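name: Release
on:
  push:
    tags:
      - 'v*'
  workflow_dispatch:
    inputs:
      tag:
        description: 'Tag to release (e.g. v1.1.1)'
        required: true
# Least privilege: the default GITHUB_TOKEN is read-only for every job. The two
# jobs that create and un-draft the GitHub release opt in to contents: write at
# job level below, so a compromised step elsewhere cannot push to the repo.
permissions:
  contents: read
env:
  # Modules under github.com/GoCodeAlone bypass the public proxy and the
  # checksum database (GOPRIVATE implies GONOPROXY/GONOSUMDB), so their
  # integrity rests solely on the go.sum committed in this repo.
  # NOTE(review): GONOSUMCHECK does not appear to be a variable the go tool
  # reads; it is kept unchanged here — confirm and drop if it is unused.
  GONOSUMCHECK: github.com/GoCodeAlone/*
  GONOSUMDB: github.com/GoCodeAlone/*
  GOPRIVATE: github.com/GoCodeAlone/*
jobs:
  release:
    # ubuntu-latest (GitHub-hosted) matches DO / aws / gcp plugins. The
    # GoCodeAlone org's Default self-hosted runner group disallows public
    # repositories, so the previous [self-hosted, Linux, X64] selector blocked
    # this public repo's release job indefinitely.
    runs-on: ubuntu-latest
    permissions:
      contents: write  # goreleaser creates the (draft) release and uploads assets
    env:
      # Resolved once and consumed as a shell variable instead of being
      # interpolated with ${{ }} into each run: script. Git allows `$(`,
      # backticks, quotes and `;` in tag names, so direct interpolation would
      # be shell injection for anyone able to push a v* tag or dispatch the
      # workflow.
      RELEASE_TAG: ${{ inputs.tag || github.ref_name }}
    steps:
      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          fetch-depth: 0
          # On push-tag, github.ref is refs/tags/<tag>; on workflow_dispatch,
          # check out the requested tag explicitly so re-triggers for stuck
          # tags work without a force-tag dance.
          ref: ${{ inputs.tag || github.ref }}
      - name: Configure git for private modules
        # The PAT arrives via env so it is never written into the generated
        # step script. It still lands in ~/.gitconfig for the rest of this job
        # (acceptable on an ephemeral GitHub-hosted runner, a leak on a shared
        # self-hosted one). With no token the rewrite is skipped rather than
        # producing a "https://@github.com/" URL.
        env:
          RELEASES_TOKEN: ${{ secrets.RELEASES_TOKEN }}
        run: |
          set -euo pipefail
          if [ -z "${RELEASES_TOKEN}" ]; then
            echo "::warning::RELEASES_TOKEN is not set; GoCodeAlone modules will be fetched unauthenticated"
          else
            git config --global url."https://${RELEASES_TOKEN}@github.com/".insteadOf "https://github.com/"
          fi
      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version-file: go.mod
          cache: false
      - name: Install wfctl v0.74.6
        env:
          GH_TOKEN: ${{ secrets.RELEASES_TOKEN || github.token }}
          WFCTL_VERSION: v0.74.6
        # wfctl is fetched from a GoCodeAlone/workflow release and verified
        # against the SHA-256 pinned here, so a tampered or re-uploaded asset
        # cannot reach the validate/verify steps. Bump WFCTL_VERSION (and the
        # step name) together with both expected_sha values.
        run: |
          set -euo pipefail
          runner_arch=$(uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/')
          asset="wfctl-linux-${runner_arch}"
          download_dir="$(mktemp -d)"
          case "${asset}" in
            wfctl-linux-amd64) expected_sha="e471470fbf82bcf9bb11de338b727b0c38b426c955f1740e0d6e88eca604436a" ;;
            wfctl-linux-arm64) expected_sha="bf4525f2769d52336d9634a8d22baa8af3a981ed6be8a4a213c1aa8a4cf2c688" ;;
            *) echo "::error::unsupported wfctl asset ${asset}"; exit 1 ;;
          esac
          gh release download "${WFCTL_VERSION}" \
            --repo GoCodeAlone/workflow \
            --pattern "${asset}" \
            --dir "${download_dir}"
          actual_sha="$(sha256sum "${download_dir}/${asset}" | awk '{print $1}')"
          if [ "${actual_sha}" != "${expected_sha}" ]; then
            echo "::error::wfctl checksum mismatch for ${asset}: expected ${expected_sha}, got ${actual_sha}"
            exit 1
          fi
          mkdir -p "${RUNNER_TEMP}/wfctl-bin"
          install -m 0755 "${download_dir}/${asset}" "${RUNNER_TEMP}/wfctl-bin/wfctl"
          echo "${RUNNER_TEMP}/wfctl-bin" >> "$GITHUB_PATH"
      - name: Validate plugin contract for publish (pre-build)
        run: wfctl plugin validate-contract --for-publish --tag "${RELEASE_TAG}" .
      - uses: goreleaser/goreleaser-action@5daf1e915a5f0af01ddbcd89a43b8061ff4f1a89 # v7.2.2
        with:
          distribution: goreleaser
          version: '~> v2'
          args: release --clean
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      # workflow#765: runtime truth-check via plugin verify-capabilities.
      # Soft-fail by design: when dist/artifacts.json lists no linux binary for
      # this runner's arch the step warns and exits 0, so the release proceeds
      # without the runtime check. Change the exit to 1 if every release is
      # expected to ship one.
      - name: Verify capabilities (runtime truth-check)
        run: |
          set -euo pipefail
          # Local name deliberately differs from the runner-provided
          # RUNNER_ARCH env var (X64/ARM64) so the two are not confused.
          plugin_arch=$(uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/')
          bin=$(jq -r --arg arch "$plugin_arch" \
            '[.[] | select(.type=="Binary" and .goos=="linux" and .goarch==$arch and (.name|startswith("workflow-plugin-azure")))] | .[0].path // ""' \
            dist/artifacts.json)
          if [ -z "$bin" ] || [ "$bin" = "null" ]; then
            echo "::warning::No matching linux/$plugin_arch binary in dist/artifacts.json; skipping verify-capabilities"
            jq '.[] | {name, type, goos, goarch, path}' dist/artifacts.json
            exit 0
          fi
          wfctl plugin verify-capabilities --binary "$bin" .
      - name: Verify shipped plugin.json carries tag (post-build)
        run: |
          set -euo pipefail
          # Validate from .release/ when a plugin.json was staged there
          # (presumably by goreleaser — not visible here), else the repo root.
          if [ -f .release/plugin.json ]; then
            release_dir=.release
          else
            release_dir=.
          fi
          wfctl plugin validate-contract --for-publish --tag "${RELEASE_TAG}" --release-dir "${release_dir}" .
  publish-release:
    # Only tag pushes reach this job: on workflow_dispatch github.ref is the
    # branch, so the job is skipped and the goreleaser draft stays a draft.
    # NOTE(review): confirm that is intended for dispatched re-runs.
    if: startsWith(github.ref, 'refs/tags/v')
    needs: [release]
    runs-on: ubuntu-latest
    permissions:
      contents: write  # needed to flip the draft when RELEASES_TOKEN is absent
    steps:
      - name: Publish GitHub release
        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
        with:
          # The PAT is preferred over github.token — presumably so the
          # resulting "release published" event can trigger other workflows,
          # which the default token cannot; verify against the consumers.
          github-token: ${{ secrets.RELEASES_TOKEN || github.token }}
          script: |
            const tag = context.ref.replace('refs/tags/', '');
            const { owner, repo } = context.repo;
            // listReleases returns drafts; getReleaseByTag 404s on drafts. GoReleaser
            // creates releases as draft; this step flips them to non-draft post-publish.
            const { data: releases } = await github.rest.repos.listReleases({ owner, repo, per_page: 100 });
            const release = releases.find(r => r.tag_name === tag);
            if (!release) {
              throw new Error(`release for tag ${tag} not found in repo listing (latest 100 releases)`);
            }
            if (release.draft) {
              await github.rest.repos.updateRelease({
                owner,
                repo,
                release_id: release.id,
                draft: false,
              });
            }
  notify-workflow-registry:
    name: Notify workflow-registry
    runs-on: ubuntu-latest
    permissions:
      contents: read
    needs: publish-release
    # Skip deletions, pre-release tags (anything containing '-') and forks.
    if: >-
      !github.event.deleted
      && !contains(github.ref_name, '-')
      && github.repository == 'GoCodeAlone/workflow-plugin-azure'
    steps:
      - name: Trigger registry manifest sync
        uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1
        with:
          # Cross-repo dispatch needs a token with write access on
          # GoCodeAlone/workflow-registry; scope it to that single repo and
          # nothing more.
          token: ${{ secrets.repo_dispatch_token }}
          repository: GoCodeAlone/workflow-registry
          event-type: plugin-release
          # toJSON() quotes and escapes the tag, so a ref name containing a
          # double quote cannot break out of the JSON string.
          client-payload: |-
            {"plugin": "azure", "tag": ${{ toJSON(github.ref_name) }}}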