Merge remote-tracking branch 'origin/main' into quenting/optional-email

Author: sandhose

.github/release.yml

@@ -0,0 +1,40 @@
+changelog:
+  categories:
+    - title: Bug Fixes
+      labels:
+        - T-Defect
+
+    - title: New Features
+      labels:
+        - T-Enhancement
+      exclude:
+        labels:
+          - A-Admin-API
+          - A-Documentation
+
+    - title: Changes to the admin API
+      labels:
+        - A-Admin-API
+
+    - title: Documentation
+      labels:
+        - A-Documentation
+
+    - title: Translations
+      labels:
+        - A-I18n
+
+    - title: Internal Changes
+      labels:
+        - T-Task
+
+    - title: Other Changes
+      labels:
+        - "*"
+      exclude:
+        labels:
+          - A-Dependencies
+
+    - title: Dependency Updates
+      labels:
+        - A-Dependencies

.github/workflows/build.yaml

@@ -115,7 +115,7 @@ jobs:
           done
 
       - name: Upload the artifacts
-        uses: actions/upload-artifact@v4.5.0
+        uses: actions/upload-artifact@v4.6.0
         with:
           name: binaries
           path: |
@@ -135,9 +135,6 @@ jobs:
       id-token: write
 
     steps:
-      - name: Checkout the code
-        uses: actions/[email protected]
-
       - name: Docker meta
         id: meta
         uses: docker/[email protected]
@@ -205,32 +202,28 @@ jobs:
       # For pull-requests, only read from the cache, do not try to push to the
       # cache or the image itself
       - name: Build
-        uses: docker/bake-action@v5.11.0
+        uses: docker/bake-action@v6.2.0
         if: github.event_name == 'pull_request'
         with:
           files: |
-            docker-bake.hcl
-            ${{ steps.meta.outputs.bake-file }}
-            ${{ steps.meta-debug.outputs.bake-file }}
-            ${{ steps.meta-syn2mas.outputs.bake-file }}
+            ./docker-bake.hcl
+            cwd://${{ steps.meta.outputs.bake-file }}
+            cwd://${{ steps.meta-debug.outputs.bake-file }}
+            cwd://${{ steps.meta-syn2mas.outputs.bake-file }}
           set: |
-            base.context=https://github.com/${{ github.repository }}.git#${{ github.ref }}
-            syn2mas.context=https://github.com/${{ github.repository }}.git#${{ github.ref }}:tools/syn2mas/
             base.cache-from=type=registry,ref=${{ env.BUILDCACHE }}:buildcache
 
       - name: Build and push
         id: bake
-        uses: docker/bake-action@v5.11.0
+        uses: docker/bake-action@v6.2.0
         if: github.event_name != 'pull_request'
         with:
           files: |
-            docker-bake.hcl
-            ${{ steps.meta.outputs.bake-file }}
-            ${{ steps.meta-debug.outputs.bake-file }}
-            ${{ steps.meta-syn2mas.outputs.bake-file }}
+            ./docker-bake.hcl
+            cwd://${{ steps.meta.outputs.bake-file }}
+            cwd://${{ steps.meta-debug.outputs.bake-file }}
+            cwd://${{ steps.meta-syn2mas.outputs.bake-file }}
           set: |
-            base.context=https://github.com/${{ github.repository }}.git#${{ github.ref }}
-            syn2mas.context=https://github.com/${{ github.repository }}.git#${{ github.ref }}:tools/syn2mas/
             base.output=type=image,push=true
             base.cache-from=type=registry,ref=${{ env.BUILDCACHE }}:buildcache
             base.cache-to=type=registry,ref=${{ env.BUILDCACHE }}:buildcache,mode=max
@@ -251,11 +244,16 @@ jobs:
           github.event_name != 'pull_request'
           && (startsWith(github.ref, 'refs/tags/v') || github.ref == 'refs/heads/main')
 
+        env:
+          REGULAR_DIGEST: ${{ steps.output.outputs.metadata && fromJSON(steps.output.outputs.metadata).regular.digest }}
+          DEBUG_DIGEST: ${{ steps.output.outputs.metadata && fromJSON(steps.output.outputs.metadata).debug.digest }}
+          SYN2MAS_DIGEST: ${{ steps.output.outputs.metadata && fromJSON(steps.output.outputs.metadata).syn2mas.digest }}
+
         run: |-
           cosign sign --yes \
-            "${{ env.IMAGE }}@${{ fromJSON(steps.output.outputs.metadata).regular.digest }}" \
-            "${{ env.IMAGE }}@${{ fromJSON(steps.output.outputs.metadata).debug.digest }}" \
-            "${{ env.IMAGE_SYN2MAS }}@${{ fromJSON(steps.output.outputs.metadata).syn2mas.digest }}"
+            "$IMAGE@$REGULAR_DIGEST" \
+            "$IMAGE@$DEBUG_DIGEST" \
+            "$IMAGE_SYN2MAS@$SYN2MAS_DIGEST"
 
   syn2mas:
     name: Release syn2mas on NPM
@@ -303,6 +301,7 @@ jobs:
       - name: Prepare a release
         uses: softprops/action-gh-release@v2
         with:
+          generate_release_notes: true
           body: |
             ### Docker image
 
@@ -346,3 +345,82 @@ jobs:
             artifacts/mas-cli-aarch64-linux.tar.gz
             artifacts/mas-cli-x86_64-linux.tar.gz
           draft: true
+
+  unstable:
+    name: Update the unstable release
+    runs-on: ubuntu-24.04
+    needs:
+      - build-binaries
+      - build-image
+    if: github.ref == 'refs/heads/main'
+
+    permissions:
+      contents: write
+
+    steps:
+      - name: Download the artifacts from the previous job
+        uses: actions/download-artifact@v4
+        with:
+          name: binaries
+          path: artifacts
+
+      - name: Update unstable git tag
+        uses: actions/[email protected]
+        with:
+          script: |
+            const [owner, repo] = process.env.GITHUB_REPOSITORY.split("/");
+            const sha = process.env.GITHUB_SHA;
+
+            const tag = await github.rest.git.updateRef({
+              owner,
+              repo,
+              force: true,
+              ref: 'tags/unstable',
+              sha,
+            });
+            console.log("Updated tag ref:", tag.data.url);
+
+      - name: Update unstable release
+        uses: softprops/action-gh-release@v2
+        with:
+          name: 'Unstable build'
+          tag_name: unstable
+          body: |
+            This is an automatically updated unstable release containing the latest builds from the main branch.
+
+            **⚠️ Warning: These are development builds and may be unstable.**
+
+            Last updated: ${{ github.event.head_commit.timestamp }}
+            Commit: ${{ github.sha }}
+
+            ### Docker image
+
+            Regular image:
+
+              - Digest:
+                ```
+                ${{ env.IMAGE }}@${{ fromJSON(needs.build-image.outputs.metadata).regular.digest }}
+                ```
+              - Tags:
+                ```
+                ${{ join(fromJSON(needs.build-image.outputs.metadata).regular.tags, '
+                ') }}
+                ```
+
+            Debug variant:
+
+              - Digest:
+                ```
+                ${{ env.IMAGE }}@${{ fromJSON(needs.build-image.outputs.metadata).debug.digest }}
+                ```
+              - Tags:
+                ```
+                ${{ join(fromJSON(needs.build-image.outputs.metadata).debug.tags, '
+                ') }}
+                ```
+
+          files: |
+            artifacts/mas-cli-aarch64-linux.tar.gz
+            artifacts/mas-cli-x86_64-linux.tar.gz
+          prerelease: true
+          make_latest: false

.github/workflows/ci.yaml

@@ -225,8 +225,8 @@ jobs:
 
       - name: Install toolchain
         run: |
-          rustup toolchain install 1.83.0
-          rustup default 1.83.0
+          rustup toolchain install 1.84.0
+          rustup default 1.84.0
           rustup component add clippy
 
       - name: Setup OPA
@@ -276,7 +276,7 @@ jobs:
           SQLX_OFFLINE: '1'
 
       - name: Upload archive to workflow
-        uses: actions/upload-artifact@v4.5.0
+        uses: actions/upload-artifact@v4.6.0
         with:
           name: nextest-archive
           path: nextest-archive.tar.zst

.github/workflows/coverage.yaml

@@ -36,7 +36,7 @@ jobs:
         run: make coverage
 
       - name: Upload to codecov.io
-        uses: codecov/[email protected].1
+        uses: codecov/[email protected].2
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
           files: policies/coverage.json
@@ -74,7 +74,7 @@ jobs:
         run: npm run coverage
 
       - name: Upload to codecov.io
-        uses: codecov/[email protected].1
+        uses: codecov/[email protected].2
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
           directory: frontend/coverage/
@@ -161,7 +161,7 @@ jobs:
           grcov . --binary-path ./target/debug/deps/ -s . -t lcov --branch --ignore-not-existing --ignore '../*' --ignore "/*" -o target/coverage/tests.lcov
 
       - name: Upload to codecov.io
-        uses: codecov/[email protected].1
+        uses: codecov/[email protected].2
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
           files: target/coverage/*.lcov

.github/workflows/release-branch.yaml

@@ -0,0 +1,104 @@
+name: Create a new release branch
+on:
+  workflow_dispatch:
+
+jobs:
+  compute-version:
+    name: Compute the next minor RC version
+    runs-on: ubuntu-22.04
+
+    permissions:
+      contents: read
+
+    outputs:
+      full: ${{ steps.next.outputs.version }}
+      short: ${{ steps.next.outputs.short }}
+
+    steps:
+      - name: Fail the workflow if this is not the main branch
+        if: ${{ github.ref_name != 'main' }}
+        run: exit 1
+
+      - name: Checkout the code
+        uses: actions/[email protected]
+
+      - name: Install Rust toolchain
+        run: |
+          rustup toolchain install stable
+          rustup default stable
+
+      - name: Compute the new minor RC
+        id: next
+        run: |
+          CURRENT_VERSION="$(cargo metadata --format-version 1 | jq -r '.packages[] | select(.name == "mas-cli") | .version')"
+          NEXT_VERSION="$(npx --yes [email protected] -i preminor --preid rc "${CURRENT_VERSION}")"
+          # compute the short minor version, e.g. 0.1.0-rc.1 -> 0.1
+          SHORT_VERSION="$(echo "${NEXT_VERSION}" | cut -d. -f1-2)"
+          echo "full=${NEXT_VERSION}" >> "$GITHUB_OUTPUT"
+          echo "short=${SHORT_VERSION}" >> "$GITHUB_OUTPUT"
+
+  localazy:
+    name: Create a new branch in Localazy
+    runs-on: ubuntu-22.04
+    needs: [compute-version]
+
+    permissions:
+      contents: read
+
+    steps:
+      - name: Checkout the code
+        uses: actions/[email protected]
+
+      - name: Install Node
+        uses: actions/[email protected]
+        with:
+          node-version: 20
+
+      - name: Install Localazy CLI
+        run: npm install -g @localazy/cli
+
+      - name: Create a new branch in Localazy
+        run: localazy branch -w "$LOCALAZY_WRITE_KEY" create main "$BRANCH"
+        env:
+          LOCALAZY_WRITE_KEY: ${{ secrets.LOCALAZY_WRITE_KEY }}
+          # Localazy doesn't like slashes in branch names, so we just use the short version
+          # For example, a 0.13.0 release will create a localazy branch named "v0.13" and a git branch named "release/v0.13"
+          BRANCH: v${{ needs.compute-version.outputs.short }}
+
+  tag:
+    uses: ./.github/workflows/tag.yaml
+    needs: [compute-version]
+    with:
+      version: ${{ needs.compute-version.outputs.full }}
+    secrets:
+      BOT_GITHUB_TOKEN: ${{ secrets.BOT_GITHUB_TOKEN }}
+
+  branch:
+    name: Create a new release branch
+    runs-on: ubuntu-22.04
+
+    permissions:
+      contents: write
+
+    needs: [tag, compute-version, localazy]
+    steps:
+      - name: Create a new release branch
+        uses: actions/[email protected]
+        env:
+          BRANCH: release/v${{ needs.compute-version.outputs.short }}
+          SHA: ${{ needs.tag.outputs.sha }}
+        with:
+          github-token: ${{ secrets.BOT_GITHUB_TOKEN }}
+          script: |
+            const [owner, repo] = process.env.GITHUB_REPOSITORY.split('/');
+            const branch = process.env.BRANCH;
+            const sha = process.env.SHA;
+            const ref = `heads/${branch}`;
+
+            await github.rest.git.createRef({
+              owner,
+              repo,
+              ref,
+              sha,
+            });
+            console.log(`Created branch ${branch} from ${sha}`);