-
Notifications
You must be signed in to change notification settings - Fork 635
204 lines (172 loc) · 8.54 KB
/
release.yml
File metadata and controls
204 lines (172 loc) · 8.54 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
name: Release
on:
push:
branches:
- master
- release/*
permissions:
contents: write
pull-requests: write
packages: write
id-token: write
jobs:
release_please:
runs-on: ubuntu-latest
permissions:
contents: write
pull-requests: write
id-token: write
outputs:
MAIN_RELEASE_VERSION: ${{ steps.versions.outputs.MAIN_RELEASE_VERSION }}
RELEASE_VERSION: ${{ steps.versions.outputs.RELEASE_VERSION }}
RELEASE_CANDIDATE: ${{ steps.versions.outputs.RELEASE_CANDIDATE }}
RELEASE_NAME: ${{ steps.versions.outputs.RELEASE_NAME }}
steps:
- uses: googleapis/release-please-action@v4
id: release
with:
release-type: go
target-branch: ${{ github.ref_name }}
- uses: actions/checkout@v4
if: ${{ steps.release.outputs.release_created == 'true' || steps.release.outputs.prs_created == 'true' }}
with:
fetch-depth: 0
- if: ${{ steps.release.outputs.release_created == 'true' || steps.release.outputs.prs_created == 'true' }}
id: versions
run: |
set -ex
RELEASE_CANDIDATE=true
NOT_RELEASE_CANDIDATE='${{ steps.release.outputs.release_created }}'
if [ "$NOT_RELEASE_CANDIDATE" == "true" ]
then
RELEASE_CANDIDATE=false
fi
MAIN_RELEASE_VERSION=x
RELEASE_VERSION=y
if [ "$RELEASE_CANDIDATE" == "true" ]
then
# Release please doesn't tell you the candidate version when it
# creates the PR, so we have to take it from the title.
MAIN_RELEASE_VERSION=$(node -e "console.log('${{ steps.release.outputs.pr && fromJSON(steps.release.outputs.pr).title }}'.split(' ').reverse().find(x => x.match(/[0-9]+[.][0-9]+[.][0-9]+/)))")
# Use git describe tags to identify the number of commits the branch
# is ahead of the most recent non-release-candidate tag, which is
# part of the rc.<commits> value.
RELEASE_VERSION=$MAIN_RELEASE_VERSION-rc.$(node -e "console.log('$(git describe --tags --exclude rc*)'.split('-')[1])")
# release-please only ignores releases that have a form like [A-Z0-9]<version>, so prefixing with rc<version>
RELEASE_NAME="rc$RELEASE_VERSION"
else
MAIN_RELEASE_VERSION=${{ steps.release.outputs.major }}.${{ steps.release.outputs.minor }}.${{ steps.release.outputs.patch }}
RELEASE_VERSION="$MAIN_RELEASE_VERSION"
RELEASE_NAME="v$RELEASE_VERSION"
fi
echo "MAIN_RELEASE_VERSION=${MAIN_RELEASE_VERSION}" >> "${GITHUB_ENV}"
echo "RELEASE_VERSION=${RELEASE_VERSION}" >> "${GITHUB_ENV}"
echo "RELEASE_CANDIDATE=${RELEASE_CANDIDATE}" >> "${GITHUB_ENV}"
echo "RELEASE_NAME=${RELEASE_NAME}" >> "${GITHUB_ENV}"
echo "MAIN_RELEASE_VERSION=${MAIN_RELEASE_VERSION}" >> "${GITHUB_OUTPUT}"
echo "RELEASE_VERSION=${RELEASE_VERSION}" >> "${GITHUB_OUTPUT}"
echo "RELEASE_CANDIDATE=${RELEASE_CANDIDATE}" >> "${GITHUB_OUTPUT}"
echo "RELEASE_NAME=${RELEASE_NAME}" >> "${GITHUB_OUTPUT}"
- uses: actions/setup-go@v5
if: ${{ steps.release.outputs.release_created == 'true' || steps.release.outputs.prs_created == 'true' }}
with:
go-version-file: go.mod
- name: Build release artifacts
if: ${{ steps.release.outputs.release_created == 'true' || steps.release.outputs.prs_created == 'true' }}
run: |
set -ex
RELEASE_VERSION=$RELEASE_VERSION make deps
RELEASE_VERSION=$RELEASE_VERSION make all build-strip
ln -s auth gotrue
tar -czvf auth-v$RELEASE_VERSION-x86.tar.gz auth gotrue migrations/
mv auth-arm64 auth
tar -czvf auth-v$RELEASE_VERSION-arm64.tar.gz auth gotrue migrations/
mv auth-arm64-strip auth
tar -cf - auth gotrue migrations/ | xz -T0 -9e -C crc64 > auth-v$RELEASE_VERSION-arm64.tar.xz
- name: Generate checksums
if: ${{ steps.release.outputs.release_created == 'true' || steps.release.outputs.prs_created == 'true' }}
run: |
set -ex
# Function to generate checksums for a specific hash type
generate_checksums() {
local hash_type=$1
local hash_cmd=$2
echo "### ${hash_type}" >> checksums.txt
for file in auth-v$RELEASE_VERSION*.tar.{gz,xz}; do
echo "\`$file\`:" >> checksums.txt
echo "\`\`\`" >> checksums.txt
$hash_cmd "$file" | awk '{print $1}' >> checksums.txt
echo "\`\`\`" >> checksums.txt
echo "" >> checksums.txt
done
}
# Generate the checksum file to be appended to the release notes later
echo "## Checksums" > checksums.txt
generate_checksums "SHA1" "sha1sum"
generate_checksums "SHA256" "sha256sum"
- name: GitHub OIDC Auth
if: ${{ steps.release.outputs.release_created == 'true' || steps.release.outputs.prs_created == 'true' }}
uses: aws-actions/configure-aws-credentials@v4.1.0
with:
aws-region: ap-southeast-1
role-to-assume: arn:aws:iam::${{ secrets.SHARED_SERVICES_AWS_ACCOUNT_ID }}:role/supabase-github-oidc-role
role-session-name: shared-services-jump
- name: Assume destination role
uses: aws-actions/configure-aws-credentials@v4.1.0
if: ${{ steps.release.outputs.release_created == 'true' || steps.release.outputs.prs_created == 'true' }}
with:
aws-region: ap-southeast-1
role-to-assume: arn:aws:iam::${{ secrets.SHARED_SERVICES_AWS_ACCOUNT_ID }}:role/supabase-auth-artifacts-role-7656c95
role-skip-session-tagging: true
role-session-name: upload-assets
role-chaining: true
- name: Upload release artifacts
if: ${{ steps.release.outputs.release_created == 'true' || steps.release.outputs.prs_created == 'true' }}
run: |
set -ex
if [ "$RELEASE_CANDIDATE" == "true" ]
then
PR_NUMBER='${{ steps.release.outputs.pr && fromJSON(steps.release.outputs.pr).number }}'
CHECKSUM_CONTENT=$(cat checksums.txt)
RELEASE_NOTES=$(printf "This is a release candidate. See release-please PR #%s for context.\n\n%s\n" "$PR_NUMBER" "$CHECKSUM_CONTENT")
GH_TOKEN='${{ github.token }}' gh release \
create $RELEASE_NAME \
--title "v$RELEASE_VERSION" \
--prerelease \
-n "$RELEASE_NOTES"
GH_TOKEN='${{ github.token }}' gh pr comment "$PR_NUMBER" \
-b "Release candidate [v$RELEASE_VERSION](https://github.com/supabase/gotrue/releases/tag/$RELEASE_NAME) published."
else
if [ "$GITHUB_REF" == "refs/heads/main" ] || [ "$GITHUB_REF" == "refs/heads/master" ]
then
IS_PATCH_ZERO=$(node -e "console.log('$RELEASE_VERSION'.endsWith('.0'))")
if [ "$IS_PATCH_ZERO" == "true" ]
then
# Only create release branch if patch version is 0, as this
# means that the release can be patched in the future.
GH_TOKEN='${{ github.token }}' gh api \
--method POST \
-H "Accept: application/vnd.github+json" \
-H "X-GitHub-Api-Version: 2022-11-28" \
/repos/supabase/gotrue/git/refs \
-f "ref=refs/heads/release/${RELEASE_VERSION}" \
-f "sha=$GITHUB_SHA"
fi
fi
fi
# Append checksums to existing release notes
EXISTING_NOTES=$(GH_TOKEN='${{ github.token }}' gh release view $RELEASE_NAME --json body -q .body)
CHECKSUM_CONTENT=$(cat checksums.txt)
FULL_NOTES=$(printf "%s\n\n%s\n" "$EXISTING_NOTES" "$CHECKSUM_CONTENT")
GH_TOKEN='${{ github.token }}' gh release edit $RELEASE_NAME -n "$FULL_NOTES"
GH_TOKEN='${{ github.token }}' gh release upload $RELEASE_NAME ./auth-v$RELEASE_VERSION-x86.tar.gz ./auth-v$RELEASE_VERSION-arm64.tar.gz ./auth-v$RELEASE_VERSION-arm64.tar.xz
# Upload to Supabase internal bucket
aws s3 cp ./auth-v$RELEASE_VERSION-arm64.tar.xz s3://supabase-internal-artifacts/auth/$RELEASE_VERSION/
publish:
needs:
- release_please
if: ${{ success() && needs.release_please.outputs.RELEASE_VERSION }}
uses: ./.github/workflows/publish.yml
secrets: inherit
with:
version: ${{ needs.release_please.outputs.RELEASE_VERSION }}