a4f614e65e
* ci: use a GitHub App token to rebuild dist on dependabot PRs Replaces GH_PAT (a broad org PAT) with a GitHub App token for pushing the rebuilt dist/ back to Dependabot PR branches. An App token is scoped to this repo with minimal permissions and is short-lived, so it is much safer to expose on the (semi-trusted) Dependabot PR build than a wide PAT. The job stays a no-op until the DIST_REBUILD_APP_ID and DIST_REBUILD_APP_PRIVATE_KEY Dependabot secrets are configured. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com> * ci: use GORELEASER_APP_ID/GORELEASER_APP_KEY for dist rebuild Use the existing GoReleaser GitHub App secrets instead of dedicated DIST_REBUILD_* ones. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com> --------- Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
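name: rebuild-dist

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
permissions:
  contents: read

on:
  pull_request:

jobs:
  # Rebuilds the bundled dist/ on Dependabot PRs and pushes it back to the PR
  # branch, so a dependency bump and its matching dist/ land in a single PR and
  # the validate workflow stays green.
  #
  # Dependabot runs get a read-only GITHUB_TOKEN, and commits pushed with it do
  # not re-trigger checks. Pushing the dist commit therefore uses a GitHub App
  # token, which is repo-scoped and short-lived, and can re-run workflows.
  # Configure a GitHub App with contents:write on this repo and set its
  # credentials as Dependabot secrets named GORELEASER_APP_ID and
  # GORELEASER_APP_KEY (Dependabot runs only expose Dependabot secrets).
  # Until both exist this job is a no-op.
  #
  # `npm run build` executes code from the PR branch and from the bumped
  # dependencies. To keep that code away from anything with push rights, the
  # checkout does not persist credentials, and the App token is minted only
  # after the build has finished and only when dist/ actually changed.
  rebuild-dist:
    if: github.actor == 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      # Gate every later step on both Dependabot secrets being present, so a
      # repo without the App configured just logs a notice instead of failing.
      - name: Check app credentials
        id: app
        env:
          GORELEASER_APP_ID: ${{ secrets.GORELEASER_APP_ID }}
          GORELEASER_APP_KEY: ${{ secrets.GORELEASER_APP_KEY }}
        run: |
          if [ -n "$GORELEASER_APP_ID" ] && [ -n "$GORELEASER_APP_KEY" ]; then
            echo "available=true" >> "$GITHUB_OUTPUT"
          else
            echo "available=false" >> "$GITHUB_OUTPUT"
            echo "::notice::GORELEASER_APP_ID/GORELEASER_APP_KEY Dependabot secrets are not set; skipping automatic dist rebuild."
          fi

      # The read-only GITHUB_TOKEN is enough to fetch the PR branch. With
      # persist-credentials disabled nothing usable for a push is left in
      # .git/config while the build runs.
      - name: Checkout
        if: steps.app.outputs.available == 'true'
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          ref: ${{ github.head_ref }}
          persist-credentials: false

      - name: Setup Node.js
        if: steps.app.outputs.available == 'true'
        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version-file: '.node-version'
          cache: npm

      # --ignore-scripts keeps dependency install hooks from running; the
      # build script itself is still untrusted code from the PR branch.
      - name: Install dependencies
        if: steps.app.outputs.available == 'true'
        run: npm ci --ignore-scripts

      - name: Rebuild dist
        if: steps.app.outputs.available == 'true'
        run: npm run build

      # Only dist/ is considered; other files touched by the build are ignored.
      - name: Check for dist changes
        if: steps.app.outputs.available == 'true'
        id: dist
        run: |
          if [ -n "$(git status --porcelain -- dist)" ]; then
            echo "changed=true" >> "$GITHUB_OUTPUT"
          else
            echo "changed=false" >> "$GITHUB_OUTPUT"
            echo "dist is already up to date."
          fi

      # Minted after the build so the write-capable token never coexists with
      # the untrusted build step, and skipped entirely when there is nothing
      # to push.
      - name: Generate token
        if: steps.app.outputs.available == 'true' && steps.dist.outputs.changed == 'true'
        id: token
        uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
        with:
          app-id: ${{ secrets.GORELEASER_APP_ID }}
          private-key: ${{ secrets.GORELEASER_APP_KEY }}

      # HEAD_REF and the token are passed through env rather than interpolated
      # into the script, so branch names cannot inject shell.
      - name: Commit and push dist
        if: steps.app.outputs.available == 'true' && steps.dist.outputs.changed == 'true'
        env:
          HEAD_REF: ${{ github.head_ref }}
          APP_TOKEN: ${{ steps.token.outputs.token }}
        run: |
          git config user.name "github-actions[bot]"
          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
          git add dist
          git commit -m "build: rebuild dist"
          # Authenticate this single push with the App token via an HTTP
          # header (the same mechanism actions/checkout uses) instead of
          # writing the token into the remote URL or .git/config.
          AUTH="$(printf 'x-access-token:%s' "$APP_TOKEN" | base64 -w0)"
          git -c "http.${GITHUB_SERVER_URL}/.extraheader=AUTHORIZATION: basic ${AUTH}" \
            push origin "HEAD:${HEAD_REF}"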