From 64edfab36de8a9c3671b082943b056a09801e11e Mon Sep 17 00:00:00 2001
From: Jon Langevin
Date: Mon, 1 Jun 2026 01:08:04 -0400
Subject: [PATCH 1/2] ci: canonical registry notify (repo_dispatch_token, bare-name payload)

Replace the old notify-registry job (REGISTRY_PAT + full github.repository payload) with the fleet-canonical notify-workflow-registry job: pinned peter-evans/repository-dispatch@v4 SHA, repo_dispatch_token secret, bare plugin name payload {"plugin":"teams",...}, and pre-release filter (!contains(github.ref_name,'-')).

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 .github/workflows/release.yml | 55 +++++++++-------------------------
 1 file changed, 14 insertions(+), 41 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 0cfe5eb..3a60eec 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -45,49 +45,22 @@ jobs:
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

- notify-registry:
- if: startsWith(github.ref, 'refs/tags/v')
- needs: [release]
+ notify-workflow-registry:
+ name: Notify workflow-registry
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ needs: release
+ if: >-
+ !github.event.deleted
+ && !contains(github.ref_name, '-')
+ && github.repository == 'GoCodeAlone/workflow-plugin-teams'
 steps:
- # workflow#765: runtime truth-check via plugin verify-capabilities.
- - name: Verify capabilities (runtime truth-check)
- run: |
- RUNNER_ARCH=$(uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/')
- BIN=$(jq -r --arg arch "$RUNNER_ARCH" \
- '[.[] | select(.type=="Binary" and .goos=="linux" and .goarch==$arch and (.name|startswith("workflow-plugin-teams")))] | .[0].path // ""' \
- dist/artifacts.json)
- if [ -z "$BIN" ] || [ "$BIN" = "null" ]; then
- echo "::warning::No matching linux/$RUNNER_ARCH binary in dist/artifacts.json; skipping verify-capabilities"
- jq '.[] | {name, type, goos, goarch, path}' dist/artifacts.json
- exit 0
- fi
- "${{ runner.temp }}/wfctl-bin/wfctl" plugin verify-capabilities --binary "$BIN" .
- - name: Notify workflow-registry
- if: env.GH_TOKEN != ''
- uses: peter-evans/repository-dispatch@v3
+ - name: Trigger registry manifest sync
+ uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4
 with:
- token: ${{ secrets.REGISTRY_PAT }}
+ token: ${{ secrets.repo_dispatch_token }}
 repository: GoCodeAlone/workflow-registry
 event-type: plugin-release
- client-payload: >-
- {"plugin": "${{ github.repository }}", "tag": "${{ github.ref_name }}"}
- env:
- GH_TOKEN: ${{ secrets.REGISTRY_PAT }}
- continue-on-error: true
- - name: Publish GitHub release
- uses: actions/github-script@v7
- with:
- github-token: ${{ github.token }}
- script: |
- const tag = process.env.GITHUB_REF_NAME;
- const { owner, repo } = context.repo;
- const { data: release } = await github.rest.repos.getReleaseByTag({ owner, repo, tag });
- if (release.draft) {
- await github.rest.repos.updateRelease({
- owner,
- repo,
- release_id: release.id,
- draft: false,
- });
- }
+ client-payload: |-
+ {"plugin": "teams", "tag": "${{ github.ref_name }}"}
From ad64a36f1015bfd674d3e442e70c81f46336f655 Mon Sep 17 00:00:00 2001
From: Jon Langevin
Date: Mon, 1 Jun 2026 01:14:37 -0400
Subject: [PATCH 2/2] ci: preserve verify-capabilities + Publish GitHub release steps

Prior commit dropped the whole notify-registry job (which also held verify-capabilities + the draft->non-draft Publish step). Restore them (job renamed notify-registry -> publish-release), keep only the broken dispatch removed, add canonical notify-workflow-registry.

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 .github/workflows/release.yml | 37 ++++++++++++++++++++++++++++++++++-
 1 file changed, 36 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 3a60eec..395855c 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
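Review bot: The new `if:` on notify-workflow-registry no longer requires a `v` tag ref, which the removed job enforced with `startsWith(github.ref, 'refs/tags/v')`; the workflow's `on:` trigger is outside this hunk, so if it can fire for anything other than release tags, a ref name without a hyphen would be dispatched to the registry as a `tag`. Adding `&& startsWith(github.ref, 'refs/tags/v')` to the expression keeps the cross-repository dispatch tied to release tags. `github.ref_name` is also spliced into the JSON payload as raw text, and Git ref names may contain a double quote, so `{"plugin": "teams", "tag": ${{ toJSON(github.ref_name) }}}` would keep the payload well-formed whatever the tag is called. The registry side should still validate `tag` before acting on it.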
@@ -45,12 +45,47 @@ jobs:
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

+ publish-release:
+ if: startsWith(github.ref, 'refs/tags/v')
+ needs: [release]
+ runs-on: ubuntu-latest
+ steps:
+ # workflow#765: runtime truth-check via plugin verify-capabilities.
+ - name: Verify capabilities (runtime truth-check)
+ run: |
+ RUNNER_ARCH=$(uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/')
+ BIN=$(jq -r --arg arch "$RUNNER_ARCH" \
+ '[.[] | select(.type=="Binary" and .goos=="linux" and .goarch==$arch and (.name|startswith("workflow-plugin-teams")))] | .[0].path // ""' \
+ dist/artifacts.json)
+ if [ -z "$BIN" ] || [ "$BIN" = "null" ]; then
+ echo "::warning::No matching linux/$RUNNER_ARCH binary in dist/artifacts.json; skipping verify-capabilities"
+ jq '.[] | {name, type, goos, goarch, path}' dist/artifacts.json
+ exit 0
+ fi
+ "${{ runner.temp }}/wfctl-bin/wfctl" plugin verify-capabilities --binary "$BIN" .
+ - name: Publish GitHub release
+ uses: actions/github-script@v7
+ with:
+ github-token: ${{ github.token }}
+ script: |
+ const tag = process.env.GITHUB_REF_NAME;
+ const { owner, repo } = context.repo;
+ const { data: release } = await github.rest.repos.getReleaseByTag({ owner, repo, tag });
+ if (release.draft) {
+ await github.rest.repos.updateRelease({
+ owner,
+ repo,
+ release_id: release.id,
+ draft: false,
+ });
+ }
+
 notify-workflow-registry:
 name: Notify workflow-registry
 runs-on: ubuntu-latest
 permissions:
 contents: read
- needs: release
+ needs: publish-release
 if: >-
 !github.event.deleted
 && !contains(github.ref_name, '-')
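Review bot: publish-release has no `permissions:` block even though its Publish step calls `updateRelease` with `github.token`, so the job runs with whatever the repository's default token scope is, unlike notify-workflow-registry, which is set to `contents: read`. Declaring `permissions: {contents: write}` on the job makes the required scope explicit and grants nothing more. `actions/github-script@v7` is a mutable tag running with that write-capable token; pinning it the way the dispatch action is pinned, `uses: actions/github-script@<full-commit-sha> # v7`, closes that gap. Separately, no step in this job checks out the repository or fetches `dist/artifacts.json` and `wfctl`, and the script exits 0 when no binary matches, so it is worth confirming that the capability check actually runs before the release leaves draft.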