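# Release pipeline built on TrigenSoftware/simple-release-action. The `check` job
# reports which workflow applies, and exactly one of `pull-request` / `release`
# then runs, gated on `needs.check.outputs.workflow`.
name: Release
on:
  # NOTE(review): `issue_comment` fires for any account allowed to comment, and the
  # `check` job mints a GitHub App token on every such event. Checkout takes no
  # `ref`, so for comment events the code comes from the default branch, but who
  # may drive a release by comment is decided entirely inside the action's
  # `check` workflow. Confirm that it authorizes the commenter.
  issue_comment:
    types: [created, deleted]
  push:
    branches:
      - main
concurrency:
  group: release-${{ github.ref_name }}
  cancel-in-progress: false
# Deny-by-default for GITHUB_TOKEN; each job re-grants only what it declares.
# This does not limit the App installation token minted in the jobs below.
permissions: {}
env:
  ARCHGATE_TELEMETRY: "0"
  # Opt into Node.js 24 for all actions — TrigenSoftware/simple-release-action
  # still declares `using: node20` and GitHub will force Node 24 on June 16, 2026.
  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
jobs:
  check:
    runs-on: ubuntu-latest
    timeout-minutes: 10
    name: Context check
    permissions:
      contents: read
    outputs:
      continue: ${{ steps.check.outputs.continue }}
      workflow: ${{ steps.check.outputs.workflow }}
    steps:
      # NOTE(review): no `permission-*` inputs are passed, so this token carries
      # every permission granted to the App installation, even though the job's
      # GITHUB_TOKEN is read-only. Narrow it to what the check workflow needs.
      # NOTE(review): the secret is named GH_APP_APP_ID but is passed as
      # `client-id`; confirm it holds the App's Client ID.
      - name: Generate token
        id: generate_token
        uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3
        with:
          client-id: ${{ secrets.GH_APP_APP_ID }}
          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
      # NOTE(review): checkout stores the supplied token in the local git config
      # by default, so `bun install` lifecycle scripts and later steps can read
      # it. If the check workflow never pushes, set `persist-credentials: false`
      # here. Confirm against simple-release-action before changing.
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          token: ${{ steps.generate_token.outputs.token }}
      - uses: moonrepo/setup-toolchain@261c62cb5b0f580c7be7c8cd0f023a2e96756095 # v0
        with:
          auto-install: true
          cache: true
          cache-base: main
      - name: Restore Bun Package Cache
        id: restore-bun-cache
        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
        with:
          path: /home/runner/.bun/install/cache
          key: bun-packages-${{ runner.os }}-v1-${{ hashFiles('bun.lock') }}
      - name: Install dependencies
        run: bun install --frozen-lockfile
      - name: Context check
        id: check
        uses: TrigenSoftware/simple-release-action@e7293dad843693d8692d443c3f21b78338048f13 # v1.1.8
        with:
          workflow: check
          github-token: ${{ steps.generate_token.outputs.token }}
          branch: release

  pull-request:
    runs-on: ubuntu-latest
    timeout-minutes: 10
    name: Pull request
    permissions:
      contents: read
    needs: check
    if: needs.check.outputs.workflow == 'pull-request'
    steps:
      # Use a GitHub App installation token (not GITHUB_TOKEN) so the push to the
      # release branch triggers downstream `pull_request` events on the release PR.
      # GITHUB_TOKEN-authored pushes are intentionally muted by GitHub to prevent
      # workflow recursion — that mute is what causes release PRs to land without
      # the required `Validate Code` / `Lint, Test & Check` / `DCO Sign-off Check`
      # status checks attached to the PR ref. With an App token, the synchronize
      # event fires naturally and code-pull-request.yml + dco.yml run against
      # refs/pull/N/head, producing checks that branch protection accepts.
      - name: Generate token
        id: generate_token
        uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3
        with:
          client-id: ${{ secrets.GH_APP_APP_ID }}
          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          token: ${{ steps.generate_token.outputs.token }}
      - uses: moonrepo/setup-toolchain@261c62cb5b0f580c7be7c8cd0f023a2e96756095 # v0
        with:
          auto-install: true
          cache: true
          cache-base: main
      - name: Restore Bun Package Cache
        id: restore-bun-cache
        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
        with:
          path: /home/runner/.bun/install/cache
          key: bun-packages-${{ runner.os }}-v1-${{ hashFiles('bun.lock') }}
      - name: Install dependencies
        run: bun install --frozen-lockfile
      # The hook appends a Signed-off-by trailer from the git identity configured
      # at commit time, unless the message already carries one.
      - name: Install DCO sign-off hook
        run: |
          mkdir -p .git/hooks
          cat > .git/hooks/prepare-commit-msg << 'HOOK'
          #!/bin/sh
          # Append DCO Signed-off-by trailer to release commits
          if ! grep -qi "^Signed-off-by:" "$1"; then
            name=$(git config user.name)
            email=$(git config user.email)
            echo "" >> "$1"
            echo "Signed-off-by: $name <$email>" >> "$1"
          fi
          HOOK
          chmod +x .git/hooks/prepare-commit-msg
      - name: Create or update pull request
        uses: TrigenSoftware/simple-release-action@e7293dad843693d8692d443c3f21b78338048f13 # v1.1.8
        with:
          workflow: pull-request
          github-token: ${{ steps.generate_token.outputs.token }}
          branch: release

  release:
    runs-on: ubuntu-latest
    timeout-minutes: 10
    name: Release
    permissions:
      contents: write
      # Lets the job request an OIDC token; presumably required for the npm
      # provenance enabled via NPM_CONFIG_PROVENANCE on the Release step.
      id-token: write
    needs: check
    if: needs.check.outputs.workflow == 'release'
    steps:
      - name: Generate token
        id: generate_token
        uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3
        with:
          client-id: ${{ secrets.GH_APP_APP_ID }}
          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          token: ${{ steps.generate_token.outputs.token }}
      # NOTE(review): this job produces the published release, so the restored
      # toolchain and Bun package caches are inputs to it. `--frozen-lockfile`
      # pins versions; confirm cached contents are integrity-checked on install,
      # or skip cache restore in this job.
      - uses: moonrepo/setup-toolchain@261c62cb5b0f580c7be7c8cd0f023a2e96756095 # v0
        with:
          auto-install: true
          cache: true
          cache-base: main
      - name: Restore Bun Package Cache
        id: restore-bun-cache
        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
        with:
          path: /home/runner/.bun/install/cache
          key: bun-packages-${{ runner.os }}-v1-${{ hashFiles('bun.lock') }}
      - name: Install dependencies
        run: bun install --frozen-lockfile
      - name: Validate
        id: validate
        run: bun run validate
      - name: Release
        uses: TrigenSoftware/simple-release-action@e7293dad843693d8692d443c3f21b78338048f13 # v1.1.8
        with:
          workflow: release
          github-token: ${{ steps.generate_token.outputs.token }}
          branch: release
        env:
          NPM_CONFIG_PROVENANCE: "true"
      # Best-effort telemetry: `continue-on-error` keeps a PostHog failure from
      # failing a release that has already been published.
      # NOTE(review): confirm the personal API key is scoped as narrowly as
      # PostHog allows; this step only creates an annotation.
      - name: Annotate release in PostHog
        if: success()
        continue-on-error: true
        env:
          POSTHOG_PERSONAL_API_KEY: ${{ secrets.POSTHOG_PERSONAL_API_KEY }}
          POSTHOG_PROJECT_ID: ${{ vars.POSTHOG_PROJECT_ID }}
        run: |
          set -euo pipefail
          if [ -z "${POSTHOG_PERSONAL_API_KEY:-}" ] || [ -z "${POSTHOG_PROJECT_ID:-}" ]; then
            echo "::notice::Skipping PostHog annotation — POSTHOG_PERSONAL_API_KEY or POSTHOG_PROJECT_ID not configured"
            exit 0
          fi
          version=$(jq -r .version package.json)
          # Build the body with jq so each value is JSON-escaped instead of being
          # spliced into a hand-written JSON string.
          payload=$(jq -n \
            --arg content "v${version}" \
            --arg date_marker "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
            '{content: $content, date_marker: $date_marker, scope: "project", creation_type: "GIT"}')
          curl -fsS -X POST "https://eu.posthog.com/api/projects/${POSTHOG_PROJECT_ID}/annotations/" \
            -H "Authorization: Bearer ${POSTHOG_PERSONAL_API_KEY}" \
            -H "Content-Type: application/json" \
            -d "${payload}"
          echo "::notice::PostHog annotation created for v${version}"
      # Saved only after validation passed and only when the restore step missed,
      # so an existing cache entry is never rewritten.
      - name: Save Bun Cache
        uses: actions/cache/save@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
        if: steps.validate.outcome == 'success' && steps.restore-bun-cache.outputs.cache-hit != 'true'
        with:
          path: /home/runner/.bun/install/cache
          key: ${{ steps.restore-bun-cache.outputs.cache-primary-key }}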