Semantic Release #1904
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Semantic Release | |
| on: | |
| workflow_run: | |
| workflows: ["TestPyPI Publishing"] | |
| types: [completed] | |
| branches: [main] | |
| workflow_dispatch: | |
| inputs: | |
| commit: | |
| description: 'Commit hash (for historical releases)' | |
| required: false | |
| type: string | |
| version: | |
| description: 'Version (for historical releases)' | |
| required: false | |
| type: string | |
| force_level: | |
| description: 'Force a specific bump level (auto = commit analysis)' | |
| required: false | |
| default: 'auto' | |
| type: choice | |
| options: | |
| - auto | |
| - major | |
| - minor | |
| - patch | |
| - prerelease | |
| permissions: | |
| contents: write | |
| packages: write | |
| concurrency: | |
| group: "semantic-release" | |
| cancel-in-progress: false | |
| jobs: | |
| preview: | |
| name: Preview next version | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 20 | |
| permissions: | |
| contents: write | |
| packages: write | |
| id-token: write | |
| # Only release from main: guard workflow_dispatch against feature-branch runs. | |
| # No release: commit-message filter — python-semantic-release does not emit | |
| # such commits, so the gate would be dead; the release-approval environment | |
| # on the release job is the human gate. | |
| if: | | |
| (github.event_name == 'workflow_dispatch' && github.ref == 'refs/heads/main') || | |
| (github.event_name == 'workflow_run' && github.event.workflow_run.conclusion == 'success') | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 | |
| with: | |
| fetch-depth: 0 | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Setup UV | |
| uses: astral-sh/setup-uv@11f9893b081a58869d3b5fccaea48c9e9e46f990 # v8.3.2 | |
| - name: Install dependencies | |
| run: uv sync | |
| - name: Compute next version (dry run) | |
| id: next_version | |
| run: | | |
| FORCE_FLAG=${{ (inputs.force_level != '' && inputs.force_level != 'auto') && format('--{0}', inputs.force_level) || '' }} | |
| NEXT=$(uv run semantic-release version --print $FORCE_FLAG 2>/dev/null || echo "no-release") | |
| echo "next_version=$NEXT" >> "$GITHUB_OUTPUT" | |
| { | |
| echo "## Semantic Release Preview" | |
| echo "" | |
| echo "Next version: **$NEXT**" | |
| } >> "$GITHUB_STEP_SUMMARY" | |
| release: | |
| name: Semantic Release | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 30 | |
| needs: [preview] | |
| environment: release-approval | |
| permissions: | |
| contents: write | |
| packages: write | |
| id-token: write | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 | |
| with: | |
| fetch-depth: 0 | |
| # The composite below mints the App token and resets the remote | |
| # URL to authenticate as the ORB CICD App. If actions/checkout | |
| # also persists the default GITHUB_TOKEN as an extraheader git | |
| # config entry, that header beats the URL-embedded token at push | |
| # time and the request lands as github-actions[bot] - which is | |
| # not in the main branch protection bypass list and is rejected | |
| # with GH006. Skip the persistence so the composite's remote | |
| # URL is the sole credential source. | |
| persist-credentials: false | |
| - name: ORB CICD App token | |
| id: cicd | |
| uses: ./.github/actions/orb-cicd-app-token | |
| with: | |
| app-id: ${{ secrets.GH_APP_ID }} | |
| private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} | |
| - name: Setup UV | |
| uses: astral-sh/setup-uv@11f9893b081a58869d3b5fccaea48c9e9e46f990 # v8.3.2 | |
| - name: Setup Bun (for UI static bundle) | |
| uses: oven-sh/setup-bun@735343b667d3e6f658f44d0eca948eb6282f4b11 # v2 | |
| with: | |
| bun-version: "1.2.15" # pinned; update intentionally to avoid surprise breakage | |
| - name: Build UI static bundle | |
| run: make ui-build | |
| # Do NOT `uv sync` here: the next step is a Docker action that mounts | |
| # the workspace, so a host .venv would be visible inside the container | |
| # with a dangling interpreter and break `make semantic-release-build`. | |
| - name: Python Semantic Release | |
| id: release | |
| uses: python-semantic-release/python-semantic-release@39dd2052f2ce8282a5d932c31d58a2ca06d2550e # v10.6.1 | |
| with: | |
| github_token: ${{ steps.cicd.outputs.token }} | |
| git_committer_name: ${{ steps.cicd.outputs.committer-name }} | |
| git_committer_email: ${{ steps.cicd.outputs.committer-email }} | |
| force: ${{ inputs.force_level != 'auto' && inputs.force_level || '' }} | |
| - name: Publish to GitHub Release Assets | |
| uses: python-semantic-release/publish-action@5a5718ce47b892ef699f2972dae122297771d641 # v10.6.1 | |
| if: steps.release.outputs.released == 'true' | |
| with: | |
| github_token: ${{ steps.cicd.outputs.token }} | |
| tag: ${{ steps.release.outputs.tag }} | |
| - name: Install ORB | |
| if: steps.release.outputs.released == 'true' | |
| run: uv sync --all-extras --group ci | |
| - name: Export OpenAPI spec for Go SDK | |
| if: steps.release.outputs.released == 'true' | |
| run: uv run make sdk-go-export-spec | |
| - name: Update Go SDK version | |
| if: steps.release.outputs.released == 'true' | |
| env: | |
| GIT_AUTHOR_NAME: ${{ steps.cicd.outputs.committer-name }} | |
| GIT_AUTHOR_EMAIL: ${{ steps.cicd.outputs.committer-email }} | |
| GIT_COMMITTER_NAME: ${{ steps.cicd.outputs.committer-name }} | |
| GIT_COMMITTER_EMAIL: ${{ steps.cicd.outputs.committer-email }} | |
| run: uv run make sdk-go-update-version VERSION=${{ steps.release.outputs.version }} |