Skip to content
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
123 changes: 5 additions & 118 deletions .github/workflows/prepare-release.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -23,126 +23,13 @@ concurrency:
group: prepare-release-${{ github.ref_name }}
cancel-in-progress: true

env:
CARGO_TERM_COLOR: always

jobs:
prepare:
if: github.repository_owner == 'guacsec'
runs-on: ubuntu-latest
permissions:
contents: write
pull-requests: write

steps:
- uses: actions/checkout@v4

- name: Check permissions
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
PERMISSION=$(gh api "repos/${{ github.repository }}/collaborators/${{ github.actor }}/permission" --jq '.permission')
if [[ "$PERMISSION" != "admin" && "$PERMISSION" != "maintain" ]]; then
echo "::error::Only maintainers can trigger this workflow. Your permission level: $PERMISSION"
exit 1
fi

- name: Validate bump type for release branches
run: |
REF="${{ github.ref_name }}"
BUMP="${{ inputs.bump }}"
OVERRIDE="${{ inputs.version-override }}"

if [[ "$REF" != release/* ]]; then
exit 0
fi

if [[ -z "$OVERRIDE" && "$BUMP" == "minor" ]]; then
echo "::error::Cannot use 'minor' bump on a release branch. Only alpha, beta, rc, and patch are allowed."
exit 1
fi

if [[ -n "$OVERRIDE" ]]; then
CURRENT_VERSION=$(grep -m1 '^version = ' Cargo.toml | sed 's/version = "\(.*\)"/\1/')
CURRENT_MINOR=$(echo "$CURRENT_VERSION" | cut -d. -f2)
OVERRIDE_MINOR=$(echo "$OVERRIDE" | cut -d. -f2)
if [[ "$CURRENT_MINOR" != "$OVERRIDE_MINOR" ]]; then
echo "::error::Version override changes minor version ($CURRENT_MINOR -> $OVERRIDE_MINOR), which is not allowed on release branches."
exit 1
fi
fi

- name: Generate GitHub App token
id: app-token
uses: actions/create-github-app-token@v2
with:
app-id: ${{ vars.TRUSTIFICATION_BOT_ID }}
private-key: ${{ secrets.TRUSTIFICATION_BOT_KEY }}

- uses: Swatinem/rust-cache@v2

- name: Install cargo-binstall
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
uses: taiki-e/install-action@v2
with:
tool: cargo-binstall

- name: Install cargo-release
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: cargo binstall -y cargo-release

- name: Bump version
run: |
VERSION_ARG="${{ inputs.version-override || inputs.bump }}"
echo "Bumping version with: $VERSION_ARG"
cargo release version "${VERSION_ARG}" -x

- name: Determine new version
id: version
run: |
VERSION=$(grep -m1 '^version = ' Cargo.toml | sed 's/version = "\(.*\)"/\1/')
echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
echo "New version: ${VERSION}"

- name: Update dependencies
run: cargo update

- name: Regenerate schemas
run: cargo xtask generate-schemas

- name: Regenerate OpenAPI spec
run: cargo xtask openapi

- name: Create branch, commit, and push
env:
GH_TOKEN: ${{ steps.app-token.outputs.token }}
run: |
VERSION="${{ steps.version.outputs.version }}"

git config user.name "trustification-ci-bot[bot]"
git config user.email "199085543+trustification-ci-bot[bot]@users.noreply.github.com"
git checkout -b "prepare/${VERSION}"
git add -A
git commit -m "chore: prepare release ${VERSION}"
git remote set-url origin "https://x-access-token:${GH_TOKEN}@github.com/${{ github.repository }}.git"
git push origin "prepare/${VERSION}"

- name: Create pull request
env:
GH_TOKEN: ${{ steps.app-token.outputs.token }}
run: |
VERSION="${{ steps.version.outputs.version }}"
BASE="${{ github.ref_name }}"

gh pr create \
--title "chore: prepare release ${VERSION}" \
--body "Automated release preparation:

- Bumped workspace version to \`${VERSION}\`
- Updated dependencies (\`cargo update\`)
- Regenerated schemas and OpenAPI spec

After merging, follow [RELEASE.md](https://github.com/guacsec/trustify/blob/main/RELEASE.md) for tagging." \
--base "${BASE}"
secrets: inherit

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚨 suggestion (security): Using secrets: inherit for an external reusable workflow may broaden secret exposure unnecessarily.

This setup exposes every secret available to this workflow to guacsec/trustify-release-tools. If that workflow doesn’t require all of them, restrict exposure by explicitly listing only the needed secrets in the caller and/or the reusable workflow to align with least-privilege principles.

Suggested implementation:

    uses: guacsec/trustify-release-tools/.github/workflows/prepare-release.yaml@main
    secrets:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      # Add other explicitly required secrets below, e.g.:
      # RELEASE_BOT_PAT: ${{ secrets.RELEASE_BOT_PAT }}
    with:

  1. Confirm which secrets the reusable workflow in guacsec/trustify-release-tools actually needs (e.g. GITHUB_TOKEN, RELEASE_BOT_PAT, etc.) and remove any unused entries from the secrets: mapping above.
  2. If the reusable workflow expects secrets under different names, adjust the keys (left side) to match those expected input names and map them to the appropriate ${{ secrets.* }} values from this repository.

uses: guacsec/trustify-release-tools/.github/workflows/prepare-release.yaml@main

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚨 suggestion (security): Referencing the reusable workflow at @main can introduce instability and security risk vs pinning to a specific ref.

Relying on @main allows upstream changes in guacsec/trustify-release-tools to silently change this workflow’s behavior. To keep releases reproducible and improve supply-chain security, please pin this to a specific tag or commit SHA (e.g., @vX.Y.Z or @<sha>) and update only when you intentionally adopt changes.

Suggested implementation:

    # Pin to a specific ref (tag or commit SHA) for reproducibility and supply-chain security.
    # Update this ref intentionally when adopting changes from guacsec/trustify-release-tools.
    uses: guacsec/trustify-release-tools/.github/workflows/prepare-release.yaml@vX.Y.Z

Replace @vX.Y.Z with the actual tag or commit SHA you want to pin to in guacsec/trustify-release-tools.
If your project has a release policy or existing pinned refs elsewhere, align this value with that policy (for example, use the latest stable release tag from that repository).

with:
bump: ${{ inputs.bump }}
version-override: ${{ inputs.version-override }}
Loading