diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 71e649c..ad5a495 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -45,12 +45,18 @@ jobs:
     secrets: inherit
 
   # Build and publish the milo-ipam datumctl plugin as per-platform archives +
-  # checksums.txt, attached as GitHub release assets. Only runs on version tags
-  # (vX.Y.Z); independent of the container/kustomize jobs above. The produced
-  # asset names are consumed by the datumctl plugin catalog entry in
-  # milo-os/cli-plugins (plugins/ipam.yaml).
+  # checksums.txt, attached as GitHub release assets. The produced asset names
+  # are consumed by the datumctl plugin catalog entry in milo-os/cli-plugins
+  # (plugins/ipam.yaml).
+  #
+  # Runs ONLY on `release: published`. Publishing a release via the GitHub UI
+  # creates the tag, which fires BOTH `push: tags` and `release: published`; if
+  # this job keyed off the tag ref it would run twice concurrently and two
+  # goreleaser processes would race to upload the same assets. Gating on the
+  # release event makes it run exactly once and gives us a real release for
+  # goreleaser to attach artifacts to.
   publish-plugin:
-    if: startsWith(github.ref, 'refs/tags/v')
+    if: github.event_name == 'release'
     runs-on: ubuntu-latest
     permissions:
       contents: write
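Review bot: The new `if: github.event_name == 'release'` on publish-plugin is looser than the comment above it promises: it does not check `github.event.action`, so unless the workflow's `on.release.types` (not visible in this hunk) is restricted to `[published]`, the job will also fire on `created`, `edited`, `prereleased` and similar release events, and it drops the `vX.Y.Z` tag-shape guard the old `startsWith(github.ref, 'refs/tags/v')` enforced, so a release cut from a non-version tag now runs goreleaser with `contents: write`. Making the gate explicit costs one line: `if: github.event_name == 'release' && github.event.action == 'published' && startsWith(github.event.release.tag_name, 'v')`. If pre-releases should not publish plugin assets either, add `&& !github.event.release.prerelease` to the same expression. The `on:` block that this condition depends on lies outside the hunk, so confirm the two agree.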
@@ -76,3 +82,39 @@ jobs:
           args: release --clean
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  # After goreleaser attaches the archives + checksums.txt to the release, open
+  # a PR against the datumctl plugin catalog (milo-os/cli-plugins) bumping
+  # plugins/ipam.yaml to this release: new version, per-platform download URLs,
+  # and refreshed sha256s pulled from checksums.txt.
+  #
+  # One job: mint a short-lived, repo-scoped installation token from the milo-os
+  # GitHub App and hand it straight to the composite action in the same job. A
+  # GitHub App token minted in a separate job and passed via outputs is scrubbed
+  # to empty (masked values don't survive job-to-job hops), so mint + use must
+  # share a job. Gated on the release event (matching publish-plugin) so it runs
+  # once, and depends on publish-plugin so checksums.txt exists before it reads
+  # it. The App's ID and private key are stored as secrets (org-level, shared by
+  # every milo plugin repo); the minted token is repo-scoped and expires ~1h.
+  update-plugin-index:
+    needs:
+      - publish-plugin
+    if: github.event_name == 'release'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Mint catalog token from the milo-os GitHub App
+        id: app-token
+        uses: actions/create-github-app-token@v2
+        with:
+          app-id: ${{ secrets.PLUGIN_INDEX_APP_ID }}
+          private-key: ${{ secrets.PLUGIN_INDEX_APP_PRIVATE_KEY }}
+          owner: milo-os
+          repositories: cli-plugins
+
+      - name: Open the catalog PR
+        uses: datum-cloud/actions/update-plugin-index@v1.18.0
+        with:
+          index-repo: milo-os/cli-plugins
+          plugin-name: ipam
+          version: ${{ github.event.release.tag_name }}
+          token: ${{ steps.app-token.outputs.token }}
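Review bot: The new update-plugin-index job hands the org-level App private key (`PLUGIN_INDEX_APP_PRIVATE_KEY`) and the minted cross-repo write token to two actions referenced by mutable tags, `actions/create-github-app-token@v2` and `datum-cloud/actions/update-plugin-index@v1.18.0`; either tag can be moved to point at different code, so pin both `uses:` lines to a full commit SHA with the version kept as a trailing comment (`uses: actions/create-github-app-token@<full-sha>  # v2`). The job also declares no `permissions:` block, unlike publish-plugin directly above it, so its default `GITHUB_TOKEN` inherits whatever the workflow or repository default grants even though the steps only need the App token; add `permissions:` / `  contents: read` (or `permissions: {}`) under `runs-on` to keep the default token at least privilege. The comment's claim that a token "passed via outputs is scrubbed to empty" matches GitHub's skip-masked-output behaviour only approximately (the output is skipped with a warning rather than set to an empty string); the conclusion that mint and use must share a job still holds.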