add workflow for manually finalizing release #1498
This PR cannot be merged yet because a required label is missing:
Pull request overview
Adds a manual “Finalize Release” GitHub Actions workflow and refactors existing release steps into reusable workflows, with a small robustness tweak to the post-release script.
Changes:
- Introduce `release-finalize.yml` to manually run post-release bump, product publishing, and Windows installer build.
- Extract "publish products" and "Windows build" into reusable `workflow_call` workflows and consume them from `release.yml`.
- Update `build/post-release.sh` to avoid failing when there are no staged/unstaged diffs after running the snapshot task; ignore `.worktrees/`.
Reviewed changes
Copilot reviewed 5 out of 6 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| build/post-release.sh | Adds a “no changes” guard around commit/push after setSnapshot. |
| .gitignore | Ignores .worktrees/ directory. |
| .github/workflows/windows-build.yml | New reusable workflow for building/uploading the Windows installer. |
| .github/workflows/release.yml | Refactors publish/windows jobs to call reusable workflows. |
| .github/workflows/release-finalize.yml | New manually-triggered workflow to finalize an existing release/tag. |
| .github/workflows/publish-products.yml | New reusable workflow for building products, uploading release assets, and updating the site. |
ed529d4 to b4299b2
Pull request overview
Copilot reviewed 5 out of 6 changed files in this pull request and generated 3 comments.
| description: "Build and publish Windows installer" | ||
|
|
||
| concurrency: | ||
| group: publish-${{ github.ref }} |
concurrency.group is based on github.ref, but this workflow is workflow_dispatch and can be started from different refs. That means two runs for the same release (or a run overlapping with the main release.yml workflow) can bypass the intended single-publish lock and run concurrently, potentially clobbering release assets / update-site uploads. Consider using a ref-independent key (e.g., publish or publish-${{ inputs.version }}) so all finalize runs serialize correctly.
| group: publish-${{ github.ref }} | |
| group: publish-${{ inputs.version }} |
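Review bot: the suggested `publish-${{ inputs.version }}` group only serializes finalize runs that dispatch the same version; the overlap with the main `release.yml` run described in the comment above remains possible, because that workflow locks on `publish-${{ github.ref }}` and the two group names will never be equal. If the goal is one publish at a time across both workflows, use the same constant group name (for example `publish`) in `release.yml` and `release-finalize.yml`, so a finalize run queues behind an in-progress release instead of running beside it.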
| publish-products: | ||
| name: Publish products and update site | ||
| runs-on: ubuntu-latest | ||
| needs: [release] | ||
| if: ${{ !inputs.dryRun && needs.release.outputs.release-published != 'false' }} | ||
| steps: | ||
| - name: Setup Maven | ||
| uses: s4u/setup-maven-action@ba34de01b7f4ba2ab8e2860df8993a29f4477056 # v1.20.0 | ||
| with: | ||
| java-version: 17 | ||
| java-distribution: temurin | ||
| maven-version: 3.9.6 | ||
| checkout-ref: refs/tags/v${{needs.release.outputs.release-version}} # check out release tag | ||
|
|
||
| - name: Install genisoimage # required for Mac build | ||
| run: sudo apt-get install -y genisoimage | ||
|
|
||
| - name: Login to Docker Hub | ||
| uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0 | ||
| with: | ||
| username: ${{ secrets.DOCKER_HUB_USERNAME }} | ||
| password: ${{ secrets.DOCKER_HUB_PASSWORD }} | ||
|
|
||
| - name: Install AWS CLI # Required for uploading update site | ||
| uses: unfor19/install-aws-cli-action@f5b46b7f32cf5e7ebd652656c5036bf83dd1e60c # 1.0.8 | ||
| with: | ||
| version: 1 | ||
|
|
||
| - name: Clean | ||
| run: ./build.sh clean | ||
| working-directory: ./build | ||
|
|
||
| - name: Build products | ||
| run: | | ||
| ./build.sh product --arch x86_64 --os linux HALE | ||
| ./build.sh product --arch x86_64 --os windows HALE | ||
| ./build.sh product --arch x86_64 --os macosx HALE | ||
| ./build.sh product --arch x86_64 --os linux --publish Infocenter | ||
| working-directory: ./build | ||
|
|
||
| # use GitHub CLI to upload asset to release | ||
| # see https://cli.github.com/manual/gh_release_upload | ||
| - name: Add HALE products to release | ||
| env: | ||
| GH_TOKEN: ${{ github.token }} | ||
| run: | | ||
| echo "Adding to release assets..." | ||
| gh release upload v${{needs.release.outputs.release-version}} build/target/*.tar.gz --repo ${{ github.repository }} | ||
| gh release upload v${{needs.release.outputs.release-version}} build/target/*.zip --repo ${{ github.repository }} | ||
| gh release upload v${{needs.release.outputs.release-version}} build/target/*.dmg --repo ${{ github.repository }} | ||
| shell: bash | ||
|
|
||
| - name: Upload update site | ||
| env: | ||
| AWS_ACCESS_KEY_ID: ${{ secrets.BUILD_ARCHIVE_ACCESS_KEY }} | ||
| AWS_SECRET_ACCESS_KEY: ${{ secrets.BUILD_ARCHIVE_SECRET_KEY }} | ||
| run: ./upload-site.sh | ||
| working-directory: ./build | ||
|
|
||
| # https://github.com/marketplace/actions/slack-notify-build | ||
| - name: Notify failure to Slack | ||
| if: failure() | ||
| env: | ||
| SLACK_BOT_TOKEN: ${{ secrets.SLACK_NOTIFICATIONS_BOT_TOKEN }} | ||
| uses: voxmedia/github-action-slack-notify-build@3665186a8c1a022b28a1dbe0954e73aa9081ea9e # v1.6.0 | ||
| with: | ||
| channel: build-failures | ||
| status: FAILED | ||
| color: danger | ||
| uses: ./.github/workflows/publish-products.yml | ||
| with: | ||
| version: ${{ needs.release.outputs.release-version }} | ||
| secrets: inherit |
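Review bot: `secrets: inherit` hands every repository and organization secret to the called workflow, where the inline job being removed here needed a known set (DOCKER_HUB_USERNAME, DOCKER_HUB_PASSWORD, BUILD_ARCHIVE_ACCESS_KEY, BUILD_ARCHIVE_SECRET_KEY, SLACK_NOTIFICATIONS_BOT_TOKEN). Because `publish-products.yml` is in this repository that is workable, but declaring those names under `on.workflow_call.secrets` and passing them explicitly keeps the set that crosses the workflow boundary visible in review. Please also confirm the reusable workflow preserves the `checkout-ref: refs/tags/v<version>` and `Login to Docker Hub` steps of the inline job, since the caller now only passes `version` and the build must still run from the release tag rather than the dispatching ref.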
These jobs call reusable workflows that upload release assets via gh release upload. Unless the repo/org default GITHUB_TOKEN permissions are set to write, this can fail with 403 because the caller job does not grant contents: write. Please add explicit permissions: contents: write (job-level here, or workflow-level) for publish-products/windows-build so the called workflows can upload assets reliably.
| publish-products: | ||
| name: Publish products and update site | ||
| needs: [verify-tag] | ||
| if: ${{ inputs.publishProducts }} | ||
| uses: ./.github/workflows/publish-products.yml | ||
| with: | ||
| version: ${{ inputs.version }} | ||
| secrets: inherit |
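Review bot: `inputs.version` here is free text from `workflow_dispatch`, and the inline steps this PR moves into the reusable workflow splice the version straight into a shell script (`gh release upload v${{ ... }} ... --repo ${{ github.repository }}`). Expression interpolation happens before bash parses the script, so if `publish-products.yml` keeps that pattern with `inputs.version`, a malformed input becomes shell syntax rather than a failed lookup. Pass it through `env:` (`VERSION: ${{ inputs.version }}`) and reference `"v$VERSION"` in `run:`, and have `verify-tag` reject anything that is not a plain version string before this job starts.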
publish-products and windows-build call reusable workflows that run gh release upload using ${{ github.token }}. The token’s permissions are controlled by the caller job, but these jobs don’t declare permissions: contents: write, so uploads can fail when default workflow permissions are read-only. Add explicit job (or workflow) permissions for release-asset uploads.
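The caller/callee split the comment above describes, written out as an added illustration (not the hale studio project's own workflow files): the caller job grants `contents: write` for the upload, uses one fixed concurrency group, names the secrets it passes, and the called workflow reads the version from an environment variable instead of interpolating it into the script. The `verify-tag` job is assumed to exist as in the PR and is not shown.

```yaml
# --- release-finalize.yml (caller), added example ---
name: Finalize Release
on:
  workflow_dispatch:
    inputs:
      version:          # e.g. 5.4.0, without the leading "v"
        required: true
        type: string
      publishProducts:
        type: boolean
        default: true
# one constant group: release.yml must use the same name for the lock to hold
concurrency:
  group: publish
permissions:
  contents: read        # workflow default stays read-only
jobs:
  publish-products:
    name: Publish products and update site
    needs: [verify-tag]  # defined elsewhere in the workflow (assumed)
    if: ${{ inputs.publishProducts }}
    permissions:
      contents: write   # the called workflow runs gh release upload with github.token
    uses: ./.github/workflows/publish-products.yml
    with:
      version: ${{ inputs.version }}
    secrets:            # explicit names instead of secrets: inherit
      DOCKER_HUB_USERNAME: ${{ secrets.DOCKER_HUB_USERNAME }}
      DOCKER_HUB_PASSWORD: ${{ secrets.DOCKER_HUB_PASSWORD }}
      BUILD_ARCHIVE_ACCESS_KEY: ${{ secrets.BUILD_ARCHIVE_ACCESS_KEY }}
      BUILD_ARCHIVE_SECRET_KEY: ${{ secrets.BUILD_ARCHIVE_SECRET_KEY }}
---
# --- publish-products.yml (called), added example ---
on:
  workflow_call:
    inputs:
      version: { required: true, type: string }
    secrets:
      DOCKER_HUB_USERNAME: { required: true }
      DOCKER_HUB_PASSWORD: { required: true }
      BUILD_ARCHIVE_ACCESS_KEY: { required: true }
      BUILD_ARCHIVE_SECRET_KEY: { required: true }
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - name: Add HALE products to release
        env:
          GH_TOKEN: ${{ github.token }}
          VERSION: ${{ inputs.version }}   # never expand ${{ }} inside the script body
        run: |
          gh release upload "v$VERSION" build/target/*.tar.gz --repo "$GITHUB_REPOSITORY"
```

A called workflow can only narrow the permissions the caller job grants, so `contents: write` has to be set on the caller side as shown.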
hale studio builds for this pull request: Build triggered for commit c48d768.
b4299b2 to cb2760f
No description provided.