Skip to content

Commit 6f36059

Browse files
austinvalleaustinvalle
authored
Update release workflow to work with new branch protections (#269)
1 parent 4d06167 commit 6f36059

File tree

1 file changed

+26
-14
lines changed

1 file changed

+26
-14
lines changed

.github/workflows/release.yml

Lines changed: 26 additions & 14 deletions
Original file line numberDiff line numberDiff line change
@@ -8,16 +8,13 @@ on:
88
type: string
99
required: true
1010

11+
permissions:
12+
contents: read # Changelog commit operations use service account PAT
13+
1114
env:
1215
CI_COMMIT_AUTHOR: hc-github-team-tf-provider-devex
1316
CI_COMMIT_EMAIL: [email protected]
1417

15-
permissions:
16-
# Allow creating GitHub release
17-
contents: write
18-
# Allow closing associated milestone
19-
issues: write
20-
2118
jobs:
2219
changelog-version:
2320
runs-on: ubuntu-latest
@@ -26,6 +23,7 @@ jobs:
2623
steps:
2724
- id: changelog-version
2825
run: echo "version=$(echo "${{ inputs.versionNumber }}" | cut -c 2-)" >> "$GITHUB_OUTPUT"
26+
2927
changelog:
3028
needs: changelog-version
3129
runs-on: ubuntu-latest
@@ -34,27 +32,27 @@ jobs:
3432
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
3533
with:
3634
fetch-depth: 0
35+
# Avoid persisting GITHUB_TOKEN credentials as they take priority over our service account PAT for `git push` operations
36+
# More details: https://github.com/actions/checkout/blob/b4626ce19ce1106186ddf9bb20e706842f11a7c3/adrs/0153-checkout-v2.md#persist-credentials
37+
persist-credentials: false
3738
- name: Batch changes
3839
uses: miniscruff/changie-action@b6d52c80deb236a5b548f8774cd5a18b87da9e9a # v1.0.1
3940
with:
4041
version: latest
4142
args: batch ${{ needs.changelog-version.outputs.version }}
42-
env:
43-
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
4443
- name: Merge changes
4544
uses: miniscruff/changie-action@b6d52c80deb236a5b548f8774cd5a18b87da9e9a # v1.0.1
4645
with:
4746
version: latest
4847
args: merge
49-
env:
50-
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
5148
- name: Git push changelog
5249
run: |
5350
git config --global user.name "${{ env.CI_COMMIT_AUTHOR }}"
5451
git config --global user.email "${{ env.CI_COMMIT_EMAIL }}"
5552
git add .
5653
git commit -a -m "Update changelog"
57-
git push
54+
git push "https://${{ env.CI_COMMIT_AUTHOR }}:${{ secrets.TF_DEVEX_COMMIT_GITHUB_TOKEN }}@github.com/${{ github.repository }}.git"
55+
5856
release-tag:
5957
needs: changelog
6058
runs-on: ubuntu-latest
@@ -63,30 +61,44 @@ jobs:
6361
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
6462
with:
6563
fetch-depth: 0
64+
# Default input is the SHA that initially triggered the workflow. As we created a new commit in the previous job,
65+
# to ensure we get the latest commit we use the ref for checkout: 'refs/heads/<branch_name>'
66+
ref: ${{ github.ref }}
67+
# Avoid persisting GITHUB_TOKEN credentials as they take priority over our service account PAT for `git push` operations
68+
# More details: https://github.com/actions/checkout/blob/b4626ce19ce1106186ddf9bb20e706842f11a7c3/adrs/0153-checkout-v2.md#persist-credentials
69+
persist-credentials: false
70+
6671
- name: Git push release tag
6772
run: |
6873
git config --global user.name "${{ env.CI_COMMIT_AUTHOR }}"
6974
git config --global user.email "${{ env.CI_COMMIT_EMAIL }}"
70-
git pull
75+
7176
git tag "${{ inputs.versionNumber }}"
72-
git push origin "${{ inputs.versionNumber }}"
77+
git push "https://${{ env.CI_COMMIT_AUTHOR }}:${{ secrets.TF_DEVEX_COMMIT_GITHUB_TOKEN }}@github.com/${{ github.repository }}.git" "${{ inputs.versionNumber }}"
78+
7379
goreleaser:
7480
needs: [ changelog-version, changelog, release-tag ]
7581
runs-on: ubuntu-latest
82+
permissions:
83+
contents: write # Needed for goreleaser to create GitHub release
84+
issues: write # Needed for goreleaser to close associated milestone
7685
steps:
7786
- uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
7887
with:
7988
ref: ${{ inputs.versionNumber }}
8089
fetch-depth: 0
90+
8191
- uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
8292
with:
8393
go-version-file: 'go.mod'
94+
8495
- name: Generate Release Notes
8596
run: |
8697
cd .changes
8798
sed -e "1{/# /d;}" -e "2{/^$/d;}" ${{ needs.changelog-version.outputs.version }}.md > /tmp/release-notes.txt
99+
88100
- uses: goreleaser/goreleaser-action@f82d6c1c344bcacabba2c841718984797f664a6b # v4.2.0
89101
env:
90102
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
91103
with:
92-
args: release --release-notes /tmp/release-notes.txt --rm-dist
104+
args: release --release-notes /tmp/release-notes.txt --clean

0 commit comments

Comments
 (0)