chore: refactor release workflow

sweatybridge · sweatybridge · commit 1d1f6565c6d7 · 2025-11-26T11:44:53.000+08:00
diff --git a/.github/workflows/automerge.yml b/.github/workflows/automerge.yml
@@ -28,6 +28,7 @@ jobs:
         with:
           app-id: ${{ secrets.APP_ID }}
           private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+
       # Here the PR gets approved.
       - name: Approve a PR
         if: ${{ steps.meta.outputs.update-type == 'version-update:semver-patch' || (!startsWith(steps.meta.outputs.previous-version, '0.') && steps.meta.outputs.update-type == 'version-update:semver-minor') }}
diff --git a/.github/workflows/release-beta.yml b/.github/workflows/release-beta.yml
@@ -8,7 +8,6 @@ on:
 
 permissions:
   contents: write
-  id-token: write
 
 jobs:
   release:
@@ -66,18 +65,18 @@ jobs:
     if: needs.release.outputs.new-release-published == 'true'
     runs-on: ubuntu-latest
     steps:
+      - uses: actions/checkout@v6
+      - uses: actions/setup-go@v6
+        with:
+          go-version-file: go.mod
+          cache: true
       # use GitHub app to create a release token that can publish to homebrew-tap and scoop
       - name: Generate token
         id: app-token
         uses: actions/create-github-app-token@v2
         with:
           app-id: ${{ secrets.APP_ID }}
           private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - uses: actions/checkout@v6
-      - uses: actions/setup-go@v6
-        with:
-          go-version-file: go.mod
-          cache: true
       - run: go run tools/publish/main.go --beta "${{ needs.release.outputs.new-release-version }}"
         env:
           GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -9,7 +9,6 @@ on:
 permissions:
   contents: write
   packages: write
-  id-token: write
 
 jobs:
   settings:
@@ -18,35 +17,34 @@ jobs:
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     outputs:
       release_tag: ${{ steps.prerelease.outputs.tagName }}
+      app_token: ${{ steps.app-token.outputs.token }}
     steps:
       - uses: actions/checkout@v6
       - id: prerelease
         run: |
           gh release list --limit 1 --json tagName --jq \
           '.[]|to_entries|map("\(.key)=\(.value|tostring)")|.[]' >> $GITHUB_OUTPUT
       - run: gh release edit ${{ steps.prerelease.outputs.tagName }} --latest --prerelease=false
+      - id: app-token
+        uses: actions/create-github-app-token@v2
+        with:
+          app-id: ${{ secrets.APP_ID }}
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
 
   commit:
     name: Publish Brew and Scoop
     needs:
       - settings
     runs-on: ubuntu-latest
     steps:
-      # use GitHub app to create a release token that can publish to homebrew-tap and scoop
-      - name: Generate token
-        id: app-token
-        uses: actions/create-github-app-token@v2
-        with:
-          app-id: ${{ secrets.APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
       - uses: actions/checkout@v6
       - uses: actions/setup-go@v6
         with:
           go-version-file: go.mod
           cache: true
       - run: go run tools/publish/main.go ${{ needs.settings.outputs.release_tag }}
         env:
-          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
+          GITHUB_TOKEN: ${{ needs.settings.outputs.app_token }}
 
   publish:
     name: Publish NPM
@@ -59,44 +57,35 @@ jobs:
 
   compose:
     name: Bump self-hosted versions
+    needs:
+      - settings
     runs-on: ubuntu-latest
     steps:
-      - name: Generate token
-        id: app-token
-        uses: actions/create-github-app-token@v2
-        with:
-          app-id: ${{ secrets.APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
       - uses: actions/checkout@v6
       - uses: actions/setup-go@v6
         with:
           go-version-file: go.mod
           cache: true
       - run: go run tools/selfhost/main.go
         env:
-          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
+          GITHUB_TOKEN: ${{ needs.settings.outputs.app_token }}
 
   changelog:
     name: Publish changelog
     needs:
+      - settings
       - commit
       - publish
     runs-on: ubuntu-latest
     steps:
-      - name: Generate token
-        id: app-token
-        uses: actions/create-github-app-token@v2
-        with:
-          app-id: ${{ secrets.APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
       - uses: actions/checkout@v6
       - uses: actions/setup-go@v6
         with:
           go-version-file: go.mod
           cache: true
       - run: go run tools/changelog/main.go ${{ secrets.SLACK_CHANNEL }}
         env:
-          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
+          GITHUB_TOKEN: ${{ needs.settings.outputs.app_token }}
           SLACK_TOKEN: ${{ secrets.SLACK_TOKEN }}
 
   docs:
@@ -105,17 +94,11 @@ jobs:
       - settings
     runs-on: ubuntu-latest
     steps:
-      - name: Generate token
-        id: app-token
-        uses: actions/create-github-app-token@v2
-        with:
-          app-id: ${{ secrets.APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
       - uses: actions/checkout@v6
       - uses: actions/setup-go@v6
         with:
           go-version-file: go.mod
           cache: true
       - run: go run docs/main.go ${{ needs.settings.outputs.release_tag }} | go run tools/bumpdoc/main.go apps/docs/spec/cli_v1_commands.yaml
         env:
-          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
+          GITHUB_TOKEN: ${{ needs.settings.outputs.app_token }}
