-
Notifications
You must be signed in to change notification settings - Fork 0
94 lines (88 loc) · 3.73 KB
/
release.yml
File metadata and controls
94 lines (88 loc) · 3.73 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
name: Release
on:
push:
tags:
- "v*"
permissions:
contents: write
jobs:
release:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
with:
fetch-depth: 0
- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
with:
go-version-file: go.mod
cache: false
- name: Configure Go private modules
run: git config --global url."https://${{ github.actor }}:${{ secrets.GITHUB_TOKEN }}@github.com/".insteadOf "https://github.com/"
- name: Install wfctl v0.74.6
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
WFCTL_VERSION: v0.74.6
run: |
set -euo pipefail
runner_arch=$(uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/')
asset="wfctl-linux-${runner_arch}"
download_dir="$(mktemp -d)"
gh release download "${WFCTL_VERSION}" \
--repo GoCodeAlone/workflow \
--pattern "${asset}" \
--pattern checksums.txt \
--dir "${download_dir}"
(cd "${download_dir}" && grep " ${asset}$" checksums.txt | sha256sum -c -)
mkdir -p "${RUNNER_TEMP}/wfctl-bin"
install -m 0755 "${download_dir}/${asset}" "${RUNNER_TEMP}/wfctl-bin/wfctl"
echo "${RUNNER_TEMP}/wfctl-bin" >> "$GITHUB_PATH"
- name: Validate plugin contract for publish (pre-build)
run: "wfctl plugin validate-contract --for-publish --tag ${{ github.ref_name }} ."
- name: Run GoReleaser
uses: goreleaser/goreleaser-action@5daf1e915a5f0af01ddbcd89a43b8061ff4f1a89 # v7.2.2
with:
version: "~> v2"
args: release --clean
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GOPRIVATE: github.com/GoCodeAlone/*
GONOSUMCHECK: github.com/GoCodeAlone/*
# workflow#765: runtime truth-check via plugin verify-capabilities.
- name: Verify capabilities (runtime truth-check)
run: |
RUNNER_ARCH=$(uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/')
BIN=$(jq -r --arg arch "$RUNNER_ARCH" \
'[.[] | select(.type=="Binary" and .goos=="linux" and .goarch==$arch and (.name|startswith("workflow-plugin-infra")))] | .[0].path // ""' \
dist/artifacts.json)
if [ -z "$BIN" ] || [ "$BIN" = "null" ]; then
echo "::warning::No matching linux/$RUNNER_ARCH binary in dist/artifacts.json; skipping verify-capabilities"
jq '.[] | {name, type, goos, goarch, path}' dist/artifacts.json
exit 0
fi
"wfctl" plugin verify-capabilities --binary "$BIN" .
- name: Verify shipped plugin.json carries tag (post-build)
run: '"wfctl" plugin validate-contract --for-publish --tag ${{ github.ref_name }} --release-dir . .'
- name: Publish GitHub release
if: ${{ success() }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: gh release edit "${{ github.ref_name }}" --draft=false --repo "${{ github.repository }}"
notify-workflow-registry:
name: Notify workflow-registry
runs-on: ubuntu-latest
permissions:
contents: read
needs: release
if: >-
!github.event.deleted
&& !contains(github.ref_name, '-')
&& github.repository == 'GoCodeAlone/workflow-plugin-infra'
steps:
- name: Trigger registry manifest sync
uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1
with:
token: ${{ secrets.repo_dispatch_token }}
repository: GoCodeAlone/workflow-registry
event-type: plugin-release
client-payload: |-
{"plugin": "infra", "tag": "${{ github.ref_name }}"}