diff --git a/.github/workflows/auto-changelog.yml b/.github/workflows/auto-changelog.yml index 436bdc92..5cf62a02 100644 --- a/.github/workflows/auto-changelog.yml +++ b/.github/workflows/auto-changelog.yml @@ -14,4 +14,4 @@ jobs: - name: Draft Release uses: release-drafter/release-drafter@b1476f6e6eb133afa41ed8589daba6dc69b4d3f5 # v6 env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + CHARON_TOKEN: ${{ secrets.CHARON_TOKEN }} diff --git a/.github/workflows/auto-versioning.yml b/.github/workflows/auto-versioning.yml index 222cd9c9..f67a9ec7 100644 --- a/.github/workflows/auto-versioning.yml +++ b/.github/workflows/auto-versioning.yml @@ -60,28 +60,42 @@ jobs: # Export the tag for downstream steps echo "tag=${TAG}" >> $GITHUB_OUTPUT env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + CHARON_TOKEN: ${{ secrets.CHARON_TOKEN }} + + - name: Determine tag + id: determine_tag + run: | + # Prefer created tag output; if empty fallback to semver version + TAG="${{ steps.create_tag.outputs.tag }}" + if [ -z "$TAG" ]; then + # semver.version contains a tag value like 'vX.Y.Z' or fallback 'v0.0.0' + VERSION_RAW="${{ steps.semver.outputs.version }}" + VERSION_NO_V="${VERSION_RAW#v}" + TAG="v${VERSION_NO_V}" + fi + echo "Determined tag: $TAG" + echo "tag=$TAG" >> $GITHUB_OUTPUT - name: Check for existing GitHub Release id: check_release run: | - TAG=${{ steps.create_tag.outputs.tag }} + TAG=${{ steps.determine_tag.outputs.tag }} echo "Checking for release for tag: ${TAG}" - STATUS=$(curl -s -o /dev/null -w "%{http_code}" -H "Authorization: token ${GITHUB_TOKEN}" -H "Accept: application/vnd.github+json" "https://api.github.com/repos/${GITHUB_REPOSITORY}/releases/tags/${TAG}") || true + STATUS=$(curl -s -o /dev/null -w "%{http_code}" -H "Authorization: token ${CHARON_TOKEN}" -H "Accept: application/vnd.github+json" "https://api.github.com/repos/${GITHUB_REPOSITORY}/releases/tags/${TAG}") || true if [ "${STATUS}" = "200" ]; then echo "exists=true" >> $GITHUB_OUTPUT else echo "exists=false" >> $GITHUB_OUTPUT fi env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + CHARON_TOKEN: ${{ secrets.CHARON_TOKEN }} - name: Create GitHub Release (tag-only, no workspace changes) if: ${{ steps.semver.outputs.changed && steps.check_release.outputs.exists == 'false' }} uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2 with: - tag_name: ${{ steps.create_tag.outputs.tag }} - name: Release ${{ steps.create_tag.outputs.tag }} + tag_name: ${{ steps.determine_tag.outputs.tag }} + name: Release ${{ steps.determine_tag.outputs.tag }} body: ${{ steps.semver.outputs.release_notes }} env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + CHARON_TOKEN: ${{ secrets.CHARON_TOKEN }} diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml index 8076ce81..96d99347 100644 --- a/.github/workflows/benchmark.yml +++ b/.github/workflows/benchmark.yml @@ -42,7 +42,7 @@ jobs: name: Go Benchmark tool: 'go' output-file-path: backend/output.txt - github-token: ${{ secrets.GITHUB_TOKEN }} + github-token: ${{ secrets.CHARON_TOKEN }} auto-push: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }} # Show alert with commit comment on detection of performance regression alert-threshold: '150%' diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml index 32dce119..f0cd4ffe 100644 --- a/.github/workflows/docker-publish.yml +++ b/.github/workflows/docker-publish.yml @@ -169,7 +169,7 @@ jobs: uses: github/codeql-action/upload-sarif@fe4161a26a8629af62121b670040955b330f9af2 # v4.31.6 with: sarif_file: 'trivy-results.sarif' - token: ${{ secrets.GITHUB_TOKEN }} + token: ${{ secrets.CHARON_TOKEN }} - name: Create summary if: steps.skip.outputs.skip_build != 'true' diff --git a/.github/workflows/release-goreleaser.yml b/.github/workflows/release-goreleaser.yml index 2f60e9b6..3e478a81 100644 --- a/.github/workflows/release-goreleaser.yml +++ b/.github/workflows/release-goreleaser.yml @@ -13,10 +13,10 @@ jobs: goreleaser: runs-on: ubuntu-latest env: - # Use the built-in GITHUB_TOKEN by default for GitHub API operations. + # Use the built-in CHARON_TOKEN by default for GitHub API operations. # If you need to provide a PAT with elevated permissions, add a CHARON_TOKEN secret # at the repo or organization level and update the env here accordingly. - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + CHARON_TOKEN: ${{ secrets.CHARON_TOKEN }} steps: - name: Checkout uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6 @@ -47,7 +47,8 @@ jobs: with: version: 0.13.0 - # GITHUB_TOKEN is set from CHARON_TOKEN or CPMP_TOKEN (fallback), defaulting to GITHUB_TOKEN + # CHARON_TOKEN is set from CHARON_TOKEN or CPMP_TOKEN (fallback), defaulting to GITHUB_TOKEN + - name: Run GoReleaser uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6 diff --git a/.github/workflows/renovate_prune.yml b/.github/workflows/renovate_prune.yml index b75e836b..7089e435 100644 --- a/.github/workflows/renovate_prune.yml +++ b/.github/workflows/renovate_prune.yml @@ -26,15 +26,15 @@ jobs: run: | if [ -n "${{ secrets.CHARON_TOKEN }}" ]; then echo "Using CHARON_TOKEN" >&2 - echo "GITHUB_TOKEN=${{ secrets.CHARON_TOKEN }}" >> $GITHUB_ENV + echo "CHARON_TOKEN=${{ secrets.CHARON_TOKEN }}" >> $GITHUB_ENV else echo "Using CPMP_TOKEN fallback" >&2 - echo "GITHUB_TOKEN=${{ secrets.CPMP_TOKEN }}" >> $GITHUB_ENV + echo "CHARON_TOKEN=${{ secrets.CPMP_TOKEN }}" >> $GITHUB_ENV fi - name: Prune renovate branches uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: - github-token: ${{ env.GITHUB_TOKEN }} + github-token: ${{ env.CHARON_TOKEN }} script: | const owner = context.repo.owner; const repo = context.repo.repo;