release: draft -> attach .pkg -> publish (immutable-releases compatible) #9
Merged
…atible) The immutable-releases ruleset rejects asset uploads to a published release, so the prior attach-after-publish flow failed. Now the workflow creates the release as a DRAFT, attaches the signed/notarized .pkg while mutable, then publishes (locking it with the asset attached). Also lets a manual workflow_dispatch run with a 'version' input create the tag + release itself, so a release no longer requires a (ruleset-blocked) tag push.
Problem
The repo's immutable-releases ruleset forbids modifying a published release, so the release workflow's attach-the-.pkg-after-create step fails (HTTP 422: Cannot upload assets to an immutable release). v0.0.1-0.0.3 predate the rule.
Fix
.pkg while it's still mutable, then publish (the release locks at publish, with the asset already attached).
workflow_dispatch run with a version input now creates the tag + release itself (softprops at the run's commit), so a release no longer needs a tag push (which the tag-protection ruleset blocks).
After merge — cutting the next release
gh workflow run release.yml -f version=0.0.6 (v0.0.4/v0.0.5 names are burned by the immutable rule — see notes below).
Build/sign/notarize steps are unchanged (they already pass); only the publish path changed.
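The draft, attach, publish ordering described above, written with the gh CLI as an added example; it is not code from this pull request, whose workflow uses softprops. The function name `release_with_asset`, its exit codes, the sample path in the usage comment and the verify-before-publish step are assumptions of this sketch.

```bash
#!/usr/bin/env bash
# Added example (not the repository's workflow): draft -> attach -> verify -> publish.
# release_with_asset and its exit codes are hypothetical names chosen for this sketch.

release_with_asset() {
  local tag="$1" pkg="$2" target="${3:-}"
  local name
  name="$(basename "$pkg")"

  # A published release cannot be repaired later, so refuse a missing or empty asset up front.
  [ -s "$pkg" ] || { echo "missing or empty asset: $pkg" >&2; return 2; }

  # 1. Create the release as a draft; it stays mutable until published.
  set -- "$tag" --draft --title "$tag" --generate-notes
  if [ -n "$target" ]; then set -- "$@" --target "$target"; fi
  gh release create "$@" || return 3

  # 2. Attach the signed/notarized package while the release is still a draft.
  gh release upload "$tag" "$pkg" || return 4

  # 3. Confirm the draft lists the asset by exact name before locking it.
  gh release view "$tag" --json assets --jq '.assets[].name' | grep -Fxq -- "$name" \
    || { echo "asset $name not found on draft $tag; not publishing" >&2; return 5; }

  # 4. Publish. Under an immutable-releases rule this is the point of no return.
  gh release edit "$tag" --draft=false || return 6
}

# Usage (constructed sample path): ./release.sh v0.0.6 build/App.pkg [commit-sha]
if [ "$#" -ge 2 ]; then
  release_with_asset "$@"
fi
```

A failed verification leaves the draft unpublished, so the version name can still be reused after the upload problem is fixed.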