ci(release): harden release publishing workflow #373
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Publish Preview CLI Packages | |
| # Release-notes PRs (head ref `release-notes/*`) are markdown-only and are not | |
| # meant to produce installable preview packages. | |
| on: | |
| pull_request: | |
| types: | |
| - opened | |
| - synchronize | |
| - reopened | |
| - ready_for_review | |
| branches: | |
| - develop | |
| permissions: | |
| actions: read | |
| contents: read | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.head_ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| build: | |
| if: | | |
| !startsWith(github.head_ref, 'release-notes/') && | |
| github.event.pull_request.draft == false | |
| name: Build preview CLI packages | |
| uses: ./.github/workflows/build-cli-artifacts.yml | |
| with: | |
| version: 0.0.0-pr.${{ github.event.pull_request.number }} | |
| shell: legacy | |
| publish: | |
| needs: build | |
| if: | | |
| !startsWith(github.head_ref, 'release-notes/') && | |
| github.event.pull_request.draft == false && | |
| needs.build.result == 'success' | |
| name: Publish preview package | |
| runs-on: ubuntu-latest | |
| env: | |
| PREVIEW_VERSION: 0.0.0-pr.${{ github.event.pull_request.number }} | |
| PR_NUMBER: ${{ github.event.pull_request.number }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 | |
| with: | |
| persist-credentials: false | |
| - name: Setup | |
| uses: ./.github/actions/setup | |
| - name: Download preview build artifacts | |
| uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 | |
| with: | |
| name: cli-build-legacy-${{ env.PREVIEW_VERSION }} | |
| - name: Prepare package files | |
| run: | | |
| set -euo pipefail | |
| pnpm exec bun apps/cli/scripts/sync-versions.ts --version "${PREVIEW_VERSION}" | |
| pnpm --dir apps/cli build:shim | |
| find packages -path '*/bin/supabase*' -type f -exec chmod +x {} + | |
| - name: Publish preview package | |
| run: | | |
| pnpm exec pkg-pr-new publish \ | |
| --pnpm \ | |
| --bin \ | |
| --comment=off \ | |
| --json pkg-pr-new.json \ | |
| --no-template \ | |
| './packages/cli-darwin-arm64' \ | |
| './packages/cli-darwin-x64' \ | |
| './packages/cli-linux-arm64' \ | |
| './packages/cli-linux-arm64-musl' \ | |
| './packages/cli-linux-x64' \ | |
| './packages/cli-linux-x64-musl' \ | |
| './packages/cli-windows-arm64' \ | |
| './packages/cli-windows-x64' \ | |
| './apps/cli' | |
| - name: Smoke test preview command | |
| run: | | |
| set -euo pipefail | |
| preview_url="https://pkg.pr.new/supabase@${PR_NUMBER}" | |
| echo "Preview command: npx ${preview_url}" | |
| npx --yes "${preview_url}" --version | |
| comment: | |
| needs: publish | |
| if: | | |
| !startsWith(github.head_ref, 'release-notes/') && | |
| github.event.pull_request.draft == false && | |
| needs.publish.result == 'success' | |
| name: Post preview command comment | |
| runs-on: ubuntu-latest | |
| permissions: | |
| pull-requests: write | |
| env: | |
| GH_TOKEN: ${{ github.token }} | |
| HEAD_SHA: ${{ github.event.pull_request.head.sha }} | |
| PR_NUMBER: ${{ github.event.pull_request.number }} | |
| steps: | |
| - name: Post preview command comment | |
| run: | | |
| set -euo pipefail | |
| marker="<!-- supabase-cli-preview-package -->" | |
| preview_url="https://pkg.pr.new/supabase@${PR_NUMBER}" | |
| short_sha="${HEAD_SHA:0:7}" | |
| comment_file="$(mktemp)" | |
| cat > "${comment_file}" <<EOF | |
| ${marker} | |
| ## Supabase CLI preview | |
| \`\`\`sh | |
| npx --yes ${preview_url} | |
| \`\`\` | |
| _Preview package for commit [\`${short_sha}\`](https://github.com/${GITHUB_REPOSITORY}/commit/${HEAD_SHA})._ | |
| EOF | |
| if ! comment_id="$( | |
| gh api \ | |
| "repos/${GITHUB_REPOSITORY}/issues/${PR_NUMBER}/comments" \ | |
| --jq ".[] | select(.user.login == \"github-actions[bot]\" and (.body | contains(\"${marker}\"))) | .id" \ | |
| | head -n 1 | |
| )"; then | |
| echo "::warning::Unable to list PR comments. The preview package was published, but this workflow token cannot update the PR comment." | |
| exit 0 | |
| fi | |
| if [ -n "${comment_id}" ]; then | |
| if ! gh api \ | |
| --method PATCH \ | |
| "repos/${GITHUB_REPOSITORY}/issues/comments/${comment_id}" \ | |
| --field "body=@${comment_file}" \ | |
| >/dev/null; then | |
| echo "::warning::Unable to update the preview package PR comment." | |
| exit 0 | |
| fi | |
| else | |
| if ! gh api \ | |
| --method POST \ | |
| "repos/${GITHUB_REPOSITORY}/issues/${PR_NUMBER}/comments" \ | |
| --field "body=@${comment_file}" \ | |
| >/dev/null; then | |
| echo "::warning::Unable to create the preview package PR comment." | |
| exit 0 | |
| fi | |
| fi |