Fix admin contribution grant bridge (#37) #15
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Release | |
| on: | |
| push: | |
| tags: | |
| - 'v*' | |
| permissions: | |
| contents: write | |
| env: | |
| GONOSUMCHECK: github.com/GoCodeAlone/* | |
| GONOSUMDB: github.com/GoCodeAlone/* | |
| GOPRIVATE: github.com/GoCodeAlone/* | |
| jobs: | |
| release: | |
| name: Build and Release | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v6 | |
| with: | |
| fetch-depth: 0 | |
| - uses: actions/setup-node@v4 | |
| with: | |
| node-version: '22' | |
| - name: Build admin UI | |
| env: | |
| NODE_AUTH_TOKEN: ${{ secrets.RELEASES_TOKEN }} | |
| run: | | |
| git clone --depth 1 https://github.com/GoCodeAlone/workflow.git /tmp/workflow-ui-build | |
| # Write .npmrc so npm ci can authenticate to GitHub Packages | |
| # (fetch of @gocodealone/workflow-ui from npm.pkg.github.com). | |
| # Captured failure in workflow-plugin-admin#13 v1.0.1 release run. | |
| echo "//npm.pkg.github.com/:_authToken=${NODE_AUTH_TOKEN}" > /tmp/workflow-ui-build/ui/.npmrc | |
| # Subshell isolates `cd` so the cp below runs from the repo workspace, | |
| # not /tmp/workflow-ui-build/ui. v1.0.2 release run surfaced this: | |
| # cd persisted across bash lines → cp tried to write | |
| # /tmp/workflow-ui-build/ui/internal/ui_dist (no such dir) instead of | |
| # ${GITHUB_WORKSPACE}/internal/ui_dist. | |
| ( cd /tmp/workflow-ui-build/ui && npm ci && npx vite build ) | |
| rm -rf internal/ui_dist && cp -r /tmp/workflow-ui-build/ui/dist internal/ui_dist | |
| rm -rf /tmp/workflow-ui-build | |
| - uses: actions/setup-go@v6 | |
| with: | |
| go-version: '1.26' | |
| cache: true | |
| - name: Configure git for private modules | |
| run: git config --global url."https://${{ secrets.RELEASES_TOKEN }}@github.com/".insteadOf "https://github.com/" | |
| - name: Install wfctl v0.63.2 | |
| run: | | |
| mkdir -p "${RUNNER_TEMP}/wfctl-bin" | |
| curl -sSfL -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \ | |
| -o "${RUNNER_TEMP}/wfctl-bin/wfctl" \ | |
| "https://github.com/GoCodeAlone/workflow/releases/download/v0.63.2/wfctl-linux-amd64" | |
| chmod +x "${RUNNER_TEMP}/wfctl-bin/wfctl" | |
| - name: Validate plugin contract for publish (pre-build) | |
| run: "${{ runner.temp }}/wfctl-bin/wfctl plugin validate-contract --for-publish --tag ${{ github.ref_name }} ." | |
| - uses: goreleaser/goreleaser-action@v7 | |
| with: | |
| version: '~> v2' | |
| # --skip=validate bypasses goreleaser's git-dirty-state check. | |
| # The Build admin UI step rebuilds internal/ui_dist/ from workflow | |
| # repo HEAD, which may differ from this repo's committed snapshot | |
| # (kept in-tree for go:embed at dev time). Per workflow-plugin-admin | |
| # #13 v1.0.3 release run failure, dirty check fired on | |
| # internal/ui_dist/index.html. The fresh build is the intended | |
| # release artifact; skip-validate accepts that ui_dist drift is | |
| # expected at release time. | |
| args: release --clean --skip=validate | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.RELEASES_TOKEN }} | |
| GOPRIVATE: github.com/GoCodeAlone/* | |
| # workflow#765: runtime truth-check via plugin verify-capabilities. | |
| - name: Verify capabilities (runtime truth-check) | |
| run: | | |
| RUNNER_ARCH=$(uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/') | |
| BIN=$(jq -r --arg arch "$RUNNER_ARCH" \ | |
| '[.[] | select(.type=="Binary" and .goos=="linux" and .goarch==$arch and (.name|startswith("workflow-plugin-admin")))] | .[0].path // ""' \ | |
| dist/artifacts.json) | |
| if [ -z "$BIN" ] || [ "$BIN" = "null" ]; then | |
| echo "::warning::No matching linux/$RUNNER_ARCH binary in dist/artifacts.json; skipping verify-capabilities" | |
| jq '.[] | {name, type, goos, goarch, path}' dist/artifacts.json | |
| exit 0 | |
| fi | |
| "${{ runner.temp }}/wfctl-bin/wfctl" plugin verify-capabilities --binary "$BIN" . | |
| publish-release: | |
| if: startsWith(github.ref, 'refs/tags/v') | |
| needs: [release] | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Publish GitHub release | |
| if: ${{ success() }} | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: gh release edit "${{ github.ref_name }}" --draft=false --repo "${{ github.repository }}" | |
| notify-workflow-registry: | |
| name: Notify workflow-registry | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| needs: publish-release | |
| if: >- | |
| !github.event.deleted | |
| && !contains(github.ref_name, '-') | |
| && github.repository == 'GoCodeAlone/workflow-plugin-admin' | |
| steps: | |
| - name: Trigger registry manifest sync | |
| uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4 | |
| with: | |
| token: ${{ secrets.repo_dispatch_token }} | |
| repository: GoCodeAlone/workflow-registry | |
| event-type: plugin-release | |
| client-payload: |- | |
| {"plugin": "admin", "tag": "${{ github.ref_name }}"} |