Publish Release #111
name: Publish Release

on:
  # Manual path: a maintainer names the build run whose artifacts get published.
  # The workflow does not check that run_id belongs to the expected build
  # workflow or branch, so the operator must verify the run before dispatching.
  workflow_dispatch:
    inputs:
      run_id:
        description: "Build Workflow Run ID"
        required: true
      is_draft:
        description: "Create as Draft"
        type: boolean
        default: true

  # Chained path: fires whenever a "Build OpenSSL" run completes for `main`.
  # NOTE(review): the branches filter is matched against the triggering run's
  # head branch name. Whether "Build OpenSSL" can also run for pull requests is
  # not visible here; confirm, because this workflow publishes that run's
  # artifacts with a write-scoped token.
  workflow_run:
    workflows:
      - "Build OpenSSL"
    types: [completed]
    branches: [main]

# Token scopes for every job in this workflow. Releases need contents: write,
# and the notification issue needs issues: write.
# NOTE(review): scopes not listed here are not granted. Confirm against the
# download-artifact documentation whether the cross-run downloads also need
# actions: read.
permissions:
  contents: write
  issues: write
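jobs:
  publish:
    name: Publish to GitHub Releases
    # Run if triggered manually, OR if triggered automatically and the build
    # succeeded. The chained path additionally requires that the triggering run
    # came from this repository, so a run whose head repository is a fork can
    # never feed artifacts into a release.
    if: >-
      github.event_name == 'workflow_dispatch' ||
      (github.event.workflow_run.conclusion == 'success' &&
      github.event.workflow_run.head_repository.full_name == github.repository)
    runs-on: ubuntu-latest
    steps:
      - name: Determine Target Run ID & Settings
        id: run_info
        # Context values reach the script as environment variables instead of
        # being expanded into the script text. Expressions are substituted
        # before the shell parses the script, so an input or branch name
        # containing shell syntax would otherwise become part of the script.
        env:
          EVENT_NAME: ${{ github.event_name }}
          DISPATCH_RUN_ID: ${{ inputs.run_id }}
          DISPATCH_IS_DRAFT: ${{ inputs.is_draft }}
          DISPATCH_REF_NAME: ${{ github.ref_name }}
          TRIGGER_RUN_ID: ${{ github.event.workflow_run.id }}
          TRIGGER_HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }}
        run: |
          if [ "$EVENT_NAME" == "workflow_dispatch" ]; then
            # Manual run: use the inputs provided by the human.
            # A run ID is purely numeric; rejecting anything else also keeps a
            # multi-line value from adding extra entries to the env file.
            case "$DISPATCH_RUN_ID" in
              ''|*[!0-9]*)
                echo "Error: run_id must be a numeric workflow run ID." >&2
                exit 1
                ;;
            esac
            # is_draft is a boolean input; anything but 'true' means 'false'.
            if [ "$DISPATCH_IS_DRAFT" == "true" ]; then
              DRAFT_SETTING="true"
            else
              DRAFT_SETTING="false"
            fi
            {
              echo "TARGET_RUN_ID=$DISPATCH_RUN_ID"
              echo "IS_DRAFT=$DRAFT_SETTING"
              echo "SOURCE_BRANCH=$DISPATCH_REF_NAME"
            } >> "$GITHUB_ENV"
          else
            # Automatic run: get the ID from the triggering workflow.
            {
              echo "TARGET_RUN_ID=$TRIGGER_RUN_ID"
              # Always create as draft for automatic runs to allow human review!
              echo "IS_DRAFT=true"
              # In workflow_run, ref_name is always 'main'. We need the
              # head_branch of the trigger.
              echo "SOURCE_BRANCH=$TRIGGER_HEAD_BRANCH"
            } >> "$GITHUB_ENV"
          fi

      - name: Checkout Repo
        # NOTE(review): the action is referenced by a mutable tag. Pinning it to
        # a full commit SHA (actions/checkout@<full-commit-sha>, with the tag
        # kept in a trailing comment) stops a moved tag from changing what runs
        # in this write-scoped job. The same applies to download-artifact below.
        uses: actions/checkout@v6
        with:
          # Later steps authenticate the gh CLI through GH_TOKEN and no visible
          # step runs an authenticated git command, so the token does not need
          # to stay in the checkout's git configuration.
          persist-credentials: false

      # Both downloads read from TARGET_RUN_ID. Everything they fetch was
      # produced by that run and is treated as data only; the version string is
      # validated in the next step before it is used.
      - name: Download Build Metadata
        uses: actions/download-artifact@v8
        with:
          run-id: ${{ env.TARGET_RUN_ID }}
          name: build-metadata
          path: metadata/
          github-token: ${{ secrets.GITHUB_TOKEN }}

      - name: Download Release Archives
        uses: actions/download-artifact@v8
        with:
          run-id: ${{ env.TARGET_RUN_ID }}
          pattern: 'openssl-*'
          path: artifacts/
          merge-multiple: true
          skip-decompress: true
          github-token: ${{ secrets.GITHUB_TOKEN }}

      - name: Extract Version & Configure Release
        id: config
        shell: bash
        env:
          REPO_DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
        run: |
          if [ ! -f "metadata/version.txt" ]; then
            echo "Error: metadata/version.txt not found!"
            exit 1
          fi
          # Read the version from the artifact (xargs trims any accidental
          # whitespace/newlines).
          VERSION=$(xargs < metadata/version.txt)
          # The file comes from a build artifact, so restrict it to characters
          # expected in a version before it reaches the tag name, the release
          # title and the step outputs.
          if [[ ! "$VERSION" =~ ^[0-9A-Za-z][0-9A-Za-z._+-]*$ ]]; then
            echo "Error: unexpected characters in metadata/version.txt." >&2
            exit 1
          fi
          echo "Detected OpenSSL Version: $VERSION"
          # Determine Release Suffix (fall back to 'main' when the event payload
          # carries no default branch).
          DEFAULT_BRANCH="${REPO_DEFAULT_BRANCH:-main}"
          if [ "$SOURCE_BRANCH" != "$DEFAULT_BRANCH" ]; then
            SUFFIX="-$SOURCE_BRANCH"
          else
            SUFFIX=""
          fi
          # Determine Tag Name
          TAG_NAME="v$VERSION$SUFFIX"
          echo "Target Tag: $TAG_NAME"
          {
            echo "version=$VERSION"
            echo "tag_name=$TAG_NAME"
            echo "suffix=$SUFFIX"
          } >> "$GITHUB_OUTPUT"

      - name: Create or Update Release
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          VERSION: ${{ steps.config.outputs.version }}
          TAG_NAME: ${{ steps.config.outputs.tag_name }}
          SUFFIX: ${{ steps.config.outputs.suffix }}
        run: |
          # 1. Check if the release already exists
          if gh release view "$TAG_NAME" > /dev/null 2>&1; then
            echo "Release $TAG_NAME already exists. Proceeding to update artifacts..."
            # IS_DRAFT only affects newly created releases. If this tag is
            # already published, the upload below replaces its assets without
            # the draft review, so surface that in the run annotations.
            if [ "$IS_DRAFT" == "true" ]; then
              EXISTING_IS_DRAFT=$(gh release view "$TAG_NAME" --json isDraft -q .isDraft || true)
              if [ "$EXISTING_IS_DRAFT" == "false" ]; then
                echo "::warning::Release $TAG_NAME is already published; its assets are being replaced without a draft review."
              fi
            fi
          else
            echo "Release $TAG_NAME does not exist. Creating new release..."
            # An array keeps the optional flag out of unquoted word splitting.
            DRAFT_ARGS=()
            if [ "$IS_DRAFT" == "true" ]; then
              DRAFT_ARGS+=(--draft)
            fi
            gh release create "$TAG_NAME" \
              --title "OpenSSL Distribution $VERSION$SUFFIX" \
              --notes "Pre-compiled OpenSSL $VERSION binaries for multiple platforms." \
              "${DRAFT_ARGS[@]}"
          fi
          # 2. Upload artifacts
          # The --clobber flag overwrites existing files with the same name.
          echo "Uploading artifacts to $TAG_NAME..."
          gh release upload "$TAG_NAME" artifacts/openssl-*.zip --clobber

      - name: Notify Maintainers (Create Issue)
        if: env.IS_DRAFT == 'true'
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          VERSION: ${{ steps.config.outputs.version }}
          TAG_NAME: ${{ steps.config.outputs.tag_name }}
        run: |
          # Get the direct URL to the draft release
          RELEASE_URL=$(gh release view "$TAG_NAME" --json url -q .url)
          # Check if an issue already exists for this release to avoid spamming
          # on re-runs
          EXISTING_ISSUE=$(gh issue list --search "in:title Review Required: OpenSSL $TAG_NAME" --json number -q '.[0].number')
          if [ -z "$EXISTING_ISSUE" ]; then
            echo "Creating notification issue..."
            # The heredoc body and its terminator sit at the script's base
            # indentation so the terminator lands in column 0 once YAML strips
            # the block scalar's indent.
            BODY=$(cat <<EOF
          A new draft release for **OpenSSL $VERSION** has been generated automatically.
          All artifacts have been successfully built and uploaded.
          👉 [**Click here to review and publish the release**]($RELEASE_URL)
          EOF
            )
            gh issue create \
              --title "👀 Review Required: OpenSSL $TAG_NAME Draft Release" \
              --body "$BODY"
          else
            echo "Notification issue already exists (#$EXISTING_ISSUE). Skipping."
          fi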