@@ -58,28 +58,23 @@ jobs:
5858 config-file : release-please-config.json
5959 manifest-file : .release-please-manifest.json
6060
61- publish :
62- name : Publish to Hex
61+ recovery-validation :
62+ name : Validate Recovery Ref
63+ if : ${{ github.event_name == 'workflow_dispatch' }}
6364 runs-on : ubuntu-latest
64- needs : release-please
65- if : ${{ github.event_name == 'workflow_dispatch' || needs.release-please.outputs.release_created == 'true' }}
66- environment : hex-publish
6765 permissions :
6866 contents : read
67+ outputs :
68+ checkout_ref : ${{ steps.validate.outputs.checkout_ref }}
6969 steps :
70- - name : Check out repository for the merged release commit
71- if : ${{ github.event_name != 'workflow_dispatch' }}
72- uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
73-
7470 - name : Check out repository for recovery validation
75- if : ${{ github.event_name == 'workflow_dispatch' }}
7671 uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
7772 with :
7873 fetch-depth : 0
7974 fetch-tags : true
8075
8176 - name : Validate recovery-only inputs and lock to an immutable ref
82- if : ${{ github.event_name == 'workflow_dispatch' }}
77+ id : validate
8378 shell : bash
8479 run : |
8580 set -euo pipefail
@@ -89,16 +84,47 @@ jobs:
8984
9085 if [[ "$recovery_ref" =~ ^[0-9a-f]{40}$ ]]; then
9186 git cat-file -e "${recovery_ref}^{commit}"
92- git checkout --detach "$recovery_ref "
87+ echo "checkout_ref=$recovery_ref" >> "$GITHUB_OUTPUT "
9388 elif git show-ref --verify --quiet "refs/tags/$recovery_ref"; then
94- git checkout --detach "refs/tags/$recovery_ref "
89+ echo "checkout_ref=$recovery_ref" >> "$GITHUB_OUTPUT "
9590 else
9691 echo "workflow_dispatch is recovery-only and recovery_ref must be an exact 40-character commit SHA or an existing tag."
9792 exit 1
9893 fi
9994
10095 echo "workflow_dispatch is recovery-only. Recovery publishes the exact immutable ref selected in recovery_ref, and normal publish intent starts from a merged Release Please PR and the protected hex-publish environment."
10196
97+ publish :
98+ name : Publish to Hex
99+ runs-on : ubuntu-latest
100+ needs :
101+ - release-please
102+ - recovery-validation
103+ if : ${{ always() && ((github.event_name == 'workflow_dispatch' && needs.recovery-validation.result == 'success') || (github.event_name != 'workflow_dispatch' && needs.release-please.outputs.release_created == 'true')) }}
104+ environment : hex-publish
105+ permissions :
106+ contents : read
107+ steps :
108+ - name : Check out repository for the merged release commit
109+ if : ${{ github.event_name != 'workflow_dispatch' }}
110+ uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
111+
112+ - name : Check out repository for recovery validation
113+ if : ${{ github.event_name == 'workflow_dispatch' }}
114+ uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
115+ with :
116+ fetch-depth : 0
117+ fetch-tags : true
118+ ref : ${{ needs.recovery-validation.outputs.checkout_ref }}
119+
120+ - name : Confirm recovery checkout is detached to the validated immutable ref
121+ if : ${{ github.event_name == 'workflow_dispatch' }}
122+ shell : bash
123+ run : |
124+ set -euo pipefail
125+ git checkout --detach HEAD
126+ echo "Recovered immutable ref: ${{ needs.recovery-validation.outputs.checkout_ref }}"
127+
102128 - name : Set up Elixir and Erlang
103129 uses : erlef/setup-beam@fc68ffb90438ef2936bbb3251622353b3dcb2f93 # v1.24.0
104130 with :
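Review bot: In the tag branch of the validate step, `checkout_ref` is written as the bare tag name, so the publish job's `actions/checkout` resolves a mutable, unqualified name again in a later job instead of the commit that was validated. The removed `git checkout --detach "refs/tags/$recovery_ref"` at least pinned the tag namespace; the new `ref:` value could also match a branch of the same name, and the tag could be moved while the job waits on the `hex-publish` environment, if that environment gates on approval. Emitting the resolved commit, `echo "checkout_ref=$(git rev-parse "refs/tags/${recovery_ref}^{commit}")" >> "$GITHUB_OUTPUT"`, would make the output a 40-character SHA in both branches and match the "immutable ref" wording. Separately, the final `echo` pastes `${{ needs.recovery-validation.outputs.checkout_ref }}` into the script text inside the job that holds the publish environment; passing it through `env:` (`CHECKOUT_REF: ${{ needs.recovery-validation.outputs.checkout_ref }}`) and echoing `"$CHECKOUT_REF"` keeps a tag name containing shell metacharacters from being interpreted. The validate step's body spans the gap between the two hunks, so how `recovery_ref` is populated is not visible here.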