Merge pull request #497 from asgrim/491-filter-draft-releases-when-fe… #34
---
# Release workflow: triggered by a tag push, it builds the PHAR, opens a
# draft release, attaches the verified PHAR and builds the Docker image.
name: 'Publish a draft release with PHAR attached'

on:
  push:
    tags:
      - "*"

# Workflow-level default for the GITHUB_TOKEN is read-only; every job below
# declares its own permissions block and widens it only where commented.
permissions:
  contents: read
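jobs:
  # Builds the PHAR via the reusable workflow.
  build-phar:
    # See build-phar.yml for a list of the permissions and why they are needed
    permissions:
      contents: read
      id-token: write
      attestations: write
    uses: ./.github/workflows/build-phar.yml

  # Creates the draft release for the pushed tag once the PHAR has been built.
  create-draft-release:
    runs-on: ubuntu-latest
    needs:
      - build-phar
    permissions:
      # contents:write is required to create the draft release
      contents: write
    steps:
      # NOTE(review): actions in this file are referenced by mutable tag
      # (@v4, @v6). Pinning each to a full commit SHA would stop a re-pointed
      # tag from running inside jobs that hold contents:write.
      - uses: actions/checkout@v4
        with:
          fetch-tags: 'true'
          ref: ${{ github.ref }}
          # The later steps authenticate through GH_TOKEN, so the token does
          # not need to stay in the checked-out repository's git config.
          persist-credentials: false

      # The changelog is generated locally using jwage/changelog-generator and
      # that forms the signed tag body. The `--notes-from-tag` option below
      # will copy the release notes from the tag so it will contain the changelog
      # Note we must create a *draft* release first, to allow attaching assets
      # before the release is finalised when using immutable releases.
      - name: Create draft release from tag
        env:
          GH_TOKEN: ${{ github.token }}
          # The tag name is passed as an environment variable instead of
          # being expanded into the script text, so the shell treats it
          # strictly as data and never as part of the command line.
          RELEASE_TAG: ${{ github.ref_name }}
        run: gh release create "$RELEASE_TAG" --title "$RELEASE_TAG" --draft --notes-from-tag

  # Downloads the built PHAR, verifies its attestation and attaches it to the
  # draft release.
  release-phar:
    runs-on: ubuntu-latest
    needs:
      - create-draft-release
    permissions:
      # contents:write is required to upload the binaries to the release.
      contents: write
    steps:
      - uses: actions/checkout@v4
        with:
          # gh authenticates through GH_TOKEN; do not leave the token in the
          # local git config of a job that holds contents:write.
          persist-credentials: false

      - name: Fetch built PHAR from artifacts
        uses: actions/download-artifact@v6
        with:
          name: pie-${{ github.sha }}.phar

      # Verification gates the upload: a failure here stops the job before
      # the asset is attached.
      # NOTE(review): the check is scoped to the repository only. Consider
      # also constraining the signer (gh attestation verify supports
      # --signer-workflow) so that only attestations produced by the build
      # workflow are accepted; confirm the expected identity first.
      - name: Verify the PHAR
        env:
          GH_TOKEN: ${{ github.token }}
        # GITHUB_REPOSITORY is the runner-provided equivalent of
        # github.repository; using it keeps expressions out of the script.
        run: gh attestation verify pie.phar --repo "$GITHUB_REPOSITORY"

      # Once the PHAR has been attached to the release, it is ready for review
      # before publishing it. Note that if immutable releases are enabled,
      # the tag, pre-release/latest release flag, and all assets become
      # immutable, so checking this over is a manual exercise.
      # More info: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/immutable-releases
      - name: Attach an asset to the draft release
        env:
          GH_TOKEN: ${{ github.token }}
          # Passed through the environment for the same reason as in the
          # draft-release step: the tag name must never become script text.
          RELEASE_TAG: ${{ github.ref_name }}
        # --clobber replaces an existing asset of the same name on the draft.
        run: gh release upload "$RELEASE_TAG" "pie.phar" --clobber

  # Builds and pushes the Docker image via the reusable workflow.
  build-and-push-docker-image:
    if: ${{ startsWith(github.ref, 'refs/tags/') }}
    needs: build-phar
    # See build-and-push-docker-image.yml for a list of the permissions and why they are needed
    permissions:
      contents: read
      id-token: write
      attestations: write
      packages: write
    uses: ./.github/workflows/build-and-push-docker-image.yml
    with:
      # @TODO v1.0 Consider introducing more granular tags (major and major.minor)
      # @see https://github.com/php/pie/pull/122#pullrequestreview-2477496308
      # @see https://github.com/php/pie/pull/122#discussion_r1867331273
      # The first line yields the raw `bin` tag only when the ref contains
      # none of 'alpha', 'beta' or 'rc'; otherwise it is an empty line.
      tags: |
        ${{ ((!contains(github.ref, 'alpha') && !contains(github.ref, 'beta') && !contains(github.ref, 'rc')) && 'type=raw,value=bin') || '' }}
        type=semver,pattern={{version}}-bin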