Update to new BCR workflow (#402)

jchadwick-buf · web-flow · commit d7233046d01b · 2025-07-21T16:00:15.000-04:00
The GitHub App for BCR publishing we implemented in Q1 is now deprecated
in favor of a new approach using GitHub workflows. I think the main
reason for this is to support SLSA attestation for the BCR. Anyway, a
few changes needed to be made:

- Added myself as a maintainer; not _strictly_ necessary, but it's
useful.
- Remove "Create Release Draft" workflow; we have to use the BCR release
workflow in order to pass attestation.
- Add "Publish to BCR" action on release. This does the work that the
publish to BCR app did, and creates a PR on the BCR repo when a release
is published.
- Rename the "Create Release Tag" workflow to just "Release". It still
just creates a draft, but the workflow names were confusing before.
- Update the Release workflow to use the BCR release workflow. Add
necessary permissions for attestation.
- Update release_prep.sh to output the release notes snippet to
`stdout`. Ensure all other commands that might output to `stdout` are
redirected to `stderr`.
- Update the `RELEASING.md` documentation.

We will need to test this by making a new minor release.
diff --git a/.bcr/metadata.template.json b/.bcr/metadata.template.json
@@ -5,11 +5,14 @@
       "name": "Protovalidate Team",
       "email": "bcr-github@buf.build",
       "github": "bcr-buf"
+    },
+    {
+      "name": "John Chadwick",
+      "email": "jchadwick@buf.build",
+      "github": "jchadwick-buf"
     }
   ],
-  "repository": [
-    "github:bufbuild/protovalidate"
-  ],
+  "repository": ["github:bufbuild/protovalidate"],
   "versions": [],
   "yanked_versions": {}
 }
diff --git a/.github/workflows/create-release-draft.yaml b/.github/workflows/create-release-draft.yaml
diff --git a/.github/workflows/publish-to-bcr.yaml b/.github/workflows/publish-to-bcr.yaml
@@ -0,0 +1,24 @@
+name: Publish to BCR
+
+on:
+  release:
+    types: [published]
+  workflow_dispatch:
+    inputs:
+      tag_name:
+        description: 'Tag name for release (e.g. "v1.0.0")'
+        required: true
+
+permissions:
+  id-token: write
+  attestations: write
+  contents: write
+
+jobs:
+  publish:
+    uses: bazel-contrib/publish-to-bcr/.github/workflows/publish.yaml@v0.2.2
+    with:
+      tag_name: ${{ inputs.tag_name || github.ref_name }}
+      registry_fork: bufbuild/bazel-central-registry
+    secrets:
+      publish_token: ${{ secrets.BCR_PUBLISH_TOKEN }}
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -1,4 +1,4 @@
-name: Create release tag
+name: Release
 
 on:
   workflow_dispatch:
@@ -8,6 +8,8 @@ on:
         required: true
 
 permissions:
+  id-token: write
+  attestations: write
   contents: write
 
 jobs:
@@ -17,7 +19,7 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v4
-    
+
       - name: Create tag
         uses: actions/github-script@v7
         with:
@@ -52,10 +54,11 @@ jobs:
               ref: `refs/tags/${toolsTag}`,
               sha: toolsCommitTag.data.sha,
             });
-
-  create-release-draft:
-    name: Start release automation
+  release:
+    uses: bazel-contrib/.github/.github/workflows/release_ruleset.yaml@v7.2.3
     needs: create-release-tag
-    uses: ./.github/workflows/create-release-draft.yaml
     with:
+      release_files: protovalidate-*.tar.gz
+      prerelease: false
+      draft: true
       tag_name: ${{ github.event.inputs.tag_name }}
diff --git a/.github/workflows/release_prep.sh b/.github/workflows/release_prep.sh
@@ -31,24 +31,24 @@ fi
 
 mv MODULE.bazel.tmp MODULE.bazel
 >&2 echo "MODULE.bazel contents:"
-cat MODULE.bazel
+>&2 cat MODULE.bazel
 
 # Create release archive
 >&2 echo "# Create release archive ${ARCHIVE}"
-git archive \
+>&2 git archive \
     --prefix="${PREFIX}/" \
     --output="${ARCHIVE}" \
     "$(git stash create)"
 
 >&2 echo "Release archive ${ARCHIVE} contents:"
-tar tvf "${ARCHIVE}"
+>&2 tar tvf "${ARCHIVE}"
 
 # Calculate SHA256 sum for WORKSPACE code
 SHA256=$(shasum -a 256 "${ARCHIVE}" | awk '{print $1}')
 
 # Generate release notes snippets
 >&2 echo "# Generate release notes snippets"
-> release_notes.md cat << EOF
+cat << EOF
 ## \`MODULE.bazel\` Usage
 \`\`\`bzl
 bazel_dep(name = "protovalidate", version = "${TAG:1}")
diff --git a/RELEASING.md b/RELEASING.md
@@ -9,9 +9,9 @@ Most of the protovalidate release process is automated, but in the event that
 automation can not be utilized, the manual steps are also included in the
 collapsed sections below.
 
-1.  **Run the [create release tag] workflow.**
+1.  **Run the [Release] workflow.**
 
-    Go to the [create release tag] workflow page and select <q>Run workflow</q>,
+    Go to the [Release] workflow page and select <q>Run workflow</q>,
     with the desired version tag (e.g. `v1.2.3`).
 
     <details>
@@ -28,31 +28,33 @@ collapsed sections below.
     in the event of manually cutting a release.
 
     Note that this workflow creates tags directly on GitHub instead of pushing
-    tags up, so it will not indirectly trigger the draft release automation in
-    that way. Instead, a workflow call is used. So, the creat release draft
-    workflow will appear nested under the create release tag workflow as a step.
+    tags up, so it will not indirectly trigger automations that trigger on tags.
+    The BCR release script is run as a workflow call. Creating the tags manually
+    will not trigger this.
 
     </details>
 
 1.  **Find the draft release.**
 
-    Upon either pushing a release tag or running the previous workflow, a
-    release draft should be created. Check for it in the [releases page].
+    Upon running the previous workflow, a release draft should be created.
+    Check for it in the [releases page].
 
-    If for some reason this doesn't happen, it is possible to directly trigger
-    the workflow by going to the [create release draft] action and selecting
-    <q>Run workflow</q>.
+    If for some reason this doesn't happen, check the workflow log for more
+    information.
 
     <details>
 
     <summary>Manually creating a release draft</summary>
 
+    Note that manually-created releases will not pass attestation and can not
+    be pushed to the BCR.
+
     To manually create a release draft, run `.github/workflows/release_prep.sh`
     with the version tag (e.g. `vX.Y.Z`) as an argument, while checked out to
     the release tag/commit:
 
     ```
-    .github/workflows/release_prep.sh v1.2.3
+    .github/workflows/release_prep.sh v1.2.3 >release_notes.md
     ```
 
     This will create two files:
@@ -76,8 +78,7 @@ collapsed sections below.
     created a new pull request. There may be failures in CI that need to be
     addressed.
 
-[create release tag]: https://github.com/bufbuild/protovalidate/actions/workflows/create-release-tag.yaml
-[create release draft]: https://github.com/bufbuild/protovalidate/actions/workflows/create-release-draft.yaml
+[Release]: https://github.com/bufbuild/protovalidate/actions/workflows/release.yaml
 [releases page]: https://github.com/bufbuild/protovalidate/releases
 [Bazel Central Registry repository]: https://github.com/bazelbuild/bazel-central-registry/pulls
-[Publish to BCR]: https://github.com/apps/publish-to-bcr
+[Publish to BCR]: https://github.com/apps/publish-to-bcr
