- Notifications
You must be signed in to change notification settings - Fork1k
Release#495
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.Learn more about bidirectional Unicode characters
| # GitHub release workflow. | |
| name:Release | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| release_channel: | |
| type:choice | |
| description:Release channel | |
| options: | |
| -mainline | |
| -stable | |
| release_notes: | |
| description:Release notes for the publishing the release. This is required to create a release. | |
| dry_run: | |
| description:Perform a dry-run release (devel). Note that ref must be an annotated tag when run without dry-run. | |
| type:boolean | |
| required:true | |
| default:false | |
| permissions: | |
| contents:read | |
| concurrency:${{ github.workflow }}-${{ github.ref }} | |
| env: | |
| # Use `inputs` (vs `github.event.inputs`) to ensure that booleans are actual | |
| # booleans, not strings. | |
| # https://github.blog/changelog/2022-06-10-github-actions-inputs-unified-across-manual-and-reusable-workflows/ | |
| CODER_RELEASE:${{ !inputs.dry_run }} | |
| CODER_DRY_RUN:${{ inputs.dry_run }} | |
| CODER_RELEASE_CHANNEL:${{ inputs.release_channel }} | |
| CODER_RELEASE_NOTES:${{ inputs.release_notes }} | |
| jobs: | |
| # Only allow maintainers/admins to release. | |
| check-perms: | |
| runs-on:${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }} | |
| steps: | |
| -name:Allow only maintainers/admins | |
| uses:actions/github-script@v7.0.1 | |
| with: | |
| github-token:${{ secrets.GITHUB_TOKEN }} | |
| script:| | |
| const {data} = await github.rest.repos.getCollaboratorPermissionLevel({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| username: context.actor | |
| }); | |
| const role = data.role_name || data.user?.role_name || data.permission; | |
| const perms = data.user?.permissions || {}; | |
| core.info(`Actor ${context.actor} permission=${data.permission}, role_name=${role}`); | |
| const allowed = | |
| role === 'admin' || | |
| role === 'maintain' || | |
| perms.admin === true || | |
| perms.maintain === true; | |
| if (!allowed) core.setFailed('Denied: requires maintain or admin'); | |
| # build-dylib is a separate job to build the dylib on macOS. | |
| build-dylib: | |
| runs-on:${{ github.repository_owner == 'coder' && 'depot-macos-latest' || 'macos-latest' }} | |
| needs:check-perms | |
| steps: | |
| -name:Fetch git tags | |
| run:echo "Success" | |
| release: | |
| name:Build and publish | |
| needs:[build-dylib, check-perms] | |
| runs-on:${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }} | |
| permissions: | |
| # Required to publish a release | |
| contents:write | |
| # Necessary to push docker images to ghcr.io. | |
| packages:write | |
| # Necessary for GCP authentication (https://github.com/google-github-actions/setup-gcloud#usage) | |
| # Also necessary for keyless cosign (https://docs.sigstore.dev/cosign/signing/overview/) | |
| # And for GitHub Actions attestation | |
| id-token:write | |
| # Required for GitHub Actions attestation | |
| attestations:write | |
| env: | |
| # Necessary for Docker manifest | |
| DOCKER_CLI_EXPERIMENTAL:"enabled" | |
| outputs: | |
| version:${{ steps.version.outputs.version }} | |
| steps: | |
| -name:Fetch git tags | |
| run:echo "Success" |