google-github-actions · sethvargo · Dec 14, 2021 · Dec 14, 2021
@@ -0,0 +1,58 @@
+name: 'tag'
+
+on:
+  push:
+    tags:
+    # match vx.y and v x.y.z.w... but not vx
+    - 'v[0-9]+.*'
+
+jobs:
+  # pointer parses the incoming tag value and updates the "vX" pointer to the
+  # same SHA as this tag.
+  pointer:
+    name: 'pointer'
+    runs-on: 'ubuntu-latest'
+    steps:
+    - uses: 'actions/github-script@v5'
+      with:
+        script: |-
+          const tag = process.env.GITHUB_REF_NAME;
+          if(!tag) {
+            core.setFailed(`Missing tag!`)
+            return
+          }
+          core.info(`Using tag "${tag}"`)
+
+          const matches = tag.match(/(v[0-9]+).*/)
+          if(!matches || matches.length < 2) {
+            core.setFailed(`Invalid tag "${tag}"`)
+            return
+          }
+          const major = matches[1];
+          core.info(`Matched to major tag "${major}"`)
+
+          // Try to update the ref first. If that fails, it probably does not
+          // exist yet, and we should create it.
+          try {
+            await github.rest.git.updateRef({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              ref: `tags/${major}`,
+              sha: context.sha,
+              force: true,
+            })
+
+            core.info(`Updated "${major}" to "${tag}" (${context.sha})`)
+          } catch {
+            core.warning(`Failed to update "${major}" tag (it may not `+
+              `exist). Trying to create "${major}" now.`)
+
+            await github.rest.git.createRef({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              ref: `refs/tags/${major}`,
+              sha: context.sha,
+            })
+
+            core.info(`Created "${major}" at "${tag}" (${context.sha})`)
+          }
@@ -37,23 +37,30 @@ later steps.
 ## Usage
 
 ```yaml
-steps:
-- id: auth
-  uses: google-github-actions/auth@v0.4.0
-  with:
-    workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider'
-    service_account: 'my-service-account@my-project.iam.gserviceaccount.com'
-- id: secrets
-  uses: google-github-actions/get-secretmanager-secrets@v0.2.2
-  with:
-    secrets: |-
-      token:my-project/docker-registry-token
-
-# Example of using the output
-- id: publish
-  uses: foo/bar@master
-  env:
-    TOKEN: ${{ steps.secrets.outputs.token }}
+jobs:
+  job_id:
+    permissions:
+      contents: 'read'
+      id-token: 'write'
+
+    steps:
+    - id: 'auth'
+      uses: 'google-github-actions/auth@v0'
+      with:
+        workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider'
+        service_account: 'my-service-account@my-project.iam.gserviceaccount.com'
+
+    - id: 'secrets'
+      uses: 'google-github-actions/get-secretmanager-secrets@v0'
+      with:
+        secrets: |-
+          token:my-project/docker-registry-token
+
+    # Example of using the output
+    - id: 'publish'
+      uses: 'foo/bar@master'
+      env:
+        TOKEN: '${{ steps.secrets.outputs.token }}'
 ```
 
 
@@ -99,21 +106,24 @@ will be available at that output in future build steps.
 For example:
 
 ```yaml
-steps:
-- id: secrets
-  uses: google-github-actions/get-secretmanager-secrets@main
-  with:
-    secrets: |-
-      token:my-project/docker-registry-token
+jobs:
+  job_id:
+    steps:
+    - id: 'secrets'
+      uses: 'google-github-actions/get-secretmanager-secrets@v0'
+      with:
+        secrets: |-
+          token:my-project/docker-registry-token
 ```
 
 will be available in future steps as the output "token":
 
 ```yaml
-- id: publish
-  uses: foo/bar@master
+# other step
+- id: 'publish'
+  uses: 'foo/bar@master'
   env:
-    TOKEN: ${{ steps.secrets.outputs.token }}
+    TOKEN: '${{ steps.secrets.outputs.token }}'
 ```
 
 
@@ -132,32 +142,46 @@ See [usage](https://github.com/google-github-actions/auth#usage) for more detail
 #### Authenticating via Workload Identity Federation
 
 ```yaml
-- uses: actions/checkout@v2
-- id: auth
-  uses: google-github-actions/auth@v0.4.0
-  with:
-    workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider'
-    service_account: 'my-service-account@my-project.iam.gserviceaccount.com'
-- id: secrets
-  uses: google-github-actions/get-secretmanager-secrets@v0.2.2
-  with:
-    secrets: |-
-      token:my-project/docker-registry-token
+jobs:
+  job_id:
+    permissions:
+      contents: 'read'
+      id-token: 'write'
+
+    steps:
+    - uses: 'actions/checkout@v2'
+
+    - id: 'auth'
+      uses: 'google-github-actions/auth@v0'
+      with:
+        workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider'
+        service_account: 'my-service-account@my-project.iam.gserviceaccount.com'
+
+    - id: 'secrets'
+      uses: 'google-github-actions/get-secretmanager-secrets@v0'
+      with:
+        secrets: |-
+          token:my-project/docker-registry-token
 ```
 
 #### Authenticating via Service Account Key JSON
 
 ```yaml
-- uses: actions/checkout@v2
-- id: auth
-  uses: google-github-actions/auth@v0.4.0
-  with:
-    credentials_json: ${{ secrets.gcp_credentials }}
-- id: secrets
-  uses: google-github-actions/get-secretmanager-secrets@v0.2.2
-  with:
-    secrets: |-
-      token:my-project/docker-registry-token
+jobs:
+  job_id:
+    steps:
+    - uses: 'actions/checkout@v2'
+
+    - id: 'auth'
+      uses: 'google-github-actions/auth@v0'
+      with:
+        credentials_json: '${{ secrets.gcp_credentials }}'
+
+    - id: 'secrets'
+      uses: 'google-github-actions/get-secretmanager-secrets@v0'
+      with:
+        secrets: |-
+          token:my-project/docker-registry-token
 ```
 
 ### Via Application Default Credentials
@@ -168,8 +192,11 @@ authenticate requests as the service account attached to the instance. **This
 only works using a custom runner hosted on GCP.**
 
 ```yaml
-- id: secrets
-  uses: google-github-actions/get-secretmanager-secrets@main
+jobs:
+  job_id:
+    steps:
+    - id: 'secrets'
+      uses: 'google-github-actions/get-secretmanager-secrets@v0'
 ```
 
 The action will automatically detect and use the Application Default