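# Publish workflow: triggered when the "accepted" label is added to a
# craft-created publish issue (e.g. "publish: owner/repo@0.1.0").
#
# Runs `craft publish` which:
# 1. Publishes opentower to npm (OIDC auth)
# 2. Re-tags the Docker image with the release version + :latest
# 3. Creates a GitHub Release with auto-generated changelog
#
# Trust boundary: the issue title is user-supplied text. The job only runs
# once a maintainer applies the "accepted" label, but the parsed version is
# still validated against a strict pattern and handed to later steps through
# `env:` rather than inline `${{ }}` expansion inside `run:` scripts, so it is
# never interpreted as shell syntax.
name: Publish
on:
  issues:
    types: [labeled]
jobs:
  publish:
    if: github.event.label.name == 'accepted' && github.event.issue.state == 'open'
    runs-on: ubuntu-latest
    name: Publish release
    environment: production
    permissions:
      contents: write
      id-token: write
      issues: write
      packages: write
    timeout-minutes: 15
    steps:
      # NOTE(review): the third-party actions below are referenced by
      # major-version tag; pinning each to a full commit SHA makes the
      # dependency immutable.
      - uses: actions/create-github-app-token@v1
        id: app-token
        with:
          app-id: ${{ vars.APP_ID }}
          private-key: ${{ secrets.APP_PRIVATE_KEY }}
      - name: Parse publish request
        id: inputs
        env:
          ISSUE_TITLE: ${{ github.event.issue.title }}
        run: |
          # Title format: "publish: owner/repo@VERSION"
          # `|| true` stops the `-e` shell from aborting when grep finds no
          # match, so the explicit error below is actually reachable.
          VERSION=$(echo "$ISSUE_TITLE" | grep -oP '@\K[^\s]+$' || true)
          if [[ -z "$VERSION" ]]; then
            echo "::error::Could not parse version from issue title: $ISSUE_TITLE"
            exit 1
          fi
          # Accept only a semver-shaped value: this string becomes a git ref,
          # a craft argument and an issue comment, so anything else is rejected.
          semver='^[0-9]+\.[0-9]+\.[0-9]+([-+][0-9A-Za-z.-]+)?$'
          if [[ ! "$VERSION" =~ $semver ]]; then
            echo "::error::Version '$VERSION' is not a valid semver string"
            exit 1
          fi
          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
      - uses: actions/checkout@v4
        with:
          ref: release/${{ steps.inputs.outputs.version }}
          token: ${{ steps.app-token.outputs.token }}
          fetch-depth: 0
      - name: Set git user
        run: |
          git config user.name "github-actions[bot]"
          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
      # registry-url is required for npm OIDC trusted publishing — without
      # it, setup-node doesn't configure the authenticated .npmrc and
      # `npm publish` errors with ENEEDAUTH even though the workflow has
      # `id-token: write` permission.
      - uses: actions/setup-node@v4
        with:
          node-version: '24'
          registry-url: 'https://registry.npmjs.org'
      # Docker login is required for the docker retag targets in .craft.yml.
      - name: Log in to ghcr.io
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      # NOTE(review): this fetches whatever the latest craft release is at run
      # time and verifies nothing about it. Pinning to a specific release tag
      # and checking the asset against a known checksum would make the
      # release tooling reproducible.
      - name: Install Craft
        run: |
          CRAFT_URL=$(curl -fsSL https://api.github.com/repos/getsentry/craft/releases/latest \
            | jq -r '.assets[] | select(.name == "craft") | .browser_download_url')
          sudo curl -fsSL -o /usr/local/bin/craft "$CRAFT_URL"
          sudo chmod +x /usr/local/bin/craft
      # Wait for CI workflow to complete on the release branch.
      # CI builds and pushes the Docker image; Craft's docker target needs it.
      - name: Wait for CI
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
          VERSION: ${{ steps.inputs.outputs.version }}
        run: |
          branch="release/$VERSION"
          echo "Waiting for CI workflow on $branch..."
          run_id=$(gh run list --workflow CI --branch "$branch" --json databaseId --jq '.[0].databaseId')
          if [[ -z "$run_id" || "$run_id" == "null" ]]; then
            echo "::error::No CI workflow run found for branch $branch"
            exit 1
          fi
          gh run watch "$run_id" --exit-status
      - name: Publish
        env:
          # GITHUB_TOKEN is the workflow token (packages:write for ghcr.io Docker retag).
          # GITHUB_API_TOKEN is the App token (contents:write for GitHub Release + branch merge).
          # Craft uses GITHUB_API_TOKEN for API calls when set, and falls back to
          # GITHUB_TOKEN for ghcr.io Docker auth.
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GITHUB_API_TOKEN: ${{ steps.app-token.outputs.token }}
          VERSION: ${{ steps.inputs.outputs.version }}
        run: craft publish "$VERSION" --no-input --no-status-check
      - name: Close issue on success
        if: success()
        env:
          GH_TOKEN: ${{ github.token }}
          ISSUE_NUMBER: ${{ github.event.issue.number }}
          VERSION: ${{ steps.inputs.outputs.version }}
          RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
        run: |
          gh issue close "$ISSUE_NUMBER" \
            --comment "Published **${VERSION}** successfully.
          [Workflow run](${RUN_URL})"
      - name: Comment on failure
        if: failure()
        env:
          GH_TOKEN: ${{ github.token }}
          ISSUE_NUMBER: ${{ github.event.issue.number }}
          RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
        run: |
          gh issue comment "$ISSUE_NUMBER" \
            --body "Publish failed. [View workflow run](${RUN_URL})"
          gh issue edit "$ISSUE_NUMBER" --remove-label accepted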