-
Notifications
You must be signed in to change notification settings - Fork 47
ci: extract prepare-release workflow to release-tools #2499
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -23,126 +23,13 @@ concurrency: | |
| group: prepare-release-${{ github.ref_name }} | ||
| cancel-in-progress: true | ||
|
|
||
| env: | ||
| CARGO_TERM_COLOR: always | ||
|
|
||
| jobs: | ||
| prepare: | ||
| if: github.repository_owner == 'guacsec' | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: write | ||
| pull-requests: write | ||
|
|
||
| steps: | ||
| - uses: actions/checkout@v4 | ||
|
|
||
| - name: Check permissions | ||
| env: | ||
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| run: | | ||
| PERMISSION=$(gh api "repos/${{ github.repository }}/collaborators/${{ github.actor }}/permission" --jq '.permission') | ||
| if [[ "$PERMISSION" != "admin" && "$PERMISSION" != "maintain" ]]; then | ||
| echo "::error::Only maintainers can trigger this workflow. Your permission level: $PERMISSION" | ||
| exit 1 | ||
| fi | ||
|
|
||
| - name: Validate bump type for release branches | ||
| run: | | ||
| REF="${{ github.ref_name }}" | ||
| BUMP="${{ inputs.bump }}" | ||
| OVERRIDE="${{ inputs.version-override }}" | ||
|
|
||
| if [[ "$REF" != release/* ]]; then | ||
| exit 0 | ||
| fi | ||
|
|
||
| if [[ -z "$OVERRIDE" && "$BUMP" == "minor" ]]; then | ||
| echo "::error::Cannot use 'minor' bump on a release branch. Only alpha, beta, rc, and patch are allowed." | ||
| exit 1 | ||
| fi | ||
|
|
||
| if [[ -n "$OVERRIDE" ]]; then | ||
| CURRENT_VERSION=$(grep -m1 '^version = ' Cargo.toml | sed 's/version = "\(.*\)"/\1/') | ||
| CURRENT_MINOR=$(echo "$CURRENT_VERSION" | cut -d. -f2) | ||
| OVERRIDE_MINOR=$(echo "$OVERRIDE" | cut -d. -f2) | ||
| if [[ "$CURRENT_MINOR" != "$OVERRIDE_MINOR" ]]; then | ||
| echo "::error::Version override changes minor version ($CURRENT_MINOR -> $OVERRIDE_MINOR), which is not allowed on release branches." | ||
| exit 1 | ||
| fi | ||
| fi | ||
|
|
||
| - name: Generate GitHub App token | ||
| id: app-token | ||
| uses: actions/create-github-app-token@v2 | ||
| with: | ||
| app-id: ${{ vars.TRUSTIFICATION_BOT_ID }} | ||
| private-key: ${{ secrets.TRUSTIFICATION_BOT_KEY }} | ||
|
|
||
| - uses: Swatinem/rust-cache@v2 | ||
|
|
||
| - name: Install cargo-binstall | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| uses: taiki-e/install-action@v2 | ||
| with: | ||
| tool: cargo-binstall | ||
|
|
||
| - name: Install cargo-release | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| run: cargo binstall -y cargo-release | ||
|
|
||
| - name: Bump version | ||
| run: | | ||
| VERSION_ARG="${{ inputs.version-override || inputs.bump }}" | ||
| echo "Bumping version with: $VERSION_ARG" | ||
| cargo release version "${VERSION_ARG}" -x | ||
|
|
||
| - name: Determine new version | ||
| id: version | ||
| run: | | ||
| VERSION=$(grep -m1 '^version = ' Cargo.toml | sed 's/version = "\(.*\)"/\1/') | ||
| echo "version=${VERSION}" >> "$GITHUB_OUTPUT" | ||
| echo "New version: ${VERSION}" | ||
|
|
||
| - name: Update dependencies | ||
| run: cargo update | ||
|
|
||
| - name: Regenerate schemas | ||
| run: cargo xtask generate-schemas | ||
|
|
||
| - name: Regenerate OpenAPI spec | ||
| run: cargo xtask openapi | ||
|
|
||
| - name: Create branch, commit, and push | ||
| env: | ||
| GH_TOKEN: ${{ steps.app-token.outputs.token }} | ||
| run: | | ||
| VERSION="${{ steps.version.outputs.version }}" | ||
|
|
||
| git config user.name "trustification-ci-bot[bot]" | ||
| git config user.email "199085543+trustification-ci-bot[bot]@users.noreply.github.com" | ||
| git checkout -b "prepare/${VERSION}" | ||
| git add -A | ||
| git commit -m "chore: prepare release ${VERSION}" | ||
| git remote set-url origin "https://x-access-token:${GH_TOKEN}@github.com/${{ github.repository }}.git" | ||
| git push origin "prepare/${VERSION}" | ||
|
|
||
| - name: Create pull request | ||
| env: | ||
| GH_TOKEN: ${{ steps.app-token.outputs.token }} | ||
| run: | | ||
| VERSION="${{ steps.version.outputs.version }}" | ||
| BASE="${{ github.ref_name }}" | ||
|
|
||
| gh pr create \ | ||
| --title "chore: prepare release ${VERSION}" \ | ||
| --body "Automated release preparation: | ||
|
|
||
| - Bumped workspace version to \`${VERSION}\` | ||
| - Updated dependencies (\`cargo update\`) | ||
| - Regenerated schemas and OpenAPI spec | ||
|
|
||
| After merging, follow [RELEASE.md](https://github.com/guacsec/trustify/blob/main/RELEASE.md) for tagging." \ | ||
| --base "${BASE}" | ||
| secrets: inherit | ||
| uses: guacsec/trustify-release-tools/.github/workflows/prepare-release.yaml@main | ||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🚨 suggestion (security): Referencing the reusable workflow at Relying on Suggested implementation: Replace |
||
| with: | ||
| bump: ${{ inputs.bump }} | ||
| version-override: ${{ inputs.version-override }} | ||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🚨 suggestion (security): Using
secrets: inheritfor an external reusable workflow may broaden secret exposure unnecessarily.This setup exposes every secret available to this workflow to
guacsec/trustify-release-tools. If that workflow doesn’t require all of them, restrict exposure by explicitly listing only the needed secrets in the caller and/or the reusable workflow to align with least-privilege principles.Suggested implementation:
guacsec/trustify-release-toolsactually needs (e.g.GITHUB_TOKEN,RELEASE_BOT_PAT, etc.) and remove any unused entries from thesecrets:mapping above.${{ secrets.* }}values from this repository.