release.yml
# Release pipeline: triggered by pushing any tag that matches v*.
name: Release

on:
  push:
    tags:
      - "v*"

# Workflow-wide default scopes for GITHUB_TOKEN. A job that declares its own
# `permissions:` block replaces these defaults for that job.
permissions:
  contents: write
  # For OIDC/cosign keyless signing (future).
  # NOTE(review): this scope is marked as not yet used; consider granting it
  # only on the job that signs, once signing exists, so that other steps
  # cannot request an OIDC token.
  id-token: write
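# NOTE(review): most actions below are referenced by a mutable tag (@v4, @v0,
# @v7, ...); only the repository-dispatch step is pinned to a commit SHA.
# Pinning the rest to full commit SHAs would keep a retagged action from
# running with this workflow's write-scoped token.
jobs:
  # Builds and uploads release artifacts with GoReleaser, gated by wfctl
  # contract checks before and after the build.
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Full history and tags are fetched for the release tooling.
          fetch-depth: 0

      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod

      - name: Install Syft for SBOM generation
        uses: anchore/sbom-action/download-syft@v0

      # NOTE(review): the binary downloaded here is executed by later steps
      # without an integrity check. Record the expected SHA-256 of this
      # release asset in the repository and verify it before `chmod +x`.
      - name: Install wfctl v0.63.2
        env:
          # Passed through the environment rather than interpolated into the
          # script text.
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          mkdir -p "${RUNNER_TEMP}/wfctl-bin"
          curl -sSfL -H "Authorization: token ${GH_TOKEN}" \
            -o "${RUNNER_TEMP}/wfctl-bin/wfctl" \
            "https://github.com/GoCodeAlone/workflow/releases/download/v0.63.2/wfctl-linux-amd64"
          chmod +x "${RUNNER_TEMP}/wfctl-bin/wfctl"

      - name: Validate plugin contract for publish (pre-build)
        env:
          # The tag name is chosen by whoever pushes the tag. It is handed to
          # the shell as data so it is never parsed as script text.
          TAG_NAME: ${{ github.ref_name }}
        run: |
          "${RUNNER_TEMP}/wfctl-bin/wfctl" plugin validate-contract --for-publish --tag "${TAG_NAME}" .

      - uses: goreleaser/goreleaser-action@v7
        with:
          distribution: goreleaser
          version: '~> v2'
          args: release --clean
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      # workflow#765: runtime truth-check via plugin verify-capabilities.
      - name: Verify capabilities (runtime truth-check)
        run: |
          if [ ! -f dist/artifacts.json ]; then
            echo "::error::dist/artifacts.json was not generated by GoReleaser"
            exit 1
          fi
          # Map the kernel architecture name to the Go architecture name.
          # A step-local variable is used so the runner-provided RUNNER_ARCH
          # is not overwritten.
          TARGET_ARCH=$(uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/')
          BIN=$(jq -r --arg arch "$TARGET_ARCH" \
            '[.[] | select(.type=="Binary" and .goos=="linux" and .goarch==$arch and (.name|startswith("workflow-plugin-migrations")))] | .[0].path // ""' \
            dist/artifacts.json)
          if [ -z "$BIN" ] || [ "$BIN" = "null" ]; then
            echo "::error::No matching linux/$TARGET_ARCH workflow-plugin-migrations binary in dist/artifacts.json"
            jq '.[] | {name, type, goos, goarch, path}' dist/artifacts.json
            exit 1
          fi
          "${RUNNER_TEMP}/wfctl-bin/wfctl" plugin verify-capabilities --binary "$BIN" .

      - name: Verify shipped plugin.json carries tag (post-build)
        env:
          TAG_NAME: ${{ github.ref_name }}
        run: |
          "${RUNNER_TEMP}/wfctl-bin/wfctl" plugin validate-contract --for-publish --tag "${TAG_NAME}" --release-dir . .

  # Builds the multi-arch workflow-migrate image, pushes it to GHCR, then
  # flips the GitHub release from draft to published.
  docker:
    name: Build & Push workflow-migrate image
    runs-on: ubuntu-latest
    needs: release
    permissions:
      contents: write
      packages: write
    steps:
      - name: Check out code
        uses: actions/checkout@v4
        with:
          # The checkout directory is the Docker build context below, so the
          # job token is not left in .git/config. Later steps authenticate
          # through explicit inputs and env instead.
          persist-credentials: false

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Log in to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Compute image tags
        id: meta
        env:
          # Tag name passed as data, not spliced into the script.
          TAG_NAME: ${{ github.ref_name }}
        run: |
          VERSION="${TAG_NAME}"
          TAGS="ghcr.io/gocodealone/workflow-migrate:${VERSION}"
          # Append :latest only for stable releases (no pre-release component)
          if [[ "${VERSION}" != *-* ]]; then
            TAGS="${TAGS}"$'\n'"ghcr.io/gocodealone/workflow-migrate:latest"
          fi
          {
            echo "tags<<EOF"
            echo "${TAGS}"
            echo "EOF"
          } >> "$GITHUB_OUTPUT"

      - name: Build and push
        uses: docker/build-push-action@v6
        with:
          context: .
          file: cmd/workflow-migrate/Dockerfile
          platforms: linux/amd64,linux/arm64
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: |
            org.opencontainers.image.source=${{ github.server_url }}/${{ github.repository }}
            org.opencontainers.image.version=${{ github.ref_name }}
            org.opencontainers.image.revision=${{ github.sha }}

      - name: Publish release (was draft during asset upload)
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          TAG_NAME: ${{ github.ref_name }}
        # Both arguments are quoted shell variables, so the tag name cannot
        # split into extra words or options.
        run: gh release edit "${TAG_NAME}" --draft=false --repo "${GITHUB_REPOSITORY}"

  # Tells the registry repository about a new stable release.
  # NOTE(review): this job waits only for `release`, while the draft release
  # is published at the end of `docker`. Confirm the registry sync tolerates
  # a release that is still a draft, or add `docker` to `needs`.
  notify-workflow-registry:
    name: Notify workflow-registry
    runs-on: ubuntu-latest
    permissions:
      contents: read
    needs: release
    # Only stable tags (no '-') pushed to the canonical repository.
    if: >-
      !github.event.deleted
      && !contains(github.ref_name, '-')
      && github.repository == 'GoCodeAlone/workflow-plugin-migrations'
    steps:
      - name: Trigger registry manifest sync
        uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4
        with:
          token: ${{ secrets.repo_dispatch_token }}
          repository: GoCodeAlone/workflow-registry
          event-type: plugin-release
          # toJSON emits the tag as a correctly escaped JSON string, so the
          # payload stays valid JSON whatever characters the tag contains.
          client-payload: |-
            {"plugin": "workflow-plugin-migrations", "tag": ${{ toJSON(github.ref_name) }}}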