Release #3
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Release | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| tag: | |
| description: "The version to release (e.g., '20250414')." | |
| type: string | |
| sha: | |
| description: "The full SHA of the commit to be released (e.g., 'd09ff921d92d6da8d8a608eaa850dc8c0f638194')." | |
| type: string | |
| dry-run: | |
| description: "Dry run? Tests the release process without publishing." | |
| default: false | |
| required: false | |
| type: boolean | |
| env: | |
| FORCE_COLOR: 1 | |
| permissions: | |
| contents: write | |
| packages: write | |
| # Permissions used for actions/attest-build-provenance | |
| id-token: write | |
| attestations: write | |
| jobs: | |
| release: | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| submodules: recursive | |
| - uses: extractions/setup-just@dd310ad5a97d8e7b41793f8ef055398d51ad4de6 # v2 | |
| # Perform a release in dry-run mode. | |
| - run: just release-dry-run ${{ secrets.GITHUB_TOKEN }} ${{ github.event.inputs.sha }} ${{ github.event.inputs.tag }} | |
| if: ${{ github.event.inputs.dry-run == 'true' }} | |
| # Set our identity for git operations (on the latest-release branch). | |
| - name: Configure Git identity | |
| if: ${{ github.event.inputs.dry-run == 'false' }} | |
| run: | | |
| git config --global user.name "$GITHUB_ACTOR" | |
| git config --global user.email "[email protected]" | |
| # Fetch the commit so that it exists locally. | |
| - name: Fetch commit | |
| if: ${{ github.event.inputs.dry-run == 'false' }} | |
| run: git fetch origin ${{ github.event.inputs.sha }} | |
| # Associate the commit with the tag. | |
| - name: Create tag | |
| if: ${{ github.event.inputs.dry-run == 'false' }} | |
| run: git tag ${{ github.event.inputs.tag }} ${{ github.event.inputs.sha }} | |
| # Push the tag to GitHub. | |
| - name: Push tag | |
| if: ${{ github.event.inputs.dry-run == 'false' }} | |
| run: git push origin ${{ github.event.inputs.tag }} | |
| # Create a GitHub release. | |
| - name: Create GitHub Release | |
| if: ${{ github.event.inputs.dry-run == 'false' }} | |
| run: just release-create ${{ github.event.inputs.tag }} | |
| # Uploading the relevant artifact to the GitHub release. | |
| - run: just release-run ${{ secrets.GITHUB_TOKEN }} ${{ github.event.inputs.sha }} ${{ github.event.inputs.tag }} | |
| if: ${{ github.event.inputs.dry-run == 'false' }} | |
| # We filter by *.tar.@(zst|gz) since actions/attest-build-provenance only supports up to 1024 subjects | |
| - name: Generate attestations | |
| uses: actions/attest-build-provenance@v2 | |
| if: ${{ github.event.inputs.dry-run == 'false' }} | |
| with: | |
| subject-path: | | |
| dist/*.tar.gz | |
| dist/*.tar.zst |