release.yml
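name: Release

on:
  push:
    branches:
      - main

# Limit token permissions for security. This is the default for any job that
# does not declare its own `permissions` block; the release job below does.
permissions: read-all

jobs:
  release:
    # Skip pushes whose head commit is a version-update commit (presumably the
    # one this workflow itself creates), so a release does not trigger another.
    if: "!startsWith(github.event.head_commit.message, 'build: 🔖 update version')"
    runs-on: ubuntu-latest
    # To generate releases, this job needs write access to the repository contents.
    # A job-level block replaces the workflow default, so GITHUB_TOKEN gets
    # `contents: write` and nothing else here.
    permissions:
      contents: write
    # Can only release one version at a time, so need to stop any other jobs that
    # are also trying to release, to prevent conflicts.
    # NOTE(review): cancelling a run between the bump step and the release step
    # may leave a tag without a GitHub release -- confirm this is acceptable.
    concurrency:
      group: release-group
      cancel-in-progress: true
    steps:
      # This is a useful security step to check for unexpected outbound calls from
      # the runner, which could indicate a compromised token or runner.
      # `audit` only records outbound traffic, it does not block it. Once the
      # expected endpoints are known, `egress-policy: block` with
      # `allowed-endpoints` turns this from detection into enforcement.
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
        with:
          egress-policy: audit

      # Using this security pattern for GitHub Apps is recommended by GitHub and
      # ensures that the token is only available for a short time and has limited
      # permissions. Check out
      # <https://guidebook.seedcase-project.org/operations/security> for more details.
      # NOTE(review): no `permission-*` input is set, so the token carries every
      # permission the app installation has; `permission-contents: write` would
      # narrow it if pushing the release commit and tag is all it is used for.
      - uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
        id: app-token
        with:
          client-id: ${{ vars.UPDATE_VERSION_APP_ID }}
          private-key: ${{ secrets.UPDATE_VERSION_TOKEN }}

      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # 0 fetches the full history and all tags (not just the last commit);
          # presumably needed so the version bump and changelog can see earlier
          # tags and commits.
          fetch-depth: 0
          # Requires the token in order to push changes to the repo for the release.
          # checkout keeps this token available to later git commands in the job
          # (persist-credentials defaults to true), so every following step,
          # including third-party actions and tools fetched at run time, runs
          # with push access.
          token: ${{ steps.app-token.outputs.token }}

      # Set this for the bot user who will make the release commit.
      - name: Set bot user
        run: |
          git config user.name "github-actions[bot]"
          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"

      # Provides the `cog` binary used by the later steps and runs its `check`
      # command.
      - name: Install Cocogitto
        uses: cocogitto/cocogitto-action@9a9fe03b31c47444290c0d7f9b1ee1b44ee13f20 # v4.1.0
        with:
          command: check

      # Install uv to use git-cliff and rumdl
      - name: Set up uv
        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
        with:
          enable-cache: true

      # Writes `has_changes` to the step outputs; the two steps below only run
      # when it is 'true'. With continue-on-error, a failure here does not fail
      # the job.
      - name: Check if there are releasable changes
        continue-on-error: true
        id: check_changes
        run: |
          # Determine if a bump is possible: any dry-run output that does not
          # start with "No" (including empty output) counts as releasable.
          if [[ $(cog bump --auto --dry-run) != No* ]]; then
            echo "has_changes=true" >> "$GITHUB_OUTPUT"
          else
            echo "has_changes=false" >> "$GITHUB_OUTPUT"
          fi

      - name: Create tag and update changelog
        if: steps.check_changes.outputs.has_changes == 'true'
        run: |
          cog bump --auto

      # The release itself is created with the job's GITHUB_TOKEN
      # (contents: write), not with the app token.
      - name: Create GitHub release
        if: steps.check_changes.outputs.has_changes == 'true'
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          version=$(cog get-version)
          # Remove logging from git-cliff.
          # NOTE(review): unlike the SHA-pinned actions above, `uvx git-cliff`
          # resolves whatever version is current at run time, in a job that holds
          # write credentials. Pin it, e.g. `uvx git-cliff@<PINNED_VERSION>`.
          RUST_LOG='none' uvx git-cliff --latest --output RELEASE_NOTES.md --strip all
          gh release create "${version}" \
            --title "Release ${version}" \
            --notes-file RELEASE_NOTES.md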