fix release to wait ci, removed secrets #6
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Release Terraform Provider | |
| on: | |
| push: | |
| tags: | |
| - 'v*' | |
| permissions: | |
| contents: write | |
| jobs: | |
| wait_ci: | |
| name: Wait for CI success on tag | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Determine tag and SHA | |
| id: ref | |
| shell: bash | |
| run: | | |
| TAG="${{ github.ref_type == 'tag' && github.ref_name || '' }}" | |
| if [[ -z "$TAG" ]]; then | |
| echo "Error: no tag in event" >&2 | |
| exit 1 | |
| fi | |
| SHA="${{ github.sha }}" | |
| echo "tag=$TAG" >> $GITHUB_OUTPUT | |
| echo "sha=$SHA" >> $GITHUB_OUTPUT | |
| - name: Install jq | |
| run: sudo apt-get update && sudo apt-get install -y jq | |
| - name: Wait for CI workflow | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| shell: bash | |
| run: | | |
| SHA="${{ steps.ref.outputs.sha }}" | |
| echo "Waiting for CI to succeed for $SHA ..." | |
| ATTEMPTS=120 | |
| SLEEP=10 | |
| for i in $(seq 1 $ATTEMPTS); do | |
| RESP=$(curl -s -H "Authorization: Bearer $GH_TOKEN" -H "Accept: application/vnd.github+json" \ | |
| "https://api.github.com/repos/${{ github.repository }}/actions/runs?per_page=50&head_sha=$SHA") | |
| STATUS=$(echo "$RESP" | jq -r '.workflow_runs[] | select(.name=="CI") | .status' | head -n1) | |
| CONCLUSION=$(echo "$RESP" | jq -r '.workflow_runs[] | select(.name=="CI") | .conclusion' | head -n1) | |
| if [[ "$STATUS" == "completed" ]]; then | |
| if [[ "$CONCLUSION" == "success" ]]; then | |
| echo "CI succeeded." | |
| exit 0 | |
| else | |
| echo "CI completed with conclusion: $CONCLUSION" | |
| exit 1 | |
| fi | |
| fi | |
| echo "CI status: ${STATUS:-not found}; waiting... ($i/$ATTEMPTS)" | |
| sleep $SLEEP | |
| done | |
| echo "Timed out waiting for CI to complete." | |
| exit 1 | |
| release: | |
| runs-on: ubuntu-latest | |
| needs: wait_ci | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - uses: actions/setup-go@v5 | |
| with: | |
| go-version: '1.22' | |
| - name: Import GPG private key (for checksum signing) | |
| env: | |
| GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }} | |
| GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} | |
| run: | | |
| if [ -z "${GPG_PRIVATE_KEY:-}" ]; then | |
| echo "No GPG_PRIVATE_KEY secret set; skipping key import." | |
| exit 0 | |
| fi | |
| mkdir -p ~/.gnupg | |
| chmod 700 ~/.gnupg | |
| echo "Importing GPG key" | |
| echo "$GPG_PRIVATE_KEY" | gpg --batch --import | |
| if [ -n "${GPG_PASSPHRASE:-}" ]; then | |
| echo 'pinentry-mode loopback' >> ~/.gnupg/gpg.conf | |
| echo 'allow-loopback-pinentry' >> ~/.gnupg/gpg-agent.conf | |
| gpg-connect-agent reloadagent /bye | |
| fi | |
| gpg --list-secret-keys --keyid-format LONG || true | |
| - name: Build | |
| run: go build ./... | |
| - name: GoReleaser | |
| uses: goreleaser/goreleaser-action@v5 | |
| with: | |
| version: latest | |
| args: release --clean | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| GPG_TTY: ${{ runner.env.SSH_AUTH_SOCK }} |