fix: security hardening across web dashboard and terminal UI (#17) #13
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Auto Tag and Release on Merge | |
| on: | |
| push: | |
| branches: | |
| - main | |
| # Don't trigger on tag pushes | |
| tags-ignore: | |
| - '*' | |
| permissions: | |
| contents: write | |
| jobs: | |
| auto-release: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 # Need full history for tags | |
| - name: Get latest tag | |
| id: get_tag | |
| run: | | |
| # Get the latest tag | |
| LATEST_TAG=$(git describe --tags --abbrev=0 2>/dev/null || echo "v0.0.0") | |
| echo "latest_tag=$LATEST_TAG" >> $GITHUB_OUTPUT | |
| echo "Latest tag: $LATEST_TAG" | |
| - name: Calculate next version | |
| id: next_version | |
| run: | | |
| LATEST_TAG="${{ steps.get_tag.outputs.latest_tag }}" | |
| # Remove 'v' prefix and split into parts | |
| VERSION="${LATEST_TAG#v}" | |
| MAJOR=$(echo $VERSION | cut -d. -f1) | |
| MINOR=$(echo $VERSION | cut -d. -f2) | |
| PATCH=$(echo $VERSION | cut -d. -f3) | |
| # Increment patch version | |
| NEW_PATCH=$((PATCH + 1)) | |
| NEW_TAG="v${MAJOR}.${MINOR}.${NEW_PATCH}" | |
| echo "new_tag=$NEW_TAG" >> $GITHUB_OUTPUT | |
| echo "Next version: $NEW_TAG" | |
| - name: Create and push tag | |
| run: | | |
| NEW_TAG="${{ steps.next_version.outputs.new_tag }}" | |
| git config user.name "github-actions[bot]" | |
| git config user.email "github-actions[bot]@users.noreply.github.com" | |
| git tag -a "$NEW_TAG" -m "Release $NEW_TAG" | |
| git push origin "$NEW_TAG" | |
| echo "Created and pushed tag: $NEW_TAG" | |
| - name: Set up Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version: '1.21' | |
| cache: false | |
| - name: Build binaries | |
| run: make build-all | |
| - name: Create Release | |
| uses: softprops/action-gh-release@v1 | |
| with: | |
| tag_name: ${{ steps.next_version.outputs.new_tag }} | |
| files: | | |
| dist/csm-darwin-amd64 | |
| dist/csm-darwin-arm64 | |
| dist/csm-linux-amd64 | |
| dist/csm-linux-arm64 | |
| generate_release_notes: true | |
| - name: Update Homebrew formula | |
| env: | |
| HOMEBREW_TAP_TOKEN: ${{ secrets.HOMEBREW_TAP_TOKEN }} | |
| TAG_NAME: ${{ steps.next_version.outputs.new_tag }} | |
| run: | | |
| VERSION="${TAG_NAME#v}" | |
| curl -X POST \ | |
| -H "Accept: application/vnd.github+json" \ | |
| -H "Authorization: token $HOMEBREW_TAP_TOKEN" \ | |
| https://api.github.com/repos/yepzdk/homebrew-tools/dispatches \ | |
| -d "{\"event_type\":\"update-csm\",\"client_payload\":{\"version\":\"$VERSION\"}}" |