ci: Restructure release workflow
This isolates elevated permissions to the release publication job only, and simplifies a more complex sequence of creating a draft release, then building and attaching binaries, then compiling release notes, then publishing the release.  Now we simply build, compile notes, then publish a full release with notes and binaries at once.
joeyparrish committed Dec 17, 2024
1 parent 7f593bd commit f48ab11
Showing 2 changed files with 21 additions and 86 deletions.
25 changes: 0 additions & 25 deletions .github/workflows/build.yaml
Expand Up @@ -22,17 +22,9 @@ on:
# workflows.
workflow_call:
inputs:
release_id:
required: false
type: string
ref:
required: true
type: string
secrets:
# The GITHUB_TOKEN name is reserved, but not passed through implicitly.
# So we call our secret parameter simply TOKEN.
TOKEN:
required: false

# Runs on manual trigger.
workflow_dispatch:
Expand Down Expand Up @@ -214,23 +206,6 @@ jobs:
- name: Check that executables are static
run: ./repo-src/build-scripts/99-check-static.sh

- name: Attach assets to release
if: inputs.release_id != ''
env:
GITHUB_TOKEN: ${{ secrets.TOKEN }}
run: |
set -e
set -x
# Attach the build outputs to the draft release. Each machine will
# do this separately and in parallel. Later, another job will take
# over to collect them all and use their MD5 sums to create the
# release notes (the "body" of the release).
release_id="${{ inputs.release_id }}"
(cd ./repo-src/api-client && npm ci)
node ./repo-src/api-client/main.js \
upload-all-assets "$release_id" assets/
- name: Debug
uses: mxschmitt/[email protected]
with:
82 changes: 21 additions & 61 deletions .github/workflows/release.yaml
Expand Up @@ -30,54 +30,32 @@ on:
# will have to opt in after setting up their own self-hosted runners.

jobs:
# On a single Linux host, draft a release. Later, different hosts will build
# for each OS/CPU in parallel, and then attach the resulting binaries to this
# draft.
draft_release:
name: Draft release
runs-on: ubuntu-latest
outputs:
release_id: ${{ steps.draft_release.outputs.release_id }}
steps:
- uses: actions/checkout@v4
with:
path: repo-src
ref: ${{ github.ref }}

- name: Draft release
id: draft_release
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
set -e
set -x
# Create a draft release associated with the tag that triggered this
# workflow.
tag="${{ github.ref }}"
(cd repo-src/api-client && npm ci)
release_id=$(node ./repo-src/api-client/main.js draft-release "$tag")
echo "::set-output name=release_id::$release_id"
build:
needs: draft_release
uses: ./.github/workflows/build.yaml
with:
release_id: ${{ needs.draft_release.outputs.release_id }}
ref: ${{ github.ref }}
secrets:
TOKEN: ${{ secrets.GITHUB_TOKEN }}

publish_release:
name: Publish release
needs: [draft_release, build]
needs: [build]
runs-on: ubuntu-latest
permissions:
# "Write" to contents is necessary to create a release.
contents: write
steps:
- uses: actions/checkout@v4
with:
path: repo-src
ref: ${{ github.ref }}

- uses: actions/download-artifact@v4

# FIXME: Remove this after verifying the asset paths
- name: Debug
uses: mxschmitt/[email protected]
with:
limit-access-to-actor: true

- name: Publish release
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
Expand All @@ -94,40 +72,22 @@ jobs:
echo "" >> body.txt
echo "$GITHUB_REPOSITORY version:" >> body.txt
echo " - $repo_tag" >> body.txt
echo " - ${{ github.ref }}" >> body.txt
echo "" >> body.txt
echo "Software versions:" >> body.txt
cat repo-src/versions.txt | \
sed -e 's/^/ - /' >> body.txt
echo "" >> body.txt
# Update the release notes with this preliminary version. This is
# what gets emailed out when we publish the release below.
release_id="${{ needs.draft_release.outputs.release_id }}"
(cd repo-src/api-client && npm ci)
node ./repo-src/api-client/main.js \
update-release-body "$release_id" "$(cat body.txt)"
# Now we have to take the release out of draft mode. Until we do, we
# can't get download URLs for the assets.
node ./repo-src/api-client/main.js \
publish-release "$release_id"
# The downloads are sometimes a bit flaky (responding with 404) if we
# don't put some delay between publication and download. This number
# is arbitrary, but experimentally, it seems to solve the issue.
sleep 30
# Next, download the assets.
node ./repo-src/api-client/main.js \
download-all-assets "$release_id" assets/
# Now add the MD5 sums to the release notes.
# Add the MD5 sums to the release notes.
echo "MD5 sums:" >> body.txt
(cd assets; md5sum * | sed -e 's/^/ - /') >> body.txt
# Now update the release notes one last time, with the MD5 sums
# appended.
node ./repo-src/api-client/main.js \
update-release-body "$release_id" "$(cat body.txt)"
# Publish the release, including release notes and assets.
gh release create \
--verify-tag \
--notes-file body.txt \
--title "${{ github.ref }}" \
"${{ github.ref }}" \
assets/*

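Review bot: `${{ github.ref }}` is expanded directly into the shell script at the `echo`, `--title` and positional-tag lines of the publish step, which is expression injection from a ref name into `run:`; git allows `$`, backticks, `;` and `"` in tag names, so anyone who can push a tag can inject commands into a job that holds a `contents: write` token. Read the value from the environment instead: `echo " - $GITHUB_REF" >> body.txt`, `--title "$GITHUB_REF" \` and `"$GITHUB_REF" \` (or `$GITHUB_REF_NAME` if `gh release create --verify-tag` expects the bare tag rather than `refs/tags/...`, which is worth confirming since the old api-client path may have stripped the prefix itself). The same job runs `mxschmitt/[email protected]` pinned to a mutable tag while that write token is in scope; if the FIXME step stays for any length of time, pin it to a full commit SHA. The description's claim that elevated permissions are now isolated to `publish_release` holds only if a workflow-level `permissions: contents: read` (not visible in this hunk) or the repository default keeps the `build` job read-only. Since the notes are rebuilt here anyway, `sha256sum` would give consumers a collision-resistant integrity value where `md5sum` does not.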