release #85
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: release | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| publish: | |
| type: boolean | |
| description: Publish Release | |
| default: false | |
| tag: | |
| type: string | |
| description: Tag Name | |
| required: true | |
| previous-tag: | |
| type: string | |
| description: Previous Tag Name | |
| default: '' # GoReleaser will detect the previous tag if not specified | |
| jobs: | |
| goreleaser: | |
| runs-on: ubuntu-latest | |
| concurrency: | |
| group: release-${{ github.ref }} | |
| permissions: | |
| contents: write | |
| env: | |
| flags: '' | |
| tag: ${{ inputs.tag || github.ref_name }} | |
| outputs: | |
| version: ${{ steps.semver.outputs.version }} | |
| steps: | |
| - id: semver | |
| uses: matt-usurp/validate-semver@v1 | |
| with: | |
| version: ${{ env.tag }} | |
| - name: Validate tag prefix (v) | |
| if: ${{ !startsWith(env.tag, 'v') }} | |
| run: | | |
| echo "::error::Tag name must start with 'v' (https://developer.hashicorp.com/terraform/registry/providers/publishing#creating-a-github-release)" | |
| exit 1 | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - uses: actions/setup-go@v5 | |
| with: | |
| go-version-file: go.mod | |
| - name: Enable snapshot mode | |
| if: ${{ github.event_name == 'workflow_dispatch' && !inputs.publish }} | |
| run: echo "flags=--snapshot" >> "$GITHUB_ENV" | |
| - name: Import GPG key | |
| uses: crazy-max/ghaction-import-gpg@v6 | |
| id: gpg | |
| with: | |
| gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }} | |
| - name: Create tag | |
| if: ${{ inputs.tag }} | |
| run: git rev-parse --quiet --verify "refs/tags/$tag" || git tag "$tag" | |
| - name: GoReleaser | |
| uses: goreleaser/goreleaser-action@v5 | |
| with: | |
| args: release --clean ${{ env.flags }} | |
| env: | |
| GORELEASER_CURRENT_TAG: ${{ env.tag }} | |
| GORELEASER_PREVIOUS_TAG: ${{ inputs.previous-tag }} | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| GPG_FINGERPRINT: ${{ steps.gpg.outputs.fingerprint }} | |
| - uses: actions/upload-artifact@v4 | |
| with: | |
| name: archives | |
| path: | | |
| dist/*.zip | |
| dist/*.json | |
| dist/*.yaml | |
| dist/*.sig | |
| dist/*_SHA256SUMS | |
| - if: ${{ env.flags == '--snapshot' }} | |
| name: Snapshot warning | |
| run: echo "::warning::Snapshot release, not publishing artifacts (https://goreleaser.com/customization/snapshots/)" | |
| s3: | |
| needs: goreleaser | |
| runs-on: ubuntu-latest | |
| permissions: | |
| id-token: write | |
| env: | |
| flags: '' | |
| version: ${{ needs.goreleaser.outputs.version }} | |
| upload_dir: ${{ github.workspace }}/upload | |
| steps: | |
| - uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| role-to-assume: ${{ vars.AWS_ROLE_ARN }} | |
| aws-region: us-west-2 | |
| - id: artifacts | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: archives | |
| path: dist | |
| - name: Enable dry run mode | |
| if: ${{ github.event_name == 'workflow_dispatch' && !inputs.publish }} | |
| run: echo "flags=--dryrun" >> "$GITHUB_ENV" | |
| - name: Create upload directory | |
| run: mkdir "$upload_dir" | |
| - id: archives | |
| name: Copy archives | |
| run: | | |
| i=0 | |
| while read -r archive; do | |
| os=$(jq -r '.goos' <<< "$archive") | |
| arch=$(jq -r '.goarch' <<< "$archive") | |
| name=$(jq -r '.name' <<< "$archive") | |
| path=$(jq -r '.path' <<< "$archive") | |
| dir="${upload_dir}/os=${os}/arch=${arch}" | |
| mkdir -p "$dir" | |
| echo "Copying ${name} to ${dir}" | |
| cp "$path" "$dir" | |
| ((i++)) || true | |
| done < <(jq -c '.[] | select(.type == "Archive")' ${{ steps.artifacts.outputs.download-path }}/artifacts.json) | |
| echo "count=${i}" >> "$GITHUB_OUTPUT" | |
| - id: signatures | |
| name: Copy checksum/signature | |
| run: | | |
| i=0 | |
| while read -r path; do | |
| name=$(jq -r '.name' <<< "$path") | |
| path=$(jq -r '.path' <<< "$path") | |
| echo "Copying ${name} to ${upload_dir}" | |
| cp "$path" "$upload_dir" | |
| ((i++)) || true | |
| done < <(jq -c '.[] | select(.type | IN("Checksum", "Signature"))' ${{ steps.artifacts.outputs.download-path }}/artifacts.json) | |
| echo "count=${i}" >> "$GITHUB_OUTPUT" | |
| - name: Validate archives | |
| if: ${{ steps.archives.outputs.count == '0' }} | |
| run: | | |
| echo "::error::No archives found, aborting release" | |
| exit 1 | |
| - name: Validate signatures | |
| if: ${{ steps.signatures.outputs.count != '2' }} | |
| run: | | |
| echo "::error::Expected 2 signatures, got ${{ steps.signatures.outputs.count }}, aborting release" | |
| exit 1 | |
| - name: Print upload tree | |
| if: always() | |
| working-directory: ${{ env.upload_dir }} | |
| run: tree | |
| - name: Copy to S3 | |
| run: | | |
| bucket="${{ vars.AWS_S3_REGISTRY_BUCKET }}" | |
| prefix="${{ vars.AWS_S3_REGISTRY_PREFIX }}/version=${version}/" | |
| s3_uri="s3://${bucket}/${prefix}" | |
| echo "::group::aws s3 cp" | |
| # shellcheck disable=SC2086 | |
| aws s3 cp $flags --recursive "$upload_dir" "$s3_uri" | |
| echo "::endgroup::" | |
| cd "$(mktemp -d)" | |
| mkdir -p "$s3_uri" | |
| cd "s3:" | |
| cp --recursive "$upload_dir/"* "${bucket}/${prefix}" | |
| { | |
| echo "## S3 Registry Uploads" | |
| if [[ "$flags" == "--dryrun" ]]; then | |
| echo '⚠️ _Dry run mode was enabled, no files were actually uploaded to S3._' | |
| fi | |
| echo '* **Archives:** ${{ steps.archives.outputs.count }}' | |
| echo '* **Signatures:** ${{ steps.signatures.outputs.count }}' | |
| echo '```' | |
| tree --noreport "$bucket" | |
| echo '```' | |
| } >> "$GITHUB_STEP_SUMMARY" |