fix: expand per-conversation secrets in plugin source/ref before fetch #427
Workflow file for this run
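---
name: Create GitHub Release

# Automatically create a GitHub release when a release PR is merged into main.
# This bridges the gap between merging the release PR and the pypi-release
# workflow (which triggers on release published).
#
# Trust boundary: the job is gated on the merged PR's head branch name only
# (`rel-` prefix here, strict X.Y.Z check in the first step), so the ability
# to merge such a PR into main is the ability to cut a release and dispatch
# the publishing workflows below.
# NOTE(review): confirm that branch protection on main covers this.

on:
  pull_request:
    types: [closed]
    branches: [main]

jobs:
  create-release:
    # Only run when a release PR is merged (not just closed)
    if: >
      github.event.pull_request.merged == true &&
      startsWith(github.event.pull_request.head.ref, 'rel-')
    runs-on: ubuntu-24.04
    # Token scopes are declared per job: `contents: write` for
    # `gh release create`, `actions: write` for `gh workflow run`.
    # `pull-requests: read` is presumably for the `gh search prs` call.
    permissions:
      actions: write
      contents: write
      pull-requests: read
    steps:
      - name: Extract version from branch name
        id: version
        env:
          # The branch name is chosen by the PR author, so it is passed
          # through the environment rather than expanded into the script.
          PR_HEAD_REF: ${{ github.event.pull_request.head.ref }}
        run: |
          BRANCH="$PR_HEAD_REF"
          VERSION="${BRANCH#rel-}"
          # Strict X.Y.Z match: every later step builds tag names and refs
          # from this value, so nothing else may pass.
          if ! [[ "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
            echo "❌ Could not extract valid version from branch: $BRANCH"
            exit 1
          fi
          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
          echo "📦 Version: $VERSION"

      - name: Check release does not already exist
        id: check
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          VERSION: ${{ steps.version.outputs.version }}
        run: |
          # GITHUB_REPOSITORY is the runner-provided default variable; using
          # it keeps workflow expressions out of the script text.
          if gh release view "v${VERSION}" --repo "$GITHUB_REPOSITORY" > /dev/null 2>&1; then
            echo "⚠️ Release v${VERSION} already exists, skipping"
            echo "exists=true" >> "$GITHUB_OUTPUT"
          else
            echo "exists=false" >> "$GITHUB_OUTPUT"
          fi

      - name: Find previous release tag
        if: steps.check.outputs.exists == 'false'
        id: prev_tag
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          PREV_TAG=$(gh release list --repo "$GITHUB_REPOSITORY" \
            --exclude-drafts --exclude-pre-releases --limit 1 \
            --json tagName --jq '.[0].tagName')
          echo "prev_tag=${PREV_TAG}" >> "$GITHUB_OUTPUT"
          echo "📌 Previous release tag: ${PREV_TAG:-<none>}"

      - name: Build release-note-required preamble
        if: steps.check.outputs.exists == 'false'
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PREAMBLE_PATH: release-note-preamble.md
          PREV_TAG: ${{ steps.prev_tag.outputs.prev_tag }}
        run: |
          python3 <<'PY'
          import json
          import os
          import subprocess
          from pathlib import Path

          repo = os.environ['GITHUB_REPOSITORY']
          prev_tag = os.environ.get('PREV_TAG', '').strip()
          preamble_path = Path(os.environ['PREAMBLE_PATH'])

          # Commands are argument lists (no shell), so values taken from the
          # environment or from the API cannot be re-parsed as shell syntax.
          # The search stops at 200 results; anything beyond that is omitted.
          args = [
              'gh',
              'search',
              'prs',
              '--repo',
              repo,
              '--state',
              'closed',
              '--merged',
              '--label',
              'release-note-required',
              '--limit',
              '200',
              '--json',
              'number,title,url,author',
          ]

          if prev_tag:
              # Only list PRs merged since the previous release was published.
              published_at = subprocess.check_output(
                  [
                      'gh',
                      'release',
                      'view',
                      prev_tag,
                      '--repo',
                      repo,
                      '--json',
                      'publishedAt',
                      '--jq',
                      '.publishedAt',
                  ],
                  text=True,
              ).strip()
              if published_at:
                  args.extend(['--merged-at', f'>={published_at}'])

          prs = json.loads(subprocess.check_output(args, text=True) or '[]')
          prs.sort(key=lambda pr: pr['number'])

          if not prs:
              # Empty file: the release step skips --notes when the file is empty.
              preamble_path.write_text('')
              raise SystemExit(0)

          lines = [
              '## Behavioral compatibility notes',
              '',
              'The following merged PRs were labeled `release-note-required` and are called out explicitly in this release:',
              '',
          ]
          for pr in prs:
              author = (pr.get('author') or {}).get('login')
              attribution = f' (@{author})' if author else ''
              # PR titles are contributor-written text and are copied verbatim,
              # so any Markdown in a title is rendered in the release notes.
              lines.append(
                  f"- [#{pr['number']}]({pr['url']}) {pr['title']}{attribution}"
              )
          lines.append('')
          preamble_path.write_text('\n'.join(lines))
          PY

      - name: Create GitHub Release
        if: steps.check.outputs.exists == 'false'
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PREAMBLE_PATH: release-note-preamble.md
          VERSION: ${{ steps.version.outputs.version }}
          PREV_TAG: ${{ steps.prev_tag.outputs.prev_tag }}
          # Event data reaches the script as data, not as script text.
          MERGE_COMMIT_SHA: ${{ github.event.pull_request.merge_commit_sha }}
        run: |
          # Optional flags are built as arrays so that empty ones expand to
          # nothing and populated ones stay correctly quoted.
          NOTES_START_FLAG=()
          if [ -n "$PREV_TAG" ]; then
            NOTES_START_FLAG=(--notes-start-tag "$PREV_TAG")
          fi
          PREAMBLE_FLAG=()
          if [ -s "$PREAMBLE_PATH" ]; then
            PREAMBLE_FLAG=(--notes "$(cat "$PREAMBLE_PATH")")
          fi
          # The tag is pinned to the merge commit of the release PR.
          gh release create "v${VERSION}" \
            --repo "$GITHUB_REPOSITORY" \
            --target "$MERGE_COMMIT_SHA" \
            --title "v${VERSION}" \
            --generate-notes \
            "${PREAMBLE_FLAG[@]}" \
            "${NOTES_START_FLAG[@]}"
          echo "✅ Release v${VERSION} created!"
          echo "🔗 https://github.com/${GITHUB_REPOSITORY}/releases/tag/v${VERSION}"

      - name: Dispatch PyPI release workflow
        if: steps.check.outputs.exists == 'false'
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          VERSION: ${{ steps.version.outputs.version }}
        run: |
          gh workflow run pypi-release.yml \
            --repo "$GITHUB_REPOSITORY" \
            --ref "v${VERSION}"
          echo "🚀 Dispatched pypi-release.yml for v${VERSION}"

      - name: Dispatch Agent Server image build
        # server.yml builds versioned Docker images (e.g. 1.21.0-python) when
        # triggered on a tag ref. Tags created by GITHUB_TOKEN don't trigger
        # workflow runs automatically, so we dispatch it explicitly here.
        if: steps.check.outputs.exists == 'false'
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          VERSION: ${{ steps.version.outputs.version }}
        run: |
          gh workflow run server.yml \
            --repo "$GITHUB_REPOSITORY" \
            --ref "v${VERSION}"
          echo "🐳 Dispatched server.yml image build for v${VERSION}"

      - name: Dispatch release binaries workflow
        # Same GITHUB_TOKEN limitation applies to release-binaries.yml
        # which triggers on release:published events.
        if: steps.check.outputs.exists == 'false'
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          VERSION: ${{ steps.version.outputs.version }}
        run: |
          gh workflow run release-binaries.yml \
            --repo "$GITHUB_REPOSITORY" \
            --ref "v${VERSION}" \
            -f release_tag="v${VERSION}"
          echo "📦 Dispatched release-binaries.yml for v${VERSION}"

      - name: Summary
        # Gated like the steps above: without this condition a run that
        # skipped an already-existing release would still report that a
        # release was created and that the workflows were dispatched.
        if: steps.check.outputs.exists == 'false'
        env:
          VERSION: ${{ steps.version.outputs.version }}
        run: |
          echo "## ✅ Release v${VERSION} Created" >> "$GITHUB_STEP_SUMMARY"
          echo "" >> "$GITHUB_STEP_SUMMARY"
          echo "- **Tag**: v${VERSION}" >> "$GITHUB_STEP_SUMMARY"
          echo "- **Release**: https://github.com/${GITHUB_REPOSITORY}/releases/tag/v${VERSION}" >> "$GITHUB_STEP_SUMMARY"
          echo "" >> "$GITHUB_STEP_SUMMARY"
          echo "The \`pypi-release.yml\` workflow was dispatched to publish packages to PyPI." >> "$GITHUB_STEP_SUMMARY"
          echo "The \`server.yml\` workflow was dispatched to build versioned Docker images." >> "$GITHUB_STEP_SUMMARY"
          echo "The \`release-binaries.yml\` workflow was dispatched to build and attach release binaries." >> "$GITHUB_STEP_SUMMARY"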