---
# Release workflow for the patchloom VS Code extension.
# Triggered by pushes to main (release-please decides whether a release is
# due) or by hand through workflow_dispatch.
name: Release

on:  # yamllint disable-line rule:truthy
  push:
    branches:
      - main
  workflow_dispatch: {}

# One release run per ref at a time; an in-flight release is never cancelled
# by a newer push, so a half-published release cannot be left behind.
concurrency:
  group: release-${{ github.ref }}
  cancel-in-progress: false

# GITHUB_TOKEN is read-only by default for every job in this workflow; a job
# that needs to write declares the extra scopes in its own permissions block.
permissions:
  contents: read
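jobs:
  # Job 1: let release-please open/merge the release PR and, when a release is
  # cut, expose the tag to the packaging job below.
  release-please:
    name: Release Please
    runs-on: ubuntu-latest
    timeout-minutes: 10
    # NOTE(review): release-please runs with the App token below, not
    # GITHUB_TOKEN; confirm whether these GITHUB_TOKEN write scopes are still
    # needed or can be dropped.
    permissions:
      contents: write
      pull-requests: write
    outputs:
      release_created: ${{ steps.release.outputs.release_created }}
      tag_name: ${{ steps.release.outputs.tag_name }}
    steps:
      - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
        with:
          # `audit` only logs outbound traffic; `block` with an
          # allowed-endpoints list is the stricter setting once the egress
          # set is known.
          egress-policy: audit
      # Short-lived installation token for the GitHub App. Using it (rather
      # than GITHUB_TOKEN) means the PRs release-please opens trigger other
      # workflows.
      - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
        id: app-token
        with:
          client-id: ${{ vars.APP_CLIENT_ID }}
          private-key: ${{ secrets.APP_PRIVATE_KEY }}
      - uses: googleapis/release-please-action@45996ed1f6d02564a971a2fa1b5860e934307cf7 # v5.0.0
        id: release
        with:
          token: ${{ steps.app-token.outputs.token }}
          config-file: release-please-config.json
          manifest-file: .release-please-manifest.json

  # Job 2: build the .vsix from the release tag, attest it, attach it to the
  # GitHub release, publish to the marketplaces and tidy up RELEASE_NOTES.md.
  # Only runs when job 1 actually created a release.
  release:
    name: Package and Upload
    needs: [release-please]
    if: needs.release-please.outputs.release_created == 'true'
    runs-on: ubuntu-latest
    timeout-minutes: 15
    permissions:
      contents: write      # gh release upload / edit
      id-token: write      # OIDC identity for the provenance attestation
      attestations: write  # store the attestation on the repository
    # No job-level env here on purpose: the publish PATs are scoped to the
    # individual steps that use them, so `npm run check` and `vsce package`
    # (which execute dependency code) never see them.
    steps:
      - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
        with:
          egress-policy: audit
      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          # Do not leave GITHUB_TOKEN in .git/config for later steps.
          persist-credentials: false
          # Build exactly the tagged commit, not whatever main is now.
          ref: ${{ needs.release-please.outputs.tag_name }}
      - uses: ./.github/actions/setup-node
      - run: npm run check
      - run: npx @vscode/vsce package --out patchloom.vsix
      - name: Attest build provenance
        uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
        with:
          subject-path: patchloom.vsix
      # Workflow values are passed to every `run:` below through `env:` so the
      # shell sees them as quoted data; inline `${{ }}` in a script is spliced
      # into the script text before it runs. $GITHUB_REPOSITORY is the runner's
      # own default for owner/repo.
      - name: Upload attestation bundle as .intoto.jsonl (for Scorecard Signed-Releases)
        # Scorecard's Signed-Releases check requires .intoto.jsonl *release assets* (not just API attestations).
        # See ~/.grok/skills/ci-build-release/SKILL.md
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          TAG_NAME: ${{ needs.release-please.outputs.tag_name }}
        run: |
          mkdir -p attestation-bundles
          tmpdir=$(mktemp -d)
          pushd "$tmpdir" > /dev/null
          # Download is best-effort: a missing bundle only means no asset is
          # uploaded, the release itself is not blocked.
          if gh attestation download "$OLDPWD/patchloom.vsix" \
              --repo "$GITHUB_REPOSITORY" 2>/dev/null; then
            for bundle in *.jsonl; do
              [ -f "$bundle" ] || continue
              cp "$bundle" "$OLDPWD/attestation-bundles/patchloom.vsix.intoto.jsonl"
              break
            done
          fi
          popd > /dev/null
          rm -rf "$tmpdir"
          if ls attestation-bundles/*.intoto.jsonl >/dev/null 2>&1; then
            gh release upload "$TAG_NAME" attestation-bundles/*.intoto.jsonl --clobber
          fi
      - name: Upload .vsix to GitHub Release
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          TAG_NAME: ${{ needs.release-please.outputs.tag_name }}
        # --clobber matches the attestation upload above and lets a re-run of
        # this job replace an asset a previous attempt already attached.
        run: gh release upload "$TAG_NAME" patchloom.vsix --clobber
      - name: Apply custom release notes
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          TAG_NAME: ${{ needs.release-please.outputs.tag_name }}
        run: |
          if [ -f RELEASE_NOTES.md ]; then
            echo "Custom release notes found, updating release body..."
            gh release edit "$TAG_NAME" --notes-file RELEASE_NOTES.md
          else
            echo "No custom release notes, using auto-generated notes"
          fi
      # See ~/.grok/skills/vsce-publish/SKILL.md (or /vsce-publish) for the full
      # one-time browser setup (aex.dev.azure.com, PAT scopes, Open VSX agreement
      # + create-namespace + ownership claim), secret names, and troubleshooting.
      #
      # Publishing is optional per marketplace: each publish step runs only when
      # its PAT secret is set. The presence check is done in its own step so the
      # PATs are exposed to these three steps only.
      - name: Detect publish credentials
        id: publish-creds
        env:
          VSCE_PAT: ${{ secrets.VSCE_PAT }}
          OVSX_PAT: ${{ secrets.OVSX_PAT }}
        run: |
          echo "vsce=$([ -n "$VSCE_PAT" ] && echo true || echo false)" >> "$GITHUB_OUTPUT"
          echo "ovsx=$([ -n "$OVSX_PAT" ] && echo true || echo false)" >> "$GITHUB_OUTPUT"
      - name: Publish to VS Code Marketplace
        if: steps.publish-creds.outputs.vsce == 'true'
        env:
          VSCE_PAT: ${{ secrets.VSCE_PAT }}
        run: npx @vscode/vsce publish --packagePath patchloom.vsix
      - name: Publish to Open VSX
        if: steps.publish-creds.outputs.ovsx == 'true'
        env:
          OVSX_PAT: ${{ secrets.OVSX_PAT }}
        run: npx ovsx publish patchloom.vsix
      - name: Extract version from tag
        id: version
        env:
          TAG_NAME: ${{ needs.release-please.outputs.tag_name }}
        # Strips a leading `patchloom-` from the tag; the remainder is shown
        # on the badge.
        run: echo "version=${TAG_NAME#patchloom-}" >> "$GITHUB_OUTPUT"
      - name: Update version badge
        # Badge refresh is cosmetic; a gist failure must not fail the release.
        continue-on-error: true
        uses: schneegans/dynamic-badges-action@0e50b8bad39e7e1afd3e4e9c2b7dd145fad07501 # v1.8.0
        with:
          auth: ${{ secrets.GIST_TOKEN }}
          gistID: d01e4551b744b77e2927555e43a4b935
          filename: version.json
          label: VS Code Marketplace
          message: ${{ steps.version.outputs.version }}
          color: blue
          namedLogo: visualstudiocode
          logoColor: white
      # Clean up RELEASE_NOTES.md after release (uses App token so the PR triggers CI/auto-approve)
      - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
        if: hashFiles('RELEASE_NOTES.md') != ''
        id: cleanup-token
        with:
          client-id: ${{ vars.APP_CLIENT_ID }}
          private-key: ${{ secrets.APP_PRIVATE_KEY }}
      - name: Clean up release notes file
        # When the token step was skipped its outcome is 'skipped', so this
        # step is skipped as well.
        if: steps.cleanup-token.outcome == 'success'
        env:
          GH_TOKEN: ${{ steps.cleanup-token.outputs.token }}
          TAG: ${{ needs.release-please.outputs.tag_name }}
        run: |
          # Only act if the file is really tracked at the tagged commit.
          if git ls-tree HEAD --name-only | grep -q '^RELEASE_NOTES.md$'; then
            BRANCH="chore/cleanup-release-notes-${TAG}"
            # Branch off the tagged commit, delete the file through the
            # contents API, then open an auto-merging PR back to main.
            gh api "repos/${GITHUB_REPOSITORY}/git/refs" \
              -f ref="refs/heads/$BRANCH" \
              -f sha="$(git rev-parse HEAD)"
            FILE_SHA=$(gh api \
              "repos/${GITHUB_REPOSITORY}/contents/RELEASE_NOTES.md?ref=$BRANCH" \
              --jq '.sha')
            gh api --method DELETE \
              "repos/${GITHUB_REPOSITORY}/contents/RELEASE_NOTES.md" \
              -f message="chore: remove release notes override" \
              -f sha="$FILE_SHA" \
              -f branch="$BRANCH"
            PR_URL=$(gh pr create --base main --head "$BRANCH" \
              --title "chore: remove release notes override" \
              --body "Auto-cleanup after ${TAG} release.")
            gh pr merge "$PR_URL" --auto --squash
          fi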