Merged
69 changes: 37 additions & 32 deletions .github/workflows/release.yml
Expand Up @@ -12,17 +12,15 @@ permissions:
issues: write

jobs:
tagged-release:
name: "Build Release"
runs-on: "ubuntu-latest"
environment: release-gate
prepare-verification:
name: "Create Verification Checklist"
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Auto-create verification issue
- name: Create release verification issue
run: |
cat > /tmp/release-checklist.md << 'CHECKLIST_EOF'
cat > /tmp/checklist.md << 'CHECKLIST_END'
## Manual Verification Checklist
Run the application locally or on a test instance against the `main` branch at commit `${{ github.sha }}`.
Run the application locally or on a test instance against the `main` branch at commit ${{ github.sha }}.

- [ ] Auth: Local login (admin:admin) + session persistence
- [ ] Auth: OIDC login, profile sync, logout callback
Expand All @@ -35,76 +33,83 @@ jobs:
- [ ] i18n/Units: Language & Metric/Imperial switches work
- [ ] CI: All PR tests green, no flaky failures in main

## Notes & Observations
<!-- Add any edge cases, performance notes, or known limitations here -->

## Next Steps
1. Complete verification against the ${{ github.ref_name }} build
2. Check all boxes above
3. Approve the paused workflow run: Actions -> Select run -> Review deployments -> Approve
3. Approve the paused workflow run in Actions
4. This issue will auto-close upon successful release
CHECKLIST_EOF
CHECKLIST_END

EXISTS=$(gh issue list --label "release-verification" --state open --limit 1 --json number -q '.[0].number // empty')
if [ -z "$EXISTS" ]; then
gh issue create \
--title "Verify ${{ github.ref_name }}" \
--label "release-verification" \
--body-file /tmp/release-checklist.md \
--body-file /tmp/checklist.md \
--assignee "$GITHUB_ACTOR"
fi
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

tagged-release:
name: "Build Release"
runs-on: ubuntu-latest
needs: prepare-verification
environment: release-gate

steps:
- uses: actions/checkout@v4

- name: Set up JDK 25
uses: actions/setup-java@v4
with:
java-version: '25'
distribution: 'temurin'
cache: maven

- name: Install dependencies for acknowledgments script
run: |
sudo apt-get update
sudo apt-get install -y jq curl

- name: Generate acknowledgments data
run: |
chmod +x scripts/generate-acknowledgments.sh
./scripts/generate-acknowledgments.sh
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

- name: Build
run: mvn verify -DskipTests

- name: Create bundle
run: mkdir staging && cp target/*.jar staging

- name: Upload packages
uses: actions/upload-artifact@v4
with:
name: Package
path: staging

- name: Login to Docker Hub
uses: docker/login-action@v2
with:
username: ${{ secrets.DOCKER_HUB_USERNAME }}
password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}

- name: Login to GitHub Container Registry
uses: docker/login-action@v2
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Set up QEMU
uses: docker/setup-qemu-action@v3

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3

- name: Docker meta for reitti
id: meta
uses: docker/metadata-action@v5
Expand All @@ -117,7 +122,7 @@ jobs:
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}},enable=${{ !contains(github.ref, '-beta') }}
type=semver,pattern={{major}},enable=${{ !contains(github.ref, '-beta') }}

- name: Build and push reitti image
uses: docker/build-push-action@v6
with:
Expand All @@ -126,7 +131,7 @@ jobs:
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}

- name: Docker meta for tile-cache
id: meta-tile-cache
uses: docker/metadata-action@v5
Expand All @@ -139,7 +144,7 @@ jobs:
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}},enable=${{ !contains(github.ref, '-beta') }}
type=semver,pattern={{major}},enable=${{ !contains(github.ref, '-beta') }}

- name: Build and push tile-cache image
uses: docker/build-push-action@v6
with:
Expand All @@ -148,15 +153,15 @@ jobs:
push: true
tags: ${{ steps.meta-tile-cache.outputs.tags }}
labels: ${{ steps.meta-tile-cache.outputs.labels }}

- name: Close verification issue on success
if: success()
run: |
ISSUE=$(gh issue list --label "release-verification" --state open --limit 1 --json number -q '.[0].number')
[ -n "$ISSUE" ] && gh issue close "$ISSUE" --comment "Released via workflow run #${{ github.run_id }}"
[ -n "$ISSUE" ] && gh issue close "$ISSUE" --comment "Released via workflow run #${{ github.run_id }}"
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

- name: Release
uses: softprops/action-gh-release@v2
if: github.ref_type == 'tag'
Expand All @@ -167,6 +172,6 @@ jobs:
files: |
staging/*.jar
LICENSE

- name: Update dependency graph
uses: advanced-security/maven-dependency-submission-action@571e99aab1055c2e71a1e2309b9691de18d6b7d6
uses: advanced-security/maven-dependency-submission-action@571e99aab1055c2e71a1e2309b9691de18d6b7d6
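Review bot: In the new `prepare-verification` job, `--title "Verify ${{ github.ref_name }}"` is substituted into the `run:` script before the shell parses it, so shell metacharacters in a tag or branch name would be interpreted as code rather than text. Because this job now runs ahead of the `release-gate` environment, that evaluation happens before any approval and with `GH_TOKEN` present in the step's environment. Pass the value through the step's `env:` instead, `REF_NAME: ${{ github.ref_name }}`, and reference it as `--title "Verify $REF_NAME"`. The `${{ github.sha }}` and `${{ github.ref_name }}` uses inside the quoted heredoc only land in the issue body file and are not shell-evaluated; the workflow trigger is outside this section, so who can choose the ref name should be confirmed there.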