bump-release.yml
---
# Bump Release
#
# Manual action to bump the current version and cut a release:
#   1. determine which version to bump,
#   2. push the corresponding tag, with a comment,
#   3. build a github release on the pushed tag.
name: Bump Release

# Workflow-wide default for the GITHUB_TOKEN is read-only access to repository
# contents. The two jobs of this workflow each declare `contents: write`
# themselves, so the write scope is granted per job rather than file-wide.
permissions:
  contents: read

# Every `run:` step is executed with bash.
defaults:
  run:
    shell: bash
# Reusable workflow: it is only started through `workflow_call`, so every
# input and secret below is supplied by the calling workflow.
on:
  workflow_call:
    inputs:
      # Only "patch", "minor" and "major" are accepted; the "Determine bump
      # type" step of the tag-release job fails on any other value.
      bump-type:
        description: Type of bump (patch, minor, major)
        type: string
        required: false
        default: patch

      # Title and body of the annotated tag message. Both are free-form text
      # chosen by the caller.
      tag-message-title:
        description: Tag message title to prepend to the release notes
        type: string
        required: false
      tag-message-body:
        description: |
          Tag message body to prepend to the release notes.
          (use "|" to replace end of line).
        type: string
        required: false

      # Declared as a string, not a boolean: the jobs compare it with the
      # literal 'true'. Signing is on by default.
      enable-tag-signing:
        description: |
          Enable PGP tag-signing by a bot user.
          When enabled, you must pass the GPG secrets to this workflow.
        type: string
        required: false
        default: 'true'

      # git-cliff configuration, forwarded unchanged to the release workflow.
      cliff-config:
        description: 'Path to the git-cliff config file in the caller repository'
        type: string
        required: false
        default: '.cliff.toml'
      # NOTE(review): the default URL follows refs/heads/master, which is a
      # mutable ref, so the remote config can change between two runs. A
      # caller that needs a reproducible release can pass a URL pinned to a
      # commit instead. How the URL is fetched is decided by release.yml,
      # which is not shown here.
      cliff-config-url:
        description: 'URL to the remote git-cliff config file (used if local config does not exist)'
        type: string
        required: false
        default: 'https://raw.githubusercontent.com/go-openapi/ci-workflows/refs/heads/master/.cliff.toml'

    # All three secrets are optional at the interface level. When one is not
    # passed, the "Configure bot credentials" step falls back to the
    # CI_BOT_* secret named in its description.
    secrets:
      gpg-private-key:
        description: |
          GPG private key in armored format for signing tags.
          Default for go-openapi: CI_BOT_GPG_PRIVATE_KEY
          Required when enable-tag-signing is true.
        required: false
      gpg-passphrase:
        description: |
          Passphrase to unlock the GPG private key.
          Default for go-openapi: CI_BOT_GPG_PASSPHRASE
          Required when enable-tag-signing is true.
        required: false
      gpg-fingerprint:
        description: |
          Fingerprint of the GPG signing key (spaces removed).
          Default for go-openapi: CI_BOT_SIGNING_KEY
          Required when enable-tag-signing is true.
        required: false
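jobs:
  # Computes the next version tag, creates it (signed by default) and pushes
  # it to origin.
  tag-release:
    runs-on: ubuntu-latest
    # Pushing the tag needs write access to repository contents; the
    # workflow-level default is read-only.
    permissions:
      contents: write
    outputs:
      next-tag: ${{ steps.bump-release.outputs.next-tag }}
    steps:
      # Third-party and org actions are pinned to a full commit SHA; the
      # trailing comment records the release the SHA corresponds to.
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # Full history, including existing tags.
          fetch-depth: 0

      - name: Determine bump type
        id: bump-check
        # The caller-supplied input is handed to the script as an environment
        # variable. Expanding ${{ inputs.* }} inside the script text would
        # paste the raw value into the shell source before bash parses it, so
        # a crafted value could run as code in a job that holds a write token.
        env:
          BUMP_TYPE: ${{ inputs.bump-type }}
        run: |
          # Exactly one of the three flags is set to true; anything other
          # than patch/minor/major aborts the job.
          BUMP_PATCH=false
          BUMP_MINOR=false
          BUMP_MAJOR=false
          case "${BUMP_TYPE}" in
            patch) BUMP_PATCH=true ;;
            minor) BUMP_MINOR=true ;;
            major) BUMP_MAJOR=true ;;
            *)
              echo "::error::invalid parameter ${BUMP_TYPE}"
              exit 1
              ;;
          esac
          {
            echo "bump-patch=${BUMP_PATCH}"
            echo "bump-minor=${BUMP_MINOR}"
            echo "bump-major=${BUMP_MAJOR}"
          } >> "${GITHUB_OUTPUT}"

      - name: Determine next tag
        id: bump-release
        uses: go-openapi/gh-actions/ci-jobs/next-tag@1ade8c4f9415b844bec4a7545967157c5bace961 # v1.14.12
        with:
          bump-patch: ${{ steps.bump-check.outputs.bump-patch }}
          bump-minor: ${{ steps.bump-check.outputs.bump-minor }}
          bump-major: ${{ steps.bump-check.outputs.bump-major }}

      - name: Configure bot credentials
        if: ${{ inputs.enable-tag-signing == 'true' }}
        uses: go-openapi/gh-actions/ci-jobs/bot-credentials@1ade8c4f9415b844bec4a7545967157c5bace961 # v1.14.12
        # This is using the GPG signature of bot-go-openapi.
        #
        # For go-openapi repos (using secrets: inherit):
        # falls back to CI_BOT_GPG_PRIVATE_KEY, CI_BOT_GPG_PASSPHRASE,
        # CI_BOT_SIGNING_KEY.
        #
        # For other orgs: explicitly pass secrets with your custom names.
        #
        # The key material only reaches this step through `with:`; it is not
        # exported to the shell steps of this job.
        #
        # NOTE(fredbi): extracted w/ gpg -K --homedir gnupg --keyid-format LONG --with-keygrip --fingerprint --with-subkey-fingerprint
        with:
          enable-gpg-signing: 'true'
          gpg-private-key: ${{ secrets.gpg-private-key || secrets.CI_BOT_GPG_PRIVATE_KEY }}
          gpg-passphrase: ${{ secrets.gpg-passphrase || secrets.CI_BOT_GPG_PASSPHRASE }}
          gpg-fingerprint: ${{ secrets.gpg-fingerprint || secrets.CI_BOT_SIGNING_KEY }}
          enable-tag-signing: 'true'
          enable-commit-signing: 'false'

      - name: Create and sign tag
        # All caller-controlled values enter the script through the
        # environment, never through ${{ }} expansion inside the script text.
        env:
          NEXT_TAG: ${{ steps.bump-release.outputs.next-tag }}
          MESSAGE_TITLE: ${{ inputs.tag-message-title }}
          MESSAGE_BODY: ${{ inputs.tag-message-body }}
          ENABLE_TAG_SIGNING: ${{ inputs.enable-tag-signing }}
        run: |
          # Construct the tag message.
          # A blank line between title and body is required for git to
          # distinguish %(contents:subject) from %(contents:body).
          # Body lines use "|" as paragraph separator (workflow inputs
          # do not support multiline strings).
          set -x
          MESSAGE="${MESSAGE_TITLE}"
          if [[ -n "${MESSAGE_BODY}" ]] ; then
            BODY=$(printf '%s' "${MESSAGE_BODY}" | sed 's/|/\n\n/g')
            MESSAGE=$(printf "%s\n\n%s\n" "${MESSAGE}" "${BODY}")
          fi

          # The runner reads every output line that starts with "::" as a
          # workflow command. The message is caller-controlled and may span
          # several lines, so it is escaped (%, CR, LF) before being printed
          # as the data part of the notice; it then stays a single command.
          NOTICE=${MESSAGE//'%'/%25}
          NOTICE=${NOTICE//$'\r'/%0D}
          NOTICE=${NOTICE//$'\n'/%0A}
          echo "::notice title=tag-message::${NOTICE}"

          # Options for `git tag` are collected in an array: an empty array
          # expands to no argument at all, whereas a quoted empty string
          # would be passed to git as an (empty) positional argument.
          SIGN_ARGS=()
          if [[ "${ENABLE_TAG_SIGNING}" == 'true' ]] ; then
            SIGN_ARGS+=(-s)
          else
            # whenever not signed, we need a DCO
            git config --global user.name "bot-go-openapi"
            git config --global user.email "gogatekeeper-openapi@yahoo.com"
          fi

          git tag "${SIGN_ARGS[@]}" -m "${MESSAGE}" "${NEXT_TAG}"
          if [[ ${#SIGN_ARGS[@]} -gt 0 ]] ; then
            # Check the signature before the tag leaves the runner.
            git tag -v "${NEXT_TAG}"
          fi
          git push origin "${NEXT_TAG}"

  gh-release:
    # Trigger release creation explicitly.
    # The previous tagging action does not trigger the normal release workflow
    # (github prevents cascading triggers from happening).
    name: Create release
    needs: [tag-release]
    permissions:
      contents: write
    uses: ./.github/workflows/release.yml
    with:
      tag: ${{ needs.tag-release.outputs.next-tag }}
      cliff-config: ${{ inputs.cliff-config }}
      cliff-config-url: ${{ inputs.cliff-config-url }}
    # NOTE(review): `inherit` forwards every secret available to this workflow,
    # including the GPG signing material. release.yml is not shown here; if it
    # only needs a subset, passing those secrets by name would narrow exposure.
    secrets: inherit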