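# Trusted release lane for the Hex package.
#
# Two ways in:
#   * push to main       -> Release Please decides whether a release was cut;
#                           publish runs only when release_created == 'true'.
#   * workflow_dispatch  -> recovery-only. Bypasses Release Please and
#                           republishes one exact, already-validated commit.
# Publishing always happens inside the `hex-publish` environment, which is
# where HEX_API_KEY lives and where any required reviewers are enforced.
name: Release
on:
  push:
    branches:
      - main
  workflow_dispatch:
    inputs:
      recovery_reason:
        description: "Recovery-only note for rerunning the trusted release lane"
        required: true
        type: string
      recovery_ref:
        description: "Commit SHA or tag for the exact revision being recovered"
        required: true
        type: string
# One publish at a time, whatever ref the run was started from. For a
# workflow_dispatch, github.ref is the branch picked in the UI, not
# recovery_ref, so keying the group on it would let a recovery run alongside
# a push release.
concurrency:
  group: release
  cancel-in-progress: false
# Default for every job; jobs that need more opt in explicitly below.
permissions:
  contents: read
jobs:
  release-please:
    name: Release Please
    runs-on: ubuntu-latest
    permissions:
      contents: write
      issues: write
      pull-requests: write
    outputs:
      # 'true' only when the local release-please action reports a release.
      # On workflow_dispatch this is pinned to 'false' so the push-path gate
      # in `publish` can never be satisfied by a manual run.
      release_created: ${{ steps.release.outputs.release_created || steps.manual_dispatch.outputs.release_created || 'false' }}
    steps:
      - name: Check out repository for Release Please
        if: ${{ github.event_name != 'workflow_dispatch' }}
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Confirm manual dispatch stays recovery-only
        id: manual_dispatch
        if: ${{ github.event_name == 'workflow_dispatch' }}
        shell: bash
        run: |
          echo "release_created=false" >> "$GITHUB_OUTPUT"
          echo "workflow_dispatch bypasses Release Please and exists only to recover the trusted publish lane for an exact immutable ref."
      - name: Record review-only Release Please PR posture
        if: ${{ github.event_name != 'workflow_dispatch' }}
        run: |
          echo "Release Please generated PRs are review-only. Trusted proof starts only after merge in the protected hex-publish environment."
      - name: Run Release Please
        id: release
        if: ${{ github.event_name != 'workflow_dispatch' }}
        uses: ./.github/actions/release-please
        with:
          config-file: release-please-config.json
          manifest-file: .release-please-manifest.json
  recovery-validation:
    name: Validate Recovery Ref
    if: ${{ github.event_name == 'workflow_dispatch' }}
    runs-on: ubuntu-latest
    permissions:
      contents: read
    outputs:
      # Always a full 40-hex commit SHA. A tag input is resolved to its commit
      # here, so the publish job never checks out a name that could be moved
      # between the two jobs.
      checkout_ref: ${{ steps.validate.outputs.checkout_ref }}
    steps:
      - name: Check out repository for recovery validation
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
          fetch-tags: true
          # Nothing in this job pushes; keep the token out of .git/config.
          persist-credentials: false
      - name: Validate recovery-only inputs and lock to an immutable ref
        id: validate
        shell: bash
        # Inputs reach the shell through env, never through ${{ }} inside
        # `run`, so a crafted recovery_ref cannot be interpolated as shell
        # syntax before the validation below ever sees it.
        env:
          RECOVERY_REASON: ${{ inputs.recovery_reason }}
          RECOVERY_REF: ${{ inputs.recovery_ref }}
        run: |
          set -euo pipefail
          test -n "$RECOVERY_REASON"
          test -n "$RECOVERY_REF"
          if [[ "$RECOVERY_REF" =~ ^[0-9a-f]{40}$ ]]; then
            # Full SHA: it must name a commit that exists in this clone.
            git cat-file -e "${RECOVERY_REF}^{commit}"
            sha="$RECOVERY_REF"
          elif git show-ref --verify --quiet "refs/tags/$RECOVERY_REF"; then
            # Tag: pin it to the commit it points at right now.
            sha="$(git rev-parse --verify "refs/tags/${RECOVERY_REF}^{commit}")"
          else
            echo "workflow_dispatch is recovery-only and recovery_ref must be an exact 40-character commit SHA or an existing tag."
            exit 1
          fi
          # Recovery republishes something that already went through the
          # normal lane. Refuse commits never merged to main so a dispatch
          # cannot turn into a way to publish an unreviewed branch.
          if ! git merge-base --is-ancestor "$sha" origin/main; then
            echo "recovery_ref resolves to $sha, which is not reachable from main; refusing."
            exit 1
          fi
          echo "checkout_ref=$sha" >> "$GITHUB_OUTPUT"
          # Leave an audit trail of who recovered what, and why, on the run
          # summary instead of only in the step log.
          {
            echo "## Recovery publish"
            echo "- actor: ${GITHUB_ACTOR}"
            echo "- recovery_ref: ${RECOVERY_REF}"
            echo "- resolved commit: ${sha}"
            echo "- reason: ${RECOVERY_REASON}"
          } >> "$GITHUB_STEP_SUMMARY"
          echo "workflow_dispatch is recovery-only. Recovery publishes the exact immutable ref selected in recovery_ref, and normal publish intent starts from a merged Release Please PR and the protected hex-publish environment."
  publish:
    name: Publish to Hex
    runs-on: ubuntu-latest
    needs:
      - release-please
      - recovery-validation
    # `!cancelled()` instead of `always()`: the gate must still look past the
    # job that is skipped on each path, but a cancelled run must never reach
    # `mix hex.publish`.
    if: ${{ !cancelled() && ((github.event_name == 'workflow_dispatch' && needs.recovery-validation.result == 'success') || (github.event_name != 'workflow_dispatch' && needs.release-please.outputs.release_created == 'true')) }}
    environment: hex-publish
    permissions:
      contents: read
    env:
      # The one commit this run is allowed to publish: the validated recovery
      # SHA on dispatch, the merged release commit on push.
      EXPECTED_SHA: ${{ github.event_name == 'workflow_dispatch' && needs.recovery-validation.outputs.checkout_ref || github.sha }}
    steps:
      - name: Check out repository for the merged release commit
        if: ${{ github.event_name != 'workflow_dispatch' }}
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # The publish steps run project code (mix.exs, deps, custom tasks);
          # do not leave GITHUB_TOKEN in .git/config for them to read.
          persist-credentials: false
      - name: Check out repository at the validated recovery commit
        if: ${{ github.event_name == 'workflow_dispatch' }}
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
          fetch-tags: true
          ref: ${{ needs.recovery-validation.outputs.checkout_ref }}
          persist-credentials: false
      - name: Confirm the checkout is exactly the expected commit
        shell: bash
        run: |
          set -euo pipefail
          git checkout --detach HEAD
          actual="$(git rev-parse HEAD)"
          if [[ "$actual" != "$EXPECTED_SHA" ]]; then
            echo "HEAD is $actual but this lane expected $EXPECTED_SHA; refusing to publish."
            exit 1
          fi
          echo "Publishing commit: $actual"
      - name: Set up Elixir and Erlang
        uses: erlef/setup-beam@fc68ffb90438ef2936bbb3251622353b3dcb2f93 # v1.24.0
        with:
          elixir-version: "1.19.5"
          otp-version: "28"
      - name: Install Hex and Rebar
        run: |
          mix local.hex --force
          mix local.rebar --force
      # No deps/_build cache restore in the publish lane: a restored cache is
      # unverified input to the build that produces the package, and a release
      # is rare enough that a cold fetch from mix.lock is the right trade.
      - name: Install dependencies
        # --check-locked fails instead of silently rewriting mix.lock, so the
        # published build matches the locked dependency set exactly.
        run: mix deps.get --check-locked
      - name: Run trusted release preflight inside protected environment
        env:
          # NOTE(review): if release.preflight does not talk to Hex, drop the
          # key here so only the publish step can see it.
          HEX_API_KEY: ${{ secrets.HEX_API_KEY }}
        run: mix release.preflight
      - name: Publish package from the trusted lane
        env:
          HEX_API_KEY: ${{ secrets.HEX_API_KEY }}
        run: mix hex.publish --yes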