# brian's standard GitHub Actions release config for Perl 5 modules
# version 20250226.001
# https://github.com/briandfoy/github_workflows
# https://github.com/features/actions
# This file is licensed under the Artistic License 2.0
#
# This action builds a Perl distribution and adds it as a release
# on GitHub. This does not upload to PAUSE, but that wouldn't be
# that hard, but that doesn't fit with my workflow since this part
# happens after everything else has succeeded.
#
# This requires that you configure a repository secret named
# RELEASE_ACTION_TOKEN with a GitHub Personal Access Token
# that has "read and write" permissions on Repository/Contents
#
# Variables that you can set in the "automated_testing" environment:
#
# EXTRA_CPAN_MODULES - extra arguments to the first call to cpan.
# Just use EXTRA_CPANM_MODULES though. This is
# here for legacy
#
# EXTRA_CPANM_MODULES - extra arguments to the first call to cpanm.
# this is useful to install very particular
# modules, such as DBD::mysql@4.050
#
# UBUNTU_EXTRA_CPANM_MODULES - extra arguments to the first call to cpanm
# but only on Ubuntu. Other workflows won't use this.
# this is useful to install very particular
# modules, such as DBD::mysql@4.050
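---
# Release workflow: builds the Perl distribution, records a build-provenance
# attestation for the tarball, and publishes both as a GitHub release.
#
# NOTE(review): every `uses:` below references a mutable tag (@v1, @v3). In a
# job that holds a release token and id-token/attestations write access,
# pinning each action to a full commit SHA keeps a moved tag from changing
# what runs here.
name: release

# https://github.com/actions/checkout/issues/1590
# NOTE(review): this opts the job in to running actions on a Node runtime
# that GitHub has marked insecure. Confirm it is still needed for the action
# versions used below.
env:
  ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: 'true'

# id-token and attestations are used by the attestation step.
# NOTE(review): the upload step authenticates with RELEASE_ACTION_TOKEN, not
# the built-in token, so `contents: read` may be enough here. Confirm before
# narrowing.
permissions:
  contents: write
  id-token: write
  attestations: write

on:
  push:
    # tag a release commit with "release-....". This workflow then runs
    # whenever it sees that tag, and doesn't run for other commits.
    tags:
      - 'release-*'
  # With workflow_dispatch, you can trigger this manually. This is
  # especially handy when you want to re-run a job that failed because
  # the token had expired. Update the GitHub secret and re-run on the
  # same commit.
  workflow_dispatch:

jobs:
  perl:
    # We need a GitHub secret, so create an Environment named "release"
    #   * Go to Settings > Environment (repo settings, not account settings)
    #   * Make an environment named "release"
    #   * Add a secret named "RELEASE_ACTION_TOKEN" with a GitHub token with
    #     repo permissions
    # If you use a different token name, update "RELEASE_ACTION_TOKEN" in the
    # last step in this job.
    environment: release
    runs-on: ${{ matrix.os }}
    strategy:
      matrix:
        os:
          - ubuntu-24.04
        perl-version:
          - 'latest'
    # NOTE(review): `latest` is a moving image tag, so the toolchain that
    # builds the release can change between runs.
    container:
      image: perl:${{ matrix.perl-version }}
    steps:
      - uses: actions/checkout@v3
      # Some older versions of Perl have trouble with hostnames in certs. I
      # haven't figured out why.
      #
      # NOTE(review): this turns off TLS hostname verification for LWP-based
      # clients in every later step. The matrix above only runs 'latest', so
      # the workaround is probably not needed in this workflow. Confirm and
      # drop it.
      - name: Setup environment
        run: |
          echo "PERL_LWP_SSL_VERIFY_HOSTNAME=0" >> "$GITHUB_ENV"
      # I had some problems with openssl on Ubuntu, so I punted by installing
      # cpanm first, which is easy. I can install IO::Socket::SSL with that,
      # then switch back to cpan. I didn't explore this further, but what you
      # see here hasn't caused problems for me.
      #
      # Need HTTP::Tiny 0.055 or later. Probably don't need it at all since I'm
      # not using cpan here.
      #
      # Test::Manifest is there because it's a thing I do. If you are writing
      # modules and don't know what it is, you don't need it.
      #
      # The repository variables are handed over through `env:` instead of
      # being expanded into the script text, so their content reaches the
      # shell as data and cannot add commands to the script. They are left
      # unquoted on purpose: each may hold several module names.
      #
      # NOTE(review): the installer is downloaded and run with no integrity
      # check. -f at least keeps an HTTP error page from being fed to perl.
      # The official perl image is believed to ship cpanm already. Confirm,
      # then the download can go.
      - name: Install cpanm and multiple modules
        env:
          EXTRA_CPAN_MODULES: ${{ vars.EXTRA_CPAN_MODULES }}
          EXTRA_CPANM_MODULES: ${{ vars.EXTRA_CPANM_MODULES }}
          UBUNTU_EXTRA_CPANM_MODULES: ${{ vars.UBUNTU_EXTRA_CPANM_MODULES }}
        run: |
          curl -fsSL https://cpanmin.us | perl - App::cpanminus
          cpanm --notest IO::Socket::SSL HTTP::Tiny ExtUtils::MakeMaker Test::Manifest $EXTRA_CPANM_MODULES $UBUNTU_EXTRA_CPANM_MODULES
          cpan -M https://www.cpan.org -T Test::Manifest $EXTRA_CPAN_MODULES
      # Install the dependencies, again not testing them. This installs the
      # module in the current directory, so we end up installing the module,
      # but that's not a big deal.
      - name: Install dependencies
        run: |
          cpanm --notest --installdeps --with-suggests --with-recommends .
      # This makes the distribution and tests it, but assumes by the time we
      # got here, everything else was already tested.
      #
      # The step stops when `make dist` reports no archive. Without that
      # check a failed build passes through the pipeline unnoticed and the
      # attestation and upload steps run with an empty ASSET_NAME.
      - name: Create distro
        run: |
          perl Makefile.PL
          make disttest
          asset=$(make dist 2>/dev/null | grep Created | awk '{ print $2 }')
          if [ -z "$asset" ] || [ ! -f "$asset" ]; then
            echo "make dist did not report a created archive" >&2
            exit 1
          fi
          echo "ASSET_NAME=$asset" >> "$GITHUB_ENV"
      # The release name is the archive name without ".tar.gz". The dots are
      # escaped so they match only a literal dot.
      - name: version
        run: |
          perl -le '($name) = $ARGV[0] =~ m/(.*?)\.tar\.gz/; print qq(name=$name)' *.tar.gz >> "$GITHUB_OUTPUT"
        id: version
      # Pull the newest entry out of Changes to use as the release notes.
      - name: Changes extract
        run: |
          perl -00 -lne 'next unless /\A\d+\.\d+(_\d+)?/; s/^\h+([*-])/$1/gm; s/^-/ -/gm; print; last' Changes > Changes-latest
          cat Changes-latest
        id: extract
      # https://cli.github.com/manual/gh_attestation_verify
      # DISTRO_FILE is the .tar.gz in the release
      # GITHUB_ACCOUNT is the github name of the releaser
      #   gh auth login
      #   gh attestation verify DISTRO_FILE --owner GITHUB_ACCOUNT
      - name: Generate artifact attestation
        id: attestation
        uses: actions/attest-build-provenance@v1
        with:
          subject-path: ${{ env.ASSET_NAME }}
      # Publishes the tarball, the attestation bundle and any extra paths.
      # This is the only step that receives RELEASE_ACTION_TOKEN.
      - name: upload
        uses: softprops/action-gh-release@v1
        with:
          body_path: Changes-latest
          draft: false
          prerelease: false
          name: ${{ steps.version.outputs.name }}
          files: |
            ${{ env.ASSET_NAME }}
            ${{ steps.attestation.outputs.bundle-path }}
            ${{ vars.EXTRA_RELEASE_PATHS }}
          token: ${{ secrets.RELEASE_ACTION_TOKEN }}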