
Commit 0da7858

committed
ci: Refactor release action to use app and create-pull-request
This uses a short-lived token minted from the GitHub App, which has a limited scope. It also refactors the commit/push steps to use the create-pull-request action rather than committing and pushing manually, which simplifies token usage when committing/pushing. Signed-off-by: ckyrouac <[email protected]>
1 parent 3758da2 commit 0da7858

2 files changed

+65
-85
lines changed

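--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -11,40 +11,46 @@ jobs:
 release:
 name: Create Release
 if: |
-(github.event_name == 'pull_request' &&
+(github.event_name == 'pull_request' &&
 github.event.pull_request.merged == true &&
 contains(github.event.pull_request.labels.*.name, 'release'))
 runs-on: ubuntu-latest
 container: quay.io/coreos-assembler/fcos-buildroot:testing-devel
 steps:
+- uses: actions/create-github-app-token@v2
+id: app-token
+with:
+app-id: ${{ secrets.APP_ID }}
+private-key: ${{ secrets.APP_PRIVATE_KEY }}
+
 - name: Checkout repository
 uses: actions/checkout@v4
 with:
 fetch-depth: 0
-token: ${{ secrets.GITHUB_TOKEN }}
-
+token: ${{ steps.app-token.outputs.token }}
+
 - name: Extract version
 id: extract_version
 run: |
 # Extract version from crates/lib/Cargo.toml
 VERSION=$(cargo read-manifest --manifest-path crates/lib/Cargo.toml | jq -r '.version')
-
+
 # Validate version format
 if ! echo "$VERSION" | grep -E '^[0-9]+\.[0-9]+\.[0-9]+$' >/dev/null; then
 echo "Error: Invalid version format in Cargo.toml: $VERSION"
 exit 1
 fi
-
+
 echo "Extracted version: $VERSION"
 echo "version=$VERSION" >> $GITHUB_OUTPUT
 echo "TAG_NAME=v$VERSION" >> $GITHUB_OUTPUT
-
+
 - name: Install deps
 run: ./ci/installdeps.sh
-
+
 - name: Mark git checkout as safe
 run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
-
+
 - name: Import GPG key
 if: github.event_name != 'push'
 uses: crazy-max/ghaction-import-gpg@v6
@@ -54,72 +60,72 @@ jobs:
 git_user_signingkey: true
 git_commit_gpgsign: true
 git_tag_gpgsign: true
-
+
 - name: Create and push tag
 if: github.event_name != 'push'
 run: |
 VERSION="${{ steps.extract_version.outputs.version }}"
 TAG_NAME="v$VERSION"
-
+
 if git rev-parse "$TAG_NAME" >/dev/null 2>&1; then
 echo "Tag $TAG_NAME already exists"
 exit 0
 fi
 
 git tag -s -m "Release $VERSION" "$TAG_NAME"
 git push origin "$TAG_NAME"
-
+
 echo "Successfully created and pushed tag $TAG_NAME"
-
+
 git checkout "$TAG_NAME"
-
+
 - name: Install vendor tool
 run: cargo install cargo-vendor-filterer
-
+
 - name: Cache Dependencies
 uses: Swatinem/rust-cache@v2
 with:
 key: "release"
-
+
 - name: Run cargo xtask package
 run: cargo xtask package
-
+
 - name: Create Release
 id: create_release
 uses: actions/create-release@v1
 env:
-GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
 with:
 tag_name: ${{ steps.extract_version.outputs.TAG_NAME }}
 release_name: Release ${{ steps.extract_version.outputs.TAG_NAME }}
 draft: true
 prerelease: false
 body: |
 ## bootc ${{ steps.extract_version.outputs.version }}
-
+
 ### Changes
-
+
 Auto-generated release notes will be populated here.
-
+
 ### Assets
-
+
 - `bootc-${{ steps.extract_version.outputs.version }}-vendor.tar.zstd` - Vendored dependencies archive
 - `bootc-${{ steps.extract_version.outputs.version }}.tar.zstd` - Source archive
-
+
 - name: Upload vendor archive
 uses: actions/upload-release-asset@v1
 env:
-GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
 with:
 upload_url: ${{ steps.create_release.outputs.upload_url }}
 asset_path: ./target/bootc-${{ steps.extract_version.outputs.version }}-vendor.tar.zstd
 asset_name: bootc-${{ steps.extract_version.outputs.version }}-vendor.tar.zstd
 asset_content_type: application/zstd
-
+
 - name: Upload source archive
 uses: actions/upload-release-asset@v1
 env:
-GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
 with:
 upload_url: ${{ steps.create_release.outputs.upload_url }}
 asset_path: ./target/bootc-${{ steps.extract_version.outputs.version }}.tar.zstd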
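Review bot: The App token passed to `actions/checkout@v4` in the first hunk is persisted in `.git/config` for the whole job, because this workflow does not set `persist-credentials: false` the way the scheduled-release workflow in this same commit does; it therefore stays readable by `./ci/installdeps.sh`, `cargo install cargo-vendor-filterer` and `cargo xtask package`, which run third-party build code with a token that can push tags and create releases. The only step that needs git credentials is "Create and push tag", so add `persist-credentials: false` to the checkout and give that step the token explicitly, e.g. `APP_TOKEN: ${{ steps.app-token.outputs.token }}` under its `env:` and `git push "https://x-access-token:${APP_TOKEN}@github.com/${GITHUB_REPOSITORY}.git" "$TAG_NAME"` in place of `git push origin "$TAG_NAME"`. Separately, the newly introduced third-party actions here are pinned to mutable major tags (`@v2`, `@v6`); pinning them to a full commit SHA would close the supply-chain gap, since the step that mints the App token runs first and any compromised action after it inherits that token.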

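--- a/.github/workflows/scheduled-release.yml
+++ b/.github/workflows/scheduled-release.yml
@@ -22,15 +22,22 @@ jobs:
 runs-on: ubuntu-latest
 container: quay.io/coreos-assembler/fcos-buildroot:testing-devel
 steps:
+- uses: actions/create-github-app-token@v2
+id: app-token
+with:
+app-id: ${{ secrets.APP_ID }}
+private-key: ${{ secrets.APP_PRIVATE_KEY }}
+
 - name: Checkout repository
 uses: actions/checkout@v4
 with:
 fetch-depth: 0
-token: ${{ secrets.GITHUB_TOKEN }}
-
+token: ${{ steps.app-token.outputs.token }}
+persist-credentials: false
+
 - name: Mark git checkout as safe
 run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
-
+
 - name: Check if it's time for a release
 id: check_schedule
 run: |
@@ -39,29 +46,29 @@ jobs:
 echo "should_release=true" >> $GITHUB_OUTPUT
 exit 0
 fi
-
+
 START_DATE="2025-08-04" # start of a 3 week sprint
 START_TIMESTAMP=$(date -d "$START_DATE" +%s)
 CURRENT_TIMESTAMP=$(date +%s)
 # Add 12 hour buffer (43200 seconds) to account for scheduling delays
 ADJUSTED_TIMESTAMP=$((CURRENT_TIMESTAMP + 43200))
 DAYS_SINCE_START=$(( (ADJUSTED_TIMESTAMP - START_TIMESTAMP) / 86400 ))
 WEEKS_SINCE_START=$(( DAYS_SINCE_START / 7 ))
-
+
 echo "Days since start date ($START_DATE): $DAYS_SINCE_START"
 echo "Weeks since start date: $WEEKS_SINCE_START"
-
+
 # Release every 3 weeks
 if [ $WEEKS_SINCE_START -gt 0 ] && [ $((WEEKS_SINCE_START % 3)) -eq 0 ]; then
 echo "should_release=true" >> $GITHUB_OUTPUT
 else
 echo "should_release=false" >> $GITHUB_OUTPUT
 fi
-
+
 - name: Install deps
 if: steps.check_schedule.outputs.should_release == 'true'
 run: ./ci/installdeps.sh
-
+
 - name: Import GPG key
 if: steps.check_schedule.outputs.should_release == 'true'
 uses: crazy-max/ghaction-import-gpg@v6
@@ -71,8 +78,8 @@ jobs:
 git_user_signingkey: true
 git_commit_gpgsign: true
 git_tag_gpgsign: true
-
-- name: Create release commit
+
+- name: Generate release changes
 id: create_commit
 if: steps.check_schedule.outputs.should_release == 'true'
 env:
@@ -98,64 +105,31 @@ jobs:
 
 cargo update --workspace
 cargo xtask update-generated
-git commit -am "Release $VERSION"
 echo "VERSION=$VERSION" >> $GITHUB_OUTPUT
-
-- name: Create release branch
-if: steps.check_schedule.outputs.should_release == 'true'
-id: create_branch
-env:
-VERSION: ${{ steps.create_commit.outputs.VERSION }}
-run: |
-BRANCH_NAME="release-${VERSION}"
-git checkout -b "$BRANCH_NAME"
-echo "branch_name=$BRANCH_NAME" >> $GITHUB_OUTPUT
-
-- name: Push branch
-if: steps.check_schedule.outputs.should_release == 'true'
-env:
-BRANCH_NAME: ${{ steps.create_branch.outputs.branch_name }}
-run: |
-git push origin "${BRANCH_NAME}"
-
+
 - name: Create Pull Request
-if: steps.check_schedule.outputs.should_release == 'true'
-uses: actions/github-script@v7
+uses: peter-evans/create-pull-request@v7
 env:
 VERSION: ${{ steps.create_commit.outputs.VERSION }}
-BRANCH_NAME: ${{ steps.create_branch.outputs.branch_name }}
 with:
-script: |
-const version = process.env.VERSION;
-const branchName = process.env.BRANCH_NAME;
-
-const { data: pr } = await github.rest.pulls.create({
-owner: context.repo.owner,
-repo: context.repo.repo,
-title: `Release ${version}`,
-body: `## Release ${version}
-
+token: ${{ steps.app-token.outputs.token }}
+signoff: true
+sign-commits: true
+title: "Release ${{ env.VERSION }}"
+commit-message: "Release ${{ env.VERSION }}"
+branch: "release-${{ env.VERSION }}"
+delete-branch: true
+labels: release
+body: |
+## Release ${{ env.VERSION }}
+
 This is an automated release PR created by the scheduled release workflow.
-
+
 ### Release Process
-
+
 1. Review the changes in this PR
 2. Ensure all tests pass
 3. Merge the PR
 4. The release tag will be automatically created and signed when this PR is merged
-
-The release workflow will automatically trigger when the tag is pushed.`,
-head: branchName,
-base: 'main',
-draft: false
-});
-
-// Add the release label
-await github.rest.issues.addLabels({
-owner: context.repo.owner,
-repo: context.repo.repo,
-issue_number: pr.number,
-labels: ['release']
-});
-
-console.log(`Created PR #${pr.number}: ${pr.html_url}`);
+
+The release workflow will automatically trigger when the tag is pushed.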
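Review bot: The rewritten "Create Pull Request" step in the last hunk dropped the `if: steps.check_schedule.outputs.should_release == 'true'` guard that the old `github-script` step carried, while every other release step in this workflow still has it; on a non-release day the action now runs with `steps.create_commit.outputs.VERSION` unset, yielding `branch: "release-"` and `title: "Release "`. create-pull-request presumably does nothing when the tree is clean, but that depends on the action's behaviour rather than on the workflow, and it runs with the App token every time; restore the guard with `if: steps.check_schedule.outputs.should_release == 'true'` directly under `- name: Create Pull Request`. Note also that `sign-commits: true` makes the action create the commit through the GitHub API rather than with the GPG key imported earlier, so the "Import GPG key" step no longer appears to affect the PR commit — worth a comment on that step saying which signature the release commit actually carries. `peter-evans/create-pull-request@v7` is a new third-party dependency pinned to a mutable tag; since it receives the App token, pinning it to a full commit SHA is advisable.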
