workflow-plugin-crypto/.github/workflows/release.yml at main · GoCodeAlone/workflow-plugin-crypto · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
name: Release
on:
  push:
    tags:
      - 'v*'
permissions:
  contents: write
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
        with:
          fetch-depth: 0
      - uses: actions/setup-go@v6
        with:
          go-version-file: go.mod
      - uses: GoCodeAlone/setup-wfctl@v1
        with:
          version: v0.63.2
      - name: Validate plugin contract for publish (pre-build)
        run: wfctl plugin validate-contract --for-publish --tag "${{ github.ref_name }}" .
      - uses: goreleaser/goreleaser-action@v7
        with:
          distribution: goreleaser
          version: '~> v2'
          args: release --clean
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Verify shipped plugin.json carries tag (post-build)
        run: |
          if [ -f .release/plugin.json ]; then
            wfctl plugin validate-contract --for-publish --tag "${{ github.ref_name }}" --release-dir .release .
          else
            wfctl plugin validate-contract --for-publish --tag "${{ github.ref_name }}" --release-dir . .
          fi
      # workflow#765: runtime truth-check via plugin verify-capabilities.
      # Spawns the built plugin binary, calls PluginService.GetManifest via raw gRPC,
      # diffs Name + Version against plugin.json. Catches ldflag-missing bug where
      # validate-contract (static) passes but binary surfaces sentinel "(devel) [@ sha]".
      - name: Verify capabilities (runtime truth-check)
        run: |
          RUNNER_ARCH=$(uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/')
          BIN=$(jq -r --arg arch "$RUNNER_ARCH" \
            '[.[] | select(.type=="Binary" and .goos=="linux" and .goarch==$arch and (.name|startswith("workflow-plugin-crypto")))] | .[0].path // ""' \
            dist/artifacts.json)
          if [ -z "$BIN" ] || [ "$BIN" = "null" ]; then
            echo "::warning::No matching linux/$RUNNER_ARCH workflow-plugin-crypto binary in dist/artifacts.json; skipping verify-capabilities"
            jq '.[] | {name, type, goos, goarch, path}' dist/artifacts.json
            exit 0
          fi
          wfctl plugin verify-capabilities --binary "$BIN" .
      - name: Publish GitHub release
        if: ${{ success() }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: gh release edit "${{ github.ref_name }}" --draft=false --repo "${{ github.repository }}"

  # Registry publication is intentionally separate from binary release until
  # workflow-compute consumes provider catalog plugins from the registry.