|
| 1 | +name: Release |
| 2 | + |
| 3 | +# Auto-releases when a version tag (vX.Y.Z) is pushed. GoReleaser builds the |
| 4 | +# cross-platform binaries, SHA-256 checksums, and cosign-keyless signatures, |
| 5 | +# publishes a GitHub Release, and — when the tap repos + tokens exist — pushes |
| 6 | +# the Homebrew formula and Scoop manifest. |
| 7 | +# |
| 8 | +# A validation gate (test + lint + config check) runs first, so a broken tag |
| 9 | +# never publishes. workflow_dispatch runs a snapshot dry-run (no publish) to |
| 10 | +# rehearse a release without tagging. |
| 11 | +on: |
| 12 | + push: |
| 13 | + tags: |
| 14 | + - "v*" |
| 15 | + workflow_dispatch: {} |
| 16 | + |
| 17 | +permissions: |
| 18 | + contents: read |
| 19 | + |
| 20 | +jobs: |
| 21 | + # Gate: the same checks CI runs, plus goreleaser config validation. The |
| 22 | + # release job depends on this, so a failing test/lint aborts before publish. |
| 23 | + validate: |
| 24 | + name: Validate |
| 25 | + runs-on: ubuntu-latest |
| 26 | + steps: |
| 27 | + - uses: actions/checkout@v6 |
| 28 | + with: |
| 29 | + fetch-depth: 0 |
| 30 | + persist-credentials: false # don't leave the token in .git/config |
| 31 | + - uses: actions/setup-go@v6 |
| 32 | + with: |
| 33 | + go-version-file: go.mod # reproducible: pin the toolchain to go.mod |
| 34 | + cache: true |
| 35 | + - name: Test |
| 36 | + run: go test ./... github.com/nixrajput/siphon/internal/driver/_mysqlcommon |
| 37 | + - name: Lint |
| 38 | + uses: golangci/golangci-lint-action@v6 |
| 39 | + - name: GoReleaser check |
| 40 | + uses: goreleaser/goreleaser-action@v6 |
| 41 | + with: |
| 42 | + version: "~> v2" |
| 43 | + args: check |
| 44 | + |
| 45 | + release: |
| 46 | + name: Release |
| 47 | + needs: validate |
| 48 | + runs-on: ubuntu-latest |
| 49 | + permissions: |
| 50 | + contents: write # create the GitHub Release |
| 51 | + id-token: write # cosign keyless signing via GitHub OIDC |
| 52 | + steps: |
| 53 | + - uses: actions/checkout@v6 |
| 54 | + with: |
| 55 | + fetch-depth: 0 |
| 56 | + persist-credentials: false # don't leave the token in .git/config # GoReleaser needs full history + tags for the changelog |
| 57 | + |
| 58 | + - uses: actions/setup-go@v6 |
| 59 | + with: |
| 60 | + go-version-file: go.mod # reproducible: pin the toolchain to go.mod |
| 61 | + cache: true |
| 62 | + |
| 63 | + - name: Install cosign |
| 64 | + uses: sigstore/cosign-installer@v3 |
| 65 | + |
| 66 | + # On a tag push: full release. On manual dispatch: snapshot dry-run that |
| 67 | + # builds everything locally and publishes nothing (rehearsal). |
| 68 | + - name: Set release args |
| 69 | + id: args |
| 70 | + run: | |
| 71 | + if [ "${{ github.ref_type }}" = "tag" ]; then |
| 72 | + echo "args=release --clean" >> "$GITHUB_OUTPUT" |
| 73 | + else |
| 74 | + echo "args=release --clean --snapshot" >> "$GITHUB_OUTPUT" |
| 75 | + fi |
| 76 | +
|
| 77 | + - name: Run GoReleaser |
| 78 | + uses: goreleaser/goreleaser-action@v6 |
| 79 | + with: |
| 80 | + version: "~> v2" |
| 81 | + args: ${{ steps.args.outputs.args }} |
| 82 | + env: |
| 83 | + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |
| 84 | + # Tap-push tokens. These secrets may be unset on early releases; a |
| 85 | + # GitHub Actions secret expression yields "" when absent, so the |
| 86 | + # GoReleaser token template still resolves and skip_upload: auto |
| 87 | + # quietly skips the brew/scoop push instead of erroring. Provision |
| 88 | + # these (PATs with repo scope on the tap repos) to enable publishing. |
| 89 | + HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.HOMEBREW_TAP_GITHUB_TOKEN }} |
| 90 | + SCOOP_TAP_GITHUB_TOKEN: ${{ secrets.SCOOP_TAP_GITHUB_TOKEN }} |
0 commit comments