diff --git a/.github/actions/update-major-version-tag/action.yml b/.github/actions/update-major-version-tag/action.yml
new file mode 100644
index 00000000..f001a454
--- /dev/null
+++ b/.github/actions/update-major-version-tag/action.yml
@@ -0,0 +1,41 @@
+name: Update Major Version Tag
+description: 'Create or update the major version shorthand tag (e.g., v1) to point to HEAD, for use when releasing a GitHub Action.'
+
+inputs:
+ release-version:
+ required: true
+ description: 'Full release version (e.g., 1.2.3).'
+ github-token:
+ required: true
+ description: 'GitHub token with contents write permission.'
+
+runs:
+ using: composite
+ steps:
+ - name: Update major version tag
+ shell: bash
+ env:
+ GH_TOKEN: ${{ inputs.github-token }}
+ RELEASE_VERSION: ${{ inputs.release-version }}
+ run: |
+ set -euo pipefail
+
+ MAJOR_VERSION_TAG="v${RELEASE_VERSION/\.*/}"
+ SHA=$(git rev-parse HEAD)
+
+ # Try to update the existing tag; create it if it doesn't exist yet.
+ if gh api --method PATCH \
+ "/repos/${GITHUB_REPOSITORY}/git/refs/tags/${MAJOR_VERSION_TAG}" \
+ --field "sha=${SHA}" \
+ --field "force=true" \
+ 2>/dev/null; then
+ echo "Updated existing tag \"${MAJOR_VERSION_TAG}\"."
+ else
+ echo "Tag \"${MAJOR_VERSION_TAG}\" does not exist, creating it from scratch."
+ gh api --method POST \
+ "/repos/${GITHUB_REPOSITORY}/git/refs" \
+ --field "ref=refs/tags/${MAJOR_VERSION_TAG}" \
+ --field "sha=${SHA}"
+ fi
+
+ echo "Updated shorthand major version tag."
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index a71f61c2..3da0cf3e 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -62,7 +62,8 @@ jobs:
 if: needs.is-release.outputs.IS_RELEASE == 'true'
 name: Publish release
 permissions:
- contents: write
+ contents: read
+ id-token: write
 uses: ./.github/workflows/publish-release.yml
 secrets:
 SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
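Review bot: The `2>/dev/null` on the PATCH call makes every failure look like "tag does not exist" — a token without `contents: write`, a network error or a rate limit all fall through to the POST, which then fails for the same underlying cause but with a misleading log line; only a missing-ref response should trigger creation. I would capture stderr and branch on the status it reports (`gh api` prints `(HTTP <code>)` on stderr as far as I recall, and the update-ref endpoint answers a missing ref with 422 in my experience — confirm both on a dry run), failing loudly for anything else. The deleted script's empty-version guard was also dropped: with an empty `release-version` the tag becomes `v`, so add `[[ -n "${RELEASE_VERSION}" ]] || { echo "Error: No release version specified." >&2; exit 1; }` before computing `MAJOR_VERSION_TAG`, since `required: true` on a composite input is not enforced at runtime as far as I know. The old script also wrote `MAJOR_VERSION_TAG` to `$GITHUB_OUTPUT`; this action declares no `outputs:`, which only matters if something downstream still reads it.
```yaml
      run: |
        # … unchanged: set -euo pipefail, MAJOR_VERSION_TAG, SHA …

        # Try to update the existing tag; create it only when the API reports the ref is missing.
        if out=$(gh api --method PATCH \
          "/repos/${GITHUB_REPOSITORY}/git/refs/tags/${MAJOR_VERSION_TAG}" \
          --field "sha=${SHA}" \
          --field "force=true" 2>&1); then
          echo "Updated existing tag \"${MAJOR_VERSION_TAG}\"."
        elif grep -q 'HTTP 422' <<<"${out}"; then
          echo "Tag \"${MAJOR_VERSION_TAG}\" does not exist, creating it from scratch."
          # … unchanged: gh api --method POST … creating refs/tags/${MAJOR_VERSION_TAG} …
        else
          echo "Failed to update tag \"${MAJOR_VERSION_TAG}\": ${out}" >&2
          exit 1
        fi
```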
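Review bot: The caller's job now grants `id-token: write` while dropping `contents: write`, and nothing in the file says why; since a reusable workflow cannot request more than its caller grants, a reader will otherwise assume the publish job lost its ability to push tags. A comment above the `permissions:` block would make the design explicit: `# contents stays read-only; tag pushes use a token from the get-token exchange, which needs id-token: write for OIDC`. The `publish-release` job this block belongs to starts before the hunk.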
diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml
index f5cdbe1a..faf9ff64 100644
--- a/.github/workflows/publish-release.yml
+++ b/.github/workflows/publish-release.yml
@@ -19,6 +19,9 @@ on:
 SLACK_WEBHOOK_URL:
 required: true
 
+permissions:
+ contents: read
+
 jobs:
 announce-release:
 name: Announce release
@@ -64,10 +67,11 @@ jobs:
 
 publish-release:
 name: Publish release
- environment: npm-publish
+ environment: action-publish
 needs: announce-release
 permissions:
- contents: write
+ contents: read
+ id-token: write
 runs-on: ubuntu-latest
 steps:
 - name: Checkout repository
@@ -78,13 +82,22 @@ jobs:
 fetch-depth: 0
 ref: ${{ github.sha }}
 
+ - name: Get token
+ id: get-token
+ uses: ./.github/actions/get-token
+ with:
+ token-exchange-url: ${{ vars.TOKEN_EXCHANGE_URL }}
+ permissions: |
+ contents: write
+
 - name: Publish release
 uses: MetaMask/action-publish-release@v3
 id: publish-release
 env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GITHUB_TOKEN: ${{ steps.get-token.outputs.token }}
 
 - name: Update shorthand major version tag
- run: |
- ./.github/workflows/scripts/update-major-version-tag.sh \
- ${{ steps.publish-release.outputs.release-version }}
+ uses: ./.github/actions/update-major-version-tag
+ with:
+ release-version: ${{ steps.publish-release.outputs.release-version }}
+ github-token: ${{ steps.get-token.outputs.token }}
diff --git a/.github/workflows/scripts/update-major-version-tag.sh b/.github/workflows/scripts/update-major-version-tag.sh
deleted file mode 100755
index 5a9e78ec..00000000
--- a/.github/workflows/scripts/update-major-version-tag.sh
+++ /dev/null
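Review bot: The exchanged token, which carries `contents: write`, is handed to `MetaMask/action-publish-release@v3`, a floating major tag, so whoever can move that tag can exercise a write-capable credential in this repository; pin the action to a full commit SHA (`uses: MetaMask/action-publish-release@<commit-sha> # v3`) now that the credential is worth more than the read-only `GITHUB_TOKEN`. Two things this hunk cannot show and that are worth checking in `./.github/actions/get-token`: that the token is masked (`::add-mask::`) before it becomes a step output, and how long it lives, since two later steps depend on it. Note also that refs created or moved with a token other than `GITHUB_TOKEN` do trigger `push`/`create` workflows, so force-moving the major tag through the exchanged token may start workflow runs that the old `GITHUB_TOKEN` push did not; confirm that is intended. The job and the checkout step's `with:` block begin before this hunk.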
@@ -1,31 +0,0 @@
-#!/usr/bin/env bash
-
-set -x
-set -e
-set -o pipefail
-
-RELEASE_VERSION="${1}"
-
-if [[ -z $RELEASE_VERSION ]]; then
- echo "Error: No release version specified."
- exit 1
-fi
-
-MAJOR_VERSION_TAG="v${RELEASE_VERSION/\.*/}"
-
-git config user.name github-actions
-git config user.email github-actions@github.com
-
-if git show-ref --tags "$MAJOR_VERSION_TAG" --quiet; then
- echo "Tag \"${MAJOR_VERSION_TAG}\" exists, attempting to delete it."
- git tag --delete "$MAJOR_VERSION_TAG"
- git push --delete origin "$MAJOR_VERSION_TAG"
-else
- echo "Tag \"${MAJOR_VERSION_TAG}\" does not exist, creating it from scratch."
-fi
-
-git tag "$MAJOR_VERSION_TAG" HEAD
-git push --tags
-echo "Updated shorthand major version tag."
-
-echo "MAJOR_VERSION_TAG=$MAJOR_VERSION_TAG" >> "$GITHUB_OUTPUT"