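# Release pipeline, triggered by any tag push:
#   build-assets (reusable workflow) -> create-draft-release -> attach-release-assets
#   build-assets (reusable workflow) -> build-and-push-docker-image
# Assets are attestation-verified before they are attached to the draft release.
name: "Publish a draft release with assets attached"

on:
  push:
    tags:
      - '*'

permissions:
  contents: read

jobs:
  build-assets:
    # See build-assets.yml for a list of the permissions and why they are needed
    permissions:
      contents: read
      id-token: write
      attestations: write
    uses: ./.github/workflows/build-assets.yml

  create-draft-release:
    runs-on: ubuntu-latest
    needs:
      - build-assets
    permissions:
      # contents:write is required to create the draft release
      contents: write
    steps:
      # TODO(review): consider pinning third-party actions (here and in the
      # other jobs) to a full commit SHA instead of a mutable major tag, so a
      # moved tag cannot change what runs in a release job.
      - uses: actions/checkout@v6
        with:
          fetch-tags: 'true'
          ref: ${{ github.ref }}
      # The changelog is generated locally using jwage/changelog-generator and
      # that forms the signed tag body. The `--notes-from-tag` option below
      # will copy the release notes from the tag so it will contain the changelog
      # Note we must create a *draft* release first, to allow attaching assets
      # before the release is finalised when using immutable releases.
      - name: Create draft release from tag
        env:
          GH_TOKEN: ${{ github.token }}
          # The tag name is handed to the script through the environment rather
          # than expanded inline: a ref name may contain shell metacharacters,
          # and an environment variable is not re-parsed by the shell.
          TAG_NAME: ${{ github.ref_name }}
        run: gh release create "$TAG_NAME" --title "$TAG_NAME" --draft --notes-from-tag

  attach-release-assets:
    runs-on: ubuntu-latest
    needs:
      - create-draft-release
    permissions:
      # contents:write is required to upload the binaries to the release.
      contents: write
    steps:
      - uses: actions/checkout@v6
      - name: Fetch built PHAR from artifacts
        uses: actions/download-artifact@v8
        with:
          name: pie-${{ github.sha }}.phar
      - name: Fetch the executable PIEs from artifacts
        uses: actions/download-artifact@v8
        with:
          path: executable-pie-binaries
          pattern: pie-${{ github.sha }}-*.bin
          merge-multiple: true
      # Every downloaded asset must pass attestation verification before any of
      # them is attached to the release. A plain `find -exec ... \;` is avoided
      # here on purpose: find exits 0 even when the executed command fails, so a
      # binary that failed verification would not fail the step. The step runs
      # under `bash -e`, so the first failing `gh attestation verify` fails it.
      # NOTE(review): as with the original find, an empty binaries directory is
      # tolerated (nothing to verify) — confirm that is the intended behaviour.
      - name: Verify the PHAR and binaries
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          gh attestation verify pie.phar --repo "${{ github.repository }}"
          shopt -s nullglob
          for binary in executable-pie-binaries/*; do
            [ -f "$binary" ] || continue
            gh attestation verify "$binary" --repo "${{ github.repository }}"
          done
      # Once the PHAR and binaries have been attached to the release, it is
      # ready for review before publishing it. Note that if immutable releases
      # are enabled, the tag, pre-release/latest release flag, and all assets
      # become immutable, so checking this over is a manual exercise.
      # More info: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/immutable-releases
      - name: Attach the assets to the draft release
        env:
          GH_TOKEN: ${{ github.token }}
          # See create-draft-release: the ref name goes through the environment.
          TAG_NAME: ${{ github.ref_name }}
        # Same loop shape as the verification step so that a failed upload
        # fails the job instead of being swallowed by `find -exec`.
        run: |
          gh release upload "$TAG_NAME" "pie.phar" --clobber
          shopt -s nullglob
          for binary in executable-pie-binaries/*; do
            [ -f "$binary" ] || continue
            gh release upload "$TAG_NAME" "$binary" --clobber
          done

  build-and-push-docker-image:
    if: ${{ startsWith(github.ref, 'refs/tags/') }}
    needs:
      - build-assets
    # See build-and-push-docker-image.yml for a list of the permissions and why they are needed
    permissions:
      contents: read
      id-token: write
      attestations: write
      packages: write
    uses: ./.github/workflows/build-and-push-docker-image.yml
    with:
      # @TODO v1.0 Consider introducing more granular tags (major and major.minor)
      # @see https://github.com/php/pie/pull/122#pullrequestreview-2477496308
      # @see https://github.com/php/pie/pull/122#discussion_r1867331273
      tags: |
        ${{ ((!contains(github.ref, 'alpha') && !contains(github.ref, 'beta') && !contains(github.ref, 'rc')) && 'type=raw,value=bin') || '' }}
        type=semver,pattern={{version}},suffix=-bin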