forked from supabase/cli
-
Notifications
You must be signed in to change notification settings - Fork 0
268 lines (260 loc) · 10.4 KB
/
Copy pathrelease.yml
File metadata and controls
268 lines (260 loc) · 10.4 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
name: Release
on:
push:
branches:
- develop
- main
pull_request_review:
types: [submitted]
# workflow_dispatch is the manual re-cut path. Use it when:
# - a previous release published stale bytes under a version that
# semantic-release keeps re-computing (cut a fresh version forward), or
# - a downstream step (GH release, brew, scoop) failed after npm published
# and you need to rerun the whole pipeline against an explicit version.
workflow_dispatch:
inputs:
channel:
description: Release channel
required: true
type: choice
options:
- alpha
- beta
- stable
version:
description: npm package version to publish (must be unique on npm; pick the next unused version)
required: true
type: string
# Defaults to `true` so a stray "Run workflow" click can't accidentally
# publish — operators recovering from a stale-bytes run must consciously
# untick this when dispatching.
dry_run:
description: Dry run (skip actual publishing)
required: false
type: boolean
default: true
# The release pipeline mutates external package registries, git tags, GitHub
# Releases, Homebrew, and Scoop. Keep one release per ref active at a time so
# duplicate push events cannot race the same computed version.
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: false
permissions:
contents: read
jobs:
fast-forward:
name: Fast-forward develop to main
if: |
github.event_name == 'pull_request_review' &&
github.event.pull_request.head.ref == 'develop' &&
github.event.pull_request.base.ref == 'main' &&
github.event.review.state == 'approved'
runs-on: ubuntu-latest
timeout-minutes: 10
permissions:
contents: write
steps:
- id: app-token
uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
with:
client-id: ${{ vars.GH_APP_CLIENT_ID }}
private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
permission-contents: write
- uses: useblacksmith/checkout@c9796daa2a4bdebdab5bd16be2c09a70cd4e1121 # v1
with:
persist-credentials: true
fetch-depth: 0
token: ${{ steps.app-token.outputs.token }}
- name: Fast-forward main
run: |
git checkout main
git merge --ff-only "${{ github.event.pull_request.head.sha }}"
git push origin main
plan:
name: Plan release
if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
runs-on: ubuntu-latest
timeout-minutes: 15
outputs:
should_release: ${{ steps.compute.outputs.should_release }}
version: ${{ steps.compute.outputs.version }}
shell: ${{ steps.compute.outputs.shell }}
npm_tag: ${{ steps.compute.outputs.npm_tag }}
prerelease: ${{ steps.compute.outputs.prerelease }}
brew_name: ${{ steps.compute.outputs.brew_name }}
scoop_name: ${{ steps.compute.outputs.scoop_name }}
publish_brew_scoop: ${{ steps.compute.outputs.publish_brew_scoop }}
dry_run: ${{ steps.compute.outputs.dry_run }}
channel: ${{ steps.compute.outputs.channel }}
steps:
# semantic-release runs `git push --dry-run HEAD:<branch>` as part of
# verifyAuth even in `dry_run: true` mode, so the token must have push
# access to the protected `develop`/`main` branches. The default
# GITHUB_TOKEN doesn't, so we mint an App-installation token from the
# same App used for fast-forward + brew/scoop pushes.
- id: app-token
if: github.event_name == 'push'
uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
with:
client-id: ${{ vars.GH_APP_CLIENT_ID }}
private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
permission-contents: write
# `persist-credentials: false` is required: otherwise checkout caches the
# default GITHUB_TOKEN as an `http.extraheader` in git config, and that
# Authorization header overrides the App token semantic-release puts in
# the push URL — making the dry-push identify as `github-actions[bot]`
# and get rejected by branch protection.
- uses: useblacksmith/checkout@c9796daa2a4bdebdab5bd16be2c09a70cd4e1121 # v1
with:
fetch-depth: 0
persist-credentials: false
- id: semantic-release
if: github.event_name == 'push'
uses: cycjimmy/semantic-release-action@b12c8f6015dc215fe37bc154d4ad456dd3833c90 # v6.0.0
with:
working_directory: apps/cli
dry_run: true
env:
GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
- id: compute
env:
EVENT: ${{ github.event_name }}
REF_NAME: ${{ github.ref_name }}
DISPATCH_CHANNEL: ${{ inputs.channel }}
DISPATCH_VERSION: ${{ inputs.version }}
DISPATCH_DRY_RUN: ${{ inputs.dry_run }}
SR_PUBLISHED: ${{ steps.semantic-release.outputs.new_release_published }}
SR_VERSION: ${{ steps.semantic-release.outputs.new_release_version }}
run: |
set -euo pipefail
if [[ "$EVENT" == "workflow_dispatch" ]]; then
channel="$DISPATCH_CHANNEL"
version="$DISPATCH_VERSION"
dry_run="$DISPATCH_DRY_RUN"
should_release=true
else
dry_run=false
if [[ "$SR_PUBLISHED" != "true" ]]; then
echo "should_release=false" >> "$GITHUB_OUTPUT"
exit 0
fi
version="$SR_VERSION"
should_release=true
if [[ "$REF_NAME" == "develop" ]]; then
channel="beta"
else
channel="stable"
fi
fi
case "$channel" in
alpha)
shell=next
npm_tag=alpha
prerelease=true
brew_name=""
scoop_name=""
publish_brew_scoop=false
;;
beta)
shell=legacy
npm_tag=beta
prerelease=true
brew_name=supabase-beta
scoop_name=supabase-beta
publish_brew_scoop=true
;;
stable)
shell=legacy
npm_tag=latest
prerelease=false
brew_name=supabase
scoop_name=supabase
publish_brew_scoop=true
;;
*)
echo "Unknown channel: $channel" >&2
exit 1
;;
esac
{
echo "should_release=$should_release"
echo "version=$version"
echo "shell=$shell"
echo "npm_tag=$npm_tag"
echo "prerelease=$prerelease"
echo "brew_name=$brew_name"
echo "scoop_name=$scoop_name"
echo "publish_brew_scoop=$publish_brew_scoop"
echo "dry_run=$dry_run"
echo "channel=$channel"
} >> "$GITHUB_OUTPUT"
release:
name: Release
needs: plan
if: needs.plan.outputs.should_release == 'true'
# pull-requests: write is required by the nested propose-release-notes
# workflow (release-shared.yml -> propose-release-notes.yml). For nested
# reusable workflows, a called job's permissions can't exceed those granted
# to the calling job, so this must be declared here even though the propose
# job uses an App token for its actual PR creation.
permissions:
contents: write
id-token: write
pull-requests: write
uses: ./.github/workflows/release-shared.yml
with:
version: ${{ needs.plan.outputs.version }}
shell: ${{ needs.plan.outputs.shell }}
npm_tag: ${{ needs.plan.outputs.npm_tag }}
prerelease: ${{ needs.plan.outputs.prerelease == 'true' }}
publish_brew_scoop: ${{ needs.plan.outputs.publish_brew_scoop == 'true' }}
brew_name: ${{ needs.plan.outputs.brew_name }}
scoop_name: ${{ needs.plan.outputs.scoop_name }}
dry_run: ${{ needs.plan.outputs.dry_run == 'true' }}
channel: ${{ needs.plan.outputs.channel }}
secrets:
SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
POSTHOG_API_KEY: ${{ secrets.POSTHOG_API_KEY }}
POSTHOG_ENDPOINT: ${{ secrets.POSTHOG_ENDPOINT }}
GH_APP_PRIVATE_KEY: ${{ secrets.GH_APP_PRIVATE_KEY }}
ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
DF_FIREWALL_TOKEN: ${{ secrets.DF_FIREWALL_TOKEN }}
LINEAR_CLI_STABLE_RELEASE_ACCESS_KEY: ${{ secrets.LINEAR_CLI_STABLE_RELEASE_ACCESS_KEY }}
LINEAR_CLI_BETA_RELEASE_ACCESS_KEY: ${{ secrets.LINEAR_CLI_BETA_RELEASE_ACCESS_KEY }}
# Posts to the release Slack channel once the pipeline succeeds. Listing
# `release` in `needs` without a status function in `if:` keeps the implicit
# success() gate, so this only runs when both plan and release succeeded.
# The `if:` then filters to real (non-dry-run) stable cuts; alpha, beta, and
# dry runs stay silent. Nothing depends on this job, so a Slack/webhook
# failure can't affect the already-completed release.
notify-slack:
name: Notify Slack
needs: [plan, release]
if: >-
needs.plan.outputs.dry_run != 'true' &&
needs.plan.outputs.channel == 'stable'
uses: ./.github/workflows/slack-notify.yml
with:
status: success
version: ${{ needs.plan.outputs.version }}
channel: ${{ needs.plan.outputs.channel }}
secrets:
SLACK_RELEASE_WEBHOOK: ${{ secrets.SLACK_RELEASE_WEBHOOK }}
# Reports a broken release on every channel. `failure()` evaluates against the
# `needs` chain, so this fires whenever `plan` or `release` (and anything in
# the reusable release-shared workflow) fails. Skipped jobs — e.g. the
# fast-forward path or a release that never started — don't count as failures,
# so this stays quiet there. Dry runs are excluded; an operator running one is
# already watching it live. When `plan` fails its outputs are empty, so the
# message falls back to the workflow run link as the actionable detail.
notify-slack-failure:
name: Notify Slack (failure)
needs: [plan, release]
if: failure() && needs.plan.outputs.dry_run != 'true'
uses: ./.github/workflows/slack-notify.yml
with:
status: failure
version: ${{ needs.plan.outputs.version }}
channel: ${{ needs.plan.outputs.channel }}
secrets:
SLACK_RELEASE_WEBHOOK: ${{ secrets.SLACK_RELEASE_WEBHOOK }}