
Commit 1cc6047

authored
GHA: Use workflow_dispatch (#394)
1 parent a08fa77 commit 1cc6047

5 files changed

Lines changed: 54 additions & 146 deletions


.github/labeler.yml

Lines changed: 0 additions & 8 deletions
This file was deleted.

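--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -1,3 +1,2 @@
-- [ ] Labeled the PR with `patch`, `minor`, or `major` to request a version bump when it's merged.
 - [ ] Updated the user manual in `docs/`.
 - [ ] Added integration / regression tests in `tests/`.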

.github/workflows/label-prs.yaml

Lines changed: 0 additions & 56 deletions
This file was deleted.

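--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -1,13 +1,14 @@
 ---
 # This workflow runs when PRs are merged and tags/builds/publishes a release.
 
-# Run when PRs to main are closed.
+# Run when PRs to main are closed or when manually triggered.
 on:
 pull_request:
 types:
 - closed
 branches:
 - main
+workflow_dispatch:
 
 name: Build and publish a release
 
@@ -16,15 +17,17 @@ jobs:
 # workflow on merged PRs.
 if_merged:
 name: Check that PR was merged and not closed
-if: github.event.pull_request.merged == true
-&& contains(github.event.pull_request.labels.*.name, 'release')
+if: github.event_name == 'workflow_dispatch'
+|| (github.event.pull_request.merged == true
+&& contains(github.event.pull_request.labels.*.name, 'release'))
 runs-on: ubuntu-latest
 steps:
 - run: |
 echo "This is a canonical hack to run GitHub Actions on merged PRs"
 echo "See: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#running-your-pull_request-workflow-when-a-pull-request-merges"
 
 - name: Comment on PR with link to this action
+if: github.event_name == 'pull_request'
 uses: peter-evans/create-or-update-comment@67dcc547d311b736a8e6c5c236542148a47adc3d # v2.1.1
 with:
 issue-number: ${{ github.event.pull_request.number }}
@@ -66,6 +69,9 @@ jobs:
 strategy:
 matrix:
 os: [ubuntu-latest, macos-latest]
+environment: release
+permissions:
+id-token: write # See: rust-lang/crates-io-auth-action
 steps:
 - name: Checkout code
 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
@@ -145,10 +151,13 @@ jobs:
 target/ghciwatch-aarch64-linux
 target/ghciwatch-user-manual.tar.xz
 
+- uses: rust-lang/crates-io-auth-action@v1
+id: auth
+
 - name: Publish to crates.io
 if: runner.os == 'Linux'
 env:
-CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
+CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }}
 run: |
 nix run .#cargo -- publish --no-verify
 
@@ -159,12 +168,24 @@ jobs:
 - if_merged
 - build
 - version
+environment: release
+permissions:
+contents: write
+issues: write
+pull-requests: write
 steps:
+# See: https://github.com/peter-evans/create-pull-request/blob/main/docs/concepts-guidelines.md#authenticating-with-github-app-generated-tokens
+- uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
+id: generate_token
+with:
+app-id: ${{ secrets.APP_ID }}
+private-key: ${{ secrets.APP_PRIVATE_KEY }}
+
 - name: Tag the release
 uses: mathieudutour/github-tag-action@d745f2e74aaf1ee82e747b181f7a0967978abee0 # v6.0
 with:
-github_token: ${{ secrets.GITHUB_TOKEN }}
-commit_sha: ${{ github.event.pull_request.merge_commit_sha }}
+github_token: ${{ steps.generate_token.outputs.token }}
+commit_sha: ${{ github.sha }}
 custom_tag: ${{ needs.version.outputs.version }}
 
 - name: Download artifacts
@@ -185,9 +206,8 @@ jobs:
 - name: Create release
 id: create_release
 uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
-env:
-GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 with:
+token: ${{ steps.generate_token.outputs.token }}
 draft: false
 prerelease: false
 generate_release_notes: true
@@ -199,8 +219,10 @@ jobs:
 linux/ghciwatch-user-manual.tar.xz
 
 - name: Comment on PR with link to the release
+if: github.event_name == 'pull_request'
 uses: peter-evans/create-or-update-comment@67dcc547d311b736a8e6c5c236542148a47adc3d # v2.1.1
 with:
+token: ${{ steps.generate_token.outputs.token }}
 issue-number: ${{ github.event.pull_request.number }}
 body: |
 [Release ${{ needs.version.outputs.version }}][release] was built and published successfully!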
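Review bot: The `if_merged` gate now passes for every `workflow_dispatch` run regardless of ref, and the tag step uses `commit_sha: ${{ github.sha }}`, so a manual run started from a branch other than `main` would tag and publish that branch's head unless the `release` environment restricts deployment branches (its settings are not visible here). Putting the ref in the condition makes the restriction part of the workflow itself: `if: (github.event_name == 'workflow_dispatch' && github.ref == 'refs/heads/main')`, followed by the existing `|| (… merged … 'release')` clause. Separately, `rust-lang/crates-io-auth-action@v1` is the only action in the visible hunks referenced by a mutable tag rather than a full commit SHA, and it runs in the job granted `id-token: write` and yields the crates.io publish token; pin it like the others, `uses: rust-lang/crates-io-auth-action@<full-commit-sha> # v1.x.y`. The auth step also has no `if: runner.os == 'Linux'` like the publish step that consumes its output, so it presumably mints a token on the macOS matrix leg where it is never used.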

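--- a/.github/workflows/version.yaml
+++ b/.github/workflows/version.yaml
@@ -1,67 +1,34 @@
 ---
-# This workflow runs when PRs labeled `major`, `minor`, or `patch` are closed
-# and increments version numbers. Then, it opens a PR labeled `release` for the
-# changes. When that PR is merged, a release is created (see `release.yaml`).
-#
-# Are you here because I left Mercury and now my personal access token is
-# invalid for workflows, breaking CI? You'll want to go to
-# https://github.com/MercuryTechnologies/ghciwatch/settings/secrets/actions
-# and update the `REPO_GITHUB_TOKEN` secret to a new, valid token.
-
+# This workflow is triggered manually to increment version numbers and open a
+# release PR. When that PR is merged, a release is created (see `release.yaml`).
 on:
-pull_request_target:
-types:
-- closed
-branches:
-- main
+workflow_dispatch:
+inputs:
+bump_type:
+description: Version bump type
+required: true
+type: choice
+options:
+- patch
+- minor
+- major
+default: patch
 
 name: Update versions and create release PR
 
 jobs:
-# We make `if_merged` a `needs:` of the other jobs here to only run this
-# workflow on merged PRs.
-if_merged:
-name: Check that PR was merged and not closed
-if: github.event.pull_request.merged == true
-&& ( contains(github.event.pull_request.labels.*.name, 'major')
-|| contains(github.event.pull_request.labels.*.name, 'minor')
-|| contains(github.event.pull_request.labels.*.name, 'patch')
-)
-runs-on: ubuntu-latest
-steps:
-- run: |
-echo "This is a canonical hack to run GitHub Actions on merged PRs"
-echo "See: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#running-your-pull_request-workflow-when-a-pull-request-merges"
-
-bump_type:
-name: Determine version bump type
-needs: if_merged
-runs-on: ubuntu-latest
-outputs:
-bump_type: ${{ steps.bump_type.outputs.bump_type }}
-steps:
-- name: Set output
-id: bump_type
-env:
-is_major: ${{ contains(github.event.pull_request.labels.*.name, 'major') }}
-is_minor: ${{ contains(github.event.pull_request.labels.*.name, 'minor') }}
-is_patch: ${{ contains(github.event.pull_request.labels.*.name, 'patch') }}
-run: |
-if [[ "$is_major" == "true" ]]; then
-echo "bump_type=major" >> "$GITHUB_OUTPUT"
-elif [[ "$is_minor" == "true" ]]; then
-echo "bump_type=minor" >> "$GITHUB_OUTPUT"
-elif [[ "$is_patch" == "true" ]]; then
-echo "bump_type=patch" >> "$GITHUB_OUTPUT"
-fi
-
 version:
 name: Bump version and create release PR
-needs:
-- if_merged
-- bump_type
 runs-on: ubuntu-latest
+environment: version-bump
 steps:
+# See: https://github.com/peter-evans/create-pull-request/blob/main/docs/concepts-guidelines.md#authenticating-with-github-app-generated-tokens
+- uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
+id: generate_token
+with:
+app-id: ${{ secrets.APP_ID }}
+private-key: ${{ secrets.APP_PRIVATE_KEY }}
+
 - name: Checkout
 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 with:
@@ -80,7 +47,7 @@ jobs:
 run: echo "version=$(nix run .#get-crate-version)" >> "$GITHUB_OUTPUT"
 
 - name: Increment `Cargo.toml` version
-run: nix run .#make-release-commit -- ${{ needs.bump_type.outputs.bump_type }}
+run: nix run .#make-release-commit -- ${{ inputs.bump_type }}
 
 - name: Get new version number
 id: new_cargo_metadata
@@ -90,17 +57,10 @@ jobs:
 id: release_pr
 uses: peter-evans/create-pull-request@4e1beaa7521e8b457b572c090b25bd3db56bf1c5 # v5.0.3
 with:
-# We push with the repo-scoped GitHub token to avoid branch
-# protections. This token is tied to my account (@9999years) which is
-# excluded from branch protection restrictions.
-#
-# I'd love a better way of implementing this but GitHub doesn't have
-# one: https://github.com/github-community/community/discussions/13836
-#
-# Also, PRs created with the default `secrets.GITHUB_TOKEN` won't
+# PRs created with the default `secrets.GITHUB_TOKEN` won't
 # trigger `pull_request` workflows, so regular CI won't run either.
 # See: https://github.com/orgs/community/discussions/65321
-token: ${{ secrets.REPO_GITHUB_TOKEN }}
+token: ${{ steps.generate_token.outputs.token }}
 branch: release/${{ steps.new_cargo_metadata.outputs.version }}
 delete-branch: true
 base: main
@@ -109,12 +69,3 @@ jobs:
 Update version to ${{ steps.new_cargo_metadata.outputs.version }} with [cargo-release](https://github.com/crate-ci/cargo-release).
 Merge this PR to build and publish a new release.
 labels: release
-
-- name: Comment on PR with link to release PR
-uses: peter-evans/create-or-update-comment@67dcc547d311b736a8e6c5c236542148a47adc3d # v2.1.1
-with:
-issue-number: ${{ github.event.pull_request.number }}
-body: |
-[A PR to release these changes has been created, bumping the version from ${{ steps.old_cargo_metadata.outputs.version }} to ${{ steps.new_cargo_metadata.outputs.version }}.][pr]
-
-[pr]: ${{ steps.release_pr.outputs.pull-request-url }}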
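Review bot: In the step that increments the Cargo.toml version, `${{ inputs.bump_type }}` is expanded into the `run:` script text before the shell parses it. The `choice` type limits the accepted values today, but passing the input through the environment keeps the command safe if the input is ever loosened to a free-form string: add `env:` with `BUMP_TYPE: ${{ inputs.bump_type }}` and change the command to `run: nix run .#make-release-commit -- "$BUMP_TYPE"`. The `version` job also declares no `permissions:` block, unlike the jobs this commit touches in `release.yaml`, so the default `GITHUB_TOKEN` keeps whatever the repository default grants even though the release PR is created with the App token. A job-level `permissions:` with `contents: read` is presumably enough; confirm against the checkout step, whose `with:` block continues outside the hunk.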
