diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
new file mode 100644
index 0000000..5bee1fc
--- /dev/null
+++ b/.github/workflows/publish.yaml
@@ -0,0 +1,34 @@
+# Publish new releases to Bazel Central Registry.
+name: Publish
+on:
+ # Run the publish workflow after a successful release
+ # Will be triggered from the release.yaml workflow
+ workflow_call:
+ inputs:
+ tag_name:
+ required: true
+ type: string
+ secrets:
+ publish_token:
+ required: true
+ # In case of problems, let release engineers retry by manually dispatching
+ # the workflow from the GitHub UI
+ workflow_dispatch:
+ inputs:
+ tag_name:
+ required: true
+ type: string
+jobs:
+ publish:
+ uses: bazel-contrib/publish-to-bcr/.github/workflows/publish.yaml@v0.0.4
+ with:
+ tag_name: ${{ inputs.tag_name }}
+ # GitHub repository which is a fork of the upstream where the Pull Request will be opened.
+ registry_fork: aspect-build/bazel-central-registry
+ permissions:
+ attestations: write
+ contents: write
+ id-token: write
+ secrets:
+ # Necessary to push to the BCR fork, and to open a pull request against a registry
+ publish_token: ${{ secrets.BCR_PUBLISH_TOKEN }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index afabc3a..7ce6195 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -8,9 +8,22 @@ on: tags: - "v*.*.*"
+permissions:
+ id-token: write
+ attestations: write
+ contents: write
+ jobs: release:
- uses: bazel-contrib/.github/.github/workflows/release_ruleset.yaml@v6
+ uses: bazel-contrib/.github/.github/workflows/release_ruleset.yaml@v7.2.2 with: release_files: toolchains_protoc-*.tar.gz prerelease: false
+ tag_name: ${{ github.ref_name }}
+ publish:
+ needs: release
+ uses: ./.github/workflows/publish.yaml
+ with:
+ tag_name: ${{ github.ref_name }}
+ secrets:
+ publish_token: ${{ secrets.BCR_PUBLISH_TOKEN }}
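Review bot: `publish_token: ${{ secrets.BCR_PUBLISH_TOKEN }}` in the `publish` job will most likely resolve to an empty value when this file is entered through `workflow_call`, because a called workflow only sees the secrets its caller passes, under the name declared here (`publish_token`); the repository secret name is in scope only on the `workflow_dispatch` path. Reading both names covers the two triggers: `publish_token: ${{ secrets.publish_token || secrets.BCR_PUBLISH_TOKEN }}`. Separately, `publish-to-bcr/.github/workflows/publish.yaml@v0.0.4` is referenced by a movable tag while it receives that token together with `id-token: write` and `contents: write`. Pinning it to the full commit SHA (`@<full-commit-sha> # v0.0.4`) keeps a retagged upstream from running with those credentials, and the same applies to `release_ruleset.yaml@v7.2.2` in release.yml.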
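Review bot: The new top-level `permissions:` block grants `id-token: write`, `attestations: write` and `contents: write` to every job in release.yml, including any job added to this workflow later. Declaring the scopes per job instead, with a `permissions:` mapping under `release:` and another under `publish:`, keeps each grant next to the reusable workflow that consumes it and leaves future jobs at the default. Which scopes `release_ruleset.yaml` actually needs is not visible in this hunk, so confirm against that workflow before narrowing either list.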