Update cli-plugins catalog on release; fix goreleaser double-run #66
Open
scotwells wants to merge 4 commits into
Gate the plugin-publishing jobs on the release event instead of the tag ref. Publishing a release creates the tag, firing both push:tags and release:published; keying off the tag ref ran goreleaser twice concurrently with two processes racing to upload the same assets. The release-event gate makes it run exactly once. Add an update-plugin-index job that, after goreleaser attaches the archives and checksums.txt, opens a PR against milo-os/cli-plugins bumping plugins/ipam.yaml to the released version with refreshed URLs and checksums. Pinned to the datum-cloud/actions branch until that workflow ships in a tagged release.
This was referenced Jul 1, 2026
Mint a short-lived, repo-scoped installation token from a milo-os GitHub App and pass it to the catalog-update job, instead of relying on a long-lived PAT secret. The token is scoped to milo-os/cli-plugins and expires in ~1 hour; the App's ID and private key are stored as secrets.
The reusable update-plugin-index workflow has shipped in a tagged release, so pin to it instead of the development branch.
Collapse the token-mint and catalog-update jobs into a single job that mints the GitHub App token and calls the composite action in the same job, so the token isn't scrubbed crossing a job boundary.
Two related release-pipeline changes.
Fix: goreleaser ran twice per release
Publishing a release through the GitHub UI creates the tag, which fires both push: tags and release: published. The plugin job was gated on the tag ref (startsWith(github.ref, refs/tags/v)), which is true for both events — so goreleaser ran twice concurrently, with two processes racing to upload the same release assets.
The plugin-publishing job is now gated on github.event_name == release, so it runs exactly once (on the release event) and has a real release to attach artifacts to. The validate-kustomize, publish-container-image, and publish-kustomize-bundle jobs are unchanged.
Feature: auto-update the datumctl plugin catalog
Adds an update-plugin-index job that runs after goreleaser attaches the archives + checksums.txt. In a single job it (1) mints a short-lived, repo-scoped installation token from the milo-os GitHub App, and (2) calls the datum-cloud/actions/update-plugin-index composite action, which opens a PR against milo-os/cli-plugins bumping plugins/ipam.yaml to the released version — refreshed per-platform URLs and checksums from checksums.txt, and a link back to the release. This replaces the manual manifest edit after each release.
Mint + call live in the same job on purpose: a GitHub App token minted in a separate job and passed via outputs is scrubbed to empty (masked values don't survive job-to-job hops), so a composite action — not a reusable workflow — is required. Verified end-to-end against the v0.2.0 assets.
Pinning
The update-plugin-index step pins datum-cloud/actions/update-plugin-index@feat/update-plugin-index-composite (datum-cloud/actions#85) until the composite action ships in a tagged release; switch to a version tag (e.g. @v1.18.0) once that release is cut.
Required setup — milo-os GitHub App
Cross-repo PRs need a token the built-in GITHUB_TOKEN can't provide (it only reaches this repo). This pipeline mints a short-lived, repo-scoped token from a GitHub App in the milo-os org — no long-lived PAT. One-time setup by an org admin:
milo-plugin-index-updater.
.pem).
milo-os/ipam:
PLUGIN_INDEX_APP_ID — the App ID
PLUGIN_INDEX_APP_PRIVATE_KEY — the full contents of the .pem
The workflow's generate-index-token job exchanges these for an installation token scoped to milo-os/cli-plugins (expires ~1h), which the catalog-update job uses to open the PR.
Related work
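The release-event gate and the same-job mint-and-call flow described in this PR, as an added example workflow that is not the file from this PR. The job name publish-plugin, the use of goreleaser/goreleaser-action and actions/create-github-app-token, and the composite action's token input are assumptions; the secret names, repository names and the example tag come from the description above.

```yaml
# Added example: names marked "assumed" are not taken from the PR.
name: release
on:
  push:
    tags: ["v*"]          # still fires when the release UI creates the tag
  release:
    types: [published]

jobs:
  publish-plugin:          # assumed job name
    # Old gate, true for BOTH events, so goreleaser ran twice:
    #   if: startsWith(github.ref, 'refs/tags/v')
    if: github.event_name == 'release'
    runs-on: ubuntu-latest
    permissions:
      contents: write      # attach archives and checksums.txt to the release
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: goreleaser/goreleaser-action@v6   # assumed action
        with:
          args: release --clean
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  update-plugin-index:
    needs: publish-plugin
    if: github.event_name == 'release'
    runs-on: ubuntu-latest
    permissions: {}        # the built-in token is not used here
    steps:
      # Mint and use the token in ONE job; passed through job outputs it arrives empty.
      - name: Mint installation token
        id: app-token
        uses: actions/create-github-app-token@v1   # assumed action
        with:
          app-id: ${{ secrets.PLUGIN_INDEX_APP_ID }}
          private-key: ${{ secrets.PLUGIN_INDEX_APP_PRIVATE_KEY }}
          owner: milo-os
          repositories: cli-plugins               # token reaches only this repo
      - name: Open catalog PR
        uses: datum-cloud/actions/update-plugin-index@v1.18.0  # example tag from the PR text
        with:
          token: ${{ steps.app-token.outputs.token }}  # hypothetical input name
```

Pinning each `uses:` reference to a full commit SHA instead of a tag or branch removes the dependency on a ref that can be moved after review.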