ci: Update workflow permissions (#1462) #82
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Copyright 2023 Google LLC | |
# | |
# Use of this source code is governed by a BSD-style | |
# license that can be found in the LICENSE file or at | |
# https://developers.google.com/open-source/licenses/bsd | |
name: Release | |
on: | |
push: | |
branches: | |
- main | |
- v[0-9]* | |
jobs: | |
settings: | |
name: Settings | |
uses: ./.github/workflows/settings.yaml | |
release: | |
runs-on: ubuntu-latest | |
needs: settings | |
outputs: | |
release_created: ${{ steps.release.outputs.release_created }} | |
tag_name: ${{ steps.release.outputs.tag_name }} | |
steps: | |
# Create/update release PR | |
- uses: google-github-actions/release-please-action@v4 | |
id: release | |
with: | |
# Make sure we create the PR against the correct branch. | |
target-branch: ${{ github.ref_name }} | |
# Use a special shaka-bot access token for releases. | |
token: ${{ secrets.RELEASE_PLEASE_TOKEN || secrets.GITHUB_TOKEN }} | |
# See also settings in these files: | |
manifest-file: .release-please-manifest.json | |
config-file: .release-please-config.json | |
# The jobs below are all conditional on a release having been created by | |
# someone merging the release PR. | |
# Several actions either only run on the latest release or run with different | |
# options on the latest release. Here we compute if this is the highest | |
# version number (what we are calling "latest" for NPM, Docker, and the | |
# docs). You can have a more recent release from an older branch, but this | |
# would not qualify as "latest" here. | |
compute: | |
name: Compute latest release flag | |
runs-on: ubuntu-latest | |
needs: release | |
if: needs.release.outputs.release_created | |
outputs: | |
latest: ${{ steps.compute.outputs.latest }} | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-tags: true | |
- name: Compute latest | |
id: compute | |
run: | | |
GIT_TAG_NAME=${{ needs.release.outputs.tag_name }} | |
RELEASE_TAGS=$(git tag | grep ^v[0-9]) | |
LATEST_RELEASE=$(echo "$RELEASE_TAGS" | sort --version-sort | tail -1) | |
if [[ "$GIT_TAG_NAME" == "$LATEST_RELEASE" ]]; then | |
LATEST=true | |
else | |
LATEST=false | |
fi | |
echo latest=$LATEST >> $GITHUB_OUTPUT | |
# Debug the decisions made here. | |
echo "This release: $GIT_TAG_NAME" | |
echo "Latest release: $LATEST_RELEASE" | |
echo "This release is latest: $LATEST" | |
# Publish docs to GitHub Pages | |
docs: | |
name: Update docs | |
needs: [release, compute] | |
# Only if this is the latest release | |
if: needs.release.outputs.release_created && needs.compute.outputs.latest | |
uses: ./.github/workflows/publish-docs.yaml | |
with: | |
ref: refs/tags/${{ needs.release.outputs.tag_name }} | |
# Required permissions to deploy to GitHub Pages: | |
permissions: | |
pages: write | |
id-token: write | |
# Publish official docker image | |
docker: | |
name: Update docker image | |
needs: [release, compute] | |
if: needs.release.outputs.release_created | |
uses: ./.github/workflows/publish-docker.yaml | |
with: | |
tag: ${{ needs.release.outputs.tag_name }} | |
latest: ${{ needs.compute.outputs.latest == 'true' }} | |
secrets: | |
DOCKERHUB_CI_USERNAME: ${{ secrets.DOCKERHUB_CI_USERNAME }} | |
DOCKERHUB_CI_TOKEN: ${{ secrets.DOCKERHUB_CI_TOKEN }} | |
DOCKERHUB_PACKAGE_NAME: ${{ secrets.DOCKERHUB_PACKAGE_NAME }} | |
# Do a complete build | |
build: | |
name: Build | |
needs: [settings, release] | |
if: needs.release.outputs.release_created | |
uses: ./.github/workflows/build.yaml | |
with: | |
ref: refs/tags/${{ needs.release.outputs.tag_name }} | |
self_hosted: ${{ needs.settings.outputs.self_hosted != '' }} | |
debug: ${{ needs.settings.outputs.debug != '' }} | |
# Attach build artifacts to the release | |
artifacts: | |
name: Artifacts | |
runs-on: ubuntu-latest | |
needs: [release, build] | |
if: needs.release.outputs.release_created | |
steps: | |
- uses: actions/download-artifact@v4 | |
with: | |
path: artifacts | |
merge-multiple: true | |
- name: Debug | |
run: find -ls | |
- name: Attach packager to release | |
env: | |
GITHUB_TOKEN: ${{ secrets.RELEASE_PLEASE_TOKEN || secrets.GITHUB_TOKEN }} | |
run: | | |
gh -R ${{ github.repository }} release upload \ | |
${{ needs.release.outputs.tag_name }} artifacts/* \ | |
--clobber | |
# Surprisingly, Shaka Packager binaries can be installed via npm. | |
# Publish NPM package updates. | |
npm: | |
name: Update NPM | |
needs: [release, compute, artifacts] | |
if: needs.release.outputs.release_created | |
uses: ./.github/workflows/publish-npm.yaml | |
with: | |
tag: ${{ needs.release.outputs.tag_name }} | |
latest: ${{ needs.compute.outputs.latest == 'true' }} | |
secrets: | |
NPM_CI_TOKEN: ${{ secrets.NPM_CI_TOKEN }} | |
NPM_PACKAGE_NAME: ${{ secrets.NPM_PACKAGE_NAME }} |