85 lines
2.7 KiB
YAML
85 lines
2.7 KiB
YAML
name: Release (GoReleaser)
|
|
|
|
on:
|
|
push:
|
|
tags:
|
|
- 'v*'
|
|
|
|
concurrency:
|
|
group: ${{ github.workflow }}-${{ github.ref }}
|
|
cancel-in-progress: false
|
|
|
|
env:
|
|
GO_VERSION: '1.26.1'
|
|
NODE_VERSION: '24.12.0'
|
|
GOTOOLCHAIN: auto
|
|
|
|
permissions:
|
|
contents: write
|
|
packages: write
|
|
|
|
jobs:
|
|
goreleaser:
|
|
if: ${{ !contains(github.ref_name, '-candidate') && !contains(github.ref_name, '-rc') }}
|
|
runs-on: ubuntu-latest
|
|
env:
|
|
# Use the built-in GITHUB_TOKEN by default for GitHub API operations.
|
|
# If you need to provide a PAT with elevated permissions, add a GITHUB_TOKEN secret
|
|
# at the repo or organization level and update the env here accordingly.
|
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
|
|
with:
|
|
fetch-depth: 0
|
|
|
|
- name: Enforce PR-2 release promotion guard
|
|
env:
|
|
REPO_VARS_JSON: ${{ toJSON(vars) }}
|
|
run: |
|
|
PR2_GATE_STATUS="$(printf '%s' "$REPO_VARS_JSON" | jq -r '.CHARON_PR2_GATES_PASSED // "false"')"
|
|
if [[ "$PR2_GATE_STATUS" != "true" ]]; then
|
|
echo "::error::Releasable tag promotion is blocked until PR-2 security/retirement gates pass."
|
|
echo "::error::Set repository variable CHARON_PR2_GATES_PASSED=true only after PR-2 approval."
|
|
exit 1
|
|
fi
|
|
|
|
- name: Set up Go
|
|
uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
|
|
with:
|
|
go-version: ${{ env.GO_VERSION }}
|
|
cache-dependency-path: backend/go.sum
|
|
|
|
- name: Set up Node.js
|
|
uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
|
|
with:
|
|
node-version: ${{ env.NODE_VERSION }}
|
|
|
|
- name: Build Frontend
|
|
working-directory: frontend
|
|
run: |
|
|
# Inject version into frontend build from tag (if present)
|
|
VERSION=${GITHUB_REF#refs/tags/}
|
|
echo "VITE_APP_VERSION=${VERSION}" >> "$GITHUB_ENV"
|
|
npm ci
|
|
npm run build
|
|
|
|
- name: Install Cross-Compilation Tools (Zig)
|
|
# Security: Pinned to full SHA for supply chain security
|
|
uses: goto-bus-stop/setup-zig@abea47f85e598557f500fa1fd2ab7464fcb39406 # v2
|
|
with:
|
|
version: 0.13.0
|
|
|
|
# GITHUB_TOKEN is set from GITHUB_TOKEN or CHARON_TOKEN (fallback), defaulting to GITHUB_TOKEN
|
|
|
|
|
|
- name: Run GoReleaser
|
|
uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7
|
|
with:
|
|
distribution: goreleaser
|
|
version: '~> v2.5'
|
|
args: release --clean
|
|
env:
|
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
# CGO settings are handled in .goreleaser.yaml via Zig
|