ci: 👷 update workflows from t-squared, improve releasing (#267) #1
| name: Release | |
| on: | |
| push: | |
| branches: | |
| - main | |
| # Limit token permissions for security | |
| permissions: read-all | |
| jobs: | |
| release: | |
| if: "!startsWith(github.event.head_commit.message, 'build: 🔖 update version')" | |
| runs-on: ubuntu-latest | |
| # To generate releases, this job needs write access to the repository contents. | |
| permissions: | |
| contents: write | |
| # Can only release one version at a time, so need to stop any other jobs that | |
| # are also trying to release, to prevent conflicts. | |
| concurrency: | |
| group: release-group | |
| cancel-in-progress: true | |
| steps: | |
| # This is a useful security step to check for unexpected outbound calls from the runner, | |
| # which could indicate a compromised token or runner. | |
| - name: Harden the runner (Audit all outbound calls) | |
| uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 | |
| with: | |
| egress-policy: audit | |
| # Using this security pattern for GitHub Apps is recommended by GitHub and ensures that | |
| # the token is only available for a short time and has limited permissions. Check out | |
| # <https://guidebook.seedcase-project.org/operations/security> for more details. | |
| - uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1 | |
| id: app-token | |
| with: | |
| client-id: ${{ vars.UPDATE_VERSION_APP_ID }} | |
| private-key: ${{ secrets.UPDATE_VERSION_TOKEN }} | |
| - name: Checkout | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| # Only need the last commit from the repo. | |
| fetch-depth: 0 | |
| # Requires the token in order to push changes to the repo for the release. | |
| token: ${{ steps.app-token.outputs.token }} | |
| # Set this for the bot user who will make the release commit. | |
| - name: Set bot user | |
| run: | | |
| git config user.name "github-actions[bot]" | |
| git config user.email "41898282+github-actions[bot]@users.noreply.github.com" | |
| - name: Install Cocogitto | |
| uses: cocogitto/cocogitto-action@9a9fe03b31c47444290c0d7f9b1ee1b44ee13f20 # v4.1.0 | |
| with: | |
| command: check | |
| # Install uv to use git-cliff and rumdl | |
| - name: Set up uv | |
| uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 | |
| with: | |
| enable-cache: true | |
| - name: Check if there are releasable changes | |
| continue-on-error: true | |
| id: check_changes | |
| run: | | |
| if cog check --from-latest-tag; then | |
| echo "has_changes=true" >> $GITHUB_OUTPUT | |
| else | |
| echo "has_changes=false" >> $GITHUB_OUTPUT | |
| fi | |
| - name: Create tag and update changelog | |
| if: steps.check_changes.outputs.has_changes == 'true' | |
| run: | | |
| cog bump --auto | |
| - name: Create GitHub release | |
| if: steps.check_changes.outputs.has_changes == 'true' | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| version=$(cog get-version) | |
| uvx git-cliff --latest --output RELEASE_NOTES.md --strip all | |
| gh release create "${version}" \ | |
| --title "Release ${version}" \ | |
| --notes-file RELEASE_NOTES.md |
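Review bot: `uvx git-cliff --latest --output RELEASE_NOTES.md --strip all` in the "Create GitHub release" step resolves git-cliff to whatever version the package index serves at release time, while every action in this workflow is pinned to a commit SHA; in a job that holds an app token and `contents: write`, the tool that produces the release notes should be pinned the same way, e.g. `uvx git-cliff@<PINNED_GIT_CLIFF_VERSION> --latest --output RELEASE_NOTES.md --strip all`. The same step authenticates `gh` with `secrets.GITHUB_TOKEN` although checkout and push use the app token; releases created with the default token do not start other workflow runs, so if anything in this repository listens on `release` events it will not fire, and `GH_TOKEN: ${{ steps.app-token.outputs.token }}` would be consistent with the rest of the job. The checkout comment `# Only need the last commit from the repo.` contradicts `fetch-depth: 0`, which fetches the full history; `# Full history is needed so cog and git-cliff can find the latest tag.` matches what the later steps rely on. The comment `# Install uv to use git-cliff and rumdl` names rumdl, which no step in this file runs. The forge banner reports hidden or bidirectional Unicode in this file; if that is not merely the emoji inside the job's `if:` expression, the invisible character should be located and removed before merging.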