Update release workflow to work with new branch protections (#229)

hashicorp · Mar 2, 2023 · add1581 · add1581
1 parent 79a603e
commit add1581
Showing 1 changed file with 26 additions and 14 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -8,16 +8,13 @@ on:
         type: string
         required: true
 
+permissions:
+  contents: read # Changelog commit operations use service account PAT
+
 env:
   CI_COMMIT_AUTHOR: hc-github-team-tf-provider-devex
   CI_COMMIT_EMAIL: github-team-tf-provider-devex@hashicorp.com
 
-permissions:
-  # Allow creating GitHub release
-  contents: write
-  # Allow closing associated milestone
-  issues: write
-
 jobs:
   changelog-version:
     runs-on: ubuntu-latest
@@ -26,6 +23,7 @@ jobs:
     steps:
       - id: changelog-version
         run: echo "version=$(echo "${{ inputs.versionNumber }}" | cut -c 2-)" >> "$GITHUB_OUTPUT"
+
   changelog:
     needs: changelog-version
     runs-on: ubuntu-latest
@@ -34,27 +32,27 @@ jobs:
         uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
         with:
           fetch-depth: 0
+          # Avoid persisting GITHUB_TOKEN credentials as they take priority over our service account PAT for `git push` operations
+          # More details: https://github.com/actions/checkout/blob/b4626ce19ce1106186ddf9bb20e706842f11a7c3/adrs/0153-checkout-v2.md#persist-credentials
+          persist-credentials: false
       - name: Batch changes
         uses: miniscruff/changie-action@b6d52c80deb236a5b548f8774cd5a18b87da9e9a # v1.0.1
         with:
           version: latest
           args: batch ${{ needs.changelog-version.outputs.version }}
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: Merge changes
         uses: miniscruff/changie-action@b6d52c80deb236a5b548f8774cd5a18b87da9e9a # v1.0.1
         with:
           version: latest
           args: merge
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: Git push changelog
         run: |
           git config --global user.name "${{ env.CI_COMMIT_AUTHOR }}"
           git config --global user.email "${{ env.CI_COMMIT_EMAIL }}"
           git add .
           git commit -a -m "Update changelog"
-          git push
+          git push "https://${{ env.CI_COMMIT_AUTHOR }}:${{ secrets.TF_DEVEX_COMMIT_GITHUB_TOKEN }}@github.com/${{ github.repository }}.git"
+
   release-tag:
     needs: changelog
     runs-on: ubuntu-latest
@@ -63,30 +61,44 @@ jobs:
         uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
         with:
           fetch-depth: 0
+          # Default input is the SHA that initially triggered the workflow. As we created a new commit in the previous job,
+          # to ensure we get the latest commit we use the ref for checkout: 'refs/heads/<branch_name>'
+          ref: ${{ github.ref }}
+          # Avoid persisting GITHUB_TOKEN credentials as they take priority over our service account PAT for `git push` operations
+          # More details: https://github.com/actions/checkout/blob/b4626ce19ce1106186ddf9bb20e706842f11a7c3/adrs/0153-checkout-v2.md#persist-credentials
+          persist-credentials: false
+
       - name: Git push release tag
         run: |
           git config --global user.name "${{ env.CI_COMMIT_AUTHOR }}"
           git config --global user.email "${{ env.CI_COMMIT_EMAIL }}"
-          git pull
+          
           git tag "${{ inputs.versionNumber }}"
-          git push origin "${{ inputs.versionNumber }}"
+          git push "https://${{ env.CI_COMMIT_AUTHOR }}:${{ secrets.TF_DEVEX_COMMIT_GITHUB_TOKEN }}@github.com/${{ github.repository }}.git" "${{ inputs.versionNumber }}"
+
   goreleaser:
     needs: [ changelog-version, changelog, release-tag ]
     runs-on: ubuntu-latest
+    permissions:
+      contents: write # Needed for goreleaser to create GitHub release
+      issues: write # Needed for goreleaser to close associated milestone
     steps:
       - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
         with:
           ref: ${{ inputs.versionNumber }}
           fetch-depth: 0
+
       - uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
         with:
           go-version-file: 'go.mod'
+
       - name: Generate Release Notes
         run: |
           cd .changes
           sed -e "1{/# /d;}" -e "2{/^$/d;}" ${{ needs.changelog-version.outputs.version }}.md > /tmp/release-notes.txt
+
       - uses: goreleaser/goreleaser-action@f82d6c1c344bcacabba2c841718984797f664a6b # v4.2.0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
-          args: release --release-notes /tmp/release-notes.txt --rm-dist
+          args: release --release-notes /tmp/release-notes.txt --clean