From fa95187ef27fea30ad3abbd88b85ef3061366643 Mon Sep 17 00:00:00 2001
From: Maarten Zuidhoorn
Date: Fri, 26 Jun 2026 14:40:37 +0200
Subject: [PATCH 1/4] Extract major version tag update into reusable composite action
Replaces the shell script with a composite action so other repos can use it via `uses: MetaMask/github-tools/.github/actions/update-major-version-tag`. Switches from `git push` to the GitHub API so a GitHub App token can be used, enabling tag protection rules that restrict who can push tags.
---
.../update-major-version-tag/action.yml | 41 +++++++++++++++++++
.github/workflows/publish-release.yml | 16 ++++++--
.../scripts/update-major-version-tag.sh | 31 --------------
3 files changed, 53 insertions(+), 35 deletions(-)
create mode 100644 .github/actions/update-major-version-tag/action.yml
delete mode 100755 .github/workflows/scripts/update-major-version-tag.sh
diff --git a/.github/actions/update-major-version-tag/action.yml b/.github/actions/update-major-version-tag/action.yml
new file mode 100644
index 00000000..88e73ec8
--- /dev/null
+++ b/.github/actions/update-major-version-tag/action.yml
@@ -0,0 +1,41 @@ +name: Update Major Version Tag +description: 'Create or update the major version shorthand tag (e.g., v1) to point to HEAD, for use when releasing a GitHub Action.' + +inputs: + release-version: + required: true + description: 'Full release version (e.g., 1.2.3).' + github-token: + required: true + description: 'GitHub token with contents write permission.' + +runs: + using: composite + steps: + - name: Update major version tag + shell: bash + env: + GH_TOKEN: ${{ inputs.github-token }} + RELEASE_VERSION: ${{ inputs.release-version }} + run: | + set -euo pipefail + + MAJOR_VERSION_TAG="v${RELEASE_VERSION/\.*/}" + SHA=$(git rev-parse HEAD) + + # Try to update the existing tag; create it if it doesn't exist yet. + if gh api --method PATCH \ + "/repos/${GITHUB_REPOSITORY}/git/refs/tags/${MAJOR_VERSION_TAG}" \ + --field "sha=${SHA}" \ + --field "force=true" \ + 2>/dev/null; then + echo "Updated existing tag \"${MAJOR_VERSION_TAG}\"." + else + echo "Tag \"${MAJOR_VERSION_TAG}\" does not exist, creating it from scratch." + gh api --method POST \ + "/repos/${GITHUB_REPOSITORY}/git/refs" \ + --field "ref=refs/tags/${MAJOR_VERSION_TAG}" \ + --field "sha=${SHA}" + fi + + echo "Updated shorthand major version tag." \ No newline at end of file diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml index f5cdbe1a..15d3d51b 100644 --- a/.github/workflows/publish-release.yml +++ b/.github/workflows/publish-release.yml @@ -64,7 +64,7 @@ jobs: publish-release: name: Publish release - environment: npm-publish + environment: action-publish needs: announce-release permissions: contents: write 
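Review bot: The `2>/dev/null` on the PATCH call in the `run:` script discards every failure reason, so an expired token, a tag-protection rejection or a transient API error is indistinguishable from "tag does not exist" and the step falls through to a POST whose 422 then reports the wrong problem; deciding create-vs-update with an explicit `gh api "/repos/${GITHUB_REPOSITORY}/git/ref/tags/${MAJOR_VERSION_TAG}"` lookup keeps the PATCH's stderr visible. The deleted script also rejected an empty version argument, whereas this action derives `MAJOR_VERSION_TAG` from `release-version` unchecked, and `required: true` on a composite-action input is in practice not enforced at run time, so an empty or malformed value would silently produce a tag like `v` — a prefix check on `RELEASE_VERSION` restores that guard. The old script additionally exported `MAJOR_VERSION_TAG` via `$GITHUB_OUTPUT`, while the action declares no `outputs:`; presumably nothing consumed it, but worth confirming.
```yaml
      run: |
        set -euo pipefail

        # Fail fast on a missing or malformed version: a required composite
        # input is not enforced at run time, and the old script rejected an
        # empty argument.
        if [[ ! "${RELEASE_VERSION}" =~ ^[0-9]+\.[0-9]+\.[0-9]+ ]]; then
          echo "Error: release-version must look like MAJOR.MINOR.PATCH, got \"${RELEASE_VERSION}\"." >&2
          exit 1
        fi

        MAJOR_VERSION_TAG="v${RELEASE_VERSION/\.*/}"
        SHA=$(git rev-parse HEAD)

        # Decide create-vs-update with an explicit lookup instead of discarding
        # the PATCH's stderr, so auth/protection/network failures surface.
        if gh api "/repos/${GITHUB_REPOSITORY}/git/ref/tags/${MAJOR_VERSION_TAG}" >/dev/null; then
          gh api --method PATCH \
            "/repos/${GITHUB_REPOSITORY}/git/refs/tags/${MAJOR_VERSION_TAG}" \
            --field "sha=${SHA}" \
            --field "force=true"
          echo "Updated existing tag \"${MAJOR_VERSION_TAG}\"."
        else
          # … unchanged: POST to /git/refs creating the tag …
        fi
```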
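Review bot: The `action-publish` environment named on the new side of the `environment:` line must carry deployment-protection rules (required reviewers, branch restrictions) at least as strict as `npm-publish`, because environment selection also decides which environment-scoped secrets and variables the job sees and, from the next hunk on, it gates the step that exchanges an OIDC token for a contents:write token. If `vars.TOKEN_EXCHANGE_URL` is defined per environment, it has to exist on `action-publish` as well, otherwise the exchange step runs with an empty URL.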
@@ -84,7 +84,15 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + - name: Get token + uses: ./.github/actions/get-token + with: + token-exchange-url: ${{ vars.TOKEN_EXCHANGE_URL }} + permissions: | + contents: write + - name: Update shorthand major version tag - run: | - ./.github/workflows/scripts/update-major-version-tag.sh \ - ${{ steps.publish-release.outputs.release-version }} + uses: ./.github/actions/update-major-version-tag + with: + release-version: ${{ steps.publish-release.outputs.release-version }} + github-token: ${{ steps.get-token.outputs.token }} diff --git a/.github/workflows/scripts/update-major-version-tag.sh b/.github/workflows/scripts/update-major-version-tag.sh deleted file mode 100755 index 5a9e78ec..00000000 --- a/.github/workflows/scripts/update-major-version-tag.sh +++ /dev/null @@ -1,31 +0,0 @@ -#!/usr/bin/env bash - -set -x -set -e -set -o pipefail - -RELEASE_VERSION="${1}" - -if [[ -z $RELEASE_VERSION ]]; then - echo "Error: No release version specified." - exit 1 -fi - -MAJOR_VERSION_TAG="v${RELEASE_VERSION/\.*/}" - -git config user.name github-actions -git config user.email github-actions@github.com - -if git show-ref --tags "$MAJOR_VERSION_TAG" --quiet; then - echo "Tag \"${MAJOR_VERSION_TAG}\" exists, attempting to delete it." - git tag --delete "$MAJOR_VERSION_TAG" - git push --delete origin "$MAJOR_VERSION_TAG" -else - echo "Tag \"${MAJOR_VERSION_TAG}\" does not exist, creating it from scratch." -fi - -git tag "$MAJOR_VERSION_TAG" HEAD -git push --tags -echo "Updated shorthand major version tag." - -echo "MAJOR_VERSION_TAG=$MAJOR_VERSION_TAG" >> "$GITHUB_OUTPUT" From 890f77f51a3860a59776e288831522ee710e71e7 Mon Sep 17 00:00:00 2001 From: Maarten Zuidhoorn Date: Fri, 26 Jun 2026 14:44:09 +0200 Subject: [PATCH 2/4] Add missing new line --- .github/actions/update-major-version-tag/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/actions/update-major-version-tag/action.yml b/.github/actions/update-major-version-tag/action.yml index 88e73ec8..f001a454 100644 --- a/.github/actions/update-major-version-tag/action.yml +++ b/.github/actions/update-major-version-tag/action.yml @@ -38,4 +38,4 @@ runs: --field "sha=${SHA}" fi - echo "Updated shorthand major version tag." \ No newline at end of file + echo "Updated shorthand major version tag." From 0d74f23a53f1561ad7ccd918f01bd49356438e20 Mon Sep 17 00:00:00 2001 From: Maarten Zuidhoorn Date: Fri, 26 Jun 2026 14:45:01 +0200 Subject: [PATCH 3/4] Add missing step ID --- .github/workflows/publish-release.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml index 15d3d51b..89dd6dff 100644 --- a/.github/workflows/publish-release.yml +++ b/.github/workflows/publish-release.yml @@ -85,6 +85,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Get token + id: get-token uses: ./.github/actions/get-token with: token-exchange-url: ${{ vars.TOKEN_EXCHANGE_URL }} From 52936dbc7fb864560a48b880ad6fff59703b21dc Mon Sep 17 00:00:00 2001 From: Maarten Zuidhoorn Date: Fri, 26 Jun 2026 14:49:41 +0200 Subject: [PATCH 4/4] Fix workflow permissions --- .github/workflows/main.yml | 3 ++- .github/workflows/publish-release.yml | 18 +++++++++++------- 2 files changed, 13 insertions(+), 8 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index a71f61c2..3da0cf3e 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -62,7 +62,8 @@ jobs: if: needs.is-release.outputs.IS_RELEASE == 'true' name: Publish release permissions: - contents: write + contents: read + id-token: write uses: ./.github/workflows/publish-release.yml secrets: SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml index 89dd6dff..faf9ff64 100644 
--- a/.github/workflows/publish-release.yml +++ b/.github/workflows/publish-release.yml @@ -19,6 +19,9 @@ on: SLACK_WEBHOOK_URL: required: true +permissions: + contents: read + jobs: announce-release: name: Announce release @@ -67,7 +70,8 @@ jobs: environment: action-publish needs: announce-release permissions: - contents: write + contents: read + id-token: write runs-on: ubuntu-latest steps: - name: Checkout repository @@ -78,12 +82,6 @@ jobs: fetch-depth: 0 ref: ${{ github.sha }} - - name: Publish release - uses: MetaMask/action-publish-release@v3 - id: publish-release - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - name: Get token id: get-token uses: ./.github/actions/get-token @@ -92,6 +90,12 @@ jobs: permissions: | contents: write + - name: Publish release + uses: MetaMask/action-publish-release@v3 + id: publish-release + env: + GITHUB_TOKEN: ${{ steps.get-token.outputs.token }} + - name: Update shorthand major version tag uses: ./.github/actions/update-major-version-tag with:
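Review bot: `id-token: write` added to the `publish-release` job permissions is job-wide, so every step in the job — the checkout step and the third-party `MetaMask/action-publish-release@v3` that this file re-adds in its final hunk — can request an OIDC token, not only the `get-token` step; if the exchange service accepts any OIDC token from this job, that is equivalent to handing those steps the contents:write token. Pinning the third-party action to a full commit SHA instead of the mutable `v3` tag limits that exposure, e.g. `uses: MetaMask/action-publish-release@<full-commit-sha> # v3`, and the job's `contents: read` on the new side is then the only static grant left. The hunk that re-adds the publish step continues past the end of the visible diff.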