action-python-security-auditing/.github/workflows/release-please.yml at main · developmentseed/action-python-security-auditing · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
name: Release Please

on:
  push:
    branches: [main]

concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

permissions: {}

jobs:
  release-please:
    name: Release Please
    runs-on: ubuntu-latest
    environment: release
    permissions:
      contents: write # Create releases, tags, and release branches
      pull-requests: write # Open and update pin README pull requests
    steps:
      - uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38 # v4.4.0
        id: release
        with:
          release-type: python

      # Move major version tag (e.g. v1) after a release is cut
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        if: ${{ steps.release.outputs.release_created }}
        with:
          persist-credentials: false
      - name: Tag major version
        if: ${{ steps.release.outputs.release_created }}
        env:
          GITHUB_TOKEN: ${{ github.token }}
          GITHUB_REPOSITORY: ${{ github.repository }}
          RELEASE_MAJOR: ${{ steps.release.outputs.major }}
          RELEASE_TAG_NAME: ${{ steps.release.outputs.tag_name }}
        run: |
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git remote set-url origin "https://x-access-token:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}.git"
          git tag -fa "v${RELEASE_MAJOR}" \
            -m "Release v${RELEASE_TAG_NAME}"
          git push origin "v${RELEASE_MAJOR}" --force

      - name: Pin README to release SHA
        if: ${{ steps.release.outputs.release_created }}
        env:
          GH_TOKEN: ${{ github.token }}
          RELEASE_SHA: ${{ steps.release.outputs.sha }}
          RELEASE_TAG_NAME: ${{ steps.release.outputs.tag_name }}
        run: |
          sed -i -E \
            "s|developmentseed/action-python-security-auditing@[^ ]+( # v[0-9][^ ]*)?|developmentseed/action-python-security-auditing@${RELEASE_SHA} # ${RELEASE_TAG_NAME}|g" \
            README.md
          git add README.md
          git diff --cached --quiet && echo "README unchanged, skipping commit" && exit 0
          BRANCH="chore/pin-readme-${RELEASE_TAG_NAME}"
          git checkout -b "$BRANCH"
          git commit -m "chore: pin README to ${RELEASE_TAG_NAME}"
          git push origin "$BRANCH"
          gh pr create \
            --title "chore: pin README to ${RELEASE_TAG_NAME}" \
            --body "Automated: pin README SHA references to release ${RELEASE_TAG_NAME}." \
            --base main \
            --head "$BRANCH"

      - name: Notify tests repo to update action pin
        if: ${{ steps.release.outputs.release_created }}
        env:
          GH_TOKEN: ${{ secrets.TESTS_REPO_DISPATCH_TOKEN }}
          RELEASE_SHA: ${{ steps.release.outputs.sha }}
          RELEASE_TAG_NAME: ${{ steps.release.outputs.tag_name }}
        run: |
          gh api repos/lhoupert/action-python-security-auditing-tests/dispatches \
            --method POST \
            -f event_type=action-release \
            -F "client_payload[sha]=${RELEASE_SHA}" \
            -F "client_payload[tag]=${RELEASE_TAG_NAME}"