Allow users to commit to main branch while release running
rtyley committed Jun 23, 2024
1 parent 59122ef commit 4740182
Showing 1 changed file with 17 additions and 9 deletions.
26 changes: 17 additions & 9 deletions .github/workflows/reusable-release.yml
Expand Up @@ -301,7 +301,6 @@ jobs:
runs-on: ubuntu-latest
env:
KEY_FINGERPRINT: ${{ needs.init.outputs.key_fingerprint }}
ARTIFACT_SHA256SUMS: ${{ needs.create-artifacts.outputs.ARTIFACT_SHA256SUMS }}
steps:
- id: generate-github-app-token
uses: actions/create-github-app-token@v1
Expand All @@ -312,7 +311,7 @@ jobs:
with:
path: repo
ref: ${{ needs.push-release-commit.outputs.release_commit_id }}
fetch-depth: 2 # To fast-forward the main branch, we need the commit on main, as well as the release commit
fetch-depth: 1 # For tag-signing, we only need the release commit - branch operations done with GitHub API
token: ${{ steps.generate-github-app-token.outputs.token }}
persist-credentials: true # Allow us to push as the GitHub App, and bypass branch ruleset
- uses: actions/cache/restore@v4
Expand All @@ -321,6 +320,8 @@ jobs:
key: unsigned-${{ env.RUN_ATTEMPT_UID }}
fail-on-cache-miss: true
- name: Verify artifact hashes before signing
env:
ARTIFACT_SHA256SUMS: ${{ needs.create-artifacts.outputs.ARTIFACT_SHA256SUMS }}
run: |
sudo apt-get install hashdeep -q > /dev/null
ARTIFACT_SHA256SUMS_FILE=$( mktemp )
Expand All @@ -342,25 +343,32 @@ jobs:
run: |
echo "KEY_FINGERPRINT=$KEY_FINGERPRINT"
find $LOCAL_ARTIFACTS_STAGING_PATH -type f -exec gpg -a --local-user "$KEY_FINGERPRINT" --detach-sign {} \;
- name: "Full Main-Branch release: Add release commit (from temporary release branch) to default branch"
if: needs.init.outputs.release_type == 'FULL_MAIN_BRANCH'
env:
GH_TOKEN: ${{ steps.generate-github-app-token.outputs.token }}
GH_REPO: ${{ github.repository }}
RELEASE_COMMIT_ID: ${{ needs.push-release-commit.outputs.release_commit_id }}
run: |
if gh api --silent --method PATCH /repos/:owner/:repo/git/refs/heads/$GITHUB_REF_NAME -f "sha=$RELEASE_COMMIT_ID"; then
echo "...fast-forward of default branch to include release commit succeeded"
else
echo "...fast-forward failed (commits added to default branch while release running?), will attempt a merge instead"
gh api --silent --method POST /repos/:owner/:repo/merges -f "base=$GITHUB_REF_NAME" -f "head=$RELEASE_COMMIT_ID"
fi
- name: Push signed tag
env:
RELEASE_TAG: ${{ needs.push-release-commit.outputs.release_tag }}
RELEASE_COMMIT_ID: ${{ needs.push-release-commit.outputs.release_commit_id }}
KEY_EMAIL: ${{ needs.init.outputs.key_email }}
ARTIFACT_SHA256SUMS: ${{ needs.create-artifacts.outputs.ARTIFACT_SHA256SUMS }}
run: |
cd $GITHUB_WORKSPACE/repo
git config user.email "$KEY_EMAIL"
git config user.name "$COMMITTER_NAME"
git config tag.gpgSign true
git config user.signingkey "$KEY_FINGERPRINT"
if [ "${{ needs.init.outputs.release_type }}" == "FULL_MAIN_BRANCH" ]
then
echo "Full Main-Branch release, fast-forwarding the default branch to the release commit"
git log --oneline -n 3
git push origin $RELEASE_COMMIT_ID:refs/heads/$GITHUB_REF_NAME
fi
cat << EndOfFile > tag-message.txt
Release $RELEASE_TAG initiated by $COMMITTER_NAME
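Review bot: The `else` branch of the new "Full Main-Branch release" step runs for any failure of the `gh api ... --method PATCH` call, not only a rejected fast-forward. An expired app token, a rate limit or a network error is therefore logged as "commits added to default branch while release running?" and followed by a merge attempt, made with the same app token that the checkout comment says bypasses the branch ruleset. Consider capturing the PATCH error output and falling back to `/merges` only when the API reports that the update is not a fast-forward, failing the step otherwise. The fast-forward guarantee depends on the request not sending `force`, which is worth pinning with a comment above the call such as `# no force field: the refs API then rejects anything that is not a fast-forward`. Quoting the path as `"/repos/:owner/:repo/git/refs/heads/$GITHUB_REF_NAME"` would also keep the ref name from being word-split or globbed by the shell.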
