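---
# Release pipeline: test + security gates, then a signed/notarized GoReleaser
# build with provenance attestation, then optional AUR publishing.
# Runs only for version tags. The workflow-level token permission set is empty;
# every job opts in to the least privilege it needs.
name: Release

on:
  push:
    tags:
      - "v*"

# One release per ref at a time; an in-flight release is never cancelled so a
# second push cannot leave a half-published release behind.
concurrency:
  group: release-${{ github.ref }}
  cancel-in-progress: false

permissions: {}

jobs:
  test:
    uses: ./.github/workflows/test.yml
    permissions:
      contents: read

  security:
    uses: ./.github/workflows/security.yml
    permissions:
      contents: read
      security-events: write

  release:
    name: Release
    needs: [test, security]
    runs-on: ubuntu-latest
    timeout-minutes: 45
    # The `release` environment is where the signing/notary secrets and the
    # GitHub App private key live; its protection rules gate this job.
    environment: release
    permissions:
      contents: write        # upload release assets, push tag metadata
      id-token: write        # OIDC token for keyless cosign + attestation
      attestations: write    # actions/attest-build-provenance
      pull-requests: read    # presumably for GoReleaser's changelog -- TODO confirm
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # Full history and all remote refs are needed for the default-branch
          # ancestry check below.
          fetch-depth: 0
          # Do not leave the job token in .git/config for later steps.
          persist-credentials: false

      - name: Set up Go
        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 # zizmor: ignore[cache-poisoning] -- cache is branch-isolated; fork PRs cannot write to this cache
        with:
          go-version-file: go.mod

      # Refuse to release a tag whose commit is not reachable from the default
      # branch (e.g. a tag pushed onto an unreviewed side branch).
      - name: Verify tag is on default branch
        env:
          DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
          GIT_REF: ${{ github.ref }}
          REF_NAME: ${{ github.ref_name }}
        run: |
          # rev-list peels an annotated tag to the commit it points at.
          TAG_COMMIT=$(git rev-list -n 1 "$GIT_REF")
          # Exact ancestry test. This replaces grepping `git branch -r --contains`
          # output, which was a substring/regex match on branch names and could
          # mis-match when the branch name contains regex metacharacters or is a
          # suffix of another branch name. A missing origin/<default> ref makes
          # merge-base exit non-zero, which also fails closed here.
          if ! git merge-base --is-ancestor "$TAG_COMMIT" "origin/${DEFAULT_BRANCH}"; then
            echo "ERROR: Tag $REF_NAME is not on ${DEFAULT_BRANCH}"
            exit 1
          fi

      # Notarization is mandatory: fail before building if any macOS signing
      # input is absent, instead of letting GoReleaser fail late with a
      # partially-uploaded release.
      - name: Verify macOS signing secrets
        env:
          MACOS_SIGN_P12: ${{ secrets.MACOS_SIGN_P12 }}
          MACOS_SIGN_PASSWORD: ${{ secrets.MACOS_SIGN_PASSWORD }}
          MACOS_NOTARY_KEY: ${{ secrets.MACOS_NOTARY_KEY }}
          MACOS_NOTARY_KEY_ID: ${{ secrets.MACOS_NOTARY_KEY_ID }}
          MACOS_NOTARY_ISSUER_ID: ${{ secrets.MACOS_NOTARY_ISSUER_ID }}
        run: |
          missing=()
          for var in MACOS_SIGN_P12 MACOS_SIGN_PASSWORD MACOS_NOTARY_KEY MACOS_NOTARY_KEY_ID MACOS_NOTARY_ISSUER_ID; do
            # bash indirect expansion: the value of the variable named by $var.
            if [ -z "${!var}" ]; then
              missing+=("$var")
            fi
          done
          if [ ${#missing[@]} -gt 0 ]; then
            echo "ERROR: Missing required macOS signing secrets: ${missing[*]}"
            echo "Notarization is mandatory. Configure all MACOS_* secrets before releasing."
            exit 1
          fi

      # Short-lived installation token scoped to the tap repository only, so the
      # job never holds a long-lived PAT for pushing the Homebrew formula.
      - name: Generate GitHub App token
        id: app-token
        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0
        with:
          app-id: ${{ vars.RELEASE_CLIENT_ID }}
          private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
          repositories: homebrew-tap
          permission-contents: write

      - name: Install cosign
        uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1

      - name: Install Syft
        uses: anchore/sbom-action/download-syft@e22c389904149dbc22b58101806040fa8d37a610 # v0.24.0

      # Completions come from a throwaway build so they match the released
      # source; the GoReleaser config is expected to package ./completions
      # -- TODO confirm against the GoReleaser config.
      - name: Generate shell completions
        run: |
          go build -o fizzy-tmp ./cmd/fizzy
          mkdir -p completions
          ./fizzy-tmp completion bash > completions/fizzy.bash
          ./fizzy-tmp completion zsh > completions/fizzy.zsh
          ./fizzy-tmp completion fish > completions/fizzy.fish
          rm fizzy-tmp

      - name: Run GoReleaser
        uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7.0.0
        with:
          version: 'v2.14.1'
          args: release --clean
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # App installation token from the step above, not a user PAT.
          HOMEBREW_TAP_TOKEN: ${{ steps.app-token.outputs.token }}
          MACOS_SIGN_P12: ${{ secrets.MACOS_SIGN_P12 }}
          MACOS_SIGN_PASSWORD: ${{ secrets.MACOS_SIGN_PASSWORD }}
          MACOS_NOTARY_KEY: ${{ secrets.MACOS_NOTARY_KEY }}
          MACOS_NOTARY_KEY_ID: ${{ secrets.MACOS_NOTARY_KEY_ID }}
          MACOS_NOTARY_ISSUER_ID: ${{ secrets.MACOS_NOTARY_ISSUER_ID }}

      # Signed build-provenance attestation for every artifact listed in the
      # checksums file GoReleaser wrote.
      - name: Attest build provenance
        uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
        with:
          subject-checksums-file: ./dist/checksums.txt

  aur-publish:
    runs-on: ubuntu-latest
    needs: release
    # Constructed upper bound, added for parity with the release job so a hung
    # publish cannot hold the environment indefinitely; adjust as needed.
    timeout-minutes: 15
    environment: release
    permissions:
      contents: read
    if: startsWith(github.ref, 'refs/tags/v')
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

      # AUR publishing is optional: skip (rather than fail) when no key is set.
      - name: Check AUR secret
        id: check
        env:
          AUR_KEY: ${{ secrets.AUR_KEY }}
        run: |
          if [ -n "$AUR_KEY" ]; then
            echo "available=true" >> "$GITHUB_OUTPUT"
          fi

      - name: Publish to AUR
        if: steps.check.outputs.available == 'true'
        run: |
          scripts/publish-aur.sh
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          AUR_KEY: ${{ secrets.AUR_KEY }}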