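name: Apply release notes
# Approval-based publish. When a member of the supabase/cli team approves a
# release-notes PR (head ref `release-notes/v<VERSION>`), this workflow pushes
# the proposed notes to the GitHub Release body for the corresponding tag,
# comments the release URL on the PR, and closes the PR without merging. The
# release-notes PR targets `develop` (not `main`) so an accidental merge can
# never rewrite `main`'s history; the file is not meant to land on any branch.
#
# The `apply` job checks out the PR head and executes code from it
# (`./.github/actions/setup`, `apps/cli/scripts/apply-release-notes.ts`) with
# an App token in scope, so the gate also requires the PR head to live in this
# repository: a fork branch named `release-notes/...` must never reach that
# job, regardless of who approved it.
#
# Mirrors the fast-forward job in release.yml, which already gates on a
# `pull_request_review` + `approved` event.
on:
  pull_request_review:
    types: [submitted]
permissions:
  contents: read
jobs:
  authorize:
    # `state == 'open'` makes re-approvals on an already-closed PR a no-op
    # (a reviewer can re-approve from the GitHub UI even after close).
    # `head.repo.full_name == github.repository` rejects fork PRs: the apply
    # job runs code from the checked-out head, so only same-repo branches
    # (which already require push access) are eligible.
    if: |
      github.event.review.state == 'approved' &&
      startsWith(github.event.pull_request.head.ref, 'release-notes/') &&
      github.event.pull_request.base.ref == 'develop' &&
      github.event.pull_request.head.repo.full_name == github.repository &&
      github.event.pull_request.state == 'open'
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
    outputs:
      authorized: ${{ steps.check.outputs.authorized }}
    steps:
      # App token: needs `orgs/.../teams/.../memberships` read (the org-installed
      # App has it), repo write to edit the release, and PR write to comment
      # and close. Matches release.yml's fast-forward step.
      - id: app-token
        uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
        with:
          client-id: ${{ vars.GH_APP_CLIENT_ID }}
          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
      - name: Authorize approver against supabase/cli team
        id: check
        # Event-derived values are passed through `env` rather than interpolated
        # into the script, so they are never evaluated by the shell.
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
          APPROVER: ${{ github.event.review.user.login }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
        # Fail closed: any response other than an active membership means the
        # approval is ignored. We post a comment so the reviewer sees why their
        # approval didn't apply, then exit 0 so the workflow isn't flagged red.
        run: |
          set -euo pipefail
          status=$(gh api \
            -H "Accept: application/vnd.github+json" \
            "orgs/supabase/teams/cli/memberships/${APPROVER}" \
            --jq '.state' 2>/dev/null || true)
          if [ "$status" != "active" ]; then
            echo "Approver @${APPROVER} is not an active supabase/cli team member (state='${status:-none}'); ignoring approval." >&2
            gh pr comment "$PR_NUMBER" --repo "$GITHUB_REPOSITORY" --body \
              "@${APPROVER} is not an active \`supabase/cli\` team member, so this approval was ignored. Ask a team member to approve to publish the notes."
            echo "authorized=false" >> "$GITHUB_OUTPUT"
            exit 0
          fi
          echo "authorized=true" >> "$GITHUB_OUTPUT"
  apply:
    needs: authorize
    if: needs.authorize.outputs.authorized == 'true'
    runs-on: ubuntu-latest
    permissions:
      contents: write
      pull-requests: write
    steps:
      - id: app-token
        uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
        with:
          client-id: ${{ vars.GH_APP_CLIENT_ID }}
          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
      # Checkout the PR head so any reviewer edits made in the GitHub UI before
      # approval are captured. apply-release-notes.ts reads from the working
      # tree. The head is guaranteed to be a same-repo branch by the
      # `authorize` gate; `persist-credentials: false` keeps the default token
      # out of the checked-out tree's git config.
      - uses: useblacksmith/checkout@41cdeedae8edb2e684ba22896a5fd2a3cb85db6b # v1
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          fetch-depth: 1
          persist-credentials: false
      - uses: ./.github/actions/setup
      - name: Apply notes, comment, and close
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
          HEAD_REF: ${{ github.event.pull_request.head.ref }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
          APPROVER: ${{ github.event.review.user.login }}
        # The branch is named `release-notes/v<VERSION>`, so the tag is just
        # the basename. apply-release-notes.ts validates the file's existence.
        # The regex pins the tag shape before it is passed on, so an odd branch
        # name fails here rather than inside the script.
        run: |
          set -euo pipefail
          tag="${HEAD_REF##release-notes/}"
          if [[ ! "$tag" =~ ^v[0-9]+\.[0-9]+\.[0-9]+(-(beta|alpha)\.[0-9]+)?$ ]]; then
            echo "Unexpected head ref '$HEAD_REF'; cannot derive tag." >&2
            exit 1
          fi
          echo "==> Applying notes for $tag"
          pnpm exec bun apps/cli/scripts/apply-release-notes.ts --tag "$tag"
          release_url="https://github.com/${GITHUB_REPOSITORY}/releases/tag/${tag}"
          gh pr comment "$PR_NUMBER" --repo "$GITHUB_REPOSITORY" --body \
            "Applied to [${tag}](${release_url}) after approval by @${APPROVER}."
          gh pr close "$PR_NUMBER" --repo "$GITHUB_REPOSITORY" --delete-branch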