ci: sign tags by default #43
name: release | |
on: | |
workflow_dispatch: | |
inputs: | |
release_behavior: | |
description: "If publish_release, will create a release and publish it to the release branch. If push_beta, will create a beta build and push it to the beta track." | |
required: true | |
default: "publish_release" | |
type: choice | |
options: | |
- publish_release | |
- push_beta | |
push: | |
branches: | |
- "main" | |
env: | |
APP_BUILD_OFFSET: 300 | |
jobs: | |
app_build: | |
runs-on: ubuntu-latest | |
steps: | |
- id: calculate | |
run: | | |
APP_BUILD=$((${{ github.run_number }} + $APP_BUILD_OFFSET)) | |
echo "app_build=$APP_BUILD" >> $GITHUB_OUTPUT | |
echo Current build number: $APP_BUILD | |
outputs: | |
app_build: ${{ steps.calculate.outputs.app_build }} | |
app_version: | |
runs-on: ubuntu-latest | |
outputs: | |
app_version: ${{ steps.app_version.outputs.app_version }} | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: actions/setup-node@v4 | |
with: | |
node-version: 22 | |
- name: Get current version from package.json | |
id: app_version | |
run: | | |
CURRENT_APP_VERSION=$(node -p "require('./package.json').version") | |
echo "app_version=$CURRENT_APP_VERSION" >> $GITHUB_OUTPUT | |
- name: Verify provided version not already released | |
if: inputs.release_behavior == 'publish_release' | |
run: | | |
git fetch --tags | |
TAG_NAME="${{ steps.app_version.outputs.app_version }}" | |
if git rev-parse "$TAG_NAME" >/dev/null 2>&1; then | |
echo "Error: Tag $TAG_NAME already exists" | |
exit 1 | |
fi | |
bump_src: | |
needs: [app_build, app_version] | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- run: corepack enable | |
- name: 📦 Install dependencies | |
run: pnpm install --frozen-lockfile | |
- name: Run trapeze (update iOS and Android version/code) | |
run: pnpm exec trapeze run trapeze.yaml -y | |
env: | |
APP_BUILD: ${{ needs.app_build.outputs.app_build }} | |
APP_VERSION: ${{ needs.app_version.outputs.app_version }} | |
- name: Upload bumped version artifacts | |
uses: actions/upload-artifact@v4 | |
with: | |
name: trapeze-artifacts | |
retention-days: 3 | |
path: | | |
android | |
ios | |
dispatch_beta_release: | |
if: inputs.release_behavior != 'publish_release' | |
needs: [app_build, bump_src] | |
uses: ./.github/workflows/build_release.yml | |
with: | |
is_main_build: true | |
app_build: ${{ needs.app_build.outputs.app_build }} | |
secrets: inherit | |
permissions: | |
contents: write # needed for create_release, even though it won't be called | |
push_release: | |
needs: [bump_src, app_build, app_version] | |
runs-on: ubuntu-latest | |
if: inputs.release_behavior == 'publish_release' | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
persist-credentials: false # Don't clobber the PAT below | |
- name: Download bumped version artifacts | |
uses: actions/download-artifact@v4 | |
with: | |
name: trapeze-artifacts | |
- name: Import GPG key | |
uses: crazy-max/ghaction-import-gpg@cb9bde2e2525e640591a934b1fd28eef1dcaf5e5 # v6.2.0 | |
with: | |
gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }} | |
passphrase: ${{ secrets.GPG_PASSPHRASE }} | |
git_user_signingkey: true | |
git_commit_gpgsign: true | |
git_tag_gpgsign: true | |
- name: Commit and push release | |
env: | |
PAT_TOKEN: ${{ secrets.PAT_TOKEN }} | |
# Github doesn't trigger subsequent workflows unless push with a PAT | |
run: | | |
git remote set-url origin "https://${PAT_TOKEN}@github.com/${GITHUB_REPOSITORY}.git" | |
git checkout -b "release/${{ needs.app_version.outputs.app_version }}" | |
git config --global user.email "[email protected]" | |
git config --global user.name "Voyager CI" | |
git add . | |
git commit -S -m "release: ${{ needs.app_version.outputs.app_version }} (${{ needs.app_build.outputs.app_build }})" | |
TAG_NAME="${{ needs.app_version.outputs.app_version }}" | |
echo "Creating tag: $TAG_NAME" | |
git tag "$TAG_NAME" | |
git push origin "release/${{ needs.app_version.outputs.app_version }}" | |
git push origin "$TAG_NAME" |
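Review bot: The "Commit and push release" step expands `${{ needs.app_version.outputs.app_version }}` straight into the script text (branch checkout, commit message, `TAG_NAME` and branch push), and that value is whatever `package.json` holds in its `version` field. Expression expansion happens before the shell parses the script, so the surrounding double quotes do not constrain it, and this is the step that has `PAT_TOKEN` in its environment and the imported GPG key available. Passing the values through `env:` and referencing them as shell variables keeps them as data rather than script text. The same applies to `TAG_NAME="${{ steps.app_version.outputs.app_version }}"` in the app_version job's verify step. The rendered page does not show which lines the commit changed, so this is a note on the file as displayed.

```yaml
      - name: Commit and push release
        env:
          PAT_TOKEN: ${{ secrets.PAT_TOKEN }}
          APP_VERSION: ${{ needs.app_version.outputs.app_version }}
          APP_BUILD: ${{ needs.app_build.outputs.app_build }}
        run: |
          # … unchanged: git remote set-url …
          git checkout -b "release/${APP_VERSION}"
          # … unchanged: git config user.email / user.name, git add …
          git commit -S -m "release: ${APP_VERSION} (${APP_BUILD})"
          TAG_NAME="${APP_VERSION}"
          # … unchanged: echo, git tag …
          git push origin "release/${APP_VERSION}"
          # … unchanged: tag push …
```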