Skip to content
Closed
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
183 changes: 0 additions & 183 deletions .circleci/config.yml

This file was deleted.

File renamed without changes.
149 changes: 149 additions & 0 deletions .github/workflows/main.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,149 @@
name: Main
on:
push:
branches:
- main

permissions:
contents: read

# Every run publishes to RubyGems; serialise so close-together merges cannot
# race on version numbers. queue: max keeps every queued run (the default
# keeps only the newest pending), so a slow release approval delays later
# prereleases instead of cancelling them.
concurrency:
group: main
cancel-in-progress: false
queue: max
Comment on lines +14 to +17

jobs:
skip-ci-check:
runs-on: ubuntu-latest
outputs:
should_skip_ci: ${{ steps.skip_ci_check.outputs.should_skip_ci }}
steps:
- id: skip_ci_check
env:
HEAD_COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
run: |
if [[ "$HEAD_COMMIT_MESSAGE" == *"[no ci]"* ]] \
|| [[ "$HEAD_COMMIT_MESSAGE" == *"[skip ci]"* ]] \
|| [[ "$HEAD_COMMIT_MESSAGE" == *"[ci skip]"* ]]; then
echo "should_skip_ci=true" >> "$GITHUB_OUTPUT"
else
echo "should_skip_ci=false" >> "$GITHUB_OUTPUT"
fi

check:
needs: [skip-ci-check]
if: needs.skip-ci-check.outputs.should_skip_ci != 'true'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔵 Security — plan concern (D6 documents tracking asdf_install@v1; actions/checkout@v4 is plan YAML verbatim)

These jobs handle the git-crypt passphrase and RubyGems credentials while referencing actions by mutable tags. SHA-pinning third-party actions (with a version comment) is cheap insurance against the tag-repointing attack pattern (cf. tj-actions/changed-files). Fleet-wide post-migration hardening candidate.

- name: Install tools
uses: infrablocks/github-actions/asdf_install@v1
- name: Check
run: ./go library:check
- name: Notify Slack
if: always()
continue-on-error: true
run: ./go "slack:notify[${{ job.status }}]"
env:
SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}

test:
needs: [skip-ci-check]
if: needs.skip-ci-check.outputs.should_skip_ci != 'true'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install tools
uses: infrablocks/github-actions/asdf_install@v1
- name: Test
run: ./go test:unit
- name: Notify Slack
if: always()
continue-on-error: true
run: ./go "slack:notify[${{ job.status }}]"
env:
SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}

prerelease:
needs: [check, test]
runs-on: ubuntu-latest
permissions:
contents: write
steps:
- uses: actions/checkout@v4
- name: Install tools
uses: infrablocks/github-actions/asdf_install@v1
- name: Install secrets tools
run: sudo apt-get update && sudo apt-get install -y git-crypt gnupg
- name: Unlock git-crypt
run: ./go git_crypt:unlock_with_encrypted_gpg_key
env:
ENCRYPTION_PASSPHRASE: ${{ secrets.ENCRYPTION_PASSPHRASE }}
- name: Configure RubyGems credentials
run: |
mkdir -p ~/.gem
cp config/secrets/rubygems/credentials ~/.gem/credentials
chmod 0600 ~/.gem/credentials
- name: Set CI git author
run: ./go repository:set_ci_author
- name: Prerelease
run: ./go "version:bump[pre]" && ./go release
- name: Push release commit
run: git push && git push --tags
Comment on lines +93 to +96
- name: Notify Slack of release hold
continue-on-error: true
run: ./go "slack:notify[success,on_hold]"
env:
SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
- name: Notify Slack
if: always()
continue-on-error: true
run: ./go "slack:notify[${{ job.status }}]"
env:
SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}

release:
needs: [prerelease]
runs-on: ubuntu-latest
environment: release
permissions:
contents: write
steps:
- uses: actions/checkout@v4
with:
ref: main
- name: Pull latest main
# Approval can land long after the run starts; release publishes main
# as of approval time, not the tested SHA — parity with the old
# release.sh, which also pulled. prerelease.sh never pulled, so the
# prerelease job deliberately has no pull.
run: git pull
Comment on lines +119 to +124
- name: Install tools
uses: infrablocks/github-actions/asdf_install@v1
- name: Install secrets tools
run: sudo apt-get update && sudo apt-get install -y git-crypt gnupg
- name: Unlock git-crypt
run: ./go git_crypt:unlock_with_encrypted_gpg_key
env:
ENCRYPTION_PASSPHRASE: ${{ secrets.ENCRYPTION_PASSPHRASE }}
- name: Configure RubyGems credentials
run: |
mkdir -p ~/.gem
cp config/secrets/rubygems/credentials ~/.gem/credentials
chmod 0600 ~/.gem/credentials
- name: Set CI git author
run: ./go repository:set_ci_author
- name: Release
run: ./go "version:bump[minor]" && ./go release
- name: Push release commit
run: git push && git push --tags
Comment on lines +140 to +143
- name: Notify Slack
if: always()
continue-on-error: true
run: ./go "slack:notify[${{ job.status }}]"
env:
SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
Loading
Loading