ado-aw/.github/workflows/release.yml at main · githubnext/ado-aw · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
name: Release

# Note: the v0.34.0 entry re-records the on.pr.mode change from #922,
# whose squash-merge body broke release-please's commit parser and was
# silently dropped from the v0.33.2 release PR (#924).

on:
  push:
    branches:
      - main
  workflow_dispatch:
    inputs:
      tag_name:
        description: "Release tag to upload assets to (e.g., v0.1.1)"
        required: true
        type: string

env:
  CARGO_TERM_COLOR: always

permissions:
  contents: write
  pull-requests: write

jobs:
  release-please:
    name: Release Please
    if: github.event_name == 'push'
    runs-on: ubuntu-latest
    outputs:
      release_created: ${{ steps.release.outputs.release_created }}
      tag_name: ${{ steps.release.outputs.tag_name }}
    steps:
      - uses: googleapis/release-please-action@45996ed1f6d02564a971a2fa1b5860e934307cf7 # v5.0.0
        id: release

  build:
    name: Build (Linux)
    needs: release-please
    if: >-
      always() &&
      (needs.release-please.outputs.release_created == 'true' || github.event_name == 'workflow_dispatch')
    runs-on: ubuntu-22.04
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - uses: dtolnay/rust-toolchain@631a55b12751854ce901bb631d5902ceb48146f7 # stable

      - uses: Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6 # v2.7.8

      - name: Build
        run: cargo build --release --verbose

      - name: Run tests
        run: cargo test --verbose

      - name: Prepare release assets
        run: |
          set -euo pipefail
          cp target/release/ado-aw target/release/ado-aw-linux-x64

      - name: Set up Node.js for ado-script bundle
        uses: actions/setup-node@v4
        with:
          node-version: "20"
          cache: "npm"
          cache-dependency-path: scripts/ado-script/package-lock.json

      - name: Build ado-script TypeScript bundle (gate.js)
        working-directory: scripts/ado-script
        run: |
          npm ci
          npm run build
        # `npm run build` runs codegen + ncc and outputs gate.js + import.js.

      - name: Package ado-script bundle
        run: |
          set -euo pipefail
          cd scripts
          zip -r ../ado-script.zip ado-script/gate.js ado-script/import.js ado-script/exec-context-pr.js ado-script/exec-context-pr-synth.js ado-script/exec-context-manual.js ado-script/exec-context-pipeline.js ado-script/exec-context-ci-push.js ado-script/exec-context-workitem.js ado-script/exec-context-schedule.js ado-script/exec-context-pr-checks.js ado-script/exec-context-repo.js

      - name: Upload release assets
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          TAG="${{ needs.release-please.outputs.tag_name || github.event.inputs.tag_name }}"
          gh release upload "$TAG" \
            target/release/ado-aw-linux-x64 \
            ado-script.zip \
            scripts/install/install-linux.sh \
            scripts/install/install-macos.sh \
            scripts/install/install-windows.ps1 \
            --clobber

  build-windows:
    name: Build (Windows)
    needs: release-please
    if: >-
      always() &&
      (needs.release-please.outputs.release_created == 'true' || github.event_name == 'workflow_dispatch')
    runs-on: windows-2022
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - uses: dtolnay/rust-toolchain@631a55b12751854ce901bb631d5902ceb48146f7 # stable

      - uses: Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6 # v2.7.8

      - name: Build
        run: cargo build --release --verbose

      - name: Run tests
        run: cargo test --verbose

      - name: Prepare release assets
        run: |
          Copy-Item target/release/ado-aw.exe target/release/ado-aw-windows-x64.exe

      - name: Upload release assets
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          $TAG = "${{ needs.release-please.outputs.tag_name || github.event.inputs.tag_name }}"
          gh release upload "$TAG" `
            target/release/ado-aw-windows-x64.exe `
            --clobber

  build-macos-arm64:
    name: Build (macOS arm64)
    needs: release-please
    if: >-
      always() &&
      (needs.release-please.outputs.release_created == 'true' || github.event_name == 'workflow_dispatch')
    runs-on: macos-14
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - uses: dtolnay/rust-toolchain@631a55b12751854ce901bb631d5902ceb48146f7 # stable

      - uses: Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6 # v2.7.8

      - name: Build
        run: cargo build --release --verbose

      - name: Run tests
        run: cargo test --verbose

      - name: Prepare release assets
        run: |
          set -euo pipefail
          cd target/release
          cp ado-aw ado-aw-darwin-arm64

      - name: Upload release assets
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          TAG="${{ needs.release-please.outputs.tag_name || github.event.inputs.tag_name }}"
          gh release upload "$TAG" \
            target/release/ado-aw-darwin-arm64 \
            --clobber

  checksums:
    name: Generate Checksums
    needs: [release-please, build, build-windows, build-macos-arm64]
    if: >-
      always() &&
      (needs.release-please.outputs.release_created == 'true' || github.event_name == 'workflow_dispatch') &&
      needs.build.result == 'success' &&
      needs.build-windows.result == 'success' &&
      needs.build-macos-arm64.result == 'success'
    runs-on: ubuntu-22.04
    steps:
      - name: Download release binaries and generate checksums
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          set -euo pipefail
          TAG="${{ needs.release-please.outputs.tag_name || github.event.inputs.tag_name }}"
          gh release download "$TAG" \
            --pattern "ado-aw-*" \
            --pattern "ado-script.zip" \
            --pattern "install-linux.sh" \
            --pattern "install-macos.sh" \
            --pattern "install-windows.ps1" \
            --repo "${{ github.repository }}"
          test -f ado-aw-linux-x64 || { echo "Missing ado-aw-linux-x64"; exit 1; }
          test -f ado-aw-windows-x64.exe || { echo "Missing ado-aw-windows-x64.exe"; exit 1; }
          test -f ado-aw-darwin-arm64 || { echo "Missing ado-aw-darwin-arm64"; exit 1; }
          test -f ado-script.zip || { echo "Missing ado-script.zip"; exit 1; }
          test -f install-linux.sh || { echo "Missing install-linux.sh"; exit 1; }
          test -f install-macos.sh || { echo "Missing install-macos.sh"; exit 1; }
          test -f install-windows.ps1 || { echo "Missing install-windows.ps1"; exit 1; }
          sha256sum \
            ado-aw-linux-x64 \
            ado-aw-windows-x64.exe \
            ado-aw-darwin-arm64 \
            ado-script.zip \
            install-linux.sh \
            install-macos.sh \
            install-windows.ps1 \
            > checksums.txt

      - name: Upload checksums
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          TAG="${{ needs.release-please.outputs.tag_name || github.event.inputs.tag_name }}"
          gh release upload "$TAG" checksums.txt --clobber --repo "${{ github.repository }}"

  trigger-recompile-safe-output-fixtures:
    name: Trigger safe-output fixture recompile
    needs: [release-please, checksums]
    # Run only once all release assets (binaries + checksums.txt) are uploaded.
    # Releases published via release-please do NOT fire the `release: published`
    # event on other workflows (GitHub suppresses this to prevent recursive
    # triggers), so we explicitly dispatch the recompile workflow here. The
    # default GITHUB_TOKEN has the `actions:write` scope needed to run
    # `gh workflow run`; the dispatched workflow uses its own secrets for any
    # downstream PR creation.
    if: >-
      always() &&
      (needs.release-please.outputs.release_created == 'true' || github.event_name == 'workflow_dispatch') &&
      needs.checksums.result == 'success'
    runs-on: ubuntu-22.04
    permissions:
      actions: write
    steps:
      - name: Dispatch recompile-safe-output-fixtures
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          set -euo pipefail
          TAG="${{ needs.release-please.outputs.tag_name || github.event.inputs.tag_name }}"
          echo "Dispatching recompile-safe-output-fixtures for $TAG"
          gh workflow run recompile-safe-output-fixtures.lock.yml \
            --repo "${{ github.repository }}" \
            --ref main \
            -f "version=$TAG"