# Release Please
#
# Keeps the single release PR current (version bump plus a CHANGELOG section
# written by Communique). When that PR merges, this workflow creates the tag
# and the GitHub Release, then dispatches the tag-driven Release pipeline.
#
# release-please is run as a library (src/tools/release-please-runner.ts)
# rather than through googleapis/release-please-action: the stock action
# cannot use a custom changelog generator, and this repo's changelog entries
# come from Communique.
name: Release Please

on:
  push:
    branches: [main]
  workflow_dispatch:

# Token scopes for every job in this file; scopes not listed here are not
# granted. `actions: write` is what lets the `gh workflow run` dispatches
# below succeed. NOTE(review): contents / pull-requests / issues write are
# presumably needed by the runner for tags, releases, the release PR and its
# labels — confirm against src/tools/release-please-runner.ts before
# narrowing or widening any of them.
permissions:
  actions: write
  contents: write
  issues: write
  pull-requests: write

# One run per ref at a time; a queued run waits instead of cancelling the
# run that is already in progress.
concurrency:
  group: release-please-${{ github.ref }}
  cancel-in-progress: false

jobs:
  release-please:
    runs-on: ubuntu-latest
    timeout-minutes: 20
    steps:
      # Third-party actions are pinned to a full commit SHA; the trailing
      # comment records the tag the SHA was taken from.
      - name: Check out main
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          ref: main
          fetch-depth: 0
          # Do not leave the workflow token in the checkout's git config;
          # later steps receive it explicitly through `env` instead.
          persist-credentials: false

      - name: Set up mise
        uses: jdx/mise-action@5228313ee0372e111a38da051671ca30fc5a96db # v3.6.3
        with:
          install_args: --locked

      - name: Install CI dependencies
        run: mise run bootstrap-ci

      # NOTE(review): this is the only step that receives the LLM provider
      # keys, and it also holds the write-scoped workflow token. Everything
      # the step executes (the runner and the dependencies installed above)
      # can read all three, so dependency changes deserve the same review
      # as changes to this file.
      - name: Run release-please with Communique notes
        id: release_please
        env:
          GITHUB_TOKEN: ${{ github.token }}
          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
          COMMUNIQUE_MODEL: ${{ vars.COMMUNIQUE_MODEL }}
        run: npx tsx src/tools/release-please-runner.ts

      # A tag created with the workflow token never triggers `push: tags`
      # workflows, so the Release pipeline (quality gates, verified tarball,
      # GitHub Release assets, npm publish) has to be started explicitly.
      #
      # The `!cancelled()` guard is deliberate: the runner writes the release
      # outputs before it rebuilds the release PR notes, so a notes failure
      # (e.g. an LLM outage) still dispatches the pipeline for the tag it
      # just created. A rerun could not recover from that, because the merged
      # release PR is already labeled `autorelease: tagged`.
      #
      # The step output is handed to the script through RELEASE_TAGS rather
      # than being expanded inside the script text, so bash treats it as data.
      - name: Dispatch the Release pipeline for created releases
        if: ${{ !cancelled() && steps.release_please.outputs.releases_created == 'true' }}
        env:
          GH_TOKEN: ${{ github.token }}
          RELEASE_TAGS: ${{ steps.release_please.outputs.release_tags }}
        run: |
          set -euo pipefail
          read -ra tags <<< "$RELEASE_TAGS"
          for tag in "${tags[@]}"; do
            # Dispatch on the tag ref (not the default branch) so the run is
            # attributed to the tag like the old `push: tags` flow, and the
            # OIDC claims behind npm trusted publishing/provenance reference
            # the tag instead of whatever main's head happens to be.
            gh workflow run release.yml --ref "$tag" --field "tag=$tag"
          done

      # A branch push made with the workflow token never triggers
      # `pull_request` workflows, so the checks are dispatched explicitly.
      # The dispatched runs report against the branch head SHA and satisfy
      # the release PR's required status checks.
      #
      # As above, the branch list arrives through an env var (PR_BRANCHES)
      # and is not expanded inside the script text.
      - name: Dispatch checks onto the release PR branch
        if: ${{ !cancelled() && steps.release_please.outputs.prs_created == 'true' }}
        env:
          GH_TOKEN: ${{ github.token }}
          PR_BRANCHES: ${{ steps.release_please.outputs.pr_branches }}
        run: |
          set -euo pipefail
          read -ra branches <<< "$PR_BRANCHES"
          for branch in "${branches[@]}"; do
            gh workflow run ci.yml --ref "$branch"
            gh workflow run validate-skills.yml --ref "$branch"
          done