diff --git a/.github/workflows/reusable-release.yml b/.github/workflows/reusable-release.yml
index 8688694..2a451cf 100644
--- a/.github/workflows/reusable-release.yml
+++ b/.github/workflows/reusable-release.yml
@@ -301,7 +301,6 @@ jobs:
 runs-on: ubuntu-latest
 env:
 KEY_FINGERPRINT: ${{ needs.init.outputs.key_fingerprint }}
- ARTIFACT_SHA256SUMS: ${{ needs.create-artifacts.outputs.ARTIFACT_SHA256SUMS }}
 steps:
 - id: generate-github-app-token
 uses: actions/create-github-app-token@v1
@@ -312,7 +311,7 @@ jobs:
 with:
 path: repo
 ref: ${{ needs.push-release-commit.outputs.release_commit_id }}
- fetch-depth: 2 # To fast-forward the main branch, we need the commit on main, as well as the release commit
+ fetch-depth: 1 # For tag-signing, we only need the release commit - branch operations done with GitHub API
 token: ${{ steps.generate-github-app-token.outputs.token }}
 persist-credentials: true # Allow us to push as the GitHub App, and bypass branch ruleset
 - uses: actions/cache/restore@v4
@@ -321,6 +320,8 @@ jobs:
 key: unsigned-${{ env.RUN_ATTEMPT_UID }}
 fail-on-cache-miss: true
 - name: Verify artifact hashes before signing
+ env:
+ ARTIFACT_SHA256SUMS: ${{ needs.create-artifacts.outputs.ARTIFACT_SHA256SUMS }}
 run: |
 sudo apt-get install hashdeep -q > /dev/null
 ARTIFACT_SHA256SUMS_FILE=$( mktemp )
@@ -342,11 +343,26 @@ jobs:
 run: |
 echo "KEY_FINGERPRINT=$KEY_FINGERPRINT"
 find $LOCAL_ARTIFACTS_STAGING_PATH -type f -exec gpg -a --local-user "$KEY_FINGERPRINT" --detach-sign {} \;
+ - name: Update default branch with release commit from the temporary-release branch
+ if: needs.init.outputs.release_type == 'FULL_MAIN_BRANCH'
+ env:
+ GH_TOKEN: ${{ steps.generate-github-app-token.outputs.token }}
+ GH_REPO: ${{ github.repository }}
+ RELEASE_COMMIT_ID: ${{ needs.push-release-commit.outputs.release_commit_id }}
+ run: |
+ echo "Full Main-Branch release, fast-forwarding the default branch to the release commit..."
+ if gh api --method PATCH /repos/:owner/:repo/git/refs/heads/$GITHUB_REF_NAME -f "sha=$RELEASE_COMMIT_ID"; then
+ echo "...fast-forward of default branch to release commit succeeded"
+ else
+ echo "...fast-forward failed (commits added to default branch while release running?), will attempt a merge instead"
+ gh api --method POST /repos/:owner/:repo/merges -f "base=$GITHUB_REF_NAME" -f "head=$RELEASE_COMMIT_ID"
+ fi
 - name: Push signed tag
 env:
 RELEASE_TAG: ${{ needs.push-release-commit.outputs.release_tag }}
 RELEASE_COMMIT_ID: ${{ needs.push-release-commit.outputs.release_commit_id }}
 KEY_EMAIL: ${{ needs.init.outputs.key_email }}
+ ARTIFACT_SHA256SUMS: ${{ needs.create-artifacts.outputs.ARTIFACT_SHA256SUMS }}
 run: |
 cd $GITHUB_WORKSPACE/repo
 git config user.email "$KEY_EMAIL"
@@ -354,13 +370,6 @@ jobs:
 git config tag.gpgSign true
 git config user.signingkey "$KEY_FINGERPRINT"
- if [ "${{ needs.init.outputs.release_type }}" == "FULL_MAIN_BRANCH" ]
- then
- echo "Full Main-Branch release, fast-forwarding the default branch to the release commit"
- git log --oneline -n 3
- git push origin $RELEASE_COMMIT_ID:refs/heads/$GITHUB_REF_NAME
- fi
-
 cat << EndOfFile > tag-message.txt
 Release $RELEASE_TAG initiated by $COMMITTER_NAME
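Review bot: The `else` branch of the new `if gh api --method PATCH /repos/:owner/:repo/git/refs/heads/$GITHUB_REF_NAME …` in the "Update default branch" step treats every failure as a non-fast-forward and falls through to the `/merges` call, but `gh api` exits non-zero on any HTTP error (expired or under-scoped App token, rate limiting, transient 5xx), so a credential or API problem would be masked by a retry through a different endpoint instead of failing the release. Decide the path explicitly with the compare API before touching the ref, so that only a `diverged` status triggers a merge and every other error fails the step (rewrite below; the step's `echo` wording is kept and `$GITHUB_REF_NAME` is double-quoted in the path for consistency with the other expansions). The merge path also leaves the default-branch tip at an API-created merge commit rather than the `$RELEASE_COMMIT_ID` that the following "Push signed tag" step signs and tags, which is worth recording in the step name or a comment so operators know the tag will not point at the branch head in that case. The signing job's `steps` list starts before this hunk and continues past it.
```yaml
      run: |
        echo "Full Main-Branch release, fast-forwarding the default branch to the release commit..."
        # "ahead"/"identical": the release commit descends from the branch tip, so a plain ref update is safe.
        # "diverged": something landed on the default branch meanwhile; merge instead. Anything else is an error.
        STATUS=$( gh api "/repos/:owner/:repo/compare/${GITHUB_REF_NAME}...${RELEASE_COMMIT_ID}" --jq .status )
        case "$STATUS" in
          ahead|identical)
            gh api --method PATCH "/repos/:owner/:repo/git/refs/heads/${GITHUB_REF_NAME}" -f "sha=$RELEASE_COMMIT_ID"
            echo "...fast-forward of default branch to release commit succeeded"
            ;;
          diverged)
            echo "...fast-forward failed (commits added to default branch while release running?), will attempt a merge instead"
            gh api --method POST /repos/:owner/:repo/merges -f "base=$GITHUB_REF_NAME" -f "head=$RELEASE_COMMIT_ID"
            ;;
          *)
            echo "...unexpected compare status '$STATUS' for default branch vs release commit, refusing to update the branch"
            exit 1
            ;;
        esac
```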