STACKITGit/cli
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
cli/.github/workflows/releases.yml
Mislav Marohnić 2f45173370 Publish docs site using a deploy key instead of PAT 
I'd like to decommission SITE_GITHUB_TOKEN as it's a PAT that has write
access to all my `github/*` repositories. Instead, I've created a deploy
key that only has access to `github/cli.github.com`.

    ssh-keygen -t ed25519 -C "gh docs push" -N "" -f ~/.ssh/gh-docs-publish
    gh repo -R github/cli.github.com deploy-key add ~/.ssh/gh-docs-publish.pub

    # testing:
    GIT_SSH_COMMAND='ssh -i $HOME/.ssh/gh-docs-publish' git push ...
2021-09-13 16:30:40 +02:00

214 lines
8 KiB
YAML
Raw Blame History

name: goreleaser
on:
push:
tags:
- "v*"
jobs:
goreleaser:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v2
- name: Set up Go 1.16
uses: actions/setup-go@v2
with:
go-version: 1.16
- name: Generate changelog
run: |
echo "GORELEASER_CURRENT_TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
git fetch --unshallow
script/changelog | tee CHANGELOG.md
- name: Run GoReleaser
uses: goreleaser/goreleaser-action@v2
with:
version: v0.174.1
args: release --release-notes=CHANGELOG.md
env:
GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
- name: Checkout documentation site
uses: actions/checkout@v2
with:
repository: github/cli.github.com
path: site
fetch-depth: 0
ssh-key: ${{secrets.SITE_SSH_KEY}}
- name: Update site man pages
env:
GIT_COMMITTER_NAME: cli automation
GIT_AUTHOR_NAME: cli automation
GIT_COMMITTER_EMAIL: noreply@github.com
GIT_AUTHOR_EMAIL: noreply@github.com
run: make site-bump
- name: Move project cards
continue-on-error: true
env:
GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
PENDING_COLUMN: 8189733
DONE_COLUMN: 7110130
run: |
api() { gh api -H 'accept: application/vnd.github.inertia-preview+json' "$@"; }
api-write() { [[ $GITHUB_REF == *-* ]] && echo "skipping: api $*" || api "$@"; }
cards=$(api --paginate projects/columns/$PENDING_COLUMN/cards | jq ".[].id")
for card in $cards; do
api-write --silent projects/columns/cards/$card/moves -f position=top -F column_id=$DONE_COLUMN
done
echo "moved ${#cards[@]} cards to the Done column"
- name: Install packaging dependencies
run: sudo apt-get install -y rpm reprepro
- name: Set up GPG
run: |
gpg --import --no-tty --batch --yes < script/pubkey.asc
echo "${{secrets.GPG_KEY}}" | base64 -d | gpg --import --no-tty --batch --yes
echo "allow-preset-passphrase" > ~/.gnupg/gpg-agent.conf
gpg-connect-agent RELOADAGENT /bye
echo "${{secrets.GPG_PASSPHRASE}}" | /usr/lib/gnupg2/gpg-preset-passphrase --preset 867DAD5051270B843EF54F6186FA10E3A1D22DC5
- name: Sign RPMs
run: |
cp script/rpmmacros ~/.rpmmacros
rpmsign --addsign dist/*.rpm
- name: Run createrepo
run: |
mkdir -p site/packages/rpm
cp dist/*.rpm site/packages/rpm/
./script/createrepo.sh
cp -r dist/repodata site/packages/rpm/
pushd site/packages/rpm
gpg --yes --detach-sign --armor repodata/repomd.xml
popd
- name: Run reprepro
env:
RELEASES: "cosmic eoan disco groovy focal stable oldstable testing sid unstable buster bullseye stretch jessie bionic trusty precise xenial hirsute impish kali-rolling"
run: |
mkdir -p upload
for release in $RELEASES; do
for file in dist/*.deb; do
reprepro --confdir="+b/script" includedeb "$release" "$file"
done
done
cp -a dists/ pool/ upload/
mkdir -p site/packages
cp -a upload/* site/packages/
- name: Publish site
env:
GIT_COMMITTER_NAME: cli automation
GIT_AUTHOR_NAME: cli automation
GIT_COMMITTER_EMAIL: noreply@github.com
GIT_AUTHOR_EMAIL: noreply@github.com
working-directory: ./site
run: |
git add packages
git commit -m "Add rpm and deb packages for ${GITHUB_REF#refs/tags/}"
if [[ $GITHUB_REF == *-* ]]; then
git log --oneline @{upstream}..
git diff --name-status @{upstream}..
else
git push
fi
msi:
needs: goreleaser
runs-on: windows-latest
steps:
- name: Checkout
uses: actions/checkout@v2
- name: Download gh.exe
id: download_exe
shell: bash
run: |
hub release download "${GITHUB_REF#refs/tags/}" -i '*windows_amd64*.zip'
printf "::set-output name=zip::%s\n" *.zip
unzip -o *.zip && rm -v *.zip
env:
GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
- name: Install go-msi
run: choco install -y "go-msi"
- name: Prepare PATH
shell: bash
run: |
echo "$WIX\\bin" >> $GITHUB_PATH
echo "C:\\Program Files\\go-msi" >> $GITHUB_PATH
- name: Build MSI
id: buildmsi
shell: bash
env:
ZIP_FILE: ${{ steps.download_exe.outputs.zip }}
run: |
mkdir -p build
msi="$(basename "$ZIP_FILE" ".zip").msi"
printf "::set-output name=msi::%s\n" "$msi"
go-msi make --msi "$PWD/$msi" --out "$PWD/build" --version "${GITHUB_REF#refs/tags/}"
- name: Obtain signing cert
id: obtain_cert
env:
DESKTOP_CERT_TOKEN: ${{ secrets.DESKTOP_CERT_TOKEN }}
run: .\script\setup-windows-certificate.ps1
- name: Sign MSI
env:
CERT_FILE: ${{ steps.obtain_cert.outputs.cert-file }}
EXE_FILE: ${{ steps.buildmsi.outputs.msi }}
GITHUB_CERT_PASSWORD: ${{ secrets.GITHUB_CERT_PASSWORD }}
run: .\script\sign.ps1 -Certificate $env:CERT_FILE -Executable $env:EXE_FILE
- name: Upload MSI
shell: bash
run: |
tag_name="${GITHUB_REF#refs/tags/}"
hub release edit "$tag_name" -m "" -a "$MSI_FILE"
release_url="$(gh api repos/:owner/:repo/releases -q ".[]|select(.tag_name==\"${tag_name}\")|.url")"
publish_args=( -F draft=false )
if [[ $GITHUB_REF != *-* ]]; then
publish_args+=( -f discussion_category_name="$DISCUSSION_CATEGORY" )
fi
gh api -X PATCH "$release_url" "${publish_args[@]}"
env:
MSI_FILE: ${{ steps.buildmsi.outputs.msi }}
DISCUSSION_CATEGORY: General
GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
- name: Bump homebrew-core formula
uses: mislav/bump-homebrew-formula-action@v1
if: "!contains(github.ref, '-')" # skip prereleases
with:
formula-name: gh
env:
COMMITTER_TOKEN: ${{ secrets.UPLOAD_GITHUB_TOKEN }}
- name: Checkout scoop bucket
uses: actions/checkout@v2
with:
repository: cli/scoop-gh
path: scoop-gh
fetch-depth: 0
token: ${{secrets.UPLOAD_GITHUB_TOKEN}}
- name: Bump scoop bucket
shell: bash
run: |
hub release download "${GITHUB_REF#refs/tags/}" -i '*_checksums.txt'
script/scoop-gen "${GITHUB_REF#refs/tags/}" ./scoop-gh/gh.json < *_checksums.txt
git -C ./scoop-gh commit -m "gh ${GITHUB_REF#refs/tags/}" gh.json
if [[ $GITHUB_REF == *-* ]]; then
git -C ./scoop-gh show -m
else
git -C ./scoop-gh push
fi
env:
GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
GIT_COMMITTER_NAME: cli automation
GIT_AUTHOR_NAME: cli automation
GIT_COMMITTER_EMAIL: noreply@github.com
GIT_AUTHOR_EMAIL: noreply@github.com
- name: Bump Winget manifest
shell: pwsh
env:
WINGETCREATE_VERSION: v0.2.0.29-preview
GITHUB_TOKEN: ${{ secrets.UPLOAD_GITHUB_TOKEN }}
run: |
$tagname = $env:GITHUB_REF.Replace("refs/tags/", "")
$version = $tagname.Replace("v", "")
$url = "https://github.com/cli/cli/releases/download/${tagname}/gh_${version}_windows_amd64.msi"
iwr https://github.com/microsoft/winget-create/releases/download/${env:WINGETCREATE_VERSION}/wingetcreate.exe -OutFile wingetcreate.exe
.\wingetcreate.exe update GitHub.cli --url $url --version $version
if ($version -notmatch "-") {
.\wingetcreate.exe submit .\manifests\g\GitHub\cli\${version}\ --token $env:GITHUB_TOKEN
}
Reference in a new issue View git blame Copy permalink