chore: release authz plugin v0.5.8 #22
Workflow file for this run
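# Release workflow: on a pushed v* tag, build and release the plugin with
# GoReleaser, check the built binary with wfctl, propose a manifest update to
# the workflow-registry repository, then flip the draft GitHub release to
# published.
#
# NOTE(review): every action below is referenced by a mutable tag (@v4, @v5,
# @v7, @v3). Steps in this workflow hold RELEASES_TOKEN and REGISTRY_PAT, so
# pinning each third-party action to a full commit SHA (<COMMIT_SHA>
# placeholder, to be looked up per action) keeps a re-pointed tag from running
# with those secrets.
name: Release

on:
  push:
    tags: ['v*']

# Applies to every job in this file; both jobs therefore get a write-capable
# GITHUB_TOKEN for repository contents.
permissions:
  contents: write

env:
  # Modules under this path are fetched directly and skip the public checksum
  # database, so go.sum is the only integrity check for them.
  # NOTE(review): GOPRIVATE already acts as the default for GONOSUMDB, and
  # GONOSUMCHECK does not look like a variable the go command reads - confirm
  # against `go help environment` before relying on it.
  GONOSUMCHECK: github.com/GoCodeAlone/*
  GONOSUMDB: github.com/GoCodeAlone/*
  GOPRIVATE: github.com/GoCodeAlone/*

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - uses: actions/setup-go@v5
        with:
          go-version: '1.26'
          cache: true

      # The token is handed to the shell through the step environment instead of
      # being expanded into the script text by the expression engine.
      # The rewrite rule is written to the global git config, so the token stays
      # readable by every later step in this job (wfctl, GoReleaser included).
      - name: Configure git for private modules
        env:
          RELEASES_TOKEN: ${{ secrets.RELEASES_TOKEN }}
        run: git config --global url."https://${RELEASES_TOKEN}@github.com/".insteadOf "https://github.com/"

      # NOTE(review): the downloaded binary is made executable and run in later
      # steps without being compared against a known digest. Recording the
      # expected SHA-256 for v0.63.2 (<EXPECTED_SHA256> placeholder) and checking
      # it with `sha256sum -c` before chmod would catch a replaced asset.
      - name: Install wfctl v0.63.2
        env:
          WFCTL_DOWNLOAD_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          mkdir -p "${RUNNER_TEMP}/wfctl-bin"
          curl -sSfL -H "Authorization: token ${WFCTL_DOWNLOAD_TOKEN}" \
            -o "${RUNNER_TEMP}/wfctl-bin/wfctl" \
            "https://github.com/GoCodeAlone/workflow/releases/download/v0.63.2/wfctl-linux-amd64"
          chmod +x "${RUNNER_TEMP}/wfctl-bin/wfctl"

      # The tag name is attacker-influenced text as far as the shell is
      # concerned (git allows characters such as $ ( ) ; in ref names), so it is
      # read from the GITHUB_REF_NAME environment variable and quoted rather than
      # pasted into the command line with ${{ github.ref_name }}.
      - name: Validate plugin contract for publish (pre-build)
        run: |
          "${RUNNER_TEMP}/wfctl-bin/wfctl" plugin validate-contract --for-publish --tag "${GITHUB_REF_NAME}" .

      - name: Run GoReleaser
        uses: goreleaser/goreleaser-action@v7
        with:
          version: '~> v2'
          args: release --clean
        env:
          GITHUB_TOKEN: ${{ secrets.RELEASES_TOKEN }}

      # workflow#765: runtime truth-check via plugin verify-capabilities.
      # NOTE(review): this check fails open. When no linux binary for the runner
      # architecture is listed in dist/artifacts.json the step only emits a
      # warning and exits 0, and the release is still published by the last step
      # of this workflow. Confirm that skipping is intended.
      - name: Verify capabilities (runtime truth-check)
        run: |
          RUNNER_ARCH=$(uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/')
          BIN=$(jq -r --arg arch "$RUNNER_ARCH" \
            '[.[] | select(.type=="Binary" and .goos=="linux" and .goarch==$arch and (.name|startswith("workflow-plugin-authz")))] | .[0].path // ""' \
            dist/artifacts.json)
          if [ -z "$BIN" ] || [ "$BIN" = "null" ]; then
            echo "::warning::No matching linux/$RUNNER_ARCH binary in dist/artifacts.json; skipping verify-capabilities"
            jq '.[] | {name, type, goos, goarch, path}' dist/artifacts.json
            exit 0
          fi
          "${RUNNER_TEMP}/wfctl-bin/wfctl" plugin verify-capabilities --binary "$BIN" .

      # Best effort: the step is skipped when REGISTRY_PAT is empty and never
      # fails the job (continue-on-error, plus `|| true` on the PR creation).
      # NOTE(review): cloning with the PAT embedded in the URL stores it in
      # /tmp/workflow-registry/.git/config for the rest of the job. The manifest
      # written here lists download URLs only, with no artifact checksums.
      - name: Update registry manifest
        if: success() && env.GH_TOKEN != ''
        continue-on-error: true
        run: |
          VERSION="${GITHUB_REF_NAME#v}"
          PLUGIN_NAME="${GITHUB_REPOSITORY##*/}"
          REGISTRY_NAME="${PLUGIN_NAME#workflow-plugin-}"
          REGISTRY_NAME="${REGISTRY_NAME#workflow-}"
          BASE_URL="https://github.com/GoCodeAlone/${PLUGIN_NAME}/releases/download/v${VERSION}/${PLUGIN_NAME}"
          git clone "https://x-access-token:${REGISTRY_PAT}@github.com/GoCodeAlone/workflow-registry.git" /tmp/workflow-registry
          cd /tmp/workflow-registry
          MANIFEST="plugins/${REGISTRY_NAME}/manifest.json"
          if [[ ! -f "${MANIFEST}" ]]; then
            echo "No manifest found at ${MANIFEST}, skipping registry update."
            exit 0
          fi
          jq --arg v "${VERSION}" \
            --arg base "${BASE_URL}" \
            '.version = $v |
             .downloads = [
               {os: "linux", arch: "amd64", url: ($base + "-linux-amd64.tar.gz")},
               {os: "linux", arch: "arm64", url: ($base + "-linux-arm64.tar.gz")},
               {os: "darwin", arch: "amd64", url: ($base + "-darwin-amd64.tar.gz")},
               {os: "darwin", arch: "arm64", url: ($base + "-darwin-arm64.tar.gz")}
             ]' "${MANIFEST}" > tmp.json && mv tmp.json "${MANIFEST}"
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          BRANCH="auto/sync-${PLUGIN_NAME}-v${VERSION}"
          git checkout -b "${BRANCH}"
          git add "plugins/${REGISTRY_NAME}/manifest.json"
          git commit -m "sync: ${PLUGIN_NAME} v${VERSION}"
          git push "https://x-access-token:${REGISTRY_PAT}@github.com/GoCodeAlone/workflow-registry.git" "${BRANCH}"
          gh pr create \
            --repo GoCodeAlone/workflow-registry \
            --head "${BRANCH}" \
            --base main \
            --title "sync: ${PLUGIN_NAME} v${VERSION}" \
            --body "Auto-sync \`${PLUGIN_NAME}\` manifest to v${VERSION}" \
            --label "auto-sync" || true
        env:
          REGISTRY_PAT: ${{ secrets.REGISTRY_PAT }}
          GH_TOKEN: ${{ secrets.REGISTRY_PAT }}

  notify-registry:
    if: startsWith(github.ref, 'refs/tags/v')
    needs: [release]
    runs-on: ubuntu-latest
    steps:
      # toJSON() emits each value as a quoted, escaped JSON string, so a tag name
      # containing a double quote cannot break or extend the payload.
      - name: Notify workflow-registry
        if: env.GH_TOKEN != ''
        uses: peter-evans/repository-dispatch@v3
        with:
          token: ${{ secrets.REGISTRY_PAT }}
          repository: GoCodeAlone/workflow-registry
          event-type: plugin-release
          client-payload: >-
            {"plugin": ${{ toJSON(github.repository) }}, "tag": ${{ toJSON(github.ref_name) }}}
        env:
          GH_TOKEN: ${{ secrets.REGISTRY_PAT }}
        continue-on-error: true

      # Runs after the release job has succeeded; it does not know whether the
      # capability check in that job actually ran or was skipped with a warning.
      - name: Publish GitHub release
        uses: actions/github-script@v7
        with:
          github-token: ${{ secrets.RELEASES_TOKEN || github.token }}
          script: |
            const tag = context.ref.replace('refs/tags/', '');
            const { owner, repo } = context.repo;
            // listReleases returns drafts; getReleaseByTag 404s on drafts. GoReleaser
            // creates releases as draft; this step flips them to non-draft post-publish.
            const { data: releases } = await github.rest.repos.listReleases({ owner, repo, per_page: 100 });
            const release = releases.find(r => r.tag_name === tag);
            if (!release) {
              throw new Error(`release for tag ${tag} not found in repo listing (latest 100 releases)`);
            }
            if (release.draft) {
              await github.rest.repos.updateRelease({
                owner,
                repo,
                release_id: release.id,
                draft: false,
              });
            }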