abcxyz
diff --git a/‎.github/actions/create-release/action.yml
+158 b/‎.github/actions/create-release/action.yml
+158
diff --git a/‎.github/actions/increment-version/action.yml
+99 b/‎.github/actions/increment-version/action.yml
+99
@@ -0,0 +1,158 @@
+# Copyright 2024 The Authors (see AUTHORS file)
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#
+# This GitHub Action creates a Git tag and associated GitHub Release at the current SHA.
+#
+# It includes two outputs: the "current_version" and the "next_version".
+#
+# Example usage:
+#
+#     jobs:
+#       release:
+#         runs-on: 'ubuntu-latest'
+#
+#         # The following line is super super super important! This ensures the
+#         # job only runs when the commit matches the expected message. There
+#         # are additional checks in the action itself, including commit
+#         # signature verification, but adding this line prevents the workflow
+#         # from running at all, saving your previous GitHub Actions usage
+#         #minutes.
+#         if: '${{ startsWith(github.event.head_commit.message, ''Release: v'')
+#
+#         steps:
+#           - name: 'Create release'
+#             id: 'create-release'
+#             uses: 'abcxyz/pkg/.github/actions/create-release@main'
+#             with:
+#               github_token: '${{ secrets.GITHUB_TOKEN }}' # Or an organization PAT
+#               expected_email: '[email protected]'
+#
+#           # Example using go-releaser
+#           - uses: 'actions/checkout@v4'
+#             with:
+#               fetch-depth: 0
+#
+#           - uses: 'actions/setup-go@v5'
+#             with:
+#               go-version: '1.21'
+#
+#           - uses: 'goreleaser/goreleaser-action@v5'
+#             with:
+#               args: 'release --clean'
+#             env:
+#               GORELEASER_CURRENT_TAG: 'v${{ steps.create-release.outputs.release_version }}'
+#               GITHUB_TOKEN: '${{ secrets.GITHUB_TOKEN }}' # Or an organization PAT
+#
+
+name: 'create-release'
+
+inputs:
+  github_token:
+    description: |-
+      GitHub PAT or App Token to use for authentication.
+    type: 'string'
+    required: true
+
+  expected_email:
+    description: |-
+      Email address expected for the commit.
+    type: 'string'
+    required: true
+
+  draft:
+    description: |-
+      Create the release as a draft.
+    type: 'boolean'
+    required: false
+    default: false
+
+outputs:
+  release_version:
+    description: |-
+      Version that is being released, without a leading "v".
+    value: '${{ steps.create-release.outputs.release_version }}'
+
+runs:
+  using: 'composite'
+  steps:
+    - name: 'Create release'
+      id: 'create-release'
+      env:
+        DRAFT: '${{ inputs.draft }}'
+        EXPECTED_EMAIL: '${{ inputs.expected_email }}'
+      uses: 'actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea' # ratchet:actions/github-script@v7
+      with:
+        github-token: '${{ inputs.github_token }}'
+        script: |-
+          // Ensure the commit is signed.
+          const commitResult = await github.rest.repos.getCommit({
+            owner: context.repo.owner,
+            repo: context.repo.repo,
+            ref: context.payload.head_commit.id,
+          })
+          if (!commitResult.data.commit.verification.verified) {
+            core.setFailed(`Commit is not signed`)
+            return;
+          }
+
+          const expectedEmail = process.env.EXPECTED_EMAIL;
+          if (commitResult.data.commit.author.email !== expectedEmail) {
+            core.setFailed(`Commit author is not ${expectedEmail}, got ${commitResult.data.commit.author.email}`);
+            return;
+          }
+          if (commitResult.data.commit.committer.email !== expectedEmail) {
+            core.setFailed(`Commiter is not ${expectedEmail}, got ${commitResult.data.commit.committer.email}`);
+            return;
+          }
+
+          // Ensure the commit message matches the expected regular
+          // expression. Part of this is guarded by the conditional
+          // entrypoint.
+          const matches = context.payload.head_commit.message.match(/Release: v(?<version>[^\ ]+)/i);
+          if (!matches || !matches.groups) {
+            core.setFailed(`Commit message does not contain a version`)
+            return;
+          }
+          let releaseVersion = matches.groups.version;
+          while(releaseVersion.charAt(0).toLowerCase() === 'v') {
+            releaseVersion = releaseVersion.substr(1);
+          }
+
+          // Compute variables.
+          const tag = `v${releaseVersion}`;
+          const draft = JSON.parse(process.env.DRAFT);
+          const prerelease = ['-', 'pre', 'alpha', 'beta', 'preview'].some((v) => tag.includes(v));
+
+          try {
+            const createReleaseRequest = {
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              tag_name: tag,
+              target_commitish: context.sha,
+              name: tag,
+              generate_release_notes: true,
+              prerelease: prerelease,
+              draft: draft,
+            };
+
+            const response = await github.rest.repos.createRelease(createReleaseRequest);
+
+            core.setOutput('release_version', releaseVersion);
+            core.info(
+              `Created release ${response.data.name} at ${response.data.html_url}`
+            );
+          } catch (err) {
+            core.setFailed(`Failed to create release: ${err}`);
+          }
@@ -0,0 +1,99 @@
+# Copyright 2024 The Authors (see AUTHORS file)
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#
+# This GitHub Action increments a VERSION file at the root of the repository by
+# the given semver strategy. If no VERSION file exists, it uses "0.0.0". It does
+# not commit the resulting file.
+#
+# It includes two outputs: the "current_version" and the "next_version".
+#
+# Example usage:
+#
+#     jobs:
+#       draft-release:
+#         runs-on: 'ubuntu-latest'
+#         steps:
+#           - name: 'Increment version'
+#             id: 'increment-version'
+#             uses: 'abcxyz/pkg/.github/actions/increment-version@main'
+#             with:
+#               version_strategy: 'patch' # Likely from "workflow_call" input
+#
+#           - name: 'Update npm version'
+#             env:
+#               NEXT_VERSION: '${{ steps.increment-version.outputs.next_version }}'
+#             run: |-
+#               npm version ${NEXT_VERSION} --no-git-tag-version
+#
+
+name: 'increment-version'
+
+inputs:
+  version_strategy:
+    description: |-
+      Strategy to update the version based on semantic versioning.
+    default: 'patch'
+    type: 'string'
+    required: true
+
+  prerelease_identifier:
+    description: |-
+      String to use to identify pre-releases.
+    type: 'string'
+    default: 'alpha'
+    required: false
+
+outputs:
+  current_version:
+    description: |-
+      Existing version prior to incrementing, without any leading "v" prefixes.
+    value: '${{ steps.increment-version.outputs.current_version }}'
+
+  next_version:
+    description: |-
+      Incremented version, without any leading "v" prefixes.
+    value: '${{ steps.increment-version.outputs.next_version }}'
+
+runs:
+  using: 'composite'
+  steps:
+    - uses: 'actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11' # ratchet:actions/checkout@v4
+
+    - name: 'Increment version'
+      id: 'increment-version'
+      env:
+        PRERELEASE_IDENTIFIER: '${{ inputs.prerelease_identifier }}'
+        VERSION_STRATEGY: '${{ inputs.version_strategy }}'
+      shell: 'bash'
+      run: |-
+        npm install -g --silent --quiet --no-progress [email protected]
+
+        CURRENT_VERSION="0.0.0"
+        if [ -f "${GITHUB_WORKSPACE}/VERSION" ]; then
+          CURRENT_VERSION="$(< "${GITHUB_WORKSPACE}/VERSION")"
+        fi
+        echo "CURRENT_VERSION: ${CURRENT_VERSION}"
+        echo "current_version=${CURRENT_VERSION}" >> "${GITHUB_OUTPUT}"
+        echo "CURRENT_VERSION=${CURRENT_VERSION}" >> "${GITHUB_ENV}"
+
+        NEXT_VERSION="$(semver "${CURRENT_VERSION}" \
+          --increment "${VERSION_STRATEGY}" \
+          --preid "${PRERELEASE_IDENTIFIER}" \
+          -n 1)"
+        echo "NEXT_VERSION: ${NEXT_VERSION}"
+
+        echo "next_version=${NEXT_VERSION}" >> "${GITHUB_OUTPUT}"
+        echo "NEXT_VERSION=${NEXT_VERSION}" >> "${GITHUB_ENV}"
+        echo "${NEXT_VERSION}" > "${GITHUB_WORKSPACE}/VERSION"