ospo-reusable-workflows/.github/workflows/release.yaml at main · github-community-projects/ospo-reusable-workflows · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
---
name: "Release"
on:
  workflow_call:
    inputs:
      publish:
        required: false
        type: boolean
        default: true
      release-config-name:
        required: true
        type: string
      update-major-tag:
        required: false
        type: boolean
        default: true
    secrets:
      github-token:
        required: true
    outputs:
      full-tag:
        description: "Full tag of release"
        value: ${{ jobs.create_release.outputs.full-tag }}
      short-tag:
        description: "Short tag of release"
        value: ${{ jobs.create_release.outputs.short-tag }}
      body:
        description: "Body content of release"
        value: ${{ jobs.create_release.outputs.body }}
permissions:
  contents: read
jobs:
  create_release:
    # Release if:
    # - Manual deployment (workflow_dispatch), OR
    # - PR was merged with a breaking, feature, vuln, or release label
    # Note: major/minor/patch labels alone do NOT trigger a release
    if: >
      github.event_name == 'workflow_dispatch' ||
      (github.event.pull_request.merged == true &&
       (contains(github.event.pull_request.labels.*.name, 'breaking') ||
        contains(github.event.pull_request.labels.*.name, 'feature') ||
        contains(github.event.pull_request.labels.*.name, 'vuln') ||
        contains(github.event.pull_request.labels.*.name, 'release')))
    outputs:
      full-tag: ${{ steps.release-drafter.outputs.tag_name }}
      short-tag: ${{ steps.get_tag_name.outputs.SHORT_TAG }}
      body: ${{ steps.release-drafter.outputs.body }}
    runs-on: ubuntu-latest
    permissions:
      contents: write
      pull-requests: read
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
        with:
          egress-policy: audit
      - uses: release-drafter/release-drafter@5de93583980a40bd78603b6dfdcda5b4df377b32 # v7.2.0
        id: release-drafter
        with:
          config-name: ${{ inputs.release-config-name }}
          publish: ${{ inputs.publish }}
          token: ${{ secrets.github-token }}
      - name: Get the Short Tag
        id: get_tag_name
        run: |
          short_tag=$(echo ${{ steps.release-drafter.outputs.tag_name }} | cut -d. -f1)
          echo "SHORT_TAG=$short_tag" >> "$GITHUB_OUTPUT"

  update_major_tag:
    needs: create_release
    if: ${{ inputs.update-major-tag && needs.create_release.outputs.full-tag != '' }}
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
        with:
          egress-policy: audit

      - name: Checkout Repo
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-tags: true
          ref: ${{ needs.create_release.outputs.full-tag }}
          persist-credentials: true

      - name: Force update major tag
        run: |
          git tag -f "${SHORT}" "${FULL}"
          git push -f origin "${SHORT}"
        env:
          SHORT: ${{ needs.create_release.outputs.short-tag }}
          FULL: ${{ needs.create_release.outputs.full-tag }}