diff --git a/.github/actions/github/branch-protection/lock/action.yml b/.github/actions/github/branch-protection/lock/action.yml
index 7a493cce..d8f345a1 100644
--- a/.github/actions/github/branch-protection/lock/action.yml
+++ b/.github/actions/github/branch-protection/lock/action.yml
@@ -5,6 +5,9 @@ inputs:
 branch:
 description: 'Branch name to lock.'
 required: true
+ token:
+ description: 'GitHub token with administration:write (repo admin) permission. Use a PAT; GITHUB_TOKEN cannot call the branch protection API.'
+ required: true
 runs:
 using: composite
@@ -12,7 +15,7 @@ runs:
 - name: 'Lock branch ${{ inputs.branch }}'
 shell: bash
 env:
- GH_TOKEN: ${{ github.token }}
+ GH_TOKEN: ${{ inputs.token }}
 run: |
 if ! gh api --method PUT /repos/${{ github.repository }}/branches/${{ inputs.branch }}/protection \
 --input - << 'EOF'
diff --git a/.github/actions/github/branch-protection/unlock/action.yml b/.github/actions/github/branch-protection/unlock/action.yml
index 5bd37baa..9c41d395 100644
--- a/.github/actions/github/branch-protection/unlock/action.yml
+++ b/.github/actions/github/branch-protection/unlock/action.yml
@@ -5,6 +5,9 @@ inputs:
 branch:
 description: 'Branch name to unlock.'
 required: true
+ token:
+ description: 'GitHub token with administration:write (repo admin) permission. Use a PAT; GITHUB_TOKEN cannot call the branch protection API.'
+ required: true
 runs:
 using: composite
@@ -12,7 +15,7 @@ runs:
 - name: 'Unlock branch ${{ inputs.branch }}'
 shell: bash
 env:
- GH_TOKEN: ${{ github.token }}
+ GH_TOKEN: ${{ inputs.token }}
 run: |
 gh api --method DELETE /repos/${{ github.repository }}/branches/${{ inputs.branch }}/protection || true
 echo "🔓 Branch protection removed from '${{ inputs.branch }}'." >> $GITHUB_STEP_SUMMARY
diff --git a/.github/workflows/bump-version.yml b/.github/workflows/bump-version.yml
index 5fa8e79f..6f79680c 100644
--- a/.github/workflows/bump-version.yml
+++ b/.github/workflows/bump-version.yml
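Review bot: The `token` description on the new input says GITHUB_TOKEN "cannot call the branch protection API" and recommends "a PAT" without qualification, which steers readers toward a classic PAT with full `repo` scope; the real constraint is that these endpoints need the repository `administration` permission, which GITHUB_TOKEN can never be granted (presumably why `administration: write` is dropped from the workflows' `permissions:` blocks elsewhere in this commit). I would reword it to `description: 'Token with repository "Administration: write" permission (fine-grained PAT or GitHub App installation token, supplied from a secret). GITHUB_TOKEN cannot be granted this permission.'` so the least-privilege option is the documented one.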
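Review bot: `${{ inputs.branch }}` is still expanded straight into the `run:` script on the `gh api --method PUT` line, so a branch name containing shell metacharacters is executed rather than passed as data; the commit moves branch names into `env:` in promote-branch.yml but leaves this composite action as it was. Add `BRANCH: ${{ inputs.branch }}` under the same `env:` as the new `GH_TOKEN` entry and use `"/repos/${{ github.repository }}/branches/$BRANCH/protection"` in the script (`github.repository` is not caller-controlled and can stay inline). The step's script, including the heredoc body fed to `--input -`, continues past the end of the hunk.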
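Review bot: The `|| true` on the `gh api --method DELETE` line discards every failure, and the following `echo` then writes "Branch protection removed" to the step summary unconditionally; now that the call runs under a caller-supplied `inputs.token`, a 401/403 from a wrong, expired or under-scoped token leaves the branch locked while the summary claims it was unlocked. I would keep the step best-effort (the `|| true` looks deliberate, since a DELETE on an unprotected branch also fails) but report removal only on success and surface a warning otherwise, and move `inputs.branch` into `env:` next to `GH_TOKEN` so it is not interpolated into the shell. Rewritten step body below, indented as the step is in the action.
```yaml
    env:
      GH_TOKEN: ${{ inputs.token }}
      BRANCH: ${{ inputs.branch }}
    run: |
      if gh api --method DELETE "/repos/${{ github.repository }}/branches/$BRANCH/protection"; then
        echo "🔓 Branch protection removed from '$BRANCH'." >> "$GITHUB_STEP_SUMMARY"
      else
        echo "::warning::Branch protection on '$BRANCH' was not removed (branch may be unprotected, or the token lacks administration:write)."
        echo "⚠️ Branch protection on '$BRANCH' was NOT removed." >> "$GITHUB_STEP_SUMMARY"
      fi
```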
@@ -15,7 +15,6 @@ permissions:
 actions: read
 contents: write
 pull-requests: write
- administration: write
 concurrency:
 group: bump-version
diff --git a/.github/workflows/promote-branch.yml b/.github/workflows/promote-branch.yml
index 645d712c..8e566ec3 100644
--- a/.github/workflows/promote-branch.yml
+++ b/.github/workflows/promote-branch.yml
@@ -1,4 +1,4 @@
-name: 'Promote branch'
+name: 'Promote branch'
 on:
 workflow_dispatch:
@@ -21,7 +21,6 @@ permissions:
 id-token: write
 contents: write
 pull-requests: write
- administration: write
 concurrency:
 group: 'promote-branch-${{ inputs.promotion-type }}-${{github.ref_name }}'
@@ -206,18 +205,18 @@ jobs:
 dotnet-version: ${{ env.dotnet-sdk-version }}
 - name: 'Create target branch'
 if: ${{ needs.workflow-variables.outputs.target-branch-exists == 'false' }}
+ env:
+ base-branch: ${{ needs.workflow-variables.outputs.base-branch }}
+ target-branch: ${{ needs.workflow-variables.outputs.target-branch }}
 run: |
- git config user.name "$(git log -n 1 --pretty=format:%an)"
- git config user.email "$(git log -n 1 --pretty=format:%ae)"
 git fetch origin
- git switch ${{ needs.workflow-variables.outputs.base-branch }}
- git checkout -b ${{ needs.workflow-variables.outputs.target-branch }} origin/${{ needs.workflow-variables.outputs.target-branch }} || git checkout -b ${{ needs.workflow-variables.outputs.target-branch }}
- git push --set-upstream origin ${{ needs.workflow-variables.outputs.target-branch }}
+ git push origin origin/${{ env.base-branch }}:refs/heads/${{ env.target-branch }}
 - name: 'Lock target branch'
 if: ${{ needs.workflow-variables.outputs.target-branch-exists == 'false' }}
 uses: './.github/actions/github/branch-protection/lock'
 with:
 branch: ${{ needs.workflow-variables.outputs.target-branch }}
+ token: ${{ secrets.GH_ADMIN_TOKEN }}
 - name: 'Create PR: "Promote ${{ env.current-branch }} to ${{ env.target-branch }}"'
 if: ${{ needs.workflow-variables.outputs.pull-request-exists == 'false' }}
 env:
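Review bot: The new `env:` keys `base-branch` and `target-branch` contain hyphens, so bash cannot read them as variables, and the rewritten `git push` line falls back to `${{ env.base-branch }}` / `${{ env.target-branch }}`, which inlines the values into the script exactly as the removed lines did and gains nothing from the move to `env:`. Name them `BASE_BRANCH: ${{ needs.workflow-variables.outputs.base-branch }}` and `TARGET_BRANCH: ${{ needs.workflow-variables.outputs.target-branch }}` and push with `git push origin "origin/$BASE_BRANCH:refs/heads/$TARGET_BRANCH"`. `secrets.GH_ADMIN_TOKEN`, now handed to the lock step, is a repository-admin credential exposed to this job; a fine-grained PAT or GitHub App token limited to this repository with only Administration: write bounds what a compromised step could do with it. The job and its `permissions:` block begin before the hunk.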
diff --git a/.github/workflows/publish-documentation.yml b/.github/workflows/publish-documentation.yml
index 2a579943..67fe7ee5 100644
--- a/.github/workflows/publish-documentation.yml
+++ b/.github/workflows/publish-documentation.yml
@@ -2,12 +2,7 @@ on:
 workflow_dispatch:
- push:
- branches:
- - 'release/**'
- paths:
- - 'src/**'
- - 'api-reference/**'
+ workflow_call:
 permissions:
 actions: read
@@ -100,8 +95,8 @@ jobs:
 id: discover-versions
 shell: bash
 run: |
- versions=$(ls api-reference/ | grep -E '^\d+\.\d+$' | sort -V | paste -sd ',' -)
- latest=$(ls api-reference/ | grep -E '^\d+\.\d+$' | sort -V | tail -1)
+ versions=$(ls api-reference/ | grep -E '^[0-9]+\.[0-9]+$' | sort -V | paste -sd ',' -)
+ latest=$(ls api-reference/ | grep -E '^[0-9]+\.[0-9]+$' | sort -V | tail -1)
 echo "versions=$versions" >> $GITHUB_OUTPUT
 echo "latest=$latest" >> $GITHUB_OUTPUT
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index ad996933..3d4b1996 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,4 +1,4 @@
-name: 'Release'
+name: 'Release'
 on:
 push:
@@ -13,7 +13,6 @@ permissions:
 pages: write
 id-token: write
 contents: write
- administration: write
 concurrency:
 group: release-${{ github.head_ref || github.ref }}
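Review bot: The new `workflow_call:` trigger declares no `inputs` or `secrets`, so a caller that does not pass `secrets: inherit` (the `publish-documentation` job added to release.yml in this commit does not) supplies only GITHUB_TOKEN, and that token is capped by the caller job's `permissions`. That is the right least-privilege default, but nothing in the file says so, and with the `push:` trigger removed, release pushes no longer publish docs on their own. I would add above `workflow_call:`: `# Called from release.yml for release builds; receives no secrets beyond GITHUB_TOKEN and runs with the caller job's permissions. workflow_dispatch stays for manual republishing.` The `permissions:` block continues past the hunk.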
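Review bot: The `[0-9]` replacement on both `grep -E` lines is the right fix (`\d` is not POSIX ERE and GNU grep 3.8+ rejects it), but both lines still parse `ls api-reference/`, which also matches regular files and runs the listing twice. On a GNU userland `versions=$(find api-reference -mindepth 1 -maxdepth 1 -type d -printf '%f\n' | grep -E '^[0-9]+\.[0-9]+$' | sort -V | paste -sd ',' -)` restricts the candidates to directories, and `latest=${versions##*,}` takes the newest entry from the same sorted list instead of a second listing. The two `>> $GITHUB_OUTPUT` redirections should also quote the path (`"$GITHUB_OUTPUT"`). The enclosing job starts before the hunk.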
@@ -207,9 +206,20 @@ jobs:
 ${{ runner.temp }}/${{ env.nuget-packages-directory }}/**/*.nupkg
 ${{ runner.temp }}/${{ env.nuget-packages-directory }}/**/*.snupkg
+ publish-documentation:
+ name: 'Publish documentation'
+ needs: [pack, validate-release, workflow-variables]
+ if: ${{ needs.workflow-variables.outputs.is-release == 'true' }}
+ uses: ./.github/workflows/publish-documentation.yml
+ permissions:
+ actions: read
+ pages: write
+ id-token: write
+
 publish-package:
 name: 'Publish package'
- needs: [pack, validate-release]
+ needs: [pack, validate-release, publish-documentation]
+ if: ${{ always() && needs.pack.result == 'success' && needs.validate-release.result == 'success' && (needs.publish-documentation.result == 'success' || needs.publish-documentation.result == 'skipped') }}
 env:
 package-artifact-name: ${{ needs.pack.outputs.package-artifact-name }}
 runs-on: ubuntu-latest
@@ -244,12 +254,14 @@ jobs:
 steps:
 - name: 'Checkout ${{ github.head_ref || github.ref }}'
 uses: actions/checkout@v6
+ with:
+ fetch-tags: true
 - name: 'Determine notes start tag'
 id: determine-notes-start-tag
 run: |
- notes-start-tag=$(git describe --abbrev=0 --tags)
- echo "notes-start-tag=$notes-start-tag" >> $GITHUB_OUTPUT
+ notes_start_tag=$(git describe --abbrev=0 --tags 2>/dev/null || echo "")
+ echo "notes-start-tag=$notes_start_tag" >> $GITHUB_OUTPUT
 shell: bash
 - name: 'Create GitHub Release'
@@ -358,6 +370,7 @@ jobs:
 uses: './.github/actions/github/branch-protection/lock'
 with:
 branch: ${{ steps.resolve-support-branch.outputs.support-branch }}
+ token: ${{ secrets.GH_ADMIN_TOKEN }}
 - name: 'Write support branch summary'
 run: |
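Review bot: The `permissions:` block on the new `publish-documentation` job grants only `actions: read`, `pages: write` and `id-token: write`, so the reusable workflow's GITHUB_TOKEN gets no `contents` access (a called workflow cannot exceed its caller's grants); publish-documentation.yml lists `api-reference/` from the working tree, so it presumably checks the repository out, which needs `contents: read` on a private repository. Add `contents: read` to that `permissions:` block. On the `publish-package` `if:` line, `!cancelled()` is the idiomatic guard in place of `always()`: the result checks already stop a publish after a failure, but `always()` also evaluates the job on a cancelled run. The `publish-package` job continues past the hunk.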
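Review bot: `fetch-tags: true` on the checkout step does not change `actions/checkout`'s default `fetch-depth: 1`, so the clone has tag refs but no history to walk; `git describe --abbrev=0 --tags` then succeeds only when a tag points at HEAD, and the new `|| echo ""` turns every other case into an empty `notes-start-tag` where the old line failed the job loudly. Add `fetch-depth: 0` beside `fetch-tags: true` (unless a depth is set elsewhere in that step outside the hunk) so the previous tag is reachable. The empty-string fallback is consumed by the 'Create GitHub Release' step, whose body lies outside the hunk, so confirm it handles an unset start tag deliberately rather than generating notes from the repository root.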