-
Notifications
You must be signed in to change notification settings - Fork 222
131 lines (113 loc) · 4.91 KB
/
Copy pathrelease.yaml
File metadata and controls
131 lines (113 loc) · 4.91 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
name: Release
on:
schedule:
- cron: '0 0 * * 1' # every Monday at 00:00 UTC
workflow_dispatch:
permissions: {}
jobs:
release:
name: Release
runs-on: ubuntu-latest
# https://docs.github.com/en/actions/reference/authentication-in-a-workflow
permissions:
id-token: write
contents: write
steps:
- uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0
with:
egress-policy: block
allowed-endpoints: >
*.blob.core.windows.net:443
*.githubapp.com:443
api.github.com:443
dl.google.com:443
fulcio.sigstore.dev:443
github.com:443
go.dev:443
goreleaser.com:443
objects.githubusercontent.com:443
proxy.golang.org:443
raw.githubusercontent.com:443
rekor.sigstore.dev:443
release-assets.githubusercontent.com:443
storage.googleapis.com:443
sum.golang.org:443
tuf-repo-cdn.sigstore.dev:443
uploads.github.com:443
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- name: Check if any changes since last release
id: check
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
git fetch --tags # no creds needed: repo is public; if this ever goes private, pass token explicitly here
TAG=$(git tag --points-at HEAD)
if [ -z "$TAG" ]; then
echo "No tag points at HEAD, checking if changes warrant a release."
# Get the last release tag
LAST_TAG=$(git describe --tags --abbrev=0 2>/dev/null || echo "")
if [ -n "$LAST_TAG" ]; then
echo "Last release tag: $LAST_TAG"
# Get all changed files since last tag
CHANGED_FILES=$(git diff --name-only "$LAST_TAG"..HEAD)
# Only release if changes include .go files, go.mod, go.sum, or LICENSE
RELEASE_WORTHY_CHANGES=$(echo "$CHANGED_FILES" | grep -E '(\.go$|^go\.mod$|^go\.sum$|^LICENSE$)' || true)
if [ -z "$RELEASE_WORTHY_CHANGES" ]; then
echo "No Go source files, go.mod, go.sum, or LICENSE changed since last release. Skipping release."
echo "need_release=no" >> "$GITHUB_OUTPUT"
else
echo "Found release-worthy changes since last release:"
echo "$RELEASE_WORTHY_CHANGES"
echo "need_release=yes" >> "$GITHUB_OUTPUT"
fi
else
echo "No previous tags found. Creating first release."
echo "need_release=yes" >> "$GITHUB_OUTPUT"
fi
else
RELEASE=$(gh release view "$TAG" --json tagName --jq '.tagName' || echo "none")
if [ "$RELEASE" == "$TAG" ]; then
echo "A release exists for tag $TAG, which has the latest changes, so no need for a new tag or release."
echo "need_release=no" >> "$GITHUB_OUTPUT"
else
echo "Tag $TAG exists, but no release is associated. Need a new release."
echo "need_release=yes" >> "$GITHUB_OUTPUT"
echo "existing_tag=$TAG" >> "$GITHUB_OUTPUT"
fi
fi
- name: Bump version and push tag
id: create_tag
uses: mathieudutour/github-tag-action@a22cf08638b34d5badda920f9daf6e72c477b07b # v6.2
if: steps.check.outputs.need_release == 'yes' && steps.check.outputs.existing_tag == ''
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
if: steps.check.outputs.need_release == 'yes'
with:
persist-credentials: false
ref: ${{ steps.check.outputs.existing_tag || steps.create_tag.outputs.new_tag }}
fetch-depth: 0
- uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0
if: steps.check.outputs.need_release == 'yes'
with:
go-version-file: './go.mod'
check-latest: true
# Cosign is used by goreleaser to sign release artifacts.
- uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
if: steps.check.outputs.need_release == 'yes'
with:
# https://github.com/goreleaser/goreleaser/issues/6195
cosign-release: "v2.6.1"
- uses: goreleaser/goreleaser-action@f06c13b6b1a9625abc9e6e439d9c05a8f2190e94 # v7.2.3
if: steps.check.outputs.need_release == 'yes'
with:
version: latest
install-only: true
- name: Release
if: steps.check.outputs.need_release == 'yes'
run: make release
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
TAG: ${{ steps.check.outputs.existing_tag || steps.create_tag.outputs.new_tag }}