[STRATCONN-3673] - Extract release to a separate job in publish workf…

…low (#1963) This PR makes couple of changes to fix: To avoid using GH PAT token with write access to Github repo, I have moved the release tag computation to thepostversion.sh script. This script will be executed via postversion hook - only for main branch. Extract the release steps to separate job that depends on the build-and-publish job to ensure we don't use GH_PAT token. GH_PAT token contains permissions only to pull data from ctl-plane-js-client.
segmentio · Apr 3, 2024 · cdab6e3 · cdab6e3
1 parent 16f2353
commit cdab6e3
Show file tree

Hide file tree

Showing 4 changed files with 51 additions and 22 deletions.
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -25,7 +25,6 @@ jobs:
  - uses: actions/checkout@v3
  with:
  token: ${{ secrets.GH_PAT }}
- fetch-depth: 0 # Required as we compute the version based on the number of commits since the last tag
 
  - name: Use Node.js ${{ matrix.node-version }}
  uses: actions/setup-node@v3
@@ -45,6 +44,10 @@ jobs:
  - name: Build
  run: NODE_ENV=production yarn build
 
+ - name: Fetch Latest Tags
+ run: |
+ git fetch --tags
+
  - name: Set NPM Token
  run: |
  npm set '//registry.npmjs.org/:_authToken' ${{ secrets.NPM_PUBLISH_TOKEN }}
@@ -54,33 +57,30 @@ jobs:
  run: |
  yarn lerna publish from-git --yes --allowBranch=main --loglevel=verbose --dist-tag latest
 
- - name: Generate and Push Release Tag
- id: push-release-tag
- run: |
- git config user.name ${{ github.actor }}
- git config user.email ${{ github.actor }}@users.noreply.github.com
+ release:
+ needs: build-and-publish
+ runs-on: ubuntu-20.04
+ timeout-minutes: 15
+ steps:
+ - uses: actions/checkout@v3
+ with:
+ fetch-depth: 0 # Shallow clones should be disabled for computing changelog
+ fetch-tags: true
 
- commit=${{ github.sha }}
- if ! n=$(git rev-list --count $commit~ --grep "Publish" --since="00:00"); then
- echo 'failed to calculate tag'
- exit 1
+ - name: Get Release tag
+ id: get-release-tag
+ run: |
+ if ! tag=$(git describe --abbrev=0 --tags --match "release-*"); then
+ echo "No release tag found, skipping release"
+ exit 1
  fi
-
- case "$n" in
- 0) suffix="" ;; # first commit of the day gets no suffix
- *) suffix=".$n" ;; # subsequent commits get a suffix, starting with .1
- esac
-
- tag=$(printf release-$(date '+%Y-%m-%d%%s') $suffix)
- git tag -a $tag -m "Release $tag"
- git push origin $tag
  echo "release-tag=$tag" >> $GITHUB_OUTPUT
 
  - name: Create Github Release
  id: create-github-release
  uses: actions/github-script@v7
  env:
- RELEASE_TAG: ${{ steps.push-release-tag.outputs.release-tag }}
+ RELEASE_TAG: ${{ steps.get-release-tag.outputs.release-tag }}
  with:
  script: |
  const script = require('./scripts/create-github-release.js')

diff --git a/package.json b/package.json
@@ -31,6 +31,7 @@
  "alpha": "lerna version prerelease --allow-branch $(git branch --show-current) --preid $(git branch --show-current) --no-push --no-git-tag-version",
  "release": "bash scripts/release.sh",
  "prepare": "husky install",
+ "postversion": "bash scripts/postversion.sh",
  "clean": "sh scripts/clean.sh"
  },
  "devDependencies": {

diff --git a/scripts/postversion.sh b/scripts/postversion.sh
@@ -0,0 +1,28 @@
+#!/bin/bash
+
+# This script is executed after the version is bumped by lerna. It generates a release tag.
+# The release tag generated will be pushed to the repository by lerna version.
+set -e
+sha=$(git rev-parse HEAD);
+branch=$(git rev-parse --symbolic-full-name --abbrev-ref HEAD);
+
+if [[ $branch != "main" ]];
+then
+ echo "Skipping release tag generation for non-main branch"
+ exit 0
+fi;
+
+# Generate and push release tag. Release tag format: release-YYYY-MM-DD[.N] e.g. release-2024-01-01
+if ! n=$(git rev-list --count $sha~ --grep "Publish" --since="00:00"); then
+ echo 'Failed to compute release tag. Exiting.'
+ exit 1
+else 
+ case "$n" in
+ 0) suffix="" ;; # first commit of the day gets no suffix
+ *) suffix=".$n" ;; # subsequent commits get a suffix, starting with .1
+ esac
+
+ tag=$(printf release-$(date '+%Y-%m-%d%%s') $suffix)
+ echo "Tagging $sha with $tag"
+ git tag -a $tag -m "Release $tag"
+fi
diff --git a/scripts/release.sh b/scripts/release.sh
@@ -1,12 +1,12 @@
 #!/bin/bash
 branch=$(git rev-parse --symbolic-full-name --abbrev-ref HEAD);
+
 if [[ $branch != "main" ]];
 then
  echo "You must be on the main branch to release"
  exit
 fi;
 
-
 git pull --ff-only
 echo "Running lerna version minor..."
-lerna version minor --no-private -y
+lerna version minor --no-private -y