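name: Release

# Releases are started by hand only; no push or schedule trigger is defined.
on:
  workflow_dispatch:

# One release run per workflow at a time. A later dispatch waits for the
# running one instead of cancelling it, so a release is not interrupted
# part-way through tagging and publishing.
concurrency:
  group: ${{ github.workflow }}
  cancel-in-progress: false

# Deny by default: GITHUB_TOKEN gets no scopes unless a job asks for them.
permissions: {}

defaults:
  run:
    # -e, -u and -o pipefail stop a step on the first failed command, unset
    # variable or broken pipeline. -x echoes every command to the job log:
    # registered secrets are masked by the runner, but values derived from
    # them are not, so keep secrets in env rather than on command lines.
    shell: bash -xeuo pipefail {0}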
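jobs:
  # Builds the release artifacts through the repository's reusable build
  # workflow. The called workflow can use at most the permissions granted here.
  build:
    uses: ./.github/workflows/build.yml
    permissions:
      contents: read
    with:
      stable: true
      profile: release
      # Presumably turns off build caching so release binaries are not
      # assembled from a restored cache; confirm against build.yml.
      cache: false

  # Attests the built artifacts, tags the dispatched commit and opens a draft
  # GitHub release with the artifacts attached.
  release:
    needs: build
    runs-on: ubuntu-latest
    permissions:
      # artifact-metadata, attestations and id-token are presumably for the
      # attest step (OIDC-backed signing); contents: write lets github.token
      # create the draft release.
      artifact-metadata: write
      attestations: write
      contents: write
      id-token: write
    outputs:
      version: ${{ steps.version.outputs.version }}
    steps:
      - name: Checkout repository
        # Every action in this workflow is pinned to a full commit SHA, so a
        # moved tag cannot change the code that runs.
        # NOTE(review): the pins carry no version comment; record the matching
        # release tag next to each SHA when the pins are next updated.
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
        with:
          # Do not leave the checkout token in .git/config for later steps.
          persist-credentials: false

      - name: Determine version
        id: version
        run: |
          version="$(
            cargo metadata --format-version=1 --no-deps |
              jq --raw-output \
                --arg package shortener \
                '.packages[] | select(.name == $package) | .version'
          )"
          # jq exits 0 with no output when no package matches, so stop here
          # rather than tagging and releasing an empty "v".
          if [[ -z "$version" ]]; then
            echo "::error::No version found for package 'shortener'"
            exit 1
          fi
          echo "version=$version" >> "$GITHUB_OUTPUT"

      - name: Download artifacts
        # No artifact name is given, so presumably every artifact of this run
        # is fetched into its own subdirectory; the globs below rely on that.
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c
        with:
          path: artifacts

      - name: Generate build provenance
        # Attests the same files that are uploaded to the release below, so a
        # consumer can check a downloaded tarball against the attestation.
        uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26
        with:
          subject-path: artifacts/**/*.tar.gz

      - name: Create bot token
        id: token
        # Installation token for the GitHub App, narrowed to contents: write.
        # No owner or repositories input is set, so it should cover only this
        # repository.
        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3
        with:
          client-id: ${{ vars.APP_CLIENT_ID }}
          private-key: ${{ secrets.APP_PRIVATE_KEY }}
          permission-contents: write

      - name: Create tag
        # GITHUB_SHA is the commit the run was dispatched on. workflow_dispatch
        # lets the dispatcher pick any branch or tag, and nothing in this file
        # limits releases to the default branch.
        # NOTE(review): consider a protected environment or a ref check if only
        # reviewed commits should ever be tagged.
        run: |
          gh api "/repos/$GITHUB_REPOSITORY/git/refs" \
            -f "ref=refs/tags/v$VERSION" \
            -f "sha=$GITHUB_SHA"
        env:
          GH_TOKEN: ${{ steps.token.outputs.token }}
          # Passed through env, not interpolated into the script text, so the
          # value cannot be parsed as shell syntax.
          VERSION: ${{ steps.version.outputs.version }}

      - name: Create release
        # --draft keeps the release unpublished until someone publishes it.
        run: |
          gh release create "v$VERSION" \
            --draft \
            --title "$VERSION" \
            --generate-notes \
            artifacts/**/*.tar.gz
        env:
          GH_TOKEN: ${{ github.token }}
          VERSION: ${{ steps.version.outputs.version }}

  # Publishes the crate to crates.io with a short-lived token obtained through
  # OIDC, so no long-lived registry secret is stored in the repository.
  publish-crate:
    needs: release
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # Required for the runner to mint the OIDC token the auth action uses.
      id-token: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
        with:
          persist-credentials: false

      - name: Perform release checks
        # Runs before any registry token exists in the job.
        run: cargo publish --dry-run

      - name: Authenticate to crates.io
        id: auth
        uses: rust-lang/crates-io-auth-action@bbd81622f20ce9e2dd9622e3218b975523e45bbe

      - name: Publish crate
        # NOTE(review): cargo publish repeats the verification build, so
        # dependency build scripts presumably run with this token in their
        # environment; confirm whether --no-verify is acceptable given the
        # dry run above.
        run: cargo publish
        env:
          CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }}

  # Opens a formula bump pull request in the Homebrew tap. The job declares no
  # permissions, so it inherits the workflow-level `permissions: {}` and all
  # access goes through the App token created below.
  bump-homebrew-formula:
    needs: release
    runs-on: ubuntu-latest
    steps:
      - name: Create bot token
        id: token
        # Token limited to the homebrew-tap repository of this repository's
        # owner, with contents and pull-requests write only.
        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3
        with:
          client-id: ${{ vars.APP_CLIENT_ID }}
          private-key: ${{ secrets.APP_PRIVATE_KEY }}
          owner: ${{ github.repository_owner }}
          repositories: homebrew-tap
          permission-contents: write
          permission-pull-requests: write

      - name: Configure Git user
        # Builds the bot's commit identity from the App slug and its numeric
        # user id, and exports it to later steps through GITHUB_ENV.
        run: |
          BOT_LOGIN="${APP_SLUG}[bot]"
          BOT_ID="$(gh api "/users/$BOT_LOGIN" --jq '.id')"
          {
            echo "HOMEBREW_GIT_NAME=$BOT_LOGIN"
            echo "HOMEBREW_GIT_EMAIL=$BOT_ID+$BOT_LOGIN@users.noreply.github.com"
          } >> "$GITHUB_ENV"
        env:
          APP_SLUG: ${{ steps.token.outputs.app-slug }}
          GH_TOKEN: ${{ steps.token.outputs.token }}

      - name: Bump Homebrew formula
        # NOTE(review): no step here puts brew on PATH; confirm that the
        # runner image provides it or add a setup step.
        run: |
          brew tap zhongruoyu/tap
          brew bump-formula-pr --no-fork \
            --version "$VERSION" \
            zhongruoyu/tap/shortener
        env:
          HOMEBREW_GITHUB_API_TOKEN: ${{ steps.token.outputs.token }}
          VERSION: ${{ needs.release.outputs.version }}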