[release:patch] Guard Against Shell-Escapes and Multi-File Support (G… #332
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: "Release" | ||
'on': | ||
push: | ||
branches: | ||
- main | ||
jobs: | ||
full-test: | ||
name: "Run Full Test Suite (Release)" | ||
if: startsWith(github.event.head_commit.message, '[release:minor]') || | ||
startsWith(github.event.head_commit.message, '[release:major]') || | ||
startsWith(github.event.head_commit.message, '[release:patch]') | ||
uses: flowr-analysis/flowr/.github/workflows/full-test.yaml@main | ||
release: | ||
name: "Release" | ||
runs-on: ubuntu-latest | ||
needs: ['full-test'] | ||
steps: | ||
- name: "Setup the Environment" | ||
uses: flowr-analysis/flowr/.github/actions/setup@main | ||
- name: "Checkout Repository" | ||
uses: Wandalen/wretry.action@master | ||
with: | ||
attempt_limit: 15 | ||
attempt_delay: 10000 | ||
action: actions/checkout@v4 | ||
with: | | ||
submodules: true | ||
lfs: true | ||
token: ${{ secrets.RELEASE_TOKEN }} | ||
fetch-depth: 0 | ||
env: | ||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
- name: Name and Email for Git (config) | ||
run: | | ||
git config --local user.email "action@github.com" | ||
git config --local user.name "GitHub Action" | ||
git pull | ||
- name: Install Dependencies | ||
run: npm ci | ||
- name: Release | ||
run: | | ||
step=$(echo "$MESSAGE" | sed -n -E 's/\[release:(patch|minor|major)].*/\1/p') | ||
title=$(echo "$MESSAGE" | sed -n -E 's/\[release:(patch|minor|major)] (.*)/\2/p') | ||
if [ -z "$step" ]; then | ||
echo "fatal: Release step not found in commit message." | ||
exit 1 | ||
fi | ||
npm run release -- --increment "$step" --ci --verbose --github.releaseName="Release v\${version} (${title})" | ||
echo "version=$(node -p "require('./package.json').version")" >> "$GITHUB_OUTPUT" | ||
env: | ||
RELEASE_TOKEN: ${{ secrets.RELEASE_TOKEN }} | ||
# apparently, putting the message into an env variable first sanitizes it | ||
# (see https://github.com/flowr-analysis/flowr/security/code-scanning/29) | ||
MESSAGE: ${{ github.event.head_commit.message }} | ||
- name: Ensure up-to-date Dependencies | ||
run: npm ci | ||
- name: Publish on NPM | ||
# we use publish library because flowr itself is a runnable, and we do not want to publish something with extra | ||
# dist paths etc. | ||
# besides, we make dead-sure we have a clean directory to work on! | ||
run: | | ||
rm -rf dist | ||
npm run build | ||
npm run publish-library | ||
env: | ||
NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }} | ||
deploy-docker: | ||
needs: ['performance-test'] | ||
name: "Deploy Docker (only on main)" | ||
uses: flowr-analysis/flowr/.github/workflows/deploy-docker.yaml@main | ||
Check failure on line 82 in .github/workflows/release.yaml GitHub Actions / .github/workflows/release.yamlInvalid workflow file
|
||
secrets: inherit | ||
performance-test: | ||
name: "Performance Test" | ||
needs: ['release'] | ||
# we do not run if the release workflow runs it with pushing | ||
if: startsWith(github.event.head_commit.message, '[release:minor]') || | ||
startsWith(github.event.head_commit.message, '[release:major]') || | ||
startsWith(github.event.head_commit.message, '[release:patch]') | ||
uses: flowr-analysis/flowr/.github/workflows/performance-test.yaml@main | ||
with: | ||
push: true | ||
ref: refs/tags/v${{ needs.release.outputs.version }} | ||
secrets: inherit |