shared-config/.github/workflows/cd.yml at a937aaa053fb587ff6b50c06288c5a87a28372e2 · rubyatscale/shared-config · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
name: CD

on:
  workflow_call:
jobs:
  deploy: # zizmor: ignore[secrets-outside-env] reusable workflow; environments are managed by callers
    runs-on: ubuntu-latest
    if: ${{ github.event.workflow_run.conclusion == 'success' }}
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          persist-credentials: false
      - name: Tag and Push Gem
        id: tag-and-push-gem
        uses: discourse/publish-rubygems-action@4bd305c65315cb691bad1e8de97a87aaf29a0a85 # v3
        env:
          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
          GIT_EMAIL: ${{secrets.GUSTO_GIT_EMAIL}}
          GIT_NAME: ${{secrets.GUSTO_GIT_NAME}}
          RUBYGEMS_API_KEY: ${{secrets.RUBYGEMS_API_KEY}}
      - name: Create GitHub Release
        # zizmor: ignore[template-injection] gem_version comes from a trusted prior step
        run: gh release create v${{steps.tag-and-push-gem.outputs.gem_version}} --generate-notes
        if: ${{ steps.tag-and-push-gem.outputs.new_version == 'true' }}
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  notify_on_failure: # zizmor: ignore[secrets-outside-env] reusable workflow; environments are managed by callers
    runs-on: ubuntu-latest
    needs: [deploy]
    if: ${{ failure() && github.ref == 'refs/heads/main' }}
    steps:
      - uses: slackapi/slack-github-action@af78098f536edbc4de71162a307590698245be95 # v3
        with:
          webhook: ${{ secrets.SLACK_WEBHOOK_URL }}
          webhook-type: incoming-webhook
          payload: |
            text: "${{ github.repository }}/${{ github.ref }}: FAILED\n${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"