Skip to content

Release / Publish

Release / Publish #7

Workflow file for this run

name: Release / Publish
on:
push:
tags: ['v*']
workflow_dispatch:
inputs:
version:
description: 'Version (e.g. 1.0.1) — used when dispatched manually for a dry-run.'
required: true
type: string
dry_run:
description: 'Skip actual publication to registries (still builds and uploads artifacts).'
required: false
type: boolean
default: true
env:
CARGO_TERM_COLOR: always
jobs:
resolve:
name: resolve version
runs-on: ubuntu-latest
outputs:
version: ${{ steps.v.outputs.version }}
dry_run: ${{ steps.v.outputs.dry_run }}
steps:
- id: v
shell: bash
run: |
if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
echo "version=${{ inputs.version }}" >> "$GITHUB_OUTPUT"
echo "dry_run=${{ inputs.dry_run }}" >> "$GITHUB_OUTPUT"
else
echo "version=${GITHUB_REF#refs/tags/v}" >> "$GITHUB_OUTPUT"
echo "dry_run=false" >> "$GITHUB_OUTPUT"
fi
build-binaries:
needs: resolve
uses: ./.github/workflows/build-binaries.yml
with:
version: ${{ needs.resolve.outputs.version }}
github-release:
name: GitHub Release
needs: [resolve, build-binaries]
if: needs.resolve.outputs.dry_run != 'true'
runs-on: ubuntu-latest
permissions:
contents: write
steps:
- uses: actions/checkout@v4
- uses: actions/download-artifact@v4
with:
path: dist
pattern: binaries-*
merge-multiple: true
- name: Generate combined SHA256SUMS
run: |
cd dist
ls -la
sha256sum *.tar.gz *.zip 2>/dev/null > SHA256SUMS || true
cat SHA256SUMS
- uses: softprops/action-gh-release@v2
with:
tag_name: v${{ needs.resolve.outputs.version }}
name: v${{ needs.resolve.outputs.version }}
generate_release_notes: true
files: |
dist/*.tar.gz
dist/*.zip
dist/SHA256SUMS
publish-crates:
name: Publish to crates.io
needs: resolve
runs-on: ubuntu-latest
permissions:
id-token: write
contents: read
steps:
- uses: actions/checkout@v4
- uses: dtolnay/rust-toolchain@stable
- uses: Swatinem/rust-cache@v2
- name: Authenticate with crates.io (OIDC trusted publishing)
id: cargo-auth
if: needs.resolve.outputs.dry_run != 'true'
uses: rust-lang/crates-io-auth-action@v1
- name: cargo publish pcf
shell: bash
run: |
if [ "${{ needs.resolve.outputs.dry_run }}" = "true" ]; then
cargo publish -p pcf --allow-dirty --dry-run
else
cargo publish -p pcf --allow-dirty --token "${{ steps.cargo-auth.outputs.token }}"
fi
- name: Wait for crates.io index
if: needs.resolve.outputs.dry_run != 'true'
run: sleep 45
- name: cargo publish pcf-sig
shell: bash
run: |
if [ "${{ needs.resolve.outputs.dry_run }}" = "true" ]; then
cargo publish -p pcf-sig --allow-dirty --dry-run
else
cargo publish -p pcf-sig --allow-dirty --token "${{ steps.cargo-auth.outputs.token }}"
fi
- name: Wait for crates.io index
if: needs.resolve.outputs.dry_run != 'true'
run: sleep 45
- name: cargo publish pfs-ms
shell: bash
run: |
if [ "${{ needs.resolve.outputs.dry_run }}" = "true" ]; then
cargo publish -p pfs-ms --allow-dirty --dry-run
else
cargo publish -p pfs-ms --allow-dirty --token "${{ steps.cargo-auth.outputs.token }}"
fi
- name: Wait for crates.io index
if: needs.resolve.outputs.dry_run != 'true'
run: sleep 45
- name: cargo publish pcf-debug
shell: bash
run: |
if [ "${{ needs.resolve.outputs.dry_run }}" = "true" ]; then
cargo publish -p pcf-debug --allow-dirty --dry-run
else
cargo publish -p pcf-debug --allow-dirty --token "${{ steps.cargo-auth.outputs.token }}"
fi
- name: Wait for crates.io index
if: needs.resolve.outputs.dry_run != 'true'
run: sleep 45
- name: cargo publish pcf-compact
shell: bash
run: |
if [ "${{ needs.resolve.outputs.dry_run }}" = "true" ]; then
cargo publish -p pcf-compact --allow-dirty --dry-run
else
cargo publish -p pcf-compact --allow-dirty --token "${{ steps.cargo-auth.outputs.token }}"
fi
publish-npm:
name: Publish to npm
needs: resolve
runs-on: ubuntu-latest
permissions:
id-token: write
contents: read
defaults:
run:
working-directory: implementations/ts
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: 22
cache: npm
cache-dependency-path: implementations/ts/package-lock.json
registry-url: 'https://registry.npmjs.org'
- name: Ensure npm >= 11.5.1 (trusted publishing support)
run: npm install -g npm@latest
- run: npm ci
- run: npm run build -w @kduma-oss/pcf
- run: npm run build -w @kduma-oss/pcf-sig
- name: npm publish pcf (OIDC trusted publishing, auto-provenance)
run: |
if [ "${{ needs.resolve.outputs.dry_run }}" = "true" ]; then
npm publish -w @kduma-oss/pcf --access public --dry-run
else
npm publish -w @kduma-oss/pcf --access public
fi
- name: npm publish pcf-sig
run: |
if [ "${{ needs.resolve.outputs.dry_run }}" = "true" ]; then
npm publish -w @kduma-oss/pcf-sig --access public --dry-run
else
npm publish -w @kduma-oss/pcf-sig --access public
fi
publish-nuget:
name: Publish to NuGet
needs: resolve
runs-on: ubuntu-latest
permissions:
id-token: write
contents: read
defaults:
run:
working-directory: implementations/dotnet/pcf
steps:
- uses: actions/checkout@v4
- uses: actions/setup-dotnet@v4
with:
dotnet-version: '8.0.x'
- run: dotnet restore
- name: dotnet pack
run: |
dotnet pack src/Pcf/Pcf.csproj \
-c Release \
-p:Version='${{ needs.resolve.outputs.version }}' \
-o out
- name: NuGet login (OIDC trusted publishing)
id: nuget-login
if: needs.resolve.outputs.dry_run != 'true'
uses: NuGet/login@v1
with:
user: krystianduma
- name: dotnet nuget push
if: needs.resolve.outputs.dry_run != 'true'
run: |
dotnet nuget push out/*.nupkg \
--source https://api.nuget.org/v3/index.json \
--api-key '${{ steps.nuget-login.outputs.NUGET_API_KEY }}' \
--skip-duplicate
- name: Dry-run note
if: needs.resolve.outputs.dry_run == 'true'
run: 'echo "Dry-run - skipping dotnet nuget push. Package would be out/*.nupkg."'
- uses: actions/upload-artifact@v4
with:
name: nuget-package
path: implementations/dotnet/pcf/out/*.nupkg
publish-nuget-sig:
name: Publish KDuma.Pcf.Sig to NuGet
needs: [resolve, publish-nuget]
runs-on: ubuntu-latest
permissions:
id-token: write
contents: read
defaults:
run:
working-directory: implementations/dotnet/pcf-sig
steps:
- uses: actions/checkout@v4
- uses: actions/setup-dotnet@v4
with:
dotnet-version: '8.0.x'
- run: dotnet restore
- name: dotnet pack
run: |
dotnet pack src/Pcf.Sig/Pcf.Sig.csproj \
-c Release \
-p:Version='${{ needs.resolve.outputs.version }}' \
-o out
- name: NuGet login (OIDC trusted publishing)
id: nuget-login
if: needs.resolve.outputs.dry_run != 'true'
uses: NuGet/login@v1
with:
user: krystianduma
- name: dotnet nuget push
if: needs.resolve.outputs.dry_run != 'true'
run: |
dotnet nuget push out/*.nupkg \
--source https://api.nuget.org/v3/index.json \
--api-key '${{ steps.nuget-login.outputs.NUGET_API_KEY }}' \
--skip-duplicate
- name: Dry-run note
if: needs.resolve.outputs.dry_run == 'true'
run: 'echo "Dry-run - skipping dotnet nuget push. Package would be out/*.nupkg."'
- uses: actions/upload-artifact@v4
with:
name: nuget-package-sig
path: implementations/dotnet/pcf-sig/out/*.nupkg
split-php:
name: Split PHP to packagist source repo
needs: resolve
if: needs.resolve.outputs.dry_run != 'true'
uses: ./.github/workflows/php-split.yml
with:
tag: v${{ needs.resolve.outputs.version }}
secrets: inherit