Skip to content

Replace push:tags release trigger with validated workflow_dispatch #1159

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
tomleb wants to merge 3 commits into
base: main
Choose a base branch
from
+109 −12
Open

Replace push:tags release trigger with validated workflow_dispatch #1159

Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
609ab9e
Replace push:tags release trigger with validated workflow_dispatch
tomleb Apr 27, 2026
748f656
Address reviewer feedback on release workflow
tomleb Apr 27, 2026
38e1597
Revert non-capturing group in version regex
tomleb Apr 27, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
121 changes: 109 additions & 12 deletions .github/workflows/release.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,21 +1,118 @@
name: Release

on:
push:
tags:
- v*
workflow_dispatch:
inputs:
version:
description: 'Version to release (e.g. v0.5.1)'
required: true
type: string

permissions: {}

jobs:
validate:
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
fetch-tags: true
persist-credentials: false

- name: Validate version format
env:
VERSION: ${{ inputs.version }}
run: |
if ! [[ "$VERSION" =~ ^v[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9.]+)?$ ]]; then
echo "::error::Version '$VERSION' must match v<major>.<minor>.<patch>[-prerelease]"
exit 1
fi

- name: Resolve allowed minor from VERSION.md
id: minor
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
table=$(gh api "repos/$GITHUB_REPOSITORY/contents/VERSION.md" --jq .content | base64 -d)
allowed=$(grep -F "| $GITHUB_REF_NAME |" <<< "$table" | cut -d'|' -f3 | tr -d ' ')
if [ -z "$allowed" ]; then
echo "::error::Branch '$GITHUB_REF_NAME' not found in default-branch VERSION.md"
exit 1
fi
echo "Branch '$GITHUB_REF_NAME' is allowed minor '$allowed'"
echo "allowed=$allowed" >> "$GITHUB_OUTPUT"

- name: Validate version matches branch's allowed minor
env:
VERSION: ${{ inputs.version }}
ALLOWED: ${{ steps.minor.outputs.allowed }}
run: |
if [[ "$VERSION" != "${ALLOWED}."* ]]; then
echo "::error::Version $VERSION does not belong to branch $GITHUB_REF_NAME (allowed minor: $ALLOWED)"
exit 1
fi

- name: Validate version is next-sequential
env:
VERSION: ${{ inputs.version }}
ALLOWED: ${{ steps.minor.outputs.allowed }}
run: |
v_core="${VERSION%%-*}"
latest=$(git tag -l "${ALLOWED}.*" | grep -v -- '-' | sort -V | tail -n1 || true)
if [ -z "$latest" ]; then
if [ "$v_core" != "${ALLOWED}.0" ]; then
echo "::error::No prior ${ALLOWED} tags; first version must be ${ALLOWED}.0 (got $v_core)"
exit 1
fi
echo "First release on ${ALLOWED} line: OK"
else
patch="${latest##*.}"
expected="${ALLOWED}.$((patch + 1))"
if [ "$v_core" != "$expected" ]; then
echo "::error::Latest ${ALLOWED} tag is $latest; next must be $expected (got $v_core)"
exit 1
fi
echo "Next sequential after $latest: OK"
fi

- name: Validate tag does not already exist
env:
VERSION: ${{ inputs.version }}
run: |
if git rev-parse "$VERSION" >/dev/null 2>&1; then
echo "::error::Tag '$VERSION' already exists"
exit 1
fi

release:
needs: validate
runs-on: ubuntu-latest
permissions:
contents: write
contents: write
steps:
- name : Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: Create release on Github
run: |
gh --repo "${{ github.repository }}" release create ${{ github.ref_name }} --verify-tag --generate-notes
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: Configure git identity
run: |
git config user.name 'github-actions[bot]'
git config user.email '41898282+github-actions[bot]@users.noreply.github.com'

- name: Create and push tag
env:
VERSION: ${{ inputs.version }}
run: |
git tag -a "$VERSION" -m "Release $VERSION"
git push origin "$VERSION"

- name: Create GitHub Release
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
VERSION: ${{ inputs.version }}
run: |
gh --repo "$GITHUB_REPOSITORY" release create "$VERSION" \
--verify-tag --generate-notes