diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 19888a49..6f73ea5b 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -8,16 +8,13 @@ on:
         type: string
         required: true
 
+permissions:
+  contents: read # Changelog commit operations use service account PAT
+
 env:
   CI_COMMIT_AUTHOR: hc-github-team-tf-provider-devex
   CI_COMMIT_EMAIL: github-team-tf-provider-devex@hashicorp.com
 
-permissions:
-  # Allow creating GitHub release
-  contents: write
-  # Allow closing associated milestone
-  issues: write
-
 jobs:
   changelog-version:
     runs-on: ubuntu-latest
@@ -26,6 +23,7 @@ jobs:
     steps:
       - id: changelog-version
         run: echo "version=$(echo "${{ inputs.versionNumber }}" | cut -c 2-)" >> "$GITHUB_OUTPUT"
+
   changelog:
     needs: changelog-version
     runs-on: ubuntu-latest
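Review bot: The top-level `contents: read` moves all write authority for the changelog and tag pushes onto the long-lived `TF_DEVEX_COMMIT_GITHUB_TOKEN` secret, but nothing in the workflow records what that credential may do, so a reader cannot tell whether the least-privilege intent of this hunk is actually met. Extend the inline comment, e.g. `contents: read # changelog/tag pushes use the service account PAT TF_DEVEX_COMMIT_GITHUB_TOKEN; keep it scoped to pushing to this repository only`. It is also worth a word here that per-job `permissions` blocks (the goreleaser job later in this diff) override this default, since the write scopes removed below did not disappear but moved.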
@@ -34,27 +32,27 @@ jobs:
         uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
         with:
           fetch-depth: 0
+          # Avoid persisting GITHUB_TOKEN credentials as they take priority over our service account PAT for `git push` operations
+          # More details: https://github.com/actions/checkout/blob/b4626ce19ce1106186ddf9bb20e706842f11a7c3/adrs/0153-checkout-v2.md#persist-credentials
+          persist-credentials: false
       - name: Batch changes
         uses: miniscruff/changie-action@b6d52c80deb236a5b548f8774cd5a18b87da9e9a # v1.0.1
         with:
           version: latest
           args: batch ${{ needs.changelog-version.outputs.version }}
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: Merge changes
         uses: miniscruff/changie-action@b6d52c80deb236a5b548f8774cd5a18b87da9e9a # v1.0.1
         with:
           version: latest
           args: merge
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: Git push changelog
         run: |
           git config --global user.name "${{ env.CI_COMMIT_AUTHOR }}"
           git config --global user.email "${{ env.CI_COMMIT_EMAIL }}"
           git add .
           git commit -a -m "Update changelog"
-          git push
+          git push "https://${{ env.CI_COMMIT_AUTHOR }}:${{ secrets.TF_DEVEX_COMMIT_GITHUB_TOKEN }}@github.com/${{ github.repository }}.git"
+
   release-tag:
     needs: changelog
     runs-on: ubuntu-latest
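Review bot: The added `git push` line interpolates the PAT into the remote URL on the command line, so the secret sits in the shell process arguments (readable from `/proc/<pid>/cmdline` by any other process on the runner) and may surface in git error or trace output, where only the Actions log masking keeps it hidden. actions/checkout can hold this credential itself: pass `token: ${{ secrets.TF_DEVEX_COMMIT_GITHUB_TOKEN }}` in the checkout `with:` block, drop `persist-credentials: false`, and keep the original plain `git push`, so the PAT is stored in the local git config instead of being typed into the script. The `release-tag` job in the next hunk uses the same URL-embedded pattern and should change the same way.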
@@ -63,30 +61,44 @@ jobs:
         uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
         with:
           fetch-depth: 0
+          # Default input is the SHA that initially triggered the workflow. As we created a new commit in the previous job,
+          # to ensure we get the latest commit we use the ref for checkout: 'refs/heads/'
+          ref: ${{ github.ref }}
+          # Avoid persisting GITHUB_TOKEN credentials as they take priority over our service account PAT for `git push` operations
+          # More details: https://github.com/actions/checkout/blob/b4626ce19ce1106186ddf9bb20e706842f11a7c3/adrs/0153-checkout-v2.md#persist-credentials
+          persist-credentials: false
+
       - name: Git push release tag
         run: |
           git config --global user.name "${{ env.CI_COMMIT_AUTHOR }}"
           git config --global user.email "${{ env.CI_COMMIT_EMAIL }}"
-          git pull
+
           git tag "${{ inputs.versionNumber }}"
-          git push origin "${{ inputs.versionNumber }}"
+          git push "https://${{ env.CI_COMMIT_AUTHOR }}:${{ secrets.TF_DEVEX_COMMIT_GITHUB_TOKEN }}@github.com/${{ github.repository }}.git" "${{ inputs.versionNumber }}"
+
   goreleaser:
     needs: [ changelog-version, changelog, release-tag ]
     runs-on: ubuntu-latest
+    permissions:
+      contents: write # Needed for goreleaser to create GitHub release
+      issues: write # Needed for goreleaser to close associated milestone
     steps:
       - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
         with:
           ref: ${{ inputs.versionNumber }}
           fetch-depth: 0
+
       - uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
         with:
           go-version-file: 'go.mod'
+
       - name: Generate Release Notes
         run: |
           cd .changes
           sed -e "1{/# /d;}" -e "2{/^$/d;}" ${{ needs.changelog-version.outputs.version }}.md > /tmp/release-notes.txt
+
       - uses: goreleaser/goreleaser-action@f82d6c1c344bcacabba2c841718984797f664a6b # v4.2.0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
-          args: release --release-notes /tmp/release-notes.txt --rm-dist
+          args: release --release-notes /tmp/release-notes.txt --clean
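Review bot: The tag is created on whatever `${{ github.ref }}` resolves to when this job checks out, not on the changelog commit the previous job just pushed, so a commit landing on the branch between the two jobs is what gets tagged and then built by the goreleaser job, which checks out `ref: ${{ inputs.versionNumber }}`. Have the `changelog` job expose the pushed SHA as an output (`echo "sha=$(git rev-parse HEAD)" >> "$GITHUB_OUTPUT"`) and use `ref: ${{ needs.changelog.outputs.sha }}` here so the tag pins exactly that commit. Separately, `inputs.versionNumber` is expanded by the expression engine straight into the `run:` script text (the context `git tag` line and the added `git push` line); passing it through `env:` and referencing `"$VERSION_NUMBER"` keeps the workflow_dispatch input out of the shell source. The `changelog-version` job in the first hunk has the same inline expansion in its `run:` line.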