Release #478
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # GitHub release workflow. | |
| name: Release | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| release_channel: | |
| type: choice | |
| description: Release channel | |
| options: | |
| - mainline | |
| - stable | |
| release_notes: | |
| description: Release notes for the publishing the release. This is required to create a release. | |
| dry_run: | |
| description: Perform a dry-run release (devel). Note that ref must be an annotated tag when run without dry-run. | |
| type: boolean | |
| required: true | |
| default: false | |
| permissions: | |
| contents: read | |
| concurrency: ${{ github.workflow }}-${{ github.ref }} | |
| env: | |
| # Use `inputs` (vs `github.event.inputs`) to ensure that booleans are actual | |
| # booleans, not strings. | |
| # https://github.blog/changelog/2022-06-10-github-actions-inputs-unified-across-manual-and-reusable-workflows/ | |
| CODER_RELEASE: ${{ !inputs.dry_run }} | |
| CODER_DRY_RUN: ${{ inputs.dry_run }} | |
| CODER_RELEASE_CHANNEL: ${{ inputs.release_channel }} | |
| CODER_RELEASE_NOTES: ${{ inputs.release_notes }} | |
| jobs: | |
| release: | |
| name: Build and publish | |
| runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }} | |
| permissions: | |
| # Required to publish a release | |
| contents: write | |
| # Necessary to push docker images to ghcr.io. | |
| packages: write | |
| # Necessary for GCP authentication (https://github.com/google-github-actions/setup-gcloud#usage) | |
| # Also necessary for keyless cosign (https://docs.sigstore.dev/cosign/signing/overview/) | |
| # And for GitHub Actions attestation | |
| id-token: write | |
| # Required for GitHub Actions attestation | |
| attestations: write | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| with: | |
| fetch-depth: 0 | |
| # If the event that triggered the build was an annotated tag (which our | |
| # tags are supposed to be), actions/checkout has a bug where the tag in | |
| # question is only a lightweight tag and not a full annotated tag. This | |
| # command seems to fix it. | |
| # https://github.com/actions/checkout/issues/290 | |
| - name: Fetch git tags | |
| run: git fetch --tags --force | |
| - name: Authenticate to Google Cloud | |
| id: gcloud_auth | |
| uses: google-github-actions/auth@ba79af03959ebeac9769e648f473a284504d9193 # v2.1.10 | |
| with: | |
| workload_identity_provider: ${{ secrets.GCP_CODE_SIGNING_WORKLOAD_ID_PROVIDER }} | |
| service_account: ${{ secrets.GCP_CODE_SIGNING_SERVICE_ACCOUNT }} | |
| token_format: "access_token" | |
| - name: Setup GCloud SDK | |
| uses: google-github-actions/setup-gcloud@77e7a554d41e2ee56fc945c52dfd3f33d12def9a # v2.1.4 | |
| - name: Publish signatures to GCS retroactively | |
| run: | | |
| set -euxo pipefail | |
| mkdir -p /tmp/binaries | |
| versions=( | |
| 2.22.1 | |
| 2.23.0 | |
| 2.23.1 | |
| 2.23.2 | |
| 2.23.3 | |
| 2.24.0 | |
| 2.24.1 | |
| ) | |
| for version in "${versions[@]}"; do | |
| mkdir -p /tmp/binaries/${version} | |
| # Download all the binaries for the version | |
| gcloud storage cp "gs://releases.coder.com/coder-cli/${version}/*" /tmp/binaries/${version} | |
| # Sign all the binaries | |
| for file in /tmp/binaries/${version}/*; do | |
| ./scripts/sign_with_gpg.sh "$file" | |
| filename=$(basename "$file") | |
| gcloud storage cp "$file".asc "gs://releases.coder.com/coder-cli/${version}/${filename}.asc" | |
| done | |
| done | |
| env: | |
| CODER_GPG_RELEASE_KEY_BASE64: ${{ secrets.GPG_RELEASE_KEY_BASE64 }} |