diff --git a/.github/workflows/plan-release.yml b/.github/workflows/plan-release.yml index 6bf0b95a..28a33feb 100644 --- a/.github/workflows/plan-release.yml +++ b/.github/workflows/plan-release.yml @@ -3,7 +3,6 @@ on: push: branches: - main - - master pull_request_target: # This workflow has permissions on the repo, do NOT run code from PRs in this workflow. See https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ types: - labeled @@ -14,8 +13,8 @@ concurrency: cancel-in-progress: true jobs: - check-plan: - name: "Check Release Plan" + is-this-a-release: + name: "Is this a release?" runs-on: ubuntu-latest outputs: command: ${{ steps.check-release.outputs.command }} @@ -23,27 +22,25 @@ jobs: steps: - uses: actions/checkout@v4 with: - fetch-depth: 0 - ref: "main" - # This will only cause the `check-plan` job to have a "command" of `release` + fetch-depth: 2 + ref: 'main' + # This will only cause the `is-this-a-release` job to have a "command" of `release` # when the .release-plan.json file was changed on the last commit. - id: check-release run: if git diff --name-only HEAD HEAD~1 | grep -w -q ".release-plan.json"; then echo "command=release"; fi >> $GITHUB_OUTPUT - prepare_release_notes: - name: Prepare Release Notes + create-prepare-release-pr: + name: Create Prepare Release PR runs-on: ubuntu-latest timeout-minutes: 5 - needs: check-plan + needs: is-this-a-release permissions: contents: write issues: read pull-requests: write - outputs: - explanation: ${{ steps.explanation.outputs.text }} - # only run on push event if plan wasn't updated (don't create a release plan when we're releasing) + # only run on push event or workflow dispatch if plan wasn't updated (don't create a release plan when we're releasing) # only run on labeled event if the PR has already been merged - if: (github.event_name == 'push' && needs.check-plan.outputs.command != 'release') || (github.event_name == 'pull_request_target' && github.event.pull_request.merged == true) + if: ((github.event_name == 'push' || github.event_name == 'workflow_dispatch') && needs.is-this-a-release.outputs.command != 'release') || (github.event_name == 'pull_request_target' && github.event.pull_request.merged == true) steps: - uses: actions/checkout@v4 @@ -51,7 +48,7 @@ jobs: # github-changelog can discover what's changed since the last release with: fetch-depth: 0 - ref: "main" + ref: 'main' - name: Setup uses: ./.github/actions/setup - name: "Generate Explanation and Prep Changelogs" @@ -61,24 +58,29 @@ jobs: pnpm release-plan prepare 2> >(tee -a release-plan-stderr.txt >&2) if [ $? -ne 0 ]; then - echo 'text<> $GITHUB_OUTPUT - cat release-plan-stderr.txt >> $GITHUB_OUTPUT - echo 'EOF' >> $GITHUB_OUTPUT + release_plan_output=$(cat release-plan-stderr.txt) else - echo 'text<> $GITHUB_OUTPUT - jq .description .release-plan.json -r >> $GITHUB_OUTPUT - echo 'EOF' >> $GITHUB_OUTPUT + release_plan_output=$(jq .description .release-plan.json -r) rm release-plan-stderr.txt + + if [ $(jq '.solution | length' .release-plan.json) -eq 1 ]; then + new_version=$(jq -r '.solution[].newVersion' .release-plan.json) + echo "new_version=v$new_version" >> $GITHUB_OUTPUT + fi fi + echo 'text<> $GITHUB_OUTPUT + echo "$release_plan_output" >> $GITHUB_OUTPUT + echo 'EOF' >> $GITHUB_OUTPUT env: GITHUB_AUTH: ${{ secrets.GITHUB_TOKEN }} - uses: peter-evans/create-pull-request@v7 with: - commit-message: "Prepare Release using 'release-plan'" + commit-message: "Prepare Release ${{ steps.explanation.outputs.new_version}} using 'release-plan'" labels: "internal" + sign-commits: true branch: release-preview - title: Prepare Release + title: Prepare Release ${{ steps.explanation.outputs.new_version }} body: | This PR is a preview of the release that [release-plan](https://github.com/embroider-build/release-plan) has prepared. To release you should just merge this PR 👍 diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 743954dc..1010dfd9 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -1,6 +1,5 @@ -# For every push to the master branch, this checks if the release-plan was -# updated and if it was it will publish stable npm packages based on the -# release plan +# For every push to the primary branch with .release-plan.json modified, +# runs release-plan. name: Publish Stable @@ -9,45 +8,29 @@ on: push: branches: - main - - master + paths: + - '.release-plan.json' concurrency: group: publish-${{ github.head_ref || github.ref }} cancel-in-progress: true jobs: - check-plan: - name: "Check Release Plan" - runs-on: ubuntu-latest - outputs: - command: ${{ steps.check-release.outputs.command }} - - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 0 - ref: "main" - # This will only cause the `check-plan` job to have a result of `success` - # when the .release-plan.json file was changed on the last commit. This - # plus the fact that this action only runs on main will be enough of a guard - - id: check-release - run: if git diff --name-only HEAD HEAD~1 | grep -w -q ".release-plan.json"; then echo "command=release"; fi >> $GITHUB_OUTPUT - publish: - name: "NPM Publish" + name: NPM Publish runs-on: ubuntu-latest - needs: check-plan - if: needs.check-plan.outputs.command == 'release' permissions: contents: write pull-requests: write + id-token: write + attestations: write steps: - uses: actions/checkout@v4 - name: Setup uses: ./.github/actions/setup - - name: npm publish - run: pnpm release-plan publish + - name: Publish to NPM + run: NPM_CONFIG_PROVENANCE=true pnpm release-plan publish env: GITHUB_AUTH: ${{ secrets.GITHUB_TOKEN }} NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}