workflow-plugin-auth/.github/workflows/release.yml at main · GoCodeAlone/workflow-plugin-auth · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
name: Release

on:
  push:
    tags:
      - "v*"

permissions:
  contents: write

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
          cache: true

      - name: Configure Go private modules
        run: git config --global url."https://${{ github.actor }}:${{ secrets.GITHUB_TOKEN }}@github.com/".insteadOf "https://github.com/"

      - name: Install wfctl v0.63.2
        run: |
          mkdir -p "${RUNNER_TEMP}/wfctl-bin"
          curl -sSfL -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
            -o "${RUNNER_TEMP}/wfctl-bin/wfctl" \
            "https://github.com/GoCodeAlone/workflow/releases/download/v0.63.2/wfctl-linux-amd64"
          chmod +x "${RUNNER_TEMP}/wfctl-bin/wfctl"
      - name: Validate plugin contract for publish (pre-build)
        run: "${{ runner.temp }}/wfctl-bin/wfctl plugin validate-contract --for-publish --tag ${{ github.ref_name }} ."
      - name: Run GoReleaser
        uses: goreleaser/goreleaser-action@v7
        with:
          version: "~> v2"
          args: release --clean
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GOPRIVATE: github.com/GoCodeAlone/*
          GONOSUMCHECK: github.com/GoCodeAlone/*
      # workflow#765: runtime truth-check via plugin verify-capabilities.
      - name: Verify capabilities (runtime truth-check)
        run: |
          RUNNER_ARCH=$(uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/')
          BIN=$(jq -r --arg arch "$RUNNER_ARCH" \
            '[.[] | select(.type=="Binary" and .goos=="linux" and .goarch==$arch and (.name|startswith("workflow-plugin-auth")))] | .[0].path // ""' \
            dist/artifacts.json)
          if [ -z "$BIN" ] || [ "$BIN" = "null" ]; then
            echo "::warning::No matching linux/$RUNNER_ARCH binary in dist/artifacts.json; skipping verify-capabilities"
            jq '.[] | {name, type, goos, goarch, path}' dist/artifacts.json
            exit 0
          fi
          "${{ runner.temp }}/wfctl-bin/wfctl" plugin verify-capabilities --binary "$BIN" .
      - name: Verify shipped plugin.json carries tag (post-build)
        run: "${{ runner.temp }}/wfctl-bin/wfctl plugin validate-contract --for-publish --tag ${{ github.ref_name }} --release-dir . ."
      - name: Publish GitHub release
        if: ${{ success() }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: gh release edit "${{ github.ref_name }}" --draft=false --repo "${{ github.repository }}"

  notify-workflow-registry:
    name: Notify workflow-registry
    runs-on: ubuntu-latest
    permissions:
      contents: read
    needs: release
    if: >-
      !github.event.deleted
      && !contains(github.ref_name, '-')
      && github.repository == 'GoCodeAlone/workflow-plugin-auth'
    steps:
      - name: Trigger registry manifest sync
        uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697  # v4
        with:
          token: ${{ secrets.repo_dispatch_token }}
          repository: GoCodeAlone/workflow-registry
          event-type: plugin-release
          client-payload: |-
            {"plugin": "auth", "tag": "${{ github.ref_name }}"}