Skip to content

ci: draft-then-publish releases to close the empty public window #21

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
TMHSDigital merged 1 commit into from
Jun 5, 2026
+31 −3
Merged

ci: draft-then-publish releases to close the empty public window #21

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
34 changes: 31 additions & 3 deletions .github/workflows/go.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -50,6 +50,11 @@ jobs:
# matrix below then only adds files to this already-existing release and can
# never race to create it (the race that made action-gh-release v3 fail with
# "already_exists (tag_name)").
#
# The release is created as a draft so it is not publicly visible while the
# upload matrix is still attaching assets. The publish-release job flips it to
# published only after all assets are present, so the public never sees a
# partial or empty release.
create-release:
needs: build
if: startsWith(github.ref, 'refs/tags/v')
Expand All @@ -58,8 +63,10 @@ jobs:
contents: write

steps:
- name: Ensure release exists for tag
- name: Create draft release for tag
uses: softprops/action-gh-release@v3
with:
draft: true
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Expand Down Expand Up @@ -137,12 +144,33 @@ jobs:

# The release already exists (created by create-release), so each matrix leg
# only adds its binary and checksum. No matrix job creates the release, which
# avoids the concurrent-create race entirely.
- name: Upload assets to release
# avoids the concurrent-create race entirely. draft: true is set explicitly
# so these update calls keep the release in draft (the action's draft input
# defaults to false and would otherwise publish it early).
- name: Upload assets to draft release
uses: softprops/action-gh-release@v3
with:
draft: true
files: |
${{ matrix.asset_name }}
${{ matrix.asset_name }}.sha256
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

# Single job that publishes the release once, only after the full asset set is
# attached. Flipping draft to false here is the moment the release becomes
# public, so there is no window where a partial or empty release is visible.
publish-release:
needs: upload-assets
if: startsWith(github.ref, 'refs/tags/v')
runs-on: ubuntu-latest
permissions:
contents: write

steps:
- name: Publish release
uses: softprops/action-gh-release@v3
with:
draft: false
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
Loading