executor/.github/workflows/release.yml at 05d456cdc536ca1a3ee74f848bf93c8a1e04a18d · RhysSullivan/executor · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
name: Release
run-name: prepare release

on:
  push:
    branches:
      - main

permissions:
  contents: read

concurrency:
  group: release-${{ github.ref }}
  cancel-in-progress: false

jobs:
  release:
    runs-on: ubuntu-latest
    permissions:
      actions: write
      contents: write
      id-token: write
      pull-requests: write

    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          persist-credentials: false

      - name: Setup Bun
        uses: oven-sh/setup-bun@v2
        with:
          bun-version: 1.3.11

      - name: Setup Node
        uses: actions/setup-node@v4
        with:
          node-version: 24
          registry-url: https://registry.npmjs.org

      - name: Update npm for trusted publishing
        run: |
          npm install -g npm@latest
          npm --version

      - name: Install dependencies
        run: bun install --frozen-lockfile

      - name: Create or update release pull request
        id: changesets
        uses: changesets/action@v1
        with:
          version: bun run changeset:version
          commit: Version Packages
          title: Version Packages
          createGithubReleases: false
        env:
          # PAT (RELEASE_PAT) so the auto-opened Version Packages PR
          # triggers downstream workflows (pkg-pr-new, CI). PRs authored
          # by the default GITHUB_TOKEN do not trigger other workflows by
          # GitHub design. Falls back to GITHUB_TOKEN when the secret is
          # not set, so the workflow keeps working in forks / before the
          # secret is configured.
          GITHUB_TOKEN: ${{ secrets.RELEASE_PAT || secrets.GITHUB_TOKEN }}

      - name: Smoke test packed @executor-js library packages
        if: steps.changesets.outputs.hasChangesets == 'false'
        run: bun run release:smoke:packages

      - name: Publish @executor-js library packages
        if: steps.changesets.outputs.hasChangesets == 'false'
        run: bun run release:publish:packages

      - name: Detect release version change
        if: steps.changesets.outputs.hasChangesets == 'false'
        id: detect_release
        run: |
          before="${{ github.event.before }}"
          if [ "$before" = "0000000000000000000000000000000000000000" ]; then
            before="$(git rev-list --max-count=1 HEAD^ 2>/dev/null || true)"
          fi

          version="$(node -e "console.log(JSON.parse(require('fs').readFileSync('apps/cli/package.json', 'utf8')).version)")"
          if [ -n "$before" ] && git cat-file -e "$before:apps/cli/package.json" 2>/dev/null; then
            previous_version="$(git show "$before:apps/cli/package.json" | node -e "let data = ''; process.stdin.setEncoding('utf8'); process.stdin.on('data', (chunk) => { data += chunk; }); process.stdin.on('end', () => { console.log(JSON.parse(data).version ?? ''); });")"
          else
            previous_version=""
          fi

          release_tag="v$version"
          if [ -n "$previous_version" ] && [ "$previous_version" != "$version" ]; then
            echo "changed=true" >> "$GITHUB_OUTPUT"
          elif ! git ls-remote --exit-code --tags origin "refs/tags/$release_tag" >/dev/null 2>&1; then
            echo "changed=true" >> "$GITHUB_OUTPUT"
          else
            echo "changed=false" >> "$GITHUB_OUTPUT"
          fi

          echo "version=$version" >> "$GITHUB_OUTPUT"

      - name: Validate release tag
        if: steps.changesets.outputs.hasChangesets == 'false' && steps.detect_release.outputs.changed == 'true'
        id: validate_release
        env:
          RELEASE_VERSION: ${{ steps.detect_release.outputs.version }}
        run: bun run scripts/validate-release-ref.ts --version-env RELEASE_VERSION --output tag

      - name: Create and push release tag
        if: steps.changesets.outputs.hasChangesets == 'false' && steps.detect_release.outputs.changed == 'true'
        env:
          GH_TOKEN: ${{ secrets.RELEASE_PAT || github.token }}
          RELEASE_TAG: ${{ steps.validate_release.outputs.tag }}
        run: |
          auth_remote="https://x-access-token:${GH_TOKEN}@github.com/${GITHUB_REPOSITORY}.git"
          if git ls-remote --exit-code --tags "$auth_remote" "refs/tags/$RELEASE_TAG" >/dev/null 2>&1; then
            echo "Tag $RELEASE_TAG already exists."
            exit 0
          fi

          git config user.name "github-actions[bot]"
          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
          git tag "$RELEASE_TAG"
          git push "$auth_remote" "$RELEASE_TAG"

      - name: Trigger CLI publish
        if: steps.changesets.outputs.hasChangesets == 'false' && steps.detect_release.outputs.changed == 'true'
        env:
          GH_TOKEN: ${{ github.token }}
          RELEASE_TAG: ${{ steps.validate_release.outputs.tag }}
        run: |
          gh workflow run publish-executor-package.yml --ref "$RELEASE_TAG" -f tag="$RELEASE_TAG"

      # Desktop build downloads CLI binaries from the release, so it must
      # run after CLI publish completes. Trigger it from the CLI workflow
      # or manually via: gh workflow run publish-desktop.yml -f tag=vX.Y.Z