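# Release pipeline. On every push to main, release-please decides whether a
# release is due; every later job is gated on its `release_created` output.
name: Run Release Please
on:  # yamllint disable-line rule:truthy
  push:
    branches:
      - main
# NOTE(review): release-please-action is pinned to a full commit SHA, but
# actions/checkout, actions/setup-node, actions/attest and the release-secrets
# action are referenced by mutable tags. Pinning those to commit SHAs as well
# gives the whole workflow the same supply-chain guarantee.
jobs:
  # Two release-please passes around a single checkout: the first pass creates
  # the GitHub release only (no PR), the tag is pushed by hand if it is missing,
  # and the second pass (only when nothing was released) handles release PRs.
  release-please:
    runs-on: ubuntu-latest
    permissions:
      contents: write
      pull-requests: write
    outputs:
      release_created: ${{ steps.release.outputs.release_created }}
      tag_name: ${{ steps.release.outputs.tag_name }}
    steps:
      # Create any releases in release, then create tags, and then optionally create any new PRs.
      - uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38 # v4.4.0
        id: release
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          skip-github-pull-request: true
      # Need the repository content to be able to create and push a tag.
      - uses: actions/checkout@v4
        if: ${{ steps.release.outputs.release_created == 'true' }}
      - name: Create release tag
        if: ${{ steps.release.outputs.release_created == 'true' }}
        env:
          TAG_NAME: ${{ steps.release.outputs.tag_name }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Passed through the environment instead of being expanded inside
          # the script, so the shell never sees a raw ${{ }} substitution.
          REPO: ${{ github.repository }}
        # The existence check treats any `gh api` failure (not only 404) as
        # "tag missing" and falls through to creation; `git push` then reports
        # the real error if the tag does exist. The tag points at the checked
        # out commit of this push.
        run: |
          if gh api "repos/${REPO}/git/ref/tags/${TAG_NAME}" >/dev/null 2>&1; then
            echo "Tag ${TAG_NAME} already exists, skipping creation."
          else
            echo "Creating tag ${TAG_NAME}."
            git config user.name "github-actions[bot]"
            git config user.email "github-actions[bot]@users.noreply.github.com"
            git tag "${TAG_NAME}"
            git push origin "${TAG_NAME}"
          fi
      - uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38 # v4.4.0
        if: ${{ steps.release.outputs.release_created != 'true' }}
        id: release-prs
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          skip-github-release: true

  # Builds and publishes the release artifacts and container images via the
  # local publish action, then attests the binary checksums.
  release-ldcli:
    permissions:
      id-token: write # Needed to obtain Docker tokens and to sign attestations
      contents: write # Needed to upload release artifacts
      packages: read # Needed to load goreleaser-cross image
      attestations: write # Needed for artifact attestations
    needs: [release-please]
    if: needs.release-please.outputs.release_created == 'true'
    runs-on: ubuntu-22.04-8core-32gb
    outputs:
      # JSON consumed by attest-image-provenance's matrix below.
      images_and_digests: ${{ steps.publish.outputs.images_and_digests }}
    steps:
      - uses: actions/checkout@v4
        name: Checkout
        with:
          # Full history; presumably required by the publish action — confirm.
          fetch-depth: 0
      # Docker Hub credentials are fetched at run time through an assumed AWS
      # role (OIDC) rather than stored as repository secrets.
      - uses: launchdarkly/gh-actions/actions/release-secrets@release-secrets-v1.2.0
        name: 'Get Docker token'
        with:
          aws_assume_role: ${{ vars.AWS_ROLE_ARN }}
          ssm_parameter_pairs: |
            /global/services/docker/public/username = DOCKER_HUB_USERNAME,
            /global/services/docker/public/token = DOCKER_HUB_TOKEN
      - uses: ./.github/actions/publish
        id: publish
        with:
          dry-run: 'false'
          token: ${{ secrets.GITHUB_TOKEN }}
          homebrew-gh-secret: ${{ secrets.HOMEBREW_DEPLOY_KEY }}
          tag: ${{ needs.release-please.outputs.tag_name }}
          ghcr_token: "${{ secrets.GITHUB_TOKEN }}"
      - name: Attest binary artifacts
        uses: actions/attest@v4
        with:
          subject-checksums: ${{ steps.publish.outputs.checksum_file }}

  # One matrix job per published image. `fromJson` needs a well-formed,
  # non-empty JSON array here, so a publish run that emits nothing makes this
  # job fail rather than skip — confirm that is the intended behaviour.
  attest-image-provenance:
    needs: [release-ldcli]
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      attestations: write
    strategy:
      matrix:
        images_and_digests: ${{ fromJson(needs.release-ldcli.outputs.images_and_digests) }}
    steps:
      - name: Attest container image
        uses: actions/attest@v4
        with:
          subject-name: ${{ matrix.images_and_digests.image }}
          subject-digest: ${{ matrix.images_and_digests.digest }}

  # Publishes the npm package using npm trusted publishing (OIDC).
  release-ldcli-npm:
    runs-on: ubuntu-latest
    needs: [release-please, release-ldcli]
    # id-token: write lets npm CLI exchange the GITHUB_TOKEN for an OIDC token
    # that the npm registry trusts via the trusted publisher config for this
    # workflow. No static NPM token is needed (or wanted: if NODE_AUTH_TOKEN is
    # set, npm prefers the token path and skips OIDC).
    permissions:
      id-token: write
      # NOTE(review): contents: write is presumably needed by the publish-npm
      # action; drop to read if it only publishes to the registry — confirm.
      contents: write
    if: needs.release-please.outputs.release_created == 'true'
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '20.x'
          registry-url: 'https://registry.npmjs.org'
      - name: Update npm
        shell: bash
        # npm CLI requires >= 11.5.1 for trusted publishing (OIDC) support.
        run: npm install -g npm@11.6.2
      - id: publish-npm
        name: Publish NPM Package
        uses: ./.github/actions/publish-npm
        with:
          dry-run: 'false'
          prerelease: 'false'

  # Flips the release from draft to published only after artifacts, image
  # attestations and the npm package have all succeeded.
  publish-release:
    needs: [release-please, release-ldcli, attest-image-provenance, release-ldcli-npm]
    if: needs.release-please.outputs.release_created == 'true'
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - name: Publish release
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          TAG_NAME: ${{ needs.release-please.outputs.tag_name }}
          # Same reasoning as in release-please: keep ${{ }} out of `run:`.
          REPO: ${{ github.repository }}
        run: >-
          gh release edit "$TAG_NAME"
          --repo "$REPO"
          --draft=false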