👷 CI: 修复 Release 权限错误 (#2381)

yanyongyu · web-flow · commit f77dc523e65a · 2023-10-01T15:15:32.000+08:00
diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml
@@ -59,6 +59,9 @@ jobs:
   release:
     if: startsWith(github.ref, 'refs/tags/')
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: write
     steps:
       - name: Generate token
         id: generate-token
@@ -78,39 +81,53 @@ jobs:
       - name: Build API Doc
         uses: ./.github/actions/build-api-doc
 
-      - run: |
-          echo "TAG_NAME=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
+      - name: Get Version
+        id: version
+        run: |
+          echo "VERSION=$(poetry version -s)" >> $GITHUB_OUTPUT
+          echo "TAG_VERSION=${GITHUB_REF#refs/tags/v}" >> $GITHUB_OUTPUT
+          echo "TAG_NAME=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT
+
+      - name: Check Version
+        if: steps.version.outputs.VERSION != steps.version.outputs.TAG_VERSION
+        run: exit 1
 
       - uses: release-drafter/release-drafter@v5
         with:
-          name: Release ${{ env.TAG_NAME }} 🌈
-          tag: ${{ env.TAG_NAME }}
+          name: Release ${{ steps.version.outputs.TAG_NAME }} 🌈
+          tag: ${{ steps.version.outputs.TAG_NAME }}
           publish: true
         env:
           GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
 
-      - name: Build and Publish Package
+      - name: Build Package
         run: |
           poetry build
-          gh release upload --clobber ${{ env.TAG_NAME }} dist/*.tar.gz dist/*.whl
-        env:
-          GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
 
       - name: Publish package to PyPI
         uses: pypa/gh-action-pypi-publish@release/v1
 
+      - name: Publish package to GitHub
+        run: |
+          gh release upload --clobber ${{ steps.version.outputs.TAG_NAME }} dist/*.tar.gz dist/*.whl
+        env:
+          GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
+
       - name: Build and Publish Doc Package
         run: |
           yarn build:plugin --out-dir ../packages/nonebot-plugin-docs/nonebot_plugin_docs/dist
-          export NONEBOT_VERSION=`poetry version -s`
           cd packages/nonebot-plugin-docs/
-          poetry version $NONEBOT_VERSION
+          poetry version ${{ steps.version.outputs.VERSION }}
           poetry build
-          gh release upload --clobber ${{ env.TAG_NAME }} dist/*.tar.gz dist/*.whl
-        env:
-          GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
 
       - name: Publish Doc Package to PyPI
         uses: pypa/gh-action-pypi-publish@release/v1
         with:
           packages-dir: packages/nonebot-plugin-docs/
+
+      - name: Publish Doc Package to GitHub
+        run: |
+          cd packages/nonebot-plugin-docs/
+          gh release upload --clobber ${{ steps.version.outputs.TAG_NAME }} dist/*.tar.gz dist/*.whl
+        env:
+          GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
