Release #71
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Release | |
| on: | |
| schedule: | |
| - cron: '0 0 * * 1' # every Monday at 00:00 UTC | |
| workflow_dispatch: | |
| jobs: | |
| release: | |
| name: Release | |
| runs-on: ubuntu-latest | |
| # https://docs.github.com/en/actions/reference/authentication-in-a-workflow | |
| permissions: | |
| id-token: write | |
| contents: write | |
| steps: | |
| - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 | |
| with: | |
| egress-policy: audit | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: Check if any changes since last release | |
| id: check | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| git fetch --tags | |
| TAG=$(git tag --points-at HEAD) | |
| if [ -z "$TAG" ]; then | |
| echo "No tag points at HEAD, so we need a new tag and then a new release." | |
| echo "need_release=yes" >> $GITHUB_OUTPUT | |
| else | |
| RELEASE=$(gh release view "$TAG" --json tagName --jq '.tagName' || echo "none") | |
| if [ "$RELEASE" == "$TAG" ]; then | |
| echo "A release exists for tag $TAG, which has the latest changes, so no need for a new tag or release." | |
| echo "need_release=no" >> $GITHUB_OUTPUT | |
| else | |
| echo "Tag $TAG exists, but no release is associated. Need a new release." | |
| echo "need_release=yes" >> $GITHUB_OUTPUT | |
| echo "existing_tag=$TAG" >> $GITHUB_OUTPUT | |
| fi | |
| fi | |
| - name: Bump version and push tag | |
| id: create_tag | |
| uses: mathieudutour/github-tag-action@a22cf08638b34d5badda920f9daf6e72c477b07b # v6.2 | |
| if: steps.check.outputs.need_release == 'yes' && steps.check.outputs.existing_tag == '' | |
| with: | |
| github_token: ${{ secrets.GITHUB_TOKEN }} | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| if: steps.check.outputs.need_release == 'yes' | |
| with: | |
| ref: ${{ steps.check.outputs.existing_tag || steps.create_tag.outputs.new_tag }} | |
| - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 | |
| if: steps.check.outputs.need_release == 'yes' | |
| with: | |
| go-version-file: './go.mod' | |
| check-latest: true | |
| # Cosign is used by goreleaser to sign release artifacts. | |
| - uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0 | |
| if: steps.check.outputs.need_release == 'yes' | |
| - uses: goreleaser/goreleaser-action@9ed2f89a662bf1735a48bc8557fd212fa902bebf # v6.1.0 | |
| if: steps.check.outputs.need_release == 'yes' | |
| with: | |
| version: latest | |
| install-only: true | |
| # Federate to create a token to authenticate with the homebrew-tap repository. | |
| - uses: octo-sts/action@6177b4481c00308b3839969c3eca88c96a91775f # v1.0.0 | |
| if: steps.check.outputs.need_release == 'yes' | |
| id: octo-sts | |
| with: | |
| scope: chainguard-dev/homebrew-tap | |
| identity: melange | |
| - name: Release | |
| if: steps.check.outputs.need_release == 'yes' | |
| run: make release | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| HOMEBREW_TAP_GITHUB_TOKEN: ${{ steps.octo-sts.outputs.token }} | |
| TAG: ${{ steps.check.outputs.existing_tag || steps.create_tag.outputs.new_tag }} |