chore: bump ospo-reusable-workflows release.yaml to v1.0.1 #35
Open
jmeridth wants to merge 3 commits into
## What
Pin the reusable release workflow to v1.0.0 (SHA 592067a69a43d2285f933753d89a7c9d51b96530), use the reusable workflow's built-in GoReleaser support, add release.disable to .goreleaser.yaml, and add a Breaking Changes category to release-drafter.

## Why
v1.0.0 of ospo-reusable-workflows broadens the release trigger to include breaking, feature, vuln, and release labels and folds GoReleaser, container image build, attestation, and discussion creation into the reusable workflow itself. Centralizing the GoReleaser step removes duplicated CI definition and keeps version pins on a single hardened source.

## Notes
- The reusable workflow validates that the GoReleaser config sets `release.disable: true` to prevent the goreleaser step from racing the draft release.
- The outer label-filter `if:` block is removed because the v1.0 reusable workflow handles label filtering internally.
- Trigger updated to pull_request_target so the workflow can push tags via GITHUB_TOKEN.

Signed-off-by: jmeridth <jmeridth@gmail.com>

## What
Add packages and discussions permissions to the release job. v1.0 of ospo-reusable-workflows/release.yaml declares them on its internal release_image and release_discussion jobs, and GitHub validates them at workflow startup regardless of whether the if: filter would skip the job.

## Why
The initial v1.0 bump shipped a too-narrow permissions block. When pull_request_target.closed fires on merge, GitHub validates the called workflow's job permissions against the caller and rejects the run with startup_failure. Aligning the caller's release job permissions with the ospo/stale-repos reference fixes the validation.

## Notes
- All extra permissions are required by GitHub's static validation even when the matching reusable-workflow job is gated by if: and would not actually run.
- This is also a template-source repo; downstream-generated plugins will pick up the corrected workflow.

## Testing
After merging, the next merged PR will trigger a successful Release workflow startup (no more startup_failure).

Signed-off-by: jmeridth <jmeridth@gmail.com>

## What
Bump the pin on ospo-reusable-workflows/release.yaml from v1.0.0 to v1.0.1 (SHA e92cb6053ace495fe40a5f185988557afcdcecbc).

## Why
v1.0.1 lands two fixes from upstream PR #138:
1. release_discussion runs only after publish_release succeeds.
2. release_goreleaser auto-installs syft when GoReleaser config declares an sboms: block.

## Notes
- No caller-side configuration changes are required; v1.0.1 is backward-compatible with v1.0.0 inputs and secrets.
- This is a templates repo; downstream-generated plugins pick up the corrected version automatically.
- This commit folds into the existing PR; the cumulative PR now lands at v1.0.1.

Signed-off-by: jmeridth <jmeridth@gmail.com>
## What
Pin the reusable release workflow to v1.0.0 (SHA 592067a69a43d2285f933753d89a7c9d51b96530), use the reusable workflow's built-in GoReleaser support, add `release.disable` to `.goreleaser.yaml`, and add a Breaking Changes category to release-drafter.

## Why
v1.0.0 of ospo-reusable-workflows broadens the release trigger to include breaking, feature, vuln, and release labels and folds GoReleaser, container image build, attestation, and discussion creation into the reusable workflow itself. Centralizing the GoReleaser step removes duplicated CI definition and keeps version pins on a single hardened source.

## Notes
- `release.disable: true` to prevent the goreleaser step from racing the draft release.
- `if:` block is removed because the v1.0 reusable workflow handles label filtering internally.
- `pull_request_target` so the workflow can push tags via `GITHUB_TOKEN`.
- `go.mod` (only `go.mod.tmpl`), so `go-version-file` is omitted from the workflow `with:` inputs.
- `goreleaser` and `attest-sboms` jobs are removed; the reusable workflow now performs GoReleaser, build provenance attestation, and SBOM handling internally.

## Testing
release.disable: true)
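
The second commit above describes a startup_failure caused by the caller's release job granting fewer permissions than the called workflow's jobs declare. As an added example (not code from this PR or from ospo-reusable-workflows), the sketch below models that static comparison; the job names `release_image` and `release_discussion` come from the commit message, while the permission levels and the caller blocks are constructed sample values.

```python
# Added example (not the project's code): a model of the static check GitHub
# runs at workflow startup on a reusable-workflow call.
LEVELS = {"none": 0, "read": 1, "write": 2}

# Constructed sample: job names come from the PR text, permission levels are assumed.
CALLED_JOBS = {
    "release_image": {"contents": "read", "packages": "write"},
    "release_discussion": {"contents": "read", "discussions": "write"},
}
CALLER_BEFORE = {"contents": "write", "pull-requests": "read"}
CALLER_AFTER = {**CALLER_BEFORE, "packages": "write", "discussions": "write"}


def missing_permissions(caller, called_jobs):
    """Return {job: {scope: (granted, requested)}} for each scope a called job
    requests above the caller job's grant.

    Scopes absent from an explicit caller `permissions:` block count as
    "none". Job-level `if:` filters are ignored on purpose: the check is
    static, so a job that would be skipped still has to pass it.
    """
    gaps = {}
    for job, requested in called_jobs.items():
        for scope, level in requested.items():
            granted = caller.get(scope, "none")
            if LEVELS[granted] < LEVELS[level]:
                gaps.setdefault(job, {})[scope] = (granted, level)
    return gaps


def would_start(caller, called_jobs):
    """True when no called job exceeds the caller's grant (no startup_failure)."""
    return not missing_permissions(caller, called_jobs)


if __name__ == "__main__":
    for name, caller in (("before", CALLER_BEFORE), ("after", CALLER_AFTER)):
        print(name, would_start(caller, CALLED_JOBS),
              missing_permissions(caller, CALLED_JOBS))
```

Running the same comparison in review against the pinned SHA's declared job permissions surfaces a too-narrow caller block before the first merged PR triggers the workflow.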