55 changes: 50 additions & 5 deletions .github/workflows/release.yml
Expand Up @@ -45,12 +45,18 @@ jobs:
secrets: inherit

# Build and publish the milo-ipam datumctl plugin as per-platform archives +
# checksums.txt, attached as GitHub release assets. Only runs on version tags
# (vX.Y.Z); independent of the container/kustomize jobs above. The produced
# asset names are consumed by the datumctl plugin catalog entry in
# milo-os/cli-plugins (plugins/ipam.yaml).
# checksums.txt, attached as GitHub release assets. The produced asset names
# are consumed by the datumctl plugin catalog entry in milo-os/cli-plugins
# (plugins/ipam.yaml).
#
# Runs ONLY on `release: published`. Publishing a release via the GitHub UI
# creates the tag, which fires BOTH `push: tags` and `release: published`; if
# this job keyed off the tag ref it would run twice concurrently and two
# goreleaser processes would race to upload the same assets. Gating on the
# release event makes it run exactly once and gives us a real release for
# goreleaser to attach artifacts to.
publish-plugin:
if: startsWith(github.ref, 'refs/tags/v')
if: github.event_name == 'release'
runs-on: ubuntu-latest
permissions:
contents: write
Expand All @@ -76,3 +82,42 @@ jobs:
args: release --clean
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

# After goreleaser attaches the archives + checksums.txt to the release, open
# a PR against the datumctl plugin catalog (milo-os/cli-plugins) bumping
# plugins/ipam.yaml to this release: new version, per-platform download URLs,
# and refreshed sha256s pulled from checksums.txt.
#
# One job: mint a short-lived, repo-scoped installation token from the milo-os
# GitHub App and hand it straight to the composite action in the same job. A
# GitHub App token minted in a separate job and passed via outputs is scrubbed
# to empty (masked values don't survive job-to-job hops), so mint + use must
# share a job. Gated on the release event (matching publish-plugin) so it runs
# once, and depends on publish-plugin so checksums.txt exists before it reads
# it. The App's ID and private key are stored as secrets (org-level, shared by
# every milo plugin repo); the minted token is repo-scoped and expires ~1h.
#
# NOTE: pinned to the datum-cloud/actions branch that introduces the composite
# action; switch to a version tag (e.g. @v1.18.0) once that release is cut.
update-plugin-index:
needs:
- publish-plugin
if: github.event_name == 'release'
runs-on: ubuntu-latest
steps:
- name: Mint catalog token from the milo-os GitHub App
id: app-token
uses: actions/create-github-app-token@v2
with:
app-id: ${{ secrets.PLUGIN_INDEX_APP_ID }}
private-key: ${{ secrets.PLUGIN_INDEX_APP_PRIVATE_KEY }}
owner: milo-os
repositories: cli-plugins

- name: Open the catalog PR
uses: datum-cloud/actions/update-plugin-index@feat/update-plugin-index-composite
with:
index-repo: milo-os/cli-plugins
plugin-name: ipam
version: ${{ github.event.release.tag_name }}
token: ${{ steps.app-token.outputs.token }}
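Review bot: The new update-plugin-index job runs third-party action code fetched by mutable refs — the `feat/update-plugin-index-composite` branch on L84 and the floating `v2` tag on L76 — while holding a GitHub App token with write access to milo-os/cli-plugins, so a force-push or retag upstream changes what executes with that token without any review in this repo; pin both to a full commit SHA with the ref kept in a trailing comment, e.g. `uses: datum-cloud/actions/update-plugin-index@<full-commit-sha>  # feat/update-plugin-index-composite`, and let a dependency bot bump them. The job also declares no `permissions:` block, unlike publish-plugin just above, so it receives the repository's default GITHUB_TOKEN grant even though it never uses that token; add `permissions: {}` under `runs-on` to keep it at the minimum. Scoping the App token to a single repository via `owner`/`repositories` is the right shape; if the installation grants more than the composite action needs, the v2 action's `permission-*` inputs (for example `permission-contents` and `permission-pull-requests`) can narrow the minted token further — confirm the exact permissions the action requires before adding them. The `if: github.event_name == 'release'` gate relies on the workflow's `on.release.types` being restricted to `published`, which lies outside this hunk; if it is not restricted there, `created`/`edited` release events would also trigger a catalog PR.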