88 type : string
99 required : true
1010
11+ permissions :
12+ contents : read # Changelog commit operations use service account PAT
13+
1114env :
1215 CI_COMMIT_AUTHOR : hc-github-team-tf-provider-devex
1316 CI_COMMIT_EMAIL :
[email protected] 1417
15- permissions :
16- contents : write
17-
1818jobs :
1919 changelog-version :
2020 runs-on : ubuntu-latest
2323 steps :
2424 - id : changelog-version
2525 run : echo "version=$(echo "${{ inputs.versionNumber }}" | cut -c 2-)" >> "$GITHUB_OUTPUT"
26+
2627 changelog :
2728 needs : changelog-version
2829 runs-on : ubuntu-latest
@@ -31,27 +32,30 @@ jobs:
3132 uses : actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
3233 with :
3334 fetch-depth : 0
35+ # Avoid persisting GITHUB_TOKEN credentials as they take priority over our service account PAT for `git push` operations
36+ # More details: https://github.com/actions/checkout/blob/b4626ce19ce1106186ddf9bb20e706842f11a7c3/adrs/0153-checkout-v2.md#persist-credentials
37+ persist-credentials : false
38+
3439 - name : Batch changes
3540 uses : miniscruff/changie-action@b6d52c80deb236a5b548f8774cd5a18b87da9e9a # v1.0.1
3641 with :
3742 version : latest
3843 args : batch ${{ needs.changelog-version.outputs.version }}
39- env :
40- GITHUB_TOKEN : ${{ secrets.GITHUB_TOKEN }}
44+
4145 - name : Merge changes
4246 uses : miniscruff/changie-action@b6d52c80deb236a5b548f8774cd5a18b87da9e9a # v1.0.1
4347 with :
4448 version : latest
4549 args : merge
46- env :
47- GITHUB_TOKEN : ${{ secrets.GITHUB_TOKEN }}
50+
4851 - name : Git push changelog
4952 run : |
5053 git config --global user.name "${{ env.CI_COMMIT_AUTHOR }}"
5154 git config --global user.email "${{ env.CI_COMMIT_EMAIL }}"
5255 git add .
5356 git commit -a -m "Update changelog"
54- git push
57+ git push "https://${{ env.CI_COMMIT_AUTHOR }}:${{ secrets.TF_DEVEX_COMMIT_GITHUB_TOKEN }}@github.com/${{ github.repository }}.git"
58+
5559release-tag :
5660 needs : changelog
5761 runs-on : ubuntu-latest
@@ -60,13 +64,21 @@ jobs:
6064 uses : actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
6165 with :
6266 fetch-depth : 0
67+ # Default input is the SHA that initially triggered the workflow. As we created a new commit in the previous job,
68+ # to ensure we get the latest commit we use the ref for checkout: 'refs/heads/<branch_name>'
69+ ref : ${{ github.ref }}
70+ # Avoid persisting GITHUB_TOKEN credentials as they take priority over our service account PAT for `git push` operations
71+ # More details: https://github.com/actions/checkout/blob/b4626ce19ce1106186ddf9bb20e706842f11a7c3/adrs/0153-checkout-v2.md#persist-credentials
72+ persist-credentials : false
73+
6374 - name : Git push release tag
6475 run : |
6576 git config --global user.name "${{ env.CI_COMMIT_AUTHOR }}"
6677 git config --global user.email "${{ env.CI_COMMIT_EMAIL }}"
67- git pull
78+
6879 git tag "${{ inputs.versionNumber }}"
69- git push origin "${{ inputs.versionNumber }}"
80+ git push "https://${{ env.CI_COMMIT_AUTHOR }}:${{ secrets.TF_DEVEX_COMMIT_GITHUB_TOKEN }}@github.com/${{ github.repository }}.git" "${{ inputs.versionNumber }}"
81+
7082release-notes :
7183 needs : [ changelog-version, changelog, release-tag ]
7284 runs-on : ubuntu-latest
@@ -75,18 +87,23 @@ jobs:
7587 with :
7688 ref : ${{ inputs.versionNumber }}
7789 fetch-depth : 0
90+
7891 - name : Generate Release Notes
7992 run : |
8093 cd .changes
8194 sed -e "1{/# /d;}" -e "2{/^$/d;}" ${{ needs.changelog-version.outputs.version }}.md > release-notes.txt
95+
8296uses : actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
8397 with :
8498 name : release-notes
8599 path : ./.changes/release-notes.txt
86100 retention-days : 1
101+
87102 terraform-provider-release :
88103 name : ' Terraform Provider Release'
89104 needs : [ release-notes ]
105+ permissions :
106+ contents : write # Needed for goreleaser to create GitHub release
90107 uses : hashicorp/ghaction-terraform-provider-release/.github/workflows/hashicorp.yml@01981baad5d35ce2342924e60ae91cf69fe31fd0 # v2.3.0
91108 secrets :
92109 hc-releases-key-prod : ' ${{ secrets.HC_RELEASES_KEY_PROD }}'
0 commit comments