chore(main): release 1.2.1 (#11) #15
| name: Release | |
| on: | |
| push: | |
| branches: [main] | |
| permissions: | |
| contents: write | |
| pull-requests: write | |
| jobs: | |
| release-please: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| release_created: ${{ steps.release.outputs.release_created }} | |
| tag_name: ${{ steps.release.outputs.tag_name }} | |
| steps: | |
| - uses: googleapis/release-please-action@v4 | |
| id: release | |
| with: | |
| release-type: go | |
| goreleaser: | |
| needs: release-please | |
| if: ${{ needs.release-please.outputs.release_created }} | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: write | |
| id-token: write # Required for WIF OIDC and cosign keyless signing | |
| env: | |
| GAR_IMAGE: us-central1-docker.pkg.dev/etsy-github-tooling-prod/github-app-sts-binaries/github-app-sts-server | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 | |
| with: | |
| egress-policy: audit | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| fetch-depth: 0 | |
| filter: blob:none | |
| - name: Install cosign | |
| uses: sigstore/cosign-installer@7e8b541eb2e61bf99390e1afd4be13a184e9ebc5 # v3.10.1 | |
| - name: Authenticate to Google Cloud | |
| uses: google-github-actions/auth@c200f3691d83b41bf9bbd8638997a462592937ed # v2.1.13 | |
| with: | |
| workload_identity_provider: 'projects/454188917020/locations/global/workloadIdentityPools/github-app-sts-gha/providers/etsy-github' | |
| service_account: 'github-app-sts-main-gha@etsy-github-tooling-prod.iam.gserviceaccount.com' | |
| - name: Set up gcloud CLI | |
| uses: google-github-actions/setup-gcloud@e427ad8a34f8676edf47cf7d7925499adf3eb74f # v2.2.1 | |
| - name: Configure Docker for GAR | |
| run: gcloud auth configure-docker us-central1-docker.pkg.dev --quiet | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 | |
| - name: Set up Go | |
| uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0 | |
| with: | |
| go-version-file: go.mod | |
| - name: Build and publish Go binaries and Docker image | |
| uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0 | |
| with: | |
| args: release --clean | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Print immutable image reference | |
| run: | | |
| TAG="${{ needs.release-please.outputs.tag_name }}" | |
| DIGEST="$(docker buildx imagetools inspect "${GAR_IMAGE}:${TAG}" --format '{{.Manifest.Digest}}')" | |
| echo "::notice::Docker image: ${GAR_IMAGE}:${TAG}@${DIGEST}" | |
| action-tag: | |
| needs: release-please | |
| if: ${{ needs.release-please.outputs.release_created }} | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: write | |
| steps: | |
| - uses: actions/checkout@v6 | |
| with: | |
| ref: ${{ needs.release-please.outputs.tag_name }} | |
| - uses: actions/setup-node@v6 | |
| with: | |
| node-version: 24 | |
| - name: Build GitHub Action | |
| run: cd action && npm ci && npm run build | |
| - name: Publish signed GitHub Action tag | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| VERSION="${{ needs.release-please.outputs.tag_name }}" | |
| REPO="${{ github.repository }}" | |
| # Get the release tag's commit SHA and tree SHA | |
| TAG_SHA=$(gh api "repos/${REPO}/git/ref/tags/${VERSION}" --jq '.object.sha') | |
| TREE_SHA=$(gh api "repos/${REPO}/git/commits/${TAG_SHA}" --jq '.tree.sha') | |
| # 1. Create blob for built dist/index.js (base64 encoded) | |
| BLOB_SHA=$(base64 -i action/dist/index.js | jq -Rs '{content: ., encoding: "base64"}' \ | |
| | gh api "repos/${REPO}/git/blobs" --input - --jq '.sha') | |
| # 2. Create tree: release tag's tree + dist/index.js | |
| DIST_TREE_SHA=$(jq -n \ | |
| --arg base_tree "$TREE_SHA" \ | |
| --arg sha "$BLOB_SHA" \ | |
| '{base_tree: $base_tree, tree: [{path: "action/dist/index.js", mode: "100644", type: "blob", sha: $sha}]}' \ | |
| | gh api "repos/${REPO}/git/trees" --input - --jq '.sha') | |
| # 3. Create commit (auto-signed by GitHub) | |
| COMMIT_SHA=$(gh api "repos/${REPO}/git/commits" \ | |
| -f "message=chore: build action dist for ${VERSION}" \ | |
| -f "tree=${DIST_TREE_SHA}" \ | |
| -f "parents[]=${TAG_SHA}" \ | |
| --jq '.sha') | |
| # 4. Create immutable action tag (action/v1.2.0) | |
| gh api "repos/${REPO}/git/refs" \ | |
| -f "ref=refs/tags/action/${VERSION}" \ | |
| -f "sha=${COMMIT_SHA}" |
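Review bot: The action-tag job references `actions/checkout@v6` and `actions/setup-node@v6` by floating tag, while every action in the goreleaser job above is pinned to a commit SHA with a version comment, so the job that cuts the published `action/<tag>` ref consumers will run is the one with the weaker supply-chain pin. Pin both the same way, e.g. `- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2` (the SHA the goreleaser job already uses) and `- uses: actions/setup-node@<commit-sha-of-the-v6-release> # v6.x`, and consider giving this job the same Harden Runner step. Separately, `needs.release-please.outputs.tag_name` and `github.repository` are interpolated directly into the `run:` scripts of the "Print immutable image reference" and "Publish signed GitHub Action tag" steps; both values come from release-please and GitHub rather than from a PR author, so the exposure looks low, but routing them through a step-level `env:` entry (e.g. `TAG: ${{ needs.release-please.outputs.tag_name }}`) and reading `"$TAG"` in the script is the conventional way to keep expression output out of the shell parser. The comment `# 4. Create immutable action tag (action/v1.2.0)` hard-codes an example version that will drift from the `${VERSION}` used on the next line, and a ref created by a plain `git/refs` POST is only as immutable as the repository's tag protection rules, which this workflow cannot enforce; `# 4. Create action tag action/${VERSION} pointing at the dist commit (protect via tag rules)` states what the step actually does.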