forked from rgooding/go-syncmap
-
Notifications
You must be signed in to change notification settings - Fork 0
154 lines (147 loc) · 5.13 KB
/
Copy pathrelease.yml
File metadata and controls
154 lines (147 loc) · 5.13 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
name: Release
on:
workflow_dispatch:
inputs:
tag:
description: "Tag to release (e.g. v1.0.0). Must not exist yet; workflow creates it."
required: true
type: string
dry_run:
description: "Dry run — build and validate without publishing or tagging."
required: false
default: false
type: boolean
concurrency:
group: release-${{ github.ref }}
cancel-in-progress: false
jobs:
verify:
name: Verify quality gate
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Disallow non-dry release from a non-main ref
if: github.ref != 'refs/heads/main' && inputs.dry_run != true
run: |
echo "::error::Non-dry releases must dispatch from main (got ${{ github.ref }}). Merge to main first, then re-dispatch."
exit 1
- uses: actions/checkout@v6.0.2
with:
fetch-depth: 0
- uses: actions/setup-go@v6.4.0
with:
go-version: "1.26"
cache: true
- name: Install goimports
run: go install golang.org/x/tools/cmd/goimports@v0.28.0
- name: Install golangci-lint
# Install directly so 'make check' can invoke it — the action
# tries to 'run' the linter itself which would run lint twice.
run: go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.11.4
- name: Install govulncheck
run: go install golang.org/x/vuln/cmd/govulncheck@v1.1.4
- name: Run quality gate
run: make check
- name: Enforce 95% coverage threshold
run: |
set -euo pipefail
total=$(go tool cover -func=coverage.out | awk '/^total:/ {print $3}' | tr -d '%')
# v1.0.0 will not be cut until #11 raises the test suite past
# the 95% target — no TODO loosening needed here, the release
# gate stays strict and the release workflow is dispatched
# manually after coverage lands.
awk -v v="$total" 'BEGIN { exit !(v+0 >= 95) }' || {
echo "::error::Coverage ${total}% is below the 95% release threshold."
exit 1
}
echo "Coverage ${total}% meets the 95% release threshold."
tag:
name: Create tag
needs: verify
if: inputs.dry_run != true
runs-on: ubuntu-latest
permissions:
contents: write
steps:
- uses: actions/checkout@v6.0.2
with:
fetch-depth: 0
- name: Validate tag format
run: |
if [[ ! "${{ inputs.tag }}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+(-[A-Za-z0-9.-]+)?$ ]]; then
echo "Tag must match vMAJOR.MINOR.PATCH[-prerelease]"
exit 1
fi
- name: Create and push tag
run: |
git config user.name "github-actions[bot]"
git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
git tag -a "${{ inputs.tag }}" -m "Release ${{ inputs.tag }}"
git push origin "${{ inputs.tag }}"
goreleaser:
name: GoReleaser
needs: [verify, tag]
if: always() && needs.verify.result == 'success' && (needs.tag.result == 'success' || needs.tag.result == 'skipped')
runs-on: ubuntu-latest
permissions:
contents: write
id-token: write
attestations: write
steps:
# On a real release the tag has just been pushed by the `tag`
# job, so we check it out. On a dry run no tag exists yet;
# fall back to the workflow's invocation ref so the build runs
# against the commit a human operator just validated.
- uses: actions/checkout@v6.0.2
with:
fetch-depth: 0
ref: ${{ inputs.dry_run && github.ref || inputs.tag }}
- uses: actions/setup-go@v6.4.0
with:
go-version: "1.26"
cache: true
- name: Dry-run GoReleaser
if: inputs.dry_run == true
uses: goreleaser/goreleaser-action@v7.0.0
with:
distribution: goreleaser
version: v2.7.0
args: release --snapshot --clean
- name: Publish GoReleaser
if: inputs.dry_run != true
uses: goreleaser/goreleaser-action@v7.0.0
with:
distribution: goreleaser
version: v2.7.0
args: release --clean
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Attest build provenance
if: inputs.dry_run != true
uses: actions/attest-build-provenance@v2
with:
subject-path: |
dist/*.tar.gz
dist/*.zip
dist/checksums.txt
proxy-warm:
name: Warm Go module proxy
needs: goreleaser
if: inputs.dry_run != true
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Request module from proxy (with retry)
run: |
tag="${{ inputs.tag }}"
for attempt in 1 2 3 4 5 6; do
if curl -sSfL "https://proxy.golang.org/github.com/axonops/syncmap/@v/${tag}.info" | tee /dev/stderr; then
exit 0
fi
echo "proxy not ready, retry ${attempt}/6 in 15s"
sleep 15
done
echo "proxy did not index ${tag} after 90s"
exit 1