forked from shaka-project/static-ffmpeg-binaries
This isolates elevated permissions to the release publication job only, and simplifies a more complex sequence of creating a draft release, then building and attaching binaries, then compiling release notes, then publishing the release. Now we simply build, compile notes, then publish a full release with notes and binaries at once. This also removes the need for our own "api client" in JavaScript. Now we perform these actions with GitHub's own tools: "gh" command line to create the release and "actions/" official actions to upload and download build artifacts.
1 parent
7f593bd
commit 6f5810e
Showing
6 changed files
with
24 additions
and
484 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -22,17 +22,9 @@ on: | |
# workflows. | ||
workflow_call: | ||
inputs: | ||
release_id: | ||
required: false | ||
type: string | ||
ref: | ||
required: true | ||
type: string | ||
secrets: | ||
# The GITHUB_TOKEN name is reserved, but not passed through implicitly. | ||
# So we call our secret parameter simply TOKEN. | ||
TOKEN: | ||
required: false | ||
|
||
# Runs on manual trigger. | ||
workflow_dispatch: | ||
|
@@ -214,23 +206,6 @@ jobs: | |
- name: Check that executables are static | ||
run: ./repo-src/build-scripts/99-check-static.sh | ||
|
||
- name: Attach assets to release | ||
if: inputs.release_id != '' | ||
env: | ||
GITHUB_TOKEN: ${{ secrets.TOKEN }} | ||
run: | | ||
set -e | ||
set -x | ||
# Attach the build outputs to the draft release. Each machine will | ||
# do this separately and in parallel. Later, another job will take | ||
# over to collect them all and use their MD5 sums to create the | ||
# release notes (the "body" of the release). | ||
release_id="${{ inputs.release_id }}" | ||
(cd ./repo-src/api-client && npm ci) | ||
node ./repo-src/api-client/main.js \ | ||
upload-all-assets "$release_id" assets/ | ||
- name: Debug | ||
uses: mxschmitt/[email protected] | ||
with: | ||
|
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -30,54 +30,35 @@ on: | |
# will have to opt in after setting up their own self-hosted runners. | ||
|
||
jobs: | ||
# On a single Linux host, draft a release. Later, different hosts will build | ||
# for each OS/CPU in parallel, and then attach the resulting binaries to this | ||
# draft. | ||
draft_release: | ||
name: Draft release | ||
runs-on: ubuntu-latest | ||
outputs: | ||
release_id: ${{ steps.draft_release.outputs.release_id }} | ||
steps: | ||
- uses: actions/checkout@v4 | ||
with: | ||
path: repo-src | ||
ref: ${{ github.ref }} | ||
|
||
- name: Draft release | ||
id: draft_release | ||
env: | ||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
run: | | ||
set -e | ||
set -x | ||
# Create a draft release associated with the tag that triggered this | ||
# workflow. | ||
tag="${{ github.ref }}" | ||
(cd repo-src/api-client && npm ci) | ||
release_id=$(node ./repo-src/api-client/main.js draft-release "$tag") | ||
echo "::set-output name=release_id::$release_id" | ||
build: | ||
needs: draft_release | ||
uses: ./.github/workflows/build.yaml | ||
with: | ||
release_id: ${{ needs.draft_release.outputs.release_id }} | ||
ref: ${{ github.ref }} | ||
secrets: | ||
TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
|
||
publish_release: | ||
name: Publish release | ||
needs: [draft_release, build] | ||
needs: [build] | ||
runs-on: ubuntu-latest | ||
permissions: | ||
# "Write" to contents is necessary to create a release. | ||
contents: write | ||
steps: | ||
- uses: actions/checkout@v4 | ||
with: | ||
path: repo-src | ||
ref: ${{ github.ref }} | ||
|
||
- uses: actions/download-artifact@v4 | ||
with: | ||
path: assets | ||
merge-multiple: true | ||
|
||
# FIXME: Remove this after verifying the asset paths | ||
- name: Debug | ||
uses: mxschmitt/[email protected] | ||
with: | ||
limit-access-to-actor: true | ||
|
||
- name: Publish release | ||
env: | ||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
|
@@ -94,40 +75,22 @@ jobs: | |
echo "" >> body.txt | ||
echo "$GITHUB_REPOSITORY version:" >> body.txt | ||
echo " - $repo_tag" >> body.txt | ||
echo " - ${{ github.ref }}" >> body.txt | ||
echo "" >> body.txt | ||
echo "Software versions:" >> body.txt | ||
cat repo-src/versions.txt | \ | ||
sed -e 's/^/ - /' >> body.txt | ||
echo "" >> body.txt | ||
# Update the release notes with this preliminary version. This is | ||
# what gets emailed out when we publish the release below. | ||
release_id="${{ needs.draft_release.outputs.release_id }}" | ||
(cd repo-src/api-client && npm ci) | ||
node ./repo-src/api-client/main.js \ | ||
update-release-body "$release_id" "$(cat body.txt)" | ||
# Now we have to take the release out of draft mode. Until we do, we | ||
# can't get download URLs for the assets. | ||
node ./repo-src/api-client/main.js \ | ||
publish-release "$release_id" | ||
# The downloads are sometimes a bit flaky (responding with 404) if we | ||
# don't put some delay between publication and download. This number | ||
# is arbitrary, but experimentally, it seems to solve the issue. | ||
sleep 30 | ||
# Next, download the assets. | ||
node ./repo-src/api-client/main.js \ | ||
download-all-assets "$release_id" assets/ | ||
# Now add the MD5 sums to the release notes. | ||
# Add the MD5 sums to the release notes. | ||
echo "MD5 sums:" >> body.txt | ||
(cd assets; md5sum * | sed -e 's/^/ - /') >> body.txt | ||
# Now update the release notes one last time, with the MD5 sums | ||
# appended. | ||
node ./repo-src/api-client/main.js \ | ||
update-release-body "$release_id" "$(cat body.txt)" | ||
# Publish the release, including release notes and assets. | ||
gh release create \ | ||
--verify-tag \ | ||
--notes-file body.txt \ | ||
--title "${{ github.ref }}" \ | ||
"${{ github.ref }}" \ | ||
assets/* |
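Review bot: The `gh release create` call at the end of the run script expands `${{ github.ref }}` straight into the shell text for both `--title` and the tag argument, so the ref name is parsed as shell source before the surrounding quotes apply. The runner already exports the value as an environment variable, so `--title "$GITHUB_REF_NAME" \` and `"$GITHUB_REF_NAME" \` would treat it as data; the short name is probably what the title wants anyway, since `github.ref` is the full `refs/tags/…` form on a tag push. The same applies to the `echo " - ${{ github.ref }}" >> body.txt` line if that is the new side of its pair. Separately, the FIXME'd Debug step in the first hunk opens an interactive session in the one job that holds `contents: write`, so it should be removed before this workflow runs on a real tag. The run block begins outside the second hunk.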
This file was deleted.