Release v0.19.4 #3
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| name: Release Process | |
| on: | |
| push: | |
| branches: | |
| - start-release | |
| - check-release | |
| env: | |
| CARGO_TERM_COLOR: always | |
| jobs: | |
| check-release-branch: | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| filter: blob:none | |
| fetch-depth: 0 | |
| - name: Check Release Branch | |
| id: check-release | |
| run: | | |
| set -x | |
| release_version="$(cargo metadata --no-deps --format-version=1 | jq -r '.packages[0].version')" | |
| release_branch="${GITHUB_REF#refs/heads/}" | |
| release_tag="v${release_version}" | |
| commit_title="$(git show --pretty=format:%s --no-patch)" | |
| if [[ ! $release_version =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then | |
| echo "$release_version is not a release version" | |
| exit 1 | |
| elif [[ $commit_title != "Release $release_tag" ]]; then | |
| echo "'$commit_title' is not a release commit title" | |
| exit 1 | |
| fi | |
| git checkout main | |
| git merge --no-commit --ff-only "$release_branch" | |
| echo "release_version=$release_version" >> "$GITHUB_OUTPUT" | |
| echo "release_branch=$release_branch" >> "$GITHUB_OUTPUT" | |
| echo "release_tag=$release_tag" >> "$GITHUB_OUTPUT" | |
| outputs: | |
| release_version: ${{ steps.check-release.outputs.release_version }} | |
| release_branch: ${{ steps.check-release.outputs.release_branch }} | |
| release_tag: ${{ steps.check-release.outputs.release_tag }} | |
| run-deep-tests: | |
| needs: check-release-branch | |
| uses: ./.github/workflows/deep-tests.yml | |
| build-archives: | |
| needs: check-release-branch | |
| uses: ./.github/workflows/build-release-archives.yml | |
| permissions: | |
| contents: write | |
| id-token: write | |
| attestations: write | |
| merge-release: | |
| needs: | |
| - check-release-branch | |
| - run-deep-tests | |
| - build-archives | |
| runs-on: ubuntu-24.04 | |
| permissions: | |
| contents: write | |
| env: | |
| RELEASE_BRANCH: ${{ needs.check-release-branch.outputs.release_branch }} | |
| RELEASE_TAG: ${{ needs.check-release-branch.outputs.release_tag }} | |
| GPG_KEY_ID: ${{ vars.GPG_KEY_ID }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| filter: blob:none | |
| fetch-depth: 0 | |
| - name: Import Signing Key | |
| run: gpg --batch --import <<< "$GPG_PRIVATE_KEY" | |
| env: | |
| GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }} | |
| - name: Merge Release | |
| run: | | |
| set -x | |
| git config --global user.name "github-actions[bot]" | |
| git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com" | |
| git tag -asu "$GPG_KEY_ID" -m "$RELEASE_TAG" "$RELEASE_TAG" | |
| git checkout main | |
| git merge --ff-only "$RELEASE_BRANCH" | |
| # So far, none of the intermediate state of the release should be exposed | |
| # outside of the GitHub workflow. | |
| # | |
| # THIS STEP IS THE POINT OF NO RETURN. | |
| # IT IS THE ATOMIC MOMENT AT WHICH THE RELEASE OCCURS, | |
| # AFTER WHICH IT CANNOT BE REVOKED. | |
| # | |
| # Any failures after this point MUST be possible to recover from manually. | |
| # For example, the GitHub release can be cut by hand using archives uploaded | |
| # to the workflow run, and the crate can be published from a local checkout | |
| # of the tag. | |
| - name: Push Release | |
| if: ${{ github.ref == 'refs/heads/start-release' }} | |
| run: git push --atomic origin main "$RELEASE_TAG" :"$RELEASE_BRANCH" | |
| create-github-release: | |
| if: ${{ github.ref == 'refs/heads/start-release' }} | |
| needs: | |
| - check-release-branch | |
| - build-archives | |
| - merge-release | |
| runs-on: ubuntu-24.04 | |
| permissions: | |
| contents: write | |
| steps: | |
| - name: Download Artifacts | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: release | |
| - name: List Artifacts | |
| run: ls -lR | |
| - name: Create Release | |
| uses: softprops/action-gh-release@v2 | |
| with: | |
| tag_name: ${{ needs.check-release-branch.outputs.release_tag }} | |
| files: | | |
| xt-*.tar.gz | |
| SHA256SUMS | |
| body: >- | |
| **[See the xt CHANGELOG][changelog] for release information.** | |
| Binary releases of xt are available for Linux and macOS as | |
| attachments to this GitHub Release. They are statically linked (on | |
| Linux), or link only to the platform's standard libraries (on macOS). | |
| Before using them, review the [Installation][install] section of the | |
| xt README. Your platform may support a more robust installation | |
| mechanism. | |
| [changelog]: https://github.com/ahamlinman/xt/blob/main/CHANGELOG.md | |
| [install]: https://github.com/ahamlinman/xt?tab=readme-ov-file#installation | |
| publish-crate: | |
| if: ${{ github.ref == 'refs/heads/start-release' }} | |
| needs: merge-release | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Download Toolchain | |
| run: | | |
| rustup set profile minimal | |
| rustup toolchain install stable | |
| rustup default stable | |
| rustc --version | |
| - name: Publish | |
| run: cargo publish | |
| env: | |
| CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }} |