync \`${PLUGIN_NAME}\` manifest to v${VERSION}" \ | |
| --label "auto-sync" || true | |
| env: | |
| REGISTRY_PAT: ${{ secrets.REGISTRY_PAT }} | |
| GH_TOKEN: ${{ secrets.REGISTRY_PAT }} | |
| notify-registry: | |
| if: startsWith(github.ref, 'refs/tags/v') | |
| needs: [release] | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Notify workflow-registry | |
| if: env.GH_TOKEN != '' | |
| uses: peter-evans/repository-dispatch@v3 | |
| with: | |
| token: ${{ secrets.REGISTRY_PAT }} | |
| repository: GoCodeAlone/workflow-registry | |
| event-type: plugin-release | |
| client-payload: >- | |
| {"plugin": "${{ github.repository }}", "tag": "${{ github.ref_name }}"} | |
| env: | |
| GH_TOKEN: ${{ secrets.REGISTRY_PAT }} | |
| continue-on-error: true | |
| - name: Publish GitHub release | |
| if: ${{ success() }} | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: gh release edit "${{ github.ref_name }}" --draft=false --repo "${{ github.repository }}" |