release #33
| name: release | |
| on: | |
| workflow_dispatch: | |
| push: | |
| branches: | |
| - main | |
| paths: | |
| - lib/hooks/version.rb | |
| permissions: {} | |
| jobs: | |
| build: | |
| if: github.repository == 'github/hooks' | |
| permissions: | |
| contents: read | |
| runs-on: ubuntu-latest | |
| outputs: | |
| artifact-id: ${{ steps.upload-artifact.outputs.artifact-id }} | |
| gem_name: ${{ steps.build.outputs.gem_name }} | |
| gem_version: ${{ steps.build.outputs.gem_version }} | |
| gem_path: ${{ steps.build.outputs.gem_path }} | |
| artifact_dir: ${{ steps.build.outputs.artifact_dir }} | |
| steps: | |
| - name: checkout | |
| uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # pin@v5.0.0 | |
| with: | |
| persist-credentials: false | |
| - uses: ruby/setup-ruby@ab177d40ee5483edb974554986f56b33477e21d0 # pin@v1.265.0 | |
| with: | |
| bundler-cache: false | |
| - name: bootstrap | |
| run: script/bootstrap | |
| # IMPORTANT: this step MUST export for the following outputs: | |
| # gem_name: the name of the gem - ex: "my-cool-gem" | |
| # gem_version: the version of the gem - ex: "1.0.0" | |
| # gem_path: the path/filename of the gem - ex: "my-cool-gem-1.0.0.gem" | |
| # artifact_dir: the path to the dir where artifacts are stored - ex: "dist" | |
| - name: build | |
| id: build | |
| run: script/build | |
| - name: upload artifact | |
| uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # pin@v4.6.2 | |
| id: upload-artifact | |
| with: | |
| name: ${{ steps.build.outputs.artifact_dir }} | |
| path: ${{ steps.build.outputs.artifact_dir }} | |
| if-no-files-found: error | |
| release: | |
| needs: build | |
| environment: release | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: write | |
| packages: write | |
| id-token: write | |
| steps: | |
| - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # pin@v5.0.0 | |
| with: | |
| persist-credentials: false | |
| - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # pin@v5.0.0 | |
| with: | |
| artifact-ids: ${{ needs.build.outputs.artifact-id }} | |
| path: ${{ needs.build.outputs.artifact_dir }} | |
| - name: view artifact | |
| env: | |
| ARTIFACT_PATH: ${{ needs.build.outputs.artifact_dir }} | |
| run: tree -L 2 -a --dirsfirst -C -F -h -D "${ARTIFACT_PATH}" | |
| - name: Publish to GitHub Packages | |
| env: | |
| OWNER: ${{ github.repository_owner }} | |
| GEM_NAME: ${{ needs.build.outputs.gem_name }} | |
| GEM_VERSION: ${{ needs.build.outputs.gem_version }} | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| ARTIFACT_PATH: ${{ needs.build.outputs.artifact_dir }} | |
| run: | | |
| GEM_HOST_API_KEY=${GITHUB_TOKEN} gem push --key github --host https://rubygems.pkg.github.com/${OWNER} $ARTIFACT_PATH/${GEM_NAME}-${GEM_VERSION}.gem | |
| - uses: ruby/setup-ruby@ab177d40ee5483edb974554986f56b33477e21d0 # pin@v1.265.0 | |
| with: | |
| bundler-cache: false | |
| - name: bootstrap | |
| run: script/bootstrap | |
| - name: Configure RubyGems Credentials | |
| uses: rubygems/configure-rubygems-credentials@23d6a54ecc9cbcdfeab01a03a15a7deabe34efc0 # pin@main | |
| - name: sign ruby gem | |
| env: | |
| GEM_NAME: ${{ needs.build.outputs.gem_name }} | |
| GEM_VERSION: ${{ needs.build.outputs.gem_version }} | |
| ARTIFACT_PATH: ${{ needs.build.outputs.artifact_dir }} | |
| run: bundle exec sigstore-cli sign ${ARTIFACT_PATH}/${GEM_NAME}-${GEM_VERSION}.gem --bundle ${GEM_NAME}-${GEM_VERSION}.sigstore.json | |
| - name: Publish to RubyGems | |
| env: | |
| GEM_NAME: ${{ needs.build.outputs.gem_name }} | |
| GEM_VERSION: ${{ needs.build.outputs.gem_version }} | |
| ARTIFACT_PATH: ${{ needs.build.outputs.artifact_dir }} | |
| run: gem push ${ARTIFACT_PATH}/${GEM_NAME}-${GEM_VERSION}.gem --attestation ${GEM_NAME}-${GEM_VERSION}.sigstore.json | |
| - name: await gem | |
| env: | |
| GEM_NAME: ${{ needs.build.outputs.gem_name }} | |
| GEM_VERSION: ${{ needs.build.outputs.gem_version }} | |
| run: bundle exec rubygems-await "${GEM_NAME}:${GEM_VERSION}" --timeout 300 | |
| - name: GitHub Release | |
| env: | |
| GEM_NAME: ${{ needs.build.outputs.gem_name }} | |
| GEM_VERSION: ${{ needs.build.outputs.gem_version }} | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| ARTIFACT_PATH: ${{ needs.build.outputs.artifact_dir }} | |
| run: | | |
| gh release create "v${GEM_VERSION}" \ | |
| "${ARTIFACT_PATH}/${GEM_NAME}-${GEM_VERSION}.gem" \ | |
| "${GEM_NAME}-${GEM_VERSION}.sigstore.json" \ | |
| --title "v${GEM_VERSION}" \ | |
| --generate-notes | |
| sign: | |
| needs: [build, release] | |
| runs-on: ubuntu-latest | |
| permissions: | |
| id-token: write | |
| attestations: write | |
| contents: read | |
| steps: | |
| - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # pin@v5.0.0 | |
| with: | |
| path: ${{ needs.build.outputs.artifact_dir }} | |
| artifact-ids: ${{ needs.build.outputs.artifact-id }} | |
| - name: attest build provenance | |
| uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # pin@v3.0.0 | |
| with: | |
| subject-path: "${{ needs.build.outputs.artifact_dir }}/${{ needs.build.outputs.gem_path }}" | |
| verify: | |
| permissions: {} | |
| needs: [build, release, sign] | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # pin@v5.0.0 | |
| with: | |
| path: ${{ needs.build.outputs.artifact_dir }} | |
| artifact-ids: ${{ needs.build.outputs.artifact-id }} | |
| - name: verify | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| OWNER: ${{ github.repository_owner }} | |
| REPO: ${{ github.event.repository.name }} | |
| ARTIFACT_PATH: "${{ needs.build.outputs.artifact_dir }}/${{ needs.build.outputs.gem_path }}" | |
| run: gh attestation verify "$ARTIFACT_PATH" --repo ${OWNER}/${REPO} --signer-workflow ${OWNER}/${REPO}/.github/workflows/release.yml |
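Review bot: The provenance attestation (`sign` job) and its check (`verify` job) run only after `release` has already pushed the gem to GitHub Packages and RubyGems and created the GitHub release, so a missing or failed attestation cannot block publication, and the "Publish to GitHub Packages" step additionally runs before the "sign ruby gem" sigstore step. If provenance is meant to gate the release, invert the dependency so that `sign` has `needs: build`, `verify` has `needs: [build, sign]`, and `release` has `needs: [build, sign, verify]`; both jobs only consume the build artifact and nothing from the published release, so the reorder looks safe, though confirm nothing in `script/bootstrap` or the attest step expects the GitHub release to exist. Separately, the three `release` steps reconstruct the file name as `${ARTIFACT_PATH}/${GEM_NAME}-${GEM_VERSION}.gem` while `sign` and `verify` use `needs.build.outputs.gem_path`; using `gem_path` in all of them keeps the name exported by `script/build` authoritative, and quoting those expansions the way the `gh release create` step already does avoids word-splitting if an output ever contains whitespace.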