release #34
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: release | |
| on: | |
| workflow_dispatch: | |
| push: | |
| branches: | |
| - main | |
| paths: | |
| - lib/hooks/version.rb | |
| permissions: {} | |
| jobs: | |
| build: | |
| if: github.repository == 'github/hooks' | |
| permissions: | |
| contents: read | |
| runs-on: ubuntu-latest | |
| outputs: | |
| artifact-id: ${{ steps.upload-artifact.outputs.artifact-id }} | |
| gem_name: ${{ steps.build.outputs.gem_name }} | |
| gem_version: ${{ steps.build.outputs.gem_version }} | |
| gem_path: ${{ steps.build.outputs.gem_path }} | |
| artifact_dir: ${{ steps.build.outputs.artifact_dir }} | |
| steps: | |
| - name: checkout | |
| uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # [email protected] | |
| with: | |
| persist-credentials: false | |
| - uses: ruby/setup-ruby@ab177d40ee5483edb974554986f56b33477e21d0 # [email protected] | |
| with: | |
| bundler-cache: false | |
| - name: bootstrap | |
| run: script/bootstrap | |
| # IMPORTANT: this step MUST export for the following outputs: | |
| # gem_name: the name of the gem - ex: "my-cool-gem" | |
| # gem_version: the version of the gem - ex: "1.0.0" | |
| # gem_path: the path/filename of the gem - ex: "my-cool-gem-1.0.0.gem" | |
| # artifact_dir: the path to the dir where artifacts are stored - ex: "dist" | |
| - name: build | |
| id: build | |
| run: script/build | |
| - name: upload artifact | |
| uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # [email protected] | |
| id: upload-artifact | |
| with: | |
| name: ${{ steps.build.outputs.artifact_dir }} | |
| path: ${{ steps.build.outputs.artifact_dir }} | |
| if-no-files-found: error | |
| release: | |
| needs: build | |
| environment: release | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: write | |
| packages: write | |
| id-token: write | |
| steps: | |
| - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # [email protected] | |
| with: | |
| persist-credentials: false | |
| - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # [email protected] | |
| with: | |
| artifact-ids: ${{ needs.build.outputs.artifact-id }} | |
| path: ${{ needs.build.outputs.artifact_dir }} | |
| - name: view artifact | |
| env: | |
| ARTIFACT_PATH: ${{ needs.build.outputs.artifact_dir }} | |
| run: tree -L 2 -a --dirsfirst -C -F -h -D "${ARTIFACT_PATH}" | |
| - name: Publish to GitHub Packages | |
| env: | |
| OWNER: ${{ github.repository_owner }} | |
| GEM_NAME: ${{ needs.build.outputs.gem_name }} | |
| GEM_VERSION: ${{ needs.build.outputs.gem_version }} | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| ARTIFACT_PATH: ${{ needs.build.outputs.artifact_dir }} | |
| run: | | |
| GEM_HOST_API_KEY=${GITHUB_TOKEN} gem push --key github --host https://rubygems.pkg.github.com/${OWNER} $ARTIFACT_PATH/${GEM_NAME}-${GEM_VERSION}.gem | |
| - uses: ruby/setup-ruby@ab177d40ee5483edb974554986f56b33477e21d0 # [email protected] | |
| with: | |
| bundler-cache: false | |
| - name: bootstrap | |
| run: script/bootstrap | |
| - name: Configure RubyGems Credentials | |
| uses: rubygems/configure-rubygems-credentials@23d6a54ecc9cbcdfeab01a03a15a7deabe34efc0 # pin@main | |
| - name: sign ruby gem | |
| env: | |
| GEM_NAME: ${{ needs.build.outputs.gem_name }} | |
| GEM_VERSION: ${{ needs.build.outputs.gem_version }} | |
| ARTIFACT_PATH: ${{ needs.build.outputs.artifact_dir }} | |
| run: bundle exec sigstore-cli sign ${ARTIFACT_PATH}/${GEM_NAME}-${GEM_VERSION}.gem --bundle ${GEM_NAME}-${GEM_VERSION}.sigstore.json | |
| - name: Publish to RubyGems | |
| env: | |
| GEM_NAME: ${{ needs.build.outputs.gem_name }} | |
| GEM_VERSION: ${{ needs.build.outputs.gem_version }} | |
| ARTIFACT_PATH: ${{ needs.build.outputs.artifact_dir }} | |
| run: gem push ${ARTIFACT_PATH}/${GEM_NAME}-${GEM_VERSION}.gem --attestation ${GEM_NAME}-${GEM_VERSION}.sigstore.json | |
| - name: await gem | |
| env: | |
| GEM_NAME: ${{ needs.build.outputs.gem_name }} | |
| GEM_VERSION: ${{ needs.build.outputs.gem_version }} | |
| run: bundle exec rubygems-await "${GEM_NAME}:${GEM_VERSION}" --timeout 300 | |
| - name: GitHub Release | |
| env: | |
| GEM_NAME: ${{ needs.build.outputs.gem_name }} | |
| GEM_VERSION: ${{ needs.build.outputs.gem_version }} | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| ARTIFACT_PATH: ${{ needs.build.outputs.artifact_dir }} | |
| run: | | |
| gh release create "v${GEM_VERSION}" \ | |
| "${ARTIFACT_PATH}/${GEM_NAME}-${GEM_VERSION}.gem" \ | |
| "${GEM_NAME}-${GEM_VERSION}.sigstore.json" \ | |
| --title "v${GEM_VERSION}" \ | |
| --generate-notes | |
| sign: | |
| needs: [build, release] | |
| runs-on: ubuntu-latest | |
| permissions: | |
| id-token: write | |
| attestations: write | |
| contents: read | |
| steps: | |
| - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # [email protected] | |
| with: | |
| path: ${{ needs.build.outputs.artifact_dir }} | |
| artifact-ids: ${{ needs.build.outputs.artifact-id }} | |
| - name: attest build provenance | |
| uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # [email protected] | |
| with: | |
| subject-path: "${{ needs.build.outputs.artifact_dir }}/${{ needs.build.outputs.gem_path }}" | |
| verify: | |
| permissions: {} | |
| needs: [build, release, sign] | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # [email protected] | |
| with: | |
| path: ${{ needs.build.outputs.artifact_dir }} | |
| artifact-ids: ${{ needs.build.outputs.artifact-id }} | |
| - name: verify | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| OWNER: ${{ github.repository_owner }} | |
| REPO: ${{ github.event.repository.name }} | |
| ARTIFACT_PATH: "${{ needs.build.outputs.artifact_dir }}/${{ needs.build.outputs.gem_path }}" | |
| run: gh attestation verify "$ARTIFACT_PATH" --repo ${OWNER}/${REPO} --signer-workflow ${OWNER}/${REPO}/.github/workflows/release.yml |