From 935aeb330fca632bdf82bb39e1ae508879724802 Mon Sep 17 00:00:00 2001
From: Rebecca Turner
Date: Thu, 18 Sep 2025 14:43:15 -0700
Subject: [PATCH] GHA: Use `workflow_dispatch`
---
.github/labeler.yml | 8 ---
.github/workflows/label-prs.yaml | 59 ------------------
.github/workflows/release.yaml | 55 ++++++++---------
.github/workflows/version.yaml | 103 +++++++++----------------------
4 files changed, 54 insertions(+), 171 deletions(-)
delete mode 100644 .github/labeler.yml
delete mode 100644 .github/workflows/label-prs.yaml
diff --git a/.github/labeler.yml b/.github/labeler.yml
deleted file mode 100644
index 4b574c1..0000000
--- a/.github/labeler.yml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-# See: https://github.com/marketplace/actions/labeler
-patch:
- - 'src/**/*.rs'
- - '**/Cargo.toml'
- - '**/Cargo.lock'
- - 'flake.nix'
- - 'flake.lock'
diff --git a/.github/workflows/label-prs.yaml b/.github/workflows/label-prs.yaml
deleted file mode 100644
index 89064b6..0000000
--- a/.github/workflows/label-prs.yaml
+++ /dev/null
@@ -1,59 +0,0 @@ ---- -# This workflow runs when PRs are opened and labels them `patch`. - -on: - pull_request_target: - types: - - opened - - reopened - -name: Label PRs with `patch` by default - -jobs: - # It seems like GitHub doesn't correctly populate the PR labels for the - # `opened` event, so we use the GitHub API to fetch them separately. - - get-labels: - name: Get PR labels - runs-on: ubuntu-latest - if: > - ! startsWith(github.event.pull_request.head.ref, 'release/') - outputs: - labels: ${{ steps.get-labels.outputs.labels }} - steps: - - name: Get PR labels from GitHub API - id: get-labels - env: - REPO: ${{ github.repository }} - NUMBER: ${{ github.event.pull_request.number }} - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: | - LABELS=$(gh api "repos/$REPO/issues/$NUMBER/labels") - echo "PR #$NUMBER is labeled with: $LABELS" - echo "labels=$LABELS" >> "$GITHUB_OUTPUT" - - label: - name: Label PR with `patch` - needs: - - get-labels - permissions: - contents: read - pull-requests: write - # This has been endlessly frustrating. I have no clue why I've had such bad - # luck with this particular `if`, especially when I use the same logic - # elsewhere in these actions and it seems to Just Work there. Misery! - # Misery for Rebecca for 1000 years!!! - # - # total_hours_wasted_here = 4 - if: > - ! ( contains(fromJSON(needs.get-labels.outputs.labels).*.name, 'release') - || contains(fromJSON(needs.get-labels.outputs.labels).*.name, 'minor') - || contains(fromJSON(needs.get-labels.outputs.labels).*.name, 'major') - ) - - runs-on: ubuntu-latest - steps: - - name: Label PR with `patch` - uses: actions/labeler@v4 - with: - repo-token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 0c4850a..2d8205a 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -8,6 +8,7 @@ on: - closed branches: - main + workflow_dispatch: name: Build and publish a release 
@@ -15,19 +16,24 @@ jobs: # We make `if_merged` a `needs:` of the other jobs here to only run this # workflow on merged PRs. if_merged: - name: Check that PR was merged and not closed - if: github.event.pull_request.merged == true - && contains(github.event.pull_request.labels.*.name, 'release') - runs-on: ubuntu-latest permissions: + issues: write pull-requests: write + name: Check that PR was merged and not closed + if: github.event_name == 'workflow_dispatch' + || ( + github.event.pull_request.merged == true + && contains(github.event.pull_request.labels.*.name, 'release') + ) + runs-on: ubuntu-latest steps: - run: | echo "This is a canonical hack to run GitHub Actions on merged PRs" echo "See: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#running-your-pull_request-workflow-when-a-pull-request-merges" - name: Comment on PR with link to this action - uses: peter-evans/create-or-update-comment@v3 + uses: peter-evans/create-or-update-comment@v4 + if: github.event_name == 'pull_request' with: issue-number: ${{ github.event.pull_request.number }} body: | @@ -43,14 +49,9 @@ jobs: version: ${{ steps.get_cargo_metadata.outputs.version }} steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@v5 - - uses: cachix/install-nix-action@v22 - with: - github_access_token: ${{ secrets.GITHUB_TOKEN }} - extra_nix_config: | - extra-experimental-features = nix-command flakes - accept-flake-config = true + - uses: cachix/install-nix-action@v31 - name: Get version number id: get_cargo_metadata 
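Review bot: The new `github.event_name == 'workflow_dispatch'` arm of the `if_merged` condition accepts a dispatch from any ref, because the `branches: main` filter in the `on:` block applies only to the `pull_request` trigger. A run dispatched from a feature branch would therefore pass this gate and reach the crates.io publish step, and the tagging step in the `@@ -108,13 +100,15 @@` hunk would tag `${{ github.sha }}`, i.e. whatever commit was dispatched. Narrowing the arm to `(github.event_name == 'workflow_dispatch' && github.ref == 'refs/heads/main')`, or putting the publishing jobs behind a protected environment, keeps manual releases on the reviewed branch. The dispatch path also bypasses the `release` label check, so a short comment above the `if:` saying who is expected to use it and when would help.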
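Review bot: `cachix/install-nix-action@v31` is referenced by a mutable tag in a workflow whose later jobs use `CARGO_REGISTRY_TOKEN` and a `contents: write` token. The same holds for `peter-evans/create-or-update-comment@v4`, `mathieudutour/github-tag-action@v6.2` and `softprops/action-gh-release@v2.3.2` in the other hunks of this file, and for `peter-evans/create-pull-request@v7` in `version.yaml`. A tag can be repointed upstream, so the code executed in the release path can change without any commit in this repository. Pinning each third-party action to a full commit SHA with the version as a trailing comment, e.g. `uses: cachix/install-nix-action@<full-commit-sha>  # v31`, and letting Dependabot or Renovate propose the bumps keeps every update reviewable. The job's step list continues outside this hunk.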
@@ -64,20 +65,12 @@ jobs: # parts of the matrix (so we can have the macOS and Linux executables in # the next job). needs: if_merged - runs-on: ${{ matrix.os }} - strategy: - matrix: - os: [ubuntu-latest] + runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@v5 - - uses: cachix/install-nix-action@v22 - with: - github_access_token: ${{ secrets.GITHUB_TOKEN }} - extra_nix_config: | - extra-experimental-features = nix-command flakes - accept-flake-config = true + - uses: cachix/install-nix-action@v31 - name: Build documentation run: | @@ -86,14 +79,13 @@ jobs: cp "$RESULT"/* target/ - name: Upload documentation - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: documentation path: | target/* - name: Publish to crates.io - if: runner.os == 'Linux' env: CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }} run: | @@ -108,13 +100,15 @@ jobs: - version permissions: contents: write + issues: write pull-requests: write steps: - name: Tag the release - uses: mathieudutour/github-tag-action@v6.0 + uses: mathieudutour/github-tag-action@v6.2 with: github_token: ${{ secrets.GITHUB_TOKEN }} - commit_sha: ${{ github.event.pull_request.merge_commit_sha }} + commit_sha: ${{ github.sha }} + # Note: This action automatically applies a prefix for us! custom_tag: ${{ needs.version.outputs.version }} - name: Download artifacts @@ -130,11 +124,11 @@ jobs: # path: target/release/ghciwatch-aarch64-linux # # will be downloaded to `linux/ghciwatch-aarch64-linux`. - uses: actions/download-artifact@v3 + uses: actions/download-artifact@v5 - name: Create release id: create_release - uses: softprops/action-gh-release@v1 + uses: softprops/action-gh-release@v2.3.2 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: 
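Review bot: The comment kept above `needs: if_merged` in the `@@ -64,20 +65,12 @@` hunk still refers to "parts of the matrix (so we can have the macOS and Linux executables in the next job)", but this hunk replaces `strategy.matrix` with a fixed `runs-on: ubuntu-latest`. The comment starts outside the hunk, so only its tail is visible; as far as it can be read, it now describes a structure that no longer exists. It should be rewritten to say what the job does today, for instance `# Builds the documentation and publishes the crate to crates.io.` if that matches the steps outside the hunk.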
@@ -146,7 +140,8 @@ jobs: documentation/* - name: Comment on PR with link to the release - uses: peter-evans/create-or-update-comment@v3 + uses: peter-evans/create-or-update-comment@v4 + if: github.event_name == 'pull_request' with: issue-number: ${{ github.event.pull_request.number }} body: | diff --git a/.github/workflows/version.yaml b/.github/workflows/version.yaml index 00a394e..9560235 100644 --- a/.github/workflows/version.yaml +++ b/.github/workflows/version.yaml 
@@ -1,83 +1,45 @@ --- -# This workflow runs when PRs labeled `major`, `minor`, or `patch` are closed -# and increments version numbers. Then, it opens a PR labeled `release` for the -# changes. When that PR is merged, a release is created (see `release.yaml`). - on: - pull_request: - types: - - closed - branches: - - main + workflow_dispatch: + inputs: + bump_type: + description: 'Version bump type to perform' + required: true + default: 'patch' + type: choice + options: + - patch + - minor + - major name: Update versions and create release PR jobs: - # We make `if_merged` a `needs:` of the other jobs here to only run this - # workflow on merged PRs. - if_merged: - name: Check that PR was merged and not closed - if: github.event.pull_request.merged == true - && ( contains(github.event.pull_request.labels.*.name, 'major') - || contains(github.event.pull_request.labels.*.name, 'minor') - || contains(github.event.pull_request.labels.*.name, 'patch') - ) - runs-on: ubuntu-latest - steps: - - run: | - echo "This is a canonical hack to run GitHub Actions on merged PRs" - echo "See: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#running-your-pull_request-workflow-when-a-pull-request-merges" - - bump_type: - name: Determine version bump type - needs: if_merged - runs-on: ubuntu-latest - outputs: - bump_type: ${{ steps.bump_type.outputs.bump_type }} - steps: - - name: Set output - id: bump_type - env: - is_major: ${{ contains(github.event.pull_request.labels.*.name, 'major') }} - is_minor: ${{ contains(github.event.pull_request.labels.*.name, 'minor') }} - is_patch: ${{ contains(github.event.pull_request.labels.*.name, 'patch') }} - run: | - if [[ "$is_major" == "true" ]]; then - echo "bump_type=major" >> "$GITHUB_OUTPUT" - elif [[ "$is_minor" == "true" ]]; then - echo "bump_type=minor" >> "$GITHUB_OUTPUT" - elif [[ "$is_patch" == "true" ]]; then - echo "bump_type=patch" >> "$GITHUB_OUTPUT" - fi - version: name: Bump version and create 
release PR - permissions: - pull-requests: write - needs: - - if_merged - - bump_type runs-on: ubuntu-latest steps: + # See: https://github.com/peter-evans/create-pull-request/blob/915d841dae6a4f191bb78faf61a257411d7be4d2/docs/concepts-guidelines.md#authenticating-with-github-app-generated-tokens + - uses: actions/create-github-app-token@v2 + id: generate_token + with: + app-id: ${{ secrets.APP_ID }} + private-key: ${{ secrets.APP_PRIVATE_KEY }} + - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@v5 with: # Fetch all history/tags (needed to compute versions) fetch-depth: 0 - - uses: cachix/install-nix-action@v22 - with: - github_access_token: ${{ secrets.GITHUB_TOKEN }} - extra_nix_config: | - extra-experimental-features = nix-command flakes - accept-flake-config = true + - uses: cachix/install-nix-action@v31 - name: Get old version number id: old_cargo_metadata run: echo "version=$(nix run .#get-crate-version)" >> "$GITHUB_OUTPUT" - name: Increment `Cargo.toml` version - run: nix run .#make-release-commit -- ${{ needs.bump_type.outputs.bump_type }} + run: nix run .#make-release-commit -- ${{ inputs.bump_type }} - name: Get new version number id: new_cargo_metadata 
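Review bot: Removing the `permissions:` block from the `version` job leaves its `GITHUB_TOKEN` at the repository or organisation default, which may be read/write, while the job checks out the repository and runs `nix run` against it. Since the pull request is now opened with the App token, the job token can be reduced explicitly by adding `permissions:` with `contents: read` directly under `version:`. Separately, `${{ inputs.bump_type }}` is expanded into the `run:` script text before the shell sees it. The `choice` type limits the accepted values, but passing it as `env:` / `BUMP_TYPE: ${{ inputs.bump_type }}` and running `nix run .#make-release-commit -- "$BUMP_TYPE"` keeps the script independent of the input's content, as the removed `bump_type` job did with its `is_major`/`is_minor`/`is_patch` variables.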
@@ -85,15 +47,17 @@ jobs: - name: Create release PR id: release_pr - uses: peter-evans/create-pull-request@v5 + uses: peter-evans/create-pull-request@v7 with: - # We push with the repo-scoped GitHub token to avoid branch - # protections. This token is tied to my account (@9999years) which is - # excluded from branch protection restrictions. - # # I'd love a better way of implementing this but GitHub doesn't have # one: https://github.com/github-community/community/discussions/13836 - token: ${{ secrets.REPO_GITHUB_TOKEN }} + # + # Also, PRs created with the default `secrets.GITHUB_TOKEN` won't + # trigger `pull_request` workflows, so regular CI won't run either. + # + # See: https://github.com/orgs/community/discussions/65321 + # See: https://github.com/peter-evans/create-pull-request/blob/915d841dae6a4f191bb78faf61a257411d7be4d2/docs/concepts-guidelines.md#authenticating-with-github-app-generated-tokens + token: ${{ steps.generate_token.outputs.token }} branch: release/${{ steps.new_cargo_metadata.outputs.version }} delete-branch: true base: main @@ -102,12 +66,3 @@ jobs: Update version to ${{ steps.new_cargo_metadata.outputs.version }} with [cargo-release](https://github.com/crate-ci/cargo-release). Merge this PR to build and publish a new release. labels: release - - - name: Comment on PR with link to release PR - uses: peter-evans/create-or-update-comment@v3 - with: - issue-number: ${{ github.event.pull_request.number }} - body: | - [A PR to release these changes has been created, bumping the version from ${{ steps.old_cargo_metadata.outputs.version }} to ${{ steps.new_cargo_metadata.outputs.version }}.][pr] - - [pr]: ${{ steps.release_pr.outputs.pull-request-url }}
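Review bot: The comment kept above `token:` now opens with "I'd love a better way of implementing this", but the sentences that said what "this" was (pushing with an account-bound token exempt from branch protection) are removed in this hunk, and the added paragraph starts with "Also," with nothing before it. A replacement opening line such as `# Use a GitHub App installation token so that the release PR triggers the regular pull_request workflows.` would state the intent directly. It would also help to record which permissions the App is expected to have, because the token minted in the `generate_token` step presumably carries everything granted to the installation unless the action is told to narrow it; please confirm this against the linked guide.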