name: Auto-tag on version bump

# Pushes the matching `vX.Y.Z` tag when the workspace version on `main` moves
# past the latest existing tag. That tag push is what starts `release.yml`
# (parity run, binary builds, draft GitHub Release, npm wrapper publish).
#
# IMPORTANT: a tag pushed with the default `GITHUB_TOKEN` does NOT start
# downstream `on: push: tags` workflows (GitHub Actions safety rule). To have
# this flow fire `release.yml`, store a PAT (or fine-grained token) with
# `contents: write` on this repo as the `RELEASE_TAG_PAT` secret. Without it
# the tag is still created, but `release.yml` does NOT run automatically; the
# tag then has to be pushed again by hand from a developer machine
# (`git push origin v$VERSION`).
#
# NOTE(review): `RELEASE_TAG_PAT` is a long-lived credential that can write to
# this repository and start a release. Keep it limited to this one repository
# and to the permission named above, and rotate it on a schedule.

on:
  push:
    branches:
      - main
    paths:
      - 'Cargo.toml'
      - 'npm/codewhale/package.json'
  # NOTE(review): a manual run is not limited by the `branches` filter above;
  # it runs against whichever ref is selected when it is started. Confirm that
  # tagging from a ref other than `main` is acceptable, or restrict it.
  workflow_dispatch:

# Write access to repository contents is what lets the fallback `GITHUB_TOKEN`
# push the tag. It applies to every job in this workflow.
permissions:
  contents: write

# One run per ref at a time; a run in progress is never cancelled by a newer
# one.
concurrency:
  group: auto-tag-${{ github.ref_name }}
  cancel-in-progress: false
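jobs:
  # Single job: read the version from Cargo.toml, and if no `v<version>` tag
  # exists yet, verify version consistency and push the tag.
  tag:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): the action is referenced by a mutable version tag.
      # Pinning it to a full commit SHA stops a retagged release from running
      # in a job that holds a token with push rights.
      - uses: actions/checkout@v7
        with:
          # Full history and tags are needed for the tag-existence checks.
          fetch-depth: 0
          # Prefer PAT so the resulting tag push triggers release.yml.
          # Falls back to GITHUB_TOKEN, which will tag but NOT trigger.
          # NOTE(review): by default checkout persists this token for later
          # git commands, so every following step in this job (including
          # scripts/release/check-versions.sh) can use it.
          token: ${{ secrets.RELEASE_TAG_PAT || github.token }}

      # Takes the first `version = "..."` line of Cargo.toml and accepts it
      # only if it is strictly X.Y.Z (digits and dots). This check is what
      # keeps the derived tag name free of shell or ref metacharacters.
      - name: Read workspace version
        id: ver
        run: |
          v="$(grep -E '^version = "' Cargo.toml | head -n1 | sed -E 's/^version = "([^"]+)".*/\1/')"
          if [ -z "$v" ]; then
            echo "::error::Could not parse workspace version from Cargo.toml" >&2
            exit 1
          fi
          if ! echo "$v" | grep -qE '^[0-9]+\.[0-9]+\.[0-9]+$'; then
            echo "::error::Workspace version '$v' is not valid semver (expected X.Y.Z)" >&2
            exit 1
          fi
          echo "version=$v" >> "$GITHUB_OUTPUT"
          echo "tag=v$v" >> "$GITHUB_OUTPUT"
          echo "Workspace version: $v"

      # Sets `exists` to true when the tag is present locally (after a fetch)
      # or on origin. The later steps run only when it is false.
      - name: Check whether tag already exists
        id: check
        env:
          TAG: ${{ steps.ver.outputs.tag }}
        run: |
          git fetch --tags --quiet
          if git rev-parse -q --verify "refs/tags/${TAG}" >/dev/null \
            || git ls-remote --tags origin "refs/tags/${TAG}" | grep -q .; then
            echo "exists=true" >> "$GITHUB_OUTPUT"
            echo "Tag ${TAG} already exists; nothing to do."
          else
            echo "exists=false" >> "$GITHUB_OUTPUT"
            echo "Tag ${TAG} does not exist; will create."
          fi

      # Gate: no tag is created unless the repository's own consistency
      # script exits successfully.
      - name: Verify version consistency
        if: steps.check.outputs.exists == 'false'
        run: |
          ./scripts/release/check-versions.sh || {
            echo "::error::Version consistency check failed. Aborting tag creation." >&2
            exit 1
          }

      # Re-checks for the tag right before creating it (another run may have
      # pushed it in the meantime), then pushes with up to three attempts,
      # 10 seconds apart. `pushed` is true only when this run's push succeeded.
      - name: Create and push tag
        id: create
        if: steps.check.outputs.exists == 'false'
        env:
          TAG: ${{ steps.ver.outputs.tag }}
        run: |
          git config user.name "github-actions[bot]"
          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
          git fetch --tags --quiet
          if git rev-parse -q --verify "refs/tags/${TAG}" >/dev/null \
            || git ls-remote --tags origin "refs/tags/${TAG}" | grep -q .; then
            echo "pushed=false" >> "$GITHUB_OUTPUT"
            echo "Tag ${TAG} already exists after refresh; nothing to do."
            exit 0
          fi
          # Lightweight tag on the checked-out commit (HEAD).
          # NOTE(review): on a manual run that is the HEAD of the ref the run
          # was started on, which may not be main - confirm this is intended.
          git tag "${TAG}"
          max_retries=3
          retry_count=0
          while [ "${retry_count}" -lt "${max_retries}" ]; do
            if git push origin "${TAG}"; then
              echo "pushed=true" >> "$GITHUB_OUTPUT"
              echo "Pushed ${TAG}. release.yml should now run (requires RELEASE_TAG_PAT for trigger)."
              exit 0
            fi
            # A failed push is not an error if the tag is on origin anyway.
            if git ls-remote --tags origin "refs/tags/${TAG}" | grep -q .; then
              echo "pushed=false" >> "$GITHUB_OUTPUT"
              echo "Tag ${TAG} appeared during push; treating as already handled."
              exit 0
            fi
            retry_count=$((retry_count + 1))
            if [ "${retry_count}" -lt "${max_retries}" ]; then
              echo "Push attempt ${retry_count} failed; retrying in 10s..."
              sleep 10
            fi
          done
          echo "::error::Failed to push tag ${TAG} after ${max_retries} attempts." >&2
          exit 1

      # Only a true/false flag derived from the secret reaches the shell, not
      # the secret itself. The tag name is passed through the environment,
      # like in the steps above, instead of being expanded into the script
      # text, so the script never depends on the output's content being safe.
      - name: Warn if PAT missing
        if: steps.create.outputs.pushed == 'true'
        env:
          HAS_PAT: ${{ secrets.RELEASE_TAG_PAT != '' }}
          TAG: ${{ steps.ver.outputs.tag }}
        run: |
          if [ "${HAS_PAT}" != "true" ]; then
            echo "::warning::RELEASE_TAG_PAT secret is not set. The tag was pushed using GITHUB_TOKEN, which does NOT trigger release.yml. Manually re-push the tag from a developer machine, or run 'gh workflow run release.yml --ref ${TAG}'."
          fi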