-
Notifications
You must be signed in to change notification settings - Fork 10
154 lines (136 loc) · 5.48 KB
/
Copy pathsemantic-release.yml
File metadata and controls
154 lines (136 loc) · 5.48 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
name: Semantic Release
on:
push:
branches: [main]
workflow_run:
workflows: ["Quality Checks", "Unit Tests", "Security Scanning", "Workflow Validation", "Changelog Validation", "Container Build", "PyPI Publishing", "Documentation"]
types: [completed]
branches: [main]
workflow_dispatch:
inputs:
commit:
description: 'Commit hash (for historical releases)'
required: false
type: string
version:
description: 'Version (for historical releases)'
required: false
type: string
force_level:
description: 'Force a specific bump level (auto = commit analysis)'
required: false
default: 'auto'
type: choice
options:
- auto
- major
- minor
- patch
- prerelease
permissions:
contents: write
packages: write
concurrency:
group: "semantic-release"
cancel-in-progress: false
jobs:
preview:
name: Preview next version
runs-on: ubuntu-latest
permissions:
contents: write
packages: write
id-token: write
if: |
(github.ref == 'refs/heads/main' && contains(github.event.head_commit.message, 'release:')) ||
github.event_name == 'workflow_dispatch' ||
(github.event_name == 'workflow_run' && github.event.workflow_run.conclusion == 'success' && contains(github.event.workflow_run.head_commit.message, 'release:'))
steps:
- name: Checkout code
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
fetch-depth: 0
token: ${{ secrets.GITHUB_TOKEN }}
- name: Setup UV
uses: astral-sh/setup-uv@d31148d669074a8d0a63714ba94f3201e7020bc3 # v8.3.0
- name: Install dependencies
run: uv sync
- name: Compute next version (dry run)
id: next_version
run: |
FORCE_FLAG=${{ inputs.force_level != 'auto' && format('--{0}', inputs.force_level) || '' }}
NEXT=$(uv run semantic-release version --print $FORCE_FLAG 2>/dev/null || echo "no-release")
echo "next_version=$NEXT" >> "$GITHUB_OUTPUT"
{
echo "## Semantic Release Preview"
echo ""
echo "Next version: **$NEXT**"
} >> "$GITHUB_STEP_SUMMARY"
release:
name: Semantic Release
runs-on: ubuntu-latest
needs: [preview]
environment: release-approval
permissions:
contents: write
packages: write
id-token: write
steps:
- name: Checkout code
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
fetch-depth: 0
# The composite below mints the App token and resets the remote
# URL to authenticate as the ORB CICD App. If actions/checkout
# also persists the default GITHUB_TOKEN as an extraheader git
# config entry, that header beats the URL-embedded token at push
# time and the request lands as github-actions[bot] - which is
# not in the main branch protection bypass list and is rejected
# with GH006. Skip the persistence so the composite's remote
# URL is the sole credential source.
persist-credentials: false
- name: ORB CICD App token
id: cicd
uses: ./.github/actions/orb-cicd-app-token
with:
app-id: ${{ secrets.GH_APP_ID }}
private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
- name: Setup UV
uses: astral-sh/setup-uv@d31148d669074a8d0a63714ba94f3201e7020bc3 # v8.3.0
- name: Setup Bun (for UI static bundle)
uses: oven-sh/setup-bun@735343b667d3e6f658f44d0eca948eb6282f4b11 # v2
with:
bun-version: latest
- name: Build UI static bundle
run: make ui-build
# Do NOT `uv sync` here: the next step is a Docker action that mounts
# the workspace, so a host .venv would be visible inside the container
# with a dangling interpreter and break `make semantic-release-build`.
- name: Python Semantic Release
id: release
uses: python-semantic-release/python-semantic-release@37a30a7987cfebb6d49240bf1c4e9cd9817d0673 # v10.6.0
with:
github_token: ${{ steps.cicd.outputs.token }}
git_committer_name: ${{ steps.cicd.outputs.committer-name }}
git_committer_email: ${{ steps.cicd.outputs.committer-email }}
force: ${{ inputs.force_level != 'auto' && inputs.force_level || '' }}
- name: Publish to GitHub Release Assets
uses: python-semantic-release/publish-action@4f3c5d7f5caddf6535050c4bcb55f033f000a7dd # v10.6.0
if: steps.release.outputs.released == 'true'
with:
github_token: ${{ steps.cicd.outputs.token }}
tag: ${{ steps.release.outputs.tag }}
- name: Install ORB
if: steps.release.outputs.released == 'true'
run: uv sync --all-extras --group ci
- name: Export OpenAPI spec for Go SDK
if: steps.release.outputs.released == 'true'
run: uv run make sdk-go-export-spec
- name: Update Go SDK version
if: steps.release.outputs.released == 'true'
env:
GIT_AUTHOR_NAME: ${{ steps.cicd.outputs.committer-name }}
GIT_AUTHOR_EMAIL: ${{ steps.cicd.outputs.committer-email }}
GIT_COMMITTER_NAME: ${{ steps.cicd.outputs.committer-name }}
GIT_COMMITTER_EMAIL: ${{ steps.cicd.outputs.committer-email }}
run: uv run make sdk-go-update-version VERSION=${{ steps.release.outputs.version }}