-
Notifications
You must be signed in to change notification settings - Fork 59
96 lines (90 loc) · 3.69 KB
/
release.yml
File metadata and controls
96 lines (90 loc) · 3.69 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
name: "Publish a draft release with assets attached"
on:
push:
tags:
- '*'
permissions:
contents: read
jobs:
build-assets:
# See build-assets.yml for a list of the permissions and why they are needed
permissions:
contents: read
id-token: write
attestations: write
uses: ./.github/workflows/build-assets.yml
create-draft-release:
runs-on: ubuntu-latest
needs:
- build-assets
permissions:
# contents:write is required to create the draft release
contents: write
steps:
- uses: actions/checkout@v6
with:
fetch-tags: 'true'
ref: ${{ github.ref }}
# The changelog is generated locally using jwage/changelog-generator and
# that forms the signed tag body. The `--notes-from-tag` option below
# will copy the release notes from the tag so it will contain the changelog
# Note we must create a *draft* release first, to allow attaching assets
# before the release is finalised when using immutable releases.
- name: Create draft release from tag
env:
GH_TOKEN: ${{ github.token }}
run: gh release create "${{ github.ref_name }}" --title "${{ github.ref_name }}" --draft --notes-from-tag
attach-release-assets:
runs-on: ubuntu-latest
needs:
- create-draft-release
permissions:
# contents:write is required to upload the binaries to the release.
contents: write
steps:
- uses: actions/checkout@v6
- name: Fetch built PHAR from artifacts
uses: actions/download-artifact@v8
with:
name: pie-${{ github.sha }}.phar
- name: Fetch the executable PIEs from artifacts
uses: actions/download-artifact@v8
with:
path: executable-pie-binaries
pattern: pie-${{ github.sha }}-*.bin
merge-multiple: true
- name: Verify the PHAR and binaries
env:
GH_TOKEN: ${{ github.token }}
run: |
gh attestation verify pie.phar --repo ${{ github.repository }} ;
find executable-pie-binaries -type f -exec gh attestation verify {} --repo ${{ github.repository }} \;
# Once the PHAR and binaries have been attached to the release, it is
# ready for review before publishing it. Note that if immutable releases
# are enabled, the tag, pre-release/latest release flag, and all assets
# become immutable, so checking this over is a manual exercise.
# More info: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/immutable-releases
- name: Attach the assets to the draft release
env:
GH_TOKEN: ${{ github.token }}
run: |
gh release upload "${{ github.ref_name }}" "pie.phar" --clobber ;
find executable-pie-binaries -type f -exec gh release upload "${{ github.ref_name }}" {} --clobber \;
build-and-push-docker-image:
if: ${{ startsWith(github.ref, 'refs/tags/') }}
needs:
- build-assets
# See build-and-push-docker-image.yml for a list of the permissions and why they are needed
permissions:
contents: read
id-token: write
attestations: write
packages: write
uses: ./.github/workflows/build-and-push-docker-image.yml
with:
# @TODO v1.0 Consider introducing more granular tags (major and major.minor)
# @see https://github.com/php/pie/pull/122#pullrequestreview-2477496308
# @see https://github.com/php/pie/pull/122#discussion_r1867331273
tags: |
${{ ((!contains(github.ref, 'alpha') && !contains(github.ref, 'beta') && !contains(github.ref, 'rc')) && 'type=raw,value=bin') || '' }}
type=semver,pattern={{version}},suffix=-bin