|
| 1 | +name: Auto-publish tags |
| 2 | + |
| 3 | +on: |
| 4 | + push: |
| 5 | + tags: |
| 6 | + - 'v*' # Push events to release tags |
| 7 | + |
| 8 | +jobs: |
| 9 | + build: |
| 10 | + name: Publish GitHub Release from tag |
| 11 | + runs-on: ubuntu-latest |
| 12 | + steps: |
| 13 | + - uses: actions/checkout@v2 |
| 14 | + with: |
| 15 | + fetch-depth: 0 |
| 16 | + - name: Import public GPG keys to verify the tag |
| 17 | + uses: actions/github-script@v3 |
| 18 | + with: |
| 19 | + github-token: ${{secrets.GITHUB_TOKEN}} |
| 20 | + script: | |
| 21 | + const { execSync } = require('child_process') |
| 22 | +
|
| 23 | + for (const { key_id, raw_key } of (await github.users.listGpgKeysForUser({ |
| 24 | + username: 'dscho' |
| 25 | + })).data) { |
| 26 | + execSync(`gpg ${raw_key ? '--import' : `--recv-keys ${key_id}`}`, |
| 27 | + { input: raw_key, stdio: [null, 'inherit', 'inherit'] }) |
| 28 | + } |
| 29 | + - name: Check prerequisites |
| 30 | + id: prerequisites |
| 31 | + run: | |
| 32 | + die () { |
| 33 | + echo "::error::$*" >&2 |
| 34 | + exit 1 |
| 35 | + } |
| 36 | +
|
| 37 | + tag_name=${GITHUB_REF#refs/tags/} |
| 38 | + test "x$GITHUB_REF" != "x$tag_name" || die "Not a tag: $GITHUB_REF" |
| 39 | +
|
| 40 | + # `actions/checkout` only downloads the peeled tag (i.e. the commit) |
| 41 | + git fetch origin +$GITHUB_REF:$GITHUB_REF |
| 42 | +
|
| 43 | + train="$(echo "$tag_name" | sed -n 's|^\(v[0-9][0-9]*\)[.0-9]*$|\1|p')" |
| 44 | + test -n "$train" || die "Unexpected tag name: $tag_name" |
| 45 | + echo "$train" >train |
| 46 | +
|
| 47 | + if train_rev="$(git rev-parse --verify "refs/remotes/origin/$train" 2>/dev/null)" |
| 48 | + then |
| 49 | + test 0 -eq "$(git rev-list --count "$GITHUB_REF..$train_rev")" || |
| 50 | + die "Branch '$train' does not fast-forward to tag '$tag_name'" |
| 51 | + else |
| 52 | + test "$train.0.0" = "$tag_name" || die "Branch '$train' does not yet exist?!?" |
| 53 | + fi |
| 54 | +
|
| 55 | + git tag --verify "$tag_name" || die "Tag does not have a valid signature: $tag_name" |
| 56 | +
|
| 57 | + test "$(git rev-parse --verify refs/remotes/origin/main 2>&1)" = \ |
| 58 | + "$(git rev-parse --verify "$GITHUB_REF^0")" || |
| 59 | + die "The tag '$tag_name' does not point to the tip of 'main'" |
| 60 | +
|
| 61 | + printf '%s' "$tag_name" >tag_name |
| 62 | + git cat-file tag "$GITHUB_REF" | sed -e '1,/^$/d' -e '/-----BEGIN PGP SIGNATURE-----/,$d' >body |
| 63 | + - name: Create Release |
| 64 | + if: github.repository_owner == 'git-for-windows' |
| 65 | + uses: actions/github-script@v3 |
| 66 | + with: |
| 67 | + github-token: ${{secrets.GITHUB_TOKEN}} |
| 68 | + script: | |
| 69 | + const { readFileSync } = require('fs') |
| 70 | +
|
| 71 | + const tag_name = readFileSync('tag_name').toString() |
| 72 | + await github.repos.createRelease({ |
| 73 | + owner: context.repo.owner, |
| 74 | + repo: context.repo.repo, |
| 75 | + tag_name: tag_name, |
| 76 | + name: tag_name, |
| 77 | + draft: false, |
| 78 | + prerelease: false, |
| 79 | + body: readFileSync('body').toString() |
| 80 | + }) |
| 81 | + - name: Push to release train branch |
| 82 | + if: github.repository_owner == 'git-for-windows' |
| 83 | + run: | |
| 84 | + git push origin "$GITHUB_REF^0:refs/heads/$(cat train)" |
0 commit comments