Add automated release workflow (#1748)
build / yamllint (push) Has been cancelled
build / smoke-test (push) Has been cancelled
build / eslint (push) Has been cancelled
build / unused-deps (push) Has been cancelled
build / jest (push) Has been cancelled
build / CodeQL (push) Has been cancelled

* Add automated release workflow

Triggered on semver tag push. Handles npm publish,
GitHub Release with binaries, .deb build+sign, and
PPA upload to Cloudflare R2. Includes workflow_dispatch
with dry-run mode for safe testing.

* Ignore all GitHub workflows in yamllint

* Pass GPG secrets via env vars instead of inline expansion

* Use npm trusted publishing instead of NPM_TOKEN

* Set version in package.json and index.ts from tag

* Use 0.0.0 placeholder for version in package.json and index.ts

* Use rclone copy instead of sync to never delete R2 files
This commit is contained in:
Mads Jon Nielsen
2026-02-14 12:05:43 +01:00
committed by GitHub
parent ee99b2048b
commit 6a54ffbf98
4 changed files with 106 additions and 3 deletions
+103
View File
@@ -0,0 +1,103 @@
---
name: release
on:
push:
tags:
- '[0-9]+.[0-9]+.[0-9]+'
workflow_dispatch:
inputs:
dry-run:
description: 'Dry run (npm --dry-run, draft release, skip R2 upload)'
type: boolean
default: true
env:
PKG_CACHE_PATH: .pkg
DRY_RUN: ${{ inputs.dry-run || false }}
jobs:
release:
runs-on: ubuntu-24.04
permissions:
contents: write
id-token: write
steps:
- uses: actions/checkout@v6
- name: Set version from tag
run: |
sed -i "s/0.0.0/${GITHUB_REF_NAME}/g" package.json src/index.ts
- uses: actions/setup-node@v6
with:
node-version: '24'
cache: 'npm'
registry-url: 'https://registry.npmjs.org'
- uses: actions/cache@v5.0.3
with:
path: ${{ env.PKG_CACHE_PATH }}
key: pkg-cache
- run: npm ci
- run: npm run build
- run: npm run esbuild
- run: npm run pkg-all
- name: Install rclone
run: sudo apt-get update && sudo apt-get install -y rclone
- name: Download existing ppa from R2
run: |
rclone copy r2:${R2_BUCKET}/ ppa/ \
--s3-provider=Cloudflare \
--s3-access-key-id="${R2_ACCESS_KEY_ID}" \
--s3-secret-access-key="${R2_SECRET_ACCESS_KEY}" \
--s3-endpoint="${R2_ENDPOINT}" \
--s3-no-check-bucket
env:
R2_ACCESS_KEY_ID: ${{ secrets.R2_ACCESS_KEY_ID }}
R2_SECRET_ACCESS_KEY: ${{ secrets.R2_SECRET_ACCESS_KEY }}
R2_ENDPOINT: ${{ secrets.R2_ENDPOINT }}
R2_BUCKET: ${{ secrets.R2_BUCKET }}
- name: Import GPG key and preset passphrase
run: |
echo "${GPG_PRIVATE_KEY}" | gpg --batch --import
echo "allow-preset-passphrase" >> ~/.gnupg/gpg-agent.conf
gpgconf --kill gpg-agent
gpgconf --launch gpg-agent
for keygrip in $(gpg --list-secret-keys --with-keygrip --with-colons madsjon@gmail.com | awk -F: '/grp/{print $10}'); do
/usr/lib/gnupg/gpg-preset-passphrase --preset --passphrase "${GPG_PASSPHRASE}" "$keygrip"
done
env:
GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
- name: Build .deb and sign
run: ./publish-deb
- name: Publish to npm
run: npm publish --provenance ${{ env.DRY_RUN == 'true' && '--dry-run' || '' }}
- name: Create GitHub Release
run: >
gh release create "${GITHUB_REF_NAME}" bin/*.gz --generate-notes
${{ env.DRY_RUN == 'true' && '--draft' || '' }}
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Upload ppa to Cloudflare R2
if: env.DRY_RUN != 'true'
run: |
rclone copy ppa/ r2:${R2_BUCKET}/ \
--s3-provider=Cloudflare \
--s3-access-key-id="${R2_ACCESS_KEY_ID}" \
--s3-secret-access-key="${R2_SECRET_ACCESS_KEY}" \
--s3-endpoint="${R2_ENDPOINT}" \
--s3-no-check-bucket
env:
R2_ACCESS_KEY_ID: ${{ secrets.R2_ACCESS_KEY_ID }}
R2_SECRET_ACCESS_KEY: ${{ secrets.R2_SECRET_ACCESS_KEY }}
R2_ENDPOINT: ${{ secrets.R2_ENDPOINT }}
R2_BUCKET: ${{ secrets.R2_BUCKET }}
+1 -1
View File
@@ -9,7 +9,7 @@ ignore: |
examples/docker-swarm-php/vendor/
MergeRequest-Pipelines.gitlab-ci.yml
PHP.gitlab-ci.yml
/.github/workflows/build.yml
/.github/workflows/
rules:
line-length: { max: 160 }
+1 -1
View File
@@ -4,7 +4,7 @@
"description": "Tired of pushing to test your .gitlab-ci.yml?",
"main": "src/index.js",
"bin": "src/index.js",
"version": "4.64.1",
"version": "0.0.0",
"scripts": {
"esbuild": "esbuild src/index.ts --outfile=bin/index.cjs --bundle --platform=node --format=cjs --minify --external:yargs --sourcemap=inline",
"pkg-linux": "pkg bin/index.cjs --public --options=enable-source-maps --no-bytecode -t linux-x64 -o bin/linux/gitlab-ci-local && chmod +x bin/linux/gitlab-ci-local && gzip -c bin/linux/gitlab-ci-local > bin/linux.gz",
+1 -1
View File
@@ -25,7 +25,7 @@ process.on("SIGUSR2", async () => await cleanupJobResources(jobs));
const yparser = yargs(process.argv.slice(2));
yparser.parserConfiguration({"greedy-arrays": false})
.showHelpOnFail(false)
.version("4.64.1")
.version("0.0.0")
.wrap(yparser.terminalWidth?.())
.command({
handler: async (argv) => {