
Commit 3eb584c

🔒 fix(ci): split release workflow for proper credential scoping (#158)
The post-release PR step in the release workflow fails with `fatal: could not read Username` because `persist-credentials: false` was added by the zizmor security audit (#154), but the step needs `git push` access via `RELEASE_TOKEN`. The fix splits the release workflow into two jobs. The `publish` job keeps `persist-credentials: false` since it only needs to build and publish, no git push. The `post-release` job also uses `persist-credentials: false` but configures git auth via `remote set-url` scoped to the single step that needs push access, with `RELEASE_TOKEN` protected by the `release` environment. The changelog patching is replicated in the post-release job so the version bump PR includes the updated `CHANGELOG.md`, matching the original behavior.
1 parent c86fb1c commit 3eb584c

1 file changed

Lines changed: 45 additions & 7 deletions

File tree

.github/workflows/release.yaml

@@ -1,4 +1,4 @@
1-
# Secrets required: PUBLISH_TOKEN, PRIVATE_KEY, PRIVATE_KEY_PASSWORD, CERTIFICATE_CHAIN.
1+
# Secrets required: PUBLISH_TOKEN, PRIVATE_KEY, PRIVATE_KEY_PASSWORD, CERTIFICATE_CHAIN, RELEASE_TOKEN.
22
name: Release
33
on:
44
release:
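Review bot: the secrets comment now lists `RELEASE_TOKEN` but does not say that it has to be provisioned as an environment secret of the `release` environment (both jobs below declare `environment: name: release`, and the commit message relies on that environment to protect the token). Someone setting up the repository from this comment would most likely add it as a plain repository secret, which bypasses the environment protection. Suggest `# Secrets required (release environment): PUBLISH_TOKEN, ..., RELEASE_TOKEN.` so the scoping is documented where the secrets are enumerated.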
@@ -10,7 +10,6 @@ jobs:
1010
runs-on: ubuntu-latest
1111
permissions:
1212
contents: write
13-
pull-requests: write
1413
environment:
1514
name: release
1615
url: https://plugins.jetbrains.com/plugin/20536-pyvenv-manage-2
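Review bot: dropping `pull-requests: write` from the `publish` job is the right least-privilege move now that PR creation lives in its own job, and `contents: write` still has to stay for the `gh release upload` step in the next hunk. One thing to confirm before merging: no step that remains in `publish` still calls `gh pr create` or otherwise touches the pull-requests API, since with this permission removed such a call would now fail with a 403 rather than at the `git push` that prompted this change.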
@@ -62,13 +61,52 @@ jobs:
6261
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
6362
GITHUB_EVENT_RELEASE_TAG_NAME: ${{ github.event.release.tag_name }}
6463
run: gh release upload ${GITHUB_EVENT_RELEASE_TAG_NAME} ./build/distributions/*
64+
65+
post-release:
66+
name: πŸ“ Post-release version bump
67+
needs: publish
68+
runs-on: ubuntu-latest
69+
permissions:
70+
contents: write
71+
pull-requests: write
72+
environment:
73+
name: release
74+
steps:
75+
- name: πŸ“₯ Checkout
76+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
77+
with:
78+
ref: ${{ github.event.release.tag_name }}
79+
persist-credentials: false
80+
- name: β˜• Set up Java
81+
uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
82+
with:
83+
distribution: zulu
84+
java-version: 21
85+
- name: 🐘 Set up Gradle
86+
uses: gradle/actions/setup-gradle@39e147cb9de83bb9910b8ef8bd7fff0ee20fcd6f # v6
87+
- name: 🏷️ Set version from tag
88+
id: version
89+
run: |
90+
VERSION="${GITHUB_EVENT_RELEASE_TAG_NAME#v}"
91+
echo "version=$VERSION" >> $GITHUB_OUTPUT
92+
sed -i "s/^pluginVersion=.*/pluginVersion=$VERSION/" gradle.properties
93+
env:
94+
GITHUB_EVENT_RELEASE_TAG_NAME: ${{ github.event.release.tag_name }}
95+
- name: πŸ“ Update changelog
96+
if: ${{ github.event.release.body != '' }}
97+
run: |
98+
cat > /tmp/release-notes.txt << 'RELEASE_NOTES_EOF'
99+
${GITHUB_EVENT_RELEASE_BODY}
100+
RELEASE_NOTES_EOF
101+
./gradlew patchChangelog --release-note="$(cat /tmp/release-notes.txt)"
102+
env:
103+
GITHUB_EVENT_RELEASE_BODY: ${{ github.event.release.body }}
65104
- name: πŸ”’ Calculate next dev version
66105
id: next
67106
run: |
68107
VERSION="${STEPS_VERSION_OUTPUTS_VERSION}"
69108
IFS='.' read -r MAJOR MINOR PATCH <<< "$VERSION"
70-
NEXT_VERSION="$MAJOR.$MINOR.$((PATCH + 1))-dev"
71-
echo "next_version=$NEXT_VERSION" >> $GITHUB_OUTPUT
109+
echo "next_version=$MAJOR.$MINOR.$((PATCH + 1))-dev" >> $GITHUB_OUTPUT
72110
env:
73111
STEPS_VERSION_OUTPUTS_VERSION: ${{ steps.version.outputs.version }}
74112
- name: πŸ“ Create post-release PR
@@ -81,11 +119,11 @@ jobs:
81119
NEXT_VERSION="${STEPS_NEXT_OUTPUTS_NEXT_VERSION}"
82120
BRANCH="post-release-$VERSION"
83121
84-
# Save patched changelog before switching branches
85-
cp CHANGELOG.md /tmp/CHANGELOG.md
86-
87122
git config user.email "action@github.com"
88123
git config user.name "GitHub Action"
124+
git remote set-url origin "https://x-access-token:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}.git"
125+
126+
cp CHANGELOG.md /tmp/CHANGELOG.md
89127
90128
git fetch origin main
91129
git checkout -b $BRANCH origin/main
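Review bot: `git remote set-url origin "https://x-access-token:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}.git"` stores the token in `.git/config` in the workspace, so it is not really scoped to this step: every later step in the job can read it, and any git error that echoes the remote URL will print it. Prefer passing the authenticated URL only to the push (`git push "https://x-access-token:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}.git" "$BRANCH"`) or setting an `http.https://github.com/.extraheader` authorization header for the step, leaving `origin` unchanged. Also, the variable is named `GITHUB_TOKEN` while the commit message says the push uses `RELEASE_TOKEN` from the `release` environment; the env mapping is outside this hunk, so a one-line comment next to that env entry would make the intent explicit and stop a later edit from silently reverting to the default token, which cannot trigger workflows on the resulting PR. Minor: the `# Save patched changelog before switching branches` comment was dropped when the `cp CHANGELOG.md /tmp/CHANGELOG.md` line moved; keep it, since the reason for the copy is not obvious from the command alone.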
