diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
index 733c5b7..e40bc58 100644
--- a/.github/workflows/cd.yml
+++ b/.github/workflows/cd.yml
@@ -6,7 +6,7 @@ on:
 - "v*.*.*"
 permissions:
- contents: read
+ contents: write
 packages: write
 env:
@@ -58,3 +58,61 @@ jobs:
 cache-to: type=gha,mode=max
 tags: ${{ steps.meta.outputs.tags }}
 labels: ${{ steps.meta.outputs.labels }}
+
+ update-release-notes:
+ runs-on: ubuntu-latest
+ needs: build-and-push
+
+ steps:
+ - name: Ensure GitHub release exists
+ env:
+ GH_TOKEN: ${{ github.token }}
+ run: |
+ tag="${GITHUB_REF_NAME}"
+ if ! gh release view "$tag" >/dev/null 2>&1; then
+ gh release create "$tag" --title "$tag" --generate-notes
+ fi
+
+ - name: Append container image instructions to release body
+ env:
+ GH_TOKEN: ${{ github.token }}
+ IMAGE_REF: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+ run: |
+ # GITHUB_REF_NAME comes from the trusted maintainer-created tag ref that triggered this workflow.
+ python3 <<'PY'
+ import os
+ import subprocess
+ import textwrap
+
+ tag = os.environ["GITHUB_REF_NAME"]
+ image_ref = os.environ["IMAGE_REF"]
+ marker = "## Container image"
+
+ body = subprocess.check_output(
+ ["gh", "release", "view", tag, "--json", "body", "-q", ".body"],
+ text=True,
+ )
+
+ container_section = textwrap.dedent(
+ f"""
+ ## Container image
+
+ Pull the published container from GHCR:
+
+ ```bash
+ docker pull {image_ref}:{tag.lstrip('v')}
+ docker pull {image_ref}:latest
+ ```
+ """
+ ).strip()
+
+ if marker in body:
+ body = body.split(marker, 1)[0].rstrip()
+
+ body = f"{body}\n\n{container_section}\n" if body.strip() else f"{container_section}\n"
+
+ with open("RELEASE_NOTES.md", "w", encoding="utf-8") as fh:
+ fh.write(body)
+ PY
+
+ gh release edit "$GITHUB_REF_NAME" --notes-file RELEASE_NOTES.md
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
new file mode 100644
index 0000000..a84a267
--- /dev/null
+++ b/.github/workflows/release-please.yml
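Review bot: The switch to `contents: write` in the workflow-level `permissions:` block applies to every job in this workflow, so the build-and-push job also runs with a token that can modify repository contents and releases, although only the new update-release-notes job calls `gh release`. Keeping `contents: read` here and giving update-release-notes its own `permissions:` block with `contents: write` would confine the write scope to the job that needs it. A job-level `permissions:` block replaces the workflow-level set for that job, which looks fine here because the visible steps of update-release-notes do not push packages.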
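Review bot: In the "Ensure GitHub release exists" step, `gh release view "$tag" >/dev/null 2>&1` treats every failure as "release not found", so an authentication, rate-limit or repository-resolution error falls through to `gh release create` with its cause hidden. The job has no checkout step, and unless `GH_REPO` is set in the workflow `env:` outside this hunk, `gh` may have no repository to resolve; adding `GH_REPO: ${{ github.repository }}` to the `env:` of both steps makes the target explicit. Dropping `2>&1` would keep the reason for a failed lookup in the job log. Separately, `tag.lstrip('v')` strips every leading `v` rather than a single prefix; `tag.removeprefix('v')` states the intent exactly.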
@@ -0,0 +1,35 @@
+name: Release Please
+
+on:
+ push:
+ branches:
+ - main
+
+permissions:
+ contents: write
+ issues: write
+ pull-requests: write
+
+concurrency:
+ group: release-please-${{ github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ release-please:
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Validate release-please token is configured
+ env:
+ RELEASE_PLEASE_TOKEN: ${{ secrets.RELEASE_PLEASE_TOKEN }}
+ run: |
+ if [ -z "$RELEASE_PLEASE_TOKEN" ]; then
+ echo "::error::Missing RELEASE_PLEASE_TOKEN secret. Configure a PAT or GitHub App token with repository write access before enabling this workflow."
+ exit 1
+ fi
+
+ - name: Run release-please
+ uses: googleapis/release-please-action@v4
+ with:
+ token: ${{ secrets.RELEASE_PLEASE_TOKEN }}
+ release-type: go
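Review bot: `uses: googleapis/release-please-action@v4` references a mutable tag, and the same step hands that action `secrets.RELEASE_PLEASE_TOKEN`, a long-lived credential with repository write access. Pinning to a full commit SHA, e.g. `uses: googleapis/release-please-action@<full-commit-sha> # v4`, ensures a retagged release cannot run with that token without a reviewed change to this file. Because the action is given its own token, the workflow-level `contents`, `issues` and `pull-requests` write grants for `GITHUB_TOKEN` look unused by the visible steps and could probably be reduced to `permissions: {}`. A fine-grained token or GitHub App token limited to this repository would further narrow what a leak of the secret exposes.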