cargo-binstall/.github/workflows/release-cli.yml
Félix Saparelli 216d548fd4
Use explicit write permissions (#1404)
* Use explicit write permissions

* Revert "release: cargo-binstall v1.4.1 (#1403)"

This reverts commit 00941d8b43.
2023-09-26 21:57:51 +00:00

121 lines
3.5 KiB
YAML

name: Release CLI
on:
workflow_call:
inputs:
info:
description: "The release metadata JSON"
required: true
type: string
CARGO_PROFILE_RELEASE_LTO:
description: "Used to speed up CI"
required: false
type: string
CARGO_PROFILE_RELEASE_CODEGEN_UNITS:
description: "Used to speed up CI"
required: false
type: string
jobs:
tag:
permissions:
contents: write
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- if: fromJSON(inputs.info).is-release == 'true'
name: Push cli release tag
uses: mathieudutour/github-tag-action@v6.1
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
custom_tag: ${{ fromJSON(inputs.info).version }}
tag_prefix: v
keygen:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: cargo-bins/cargo-binstall@main
- name: Create ephemeral keypair
id: keypair
env:
AGE_KEY_PUBLIC: ${{ vars.AGE_KEY_PUBLIC }}
run: .github/scripts/ephemeral-gen.sh
- uses: actions/upload-artifact@v3
with:
name: minisign.pub
path: minisign.pub
- uses: actions/upload-artifact@v3
with:
name: minisign.key.age
path: minisign.key.age
retention-days: 1
- name: Check that key can be decrypted
env:
AGE_KEY_SECRET: ${{ secrets.AGE_KEY_SECRET }}
shell: bash
run: .github/scripts/ephemeral-sign.sh minisign.pub
package:
needs:
- tag
- keygen
uses: ./.github/workflows/release-packages.yml
secrets: inherit
with:
publish: ${{ inputs.info }}
CARGO_PROFILE_RELEASE_LTO: ${{ inputs.CARGO_PROFILE_RELEASE_LTO }}
CARGO_PROFILE_RELEASE_CODEGEN_UNITS: ${{ inputs.CARGO_PROFILE_RELEASE_CODEGEN_UNITS }}
publish:
needs: package
permissions:
contents: write
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/download-artifact@v3
with:
name: minisign.pub
- run: .github/scripts/ephemeral-crate.sh
- if: fromJSON(inputs.info).is-release != 'true'
name: DRY-RUN Publish to crates.io
env:
crate: ${{ fromJSON(inputs.info).crate }}
CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
run: |
set -ex
cargo publish -p "$crate" --allow-dirty --dry-run
cargo package --no-verify -p "$crate" --allow-dirty
- if: fromJSON(inputs.info).is-release != 'true'
name: Upload crate package as artifact
uses: actions/upload-artifact@v3
with:
name: crate-package
path: target/package/*.crate
- if: fromJSON(inputs.info).is-release == 'true'
name: Publish to crates.io
env:
crate: ${{ fromJSON(inputs.info).crate }}
CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
run: cargo publish -p "$crate" --allow-dirty
- if: fromJSON(inputs.info).is-release == 'true'
name: Make release latest
uses: svenstaro/upload-release-action@v2
with:
repo_token: ${{ secrets.GITHUB_TOKEN }}
release_name: v${{ fromJSON(inputs.info).version }}
tag: v${{ fromJSON(inputs.info).version }}
body: ${{ fromJSON(inputs.info).notes }}
promote: true
file: minisign.pub
- if: fromJSON(inputs.info).is-release == 'true'
name: Delete signing key artifact
uses: geekyeggo/delete-artifact@v2
with:
name: minisign.key.age
failOnError: false