diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
new file mode 100644
index 0000000000..0712e52a50
--- /dev/null
+++ b/.github/workflows/publish.yaml
@@ -0,0 +1,33 @@
+on:
+ # Run the publish workflow after a successful release
+ # Will be triggered from the release.yaml workflow
+ workflow_call:
+ inputs:
+ tag_name:
+ required: true
+ type: string
+ secrets:
+ publish_token:
+ required: true
+ # In case of problems, let release engineers retry by manually dispatching
+ # the workflow from the GitHub UI
+ workflow_dispatch:
+ inputs:
+ tag_name:
+ required: true
+ type: string
+
+jobs:
+ publish:
+ uses: bazel-contrib/publish-to-bcr/.github/workflows/publish.yaml@v0.0.4
+ with:
+ tag_name: ${{ inputs.tag_name }}
+ # GitHub repository which is a fork of the upstream where the Pull Request will be opened.
+ registry_fork: bazel-contrib/bazel-central-registry
+ permissions:
+ attestations: write
+ contents: write
+ id-token: write
+ secrets:
+ # Necessary to push to the BCR fork, and to open a pull request against a registry
+ publish_token: ${{ secrets.BCR_PUBLISH_TOKEN }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 7f1c2ed0ce..7741979ac2 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -15,8 +15,19 @@ permissions:
 contents: write
 jobs:
 release:
- uses: bazel-contrib/.github/.github/workflows/release_ruleset.yaml@0b644c3ee5c7cd9a7657f7e782b26a599d9b6d5c # 2025-01-23
+ uses: bazel-contrib/.github/.github/workflows/release_ruleset.yaml@v7.2.0
 with:
 prerelease: false
 release_files: rules_nodejs-*.tar.gz
- tag_name: ${{ inputs.tag_name }}
+ tag_name: ${{ inputs.tag_name || github.ref_name }}
+ publish:
+ needs: release
+ uses: ./.github/workflows/publish.yaml
+ with:
+ tag_name: ${{ inputs.tag_name || github.ref_name }}
+ permissions:
+ id-token: write
+ attestations: write
+ contents: write
+ secrets:
+ publish_token: ${{ secrets.BCR_PUBLISH_TOKEN }}
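Review bot: The reusable workflow on the `uses:` line of the `publish` job is referenced by a movable tag (`@v0.0.4`) while it receives `publish_token` and `attestations`/`contents`/`id-token` write permissions, so the code that runs with that token can change without any change in this repository. The release.yml hunk has the same issue and is a step back from the current state: it replaces the commit-SHA pin on `release_ruleset.yaml` with `@v7.2.0`. Pin both references to the full commit SHA behind the tag and keep the tag as a trailing comment, e.g. `uses: bazel-contrib/publish-to-bcr/.github/workflows/publish.yaml@<full-commit-sha-of-v0.0.4> # v0.0.4`. A short comment above `permissions:` saying which step needs each write scope would also help future reviewers keep the grant minimal.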
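Review bot: The `publish_token` that the new `publish` job passes does not appear to be read by the callee: publish.yaml declares it under `workflow_call.secrets` but forwards `secrets.BCR_PUBLISH_TOKEN` to the upstream workflow. As far as I know a called workflow only sees secrets the caller passes by name (or via `secrets: inherit`), so on the `workflow_call` path that expression is probably empty and publishing would only work on manual dispatch. In publish.yaml, forward the passed secret with a fallback for the dispatch case: `publish_token: ${{ secrets.publish_token || secrets.BCR_PUBLISH_TOKEN }}`. Since release.yml's triggers are outside the hunk, it is also worth confirming that `github.ref_name` is always a tag whenever `inputs.tag_name` is empty.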