-
-
Notifications
You must be signed in to change notification settings - Fork 0
214 lines (191 loc) · 7.3 KB
/
release-pipeline.yml
File metadata and controls
214 lines (191 loc) · 7.3 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
# One-click release pipeline: dev -> main -> version bump -> tag -> release build.
#
# Replaces the manual 13-step process:
# 1. Merges dev into main (fast-forward or merge commit)
# 2. Bumps version on main
# 3. Pushes annotated tag vX.Y.Z (triggers release.yml)
#
# After release.yml completes, its sync-dev job auto-merges main back to dev.
#
# Prerequisites:
# - Secret: RELEASE_AUTOMATION_PAT (fine-grained PAT: Contents + Pull requests RW)
# - Secret: TAURI_SIGNING_PRIVATE_KEY (for release.yml)
# - Optional var: RELEASE_ALLOWED_ACTORS (comma-separated usernames)
#
# The existing release-bump.yml and release-tag.yml still work as manual fallbacks.
name: Release — one-click pipeline
on:
workflow_dispatch:
inputs:
release_type:
description: "Semver bump type (see https://semver.org)"
type: choice
required: true
default: patch
options:
- patch
- minor
- major
dry_run:
description: "Dry run — show what would happen without pushing"
type: boolean
default: false
permissions:
contents: write
pull-requests: write
concurrency:
group: release-pipeline
cancel-in-progress: false
jobs:
release-pipeline:
runs-on: ubuntu-latest
steps:
- name: Verify release permission
env:
ACTOR: ${{ github.actor }}
REPO_OWNER: ${{ github.repository_owner }}
ALLOWED_ACTORS: ${{ vars.RELEASE_ALLOWED_ACTORS }}
run: |
set -euo pipefail
python3 << 'PY'
import os
actor = os.environ["ACTOR"]
owner = os.environ["REPO_OWNER"]
raw = os.environ.get("ALLOWED_ACTORS", "").strip()
if raw:
allowed = [x.strip() for x in raw.split(",") if x.strip()]
else:
allowed = [owner]
if actor not in allowed:
print(f"::error::User '{actor}' is not allowed to run releases. "
f"Allowed: {allowed}. Set repository variable RELEASE_ALLOWED_ACTORS.")
raise SystemExit(1)
print(f"OK: {actor} is authorized to release.")
PY
- name: Require automation PAT
env:
RELEASE_AUTOMATION_PAT: ${{ secrets.RELEASE_AUTOMATION_PAT }}
run: |
if [ -z "${RELEASE_AUTOMATION_PAT:-}" ]; then
echo "::error::RELEASE_AUTOMATION_PAT secret is required."
exit 1
fi
- name: Checkout repo
uses: actions/checkout@v4
with:
fetch-depth: 0
token: ${{ secrets.RELEASE_AUTOMATION_PAT }}
- name: Configure git
run: |
git config user.name "github-actions[bot]"
git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
- name: Merge dev into main
run: |
set -euo pipefail
git fetch origin main dev
# Check that dev is ahead of main
BEHIND=$(git rev-list --count origin/main..origin/dev)
if [ "$BEHIND" = "0" ]; then
echo "::warning::dev has no new commits over main. Continuing with version bump only."
fi
git checkout main
git reset --hard origin/main
# Merge dev into main (non-interactive)
echo "Merging origin/dev into main..."
git merge origin/dev --no-edit -m "Merge branch 'dev' into main for release"
if [ "${{ inputs.dry_run }}" = "true" ]; then
echo "::notice::DRY RUN — would merge dev into main"
echo "Commits from dev:"
git log origin/main..HEAD --oneline
else
git push origin main
echo "Pushed merged main."
fi
- name: Install Rust (for Cargo.lock refresh)
uses: dtolnay/rust-toolchain@stable
- name: Bump version
id: ver
env:
RELEASE_TYPE: ${{ inputs.release_type }}
run: |
set -euo pipefail
CURRENT=$(python3 -c "import json; print(json.load(open('apps/desktop/src-tauri/tauri.conf.json'))['version'])")
export CURRENT
NEW=$(python3 - <<'PY'
import os
cur = os.environ["CURRENT"]
rt = os.environ["RELEASE_TYPE"]
major, minor, patch = map(int, cur.split("."))
if rt == "patch":
print(f"{major}.{minor}.{patch + 1}")
elif rt == "minor":
print(f"{major}.{minor + 1}.0")
elif rt == "major":
print(f"{major + 1}.0.0")
else:
raise SystemExit(1)
PY
)
echo "current=$CURRENT" >> "$GITHUB_OUTPUT"
echo "new=$NEW" >> "$GITHUB_OUTPUT"
echo "Bumping $CURRENT -> $NEW ($RELEASE_TYPE)"
python3 scripts/bump-version.py "$NEW"
- name: Refresh Cargo.lock
run: cargo generate-lockfile
- name: Commit version bump
env:
NEW: ${{ steps.ver.outputs.new }}
run: |
set -euo pipefail
git add apps/desktop/src-tauri/tauri.conf.json \
apps/desktop/src-tauri/Cargo.toml \
apps/desktop/src/components/settings/Settings.tsx \
Cargo.lock
git commit -m "chore: bump version to $NEW"
if [ "${{ inputs.dry_run }}" = "true" ]; then
echo "::notice::DRY RUN — would commit and push version bump"
else
git push origin main
echo "Pushed version bump to main."
fi
- name: Create and push tag
id: tag
env:
NEW: ${{ steps.ver.outputs.new }}
run: |
set -euo pipefail
TAG="v${NEW}"
# Check tag doesn't already exist
if git ls-remote --tags origin "refs/tags/$TAG" | grep -q .; then
echo "::error::Tag $TAG already exists on remote. Delete it first or use a different version."
exit 1
fi
git tag -a "$TAG" -m "Release $TAG"
if [ "${{ inputs.dry_run }}" = "true" ]; then
echo "::notice::DRY RUN — would push tag $TAG (triggers release.yml)"
echo "tag=$TAG" >> "$GITHUB_OUTPUT"
else
git push origin "$TAG"
echo "Pushed tag $TAG — release.yml will now build and publish."
echo "tag=$TAG" >> "$GITHUB_OUTPUT"
fi
- name: Summary
env:
NEW: ${{ steps.ver.outputs.new }}
CURRENT: ${{ steps.ver.outputs.current }}
TAG: ${{ steps.tag.outputs.tag }}
DRY_RUN: ${{ inputs.dry_run }}
run: |
if [ "$DRY_RUN" = "true" ]; then
echo "### Dry run complete" >> "$GITHUB_STEP_SUMMARY"
echo "Would have:" >> "$GITHUB_STEP_SUMMARY"
else
echo "### Release pipeline complete" >> "$GITHUB_STEP_SUMMARY"
fi
echo "- Merged \`dev\` into \`main\`" >> "$GITHUB_STEP_SUMMARY"
echo "- Bumped version: \`$CURRENT\` -> \`$NEW\`" >> "$GITHUB_STEP_SUMMARY"
echo "- Pushed tag: \`$TAG\`" >> "$GITHUB_STEP_SUMMARY"
if [ "$DRY_RUN" != "true" ]; then
echo "" >> "$GITHUB_STEP_SUMMARY"
echo "**Next:** [release.yml](${{ github.server_url }}/${{ github.repository }}/actions/workflows/release.yml) builds and publishes the release, then auto-syncs \`main\` back to \`dev\`." >> "$GITHUB_STEP_SUMMARY"
fi