Files
ccs/.github/workflows/dev-release.yml
T
Kai (Tam Nhu) TranandGitHub 2273757c83 fix(ci): harden self-hosted workflow trust boundaries
Keep active CCS workflows on self-hosted runners, gate self-hosted PR execution to trusted authors, and scope privileged release credentials to the exact git operations that need them.
2026-05-12 12:34:15 -04:00

191 lines
6.8 KiB
YAML

name: Dev Release
on:
push:
branches: [dev]
workflow_dispatch:
concurrency:
group: dev-release-${{ github.ref }}
cancel-in-progress: false
jobs:
guard:
if: ${{ github.ref == 'refs/heads/dev' }}
runs-on: [self-hosted, linux, x64]
outputs:
should_release: ${{ steps.release-guard.outputs.should_release }}
steps:
- name: Check release recursion guard
id: release-guard
shell: bash
run: |
SHOULD_RELEASE=true
if [[ "$GITHUB_EVENT_NAME" == "push" ]]; then
HEAD_SUBJECT=$(jq -r '.head_commit.message // "" | split("\n")[0]' "$GITHUB_EVENT_PATH")
case "$HEAD_SUBJECT" in
"chore(release): "*)
SHOULD_RELEASE=false
echo "Skipping generated dev release commit: $HEAD_SUBJECT"
;;
esac
fi
echo "should_release=$SHOULD_RELEASE" >> "$GITHUB_OUTPUT"
release:
needs: guard
if: ${{ needs.guard.outputs.should_release == 'true' }}
runs-on: [self-hosted, linux, x64]
permissions:
contents: write
issues: write
pull-requests: write
id-token: write
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
ref: dev
persist-credentials: false
- name: Setup Bun
uses: oven-sh/setup-bun@v2
with:
bun-version: '1.3.9'
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: '22'
registry-url: 'https://registry.npmjs.org'
- name: Install dependencies
run: bash scripts/ensure-deps.sh
- name: Build
run: bun run build:all
- name: Validate fast gate
run: bun run validate
- name: Test slow bucket
run: bun run test:slow
- name: Test CLI e2e
env:
CCS_E2E_SKIP_BUILD: '1'
run: bun run test:e2e
- name: Release
id: release
env:
HUSKY: 0
# PAT_TOKEN bypasses branch protection so the workflow can push
# the dev release commit and tag back to the protected dev branch.
GITHUB_TOKEN: ${{ secrets.PAT_TOKEN }}
GH_TOKEN: ${{ secrets.PAT_TOKEN }}
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
run: |
auth_header=$(printf 'x-access-token:%s' "$GITHUB_TOKEN" | base64 | tr -d '\n')
echo "::add-mask::${auth_header}"
export GIT_CONFIG_COUNT=2
export GIT_CONFIG_KEY_0=http.https://github.com/kaitranntt/ccs.extraheader
export GIT_CONFIG_VALUE_0="AUTHORIZATION: basic ${auth_header}"
export GIT_CONFIG_KEY_1=http.https://github.com/kaitranntt/ccs.git.extraheader
export GIT_CONFIG_VALUE_1="AUTHORIZATION: basic ${auth_header}"
# Use custom dev release script instead of semantic-release.
# This ensures dev versions follow {stable}-dev.{N} pattern.
chmod +x scripts/dev-release.sh
./scripts/dev-release.sh
- name: Notify Discord
if: success() && steps.release.outputs.released == 'true'
env:
DISCORD_WEBHOOK_URL: ${{ secrets.DISCORD_WEBHOOK_URL }}
run: |
if [ -z "$DISCORD_WEBHOOK_URL" ]; then
echo "DISCORD_WEBHOOK_URL not set, skipping"
exit 0
fi
node scripts/send-discord-release.cjs dev "$DISCORD_WEBHOOK_URL"
- name: Tag resolved issues
if: success() && steps.release.outputs.released == 'true'
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
PREVIOUS_DEV_TAG: ${{ steps.release.outputs.previous_dev_tag }}
STABLE_TAG: ${{ steps.release.outputs.stable_tag }}
run: |
# Get version from package.json
VERSION=$(jq -r '.version' package.json)
# Get commits ONLY since last dev tag (not all release commits)
# This prevents re-tagging issues from older releases
if [[ -n "$PREVIOUS_DEV_TAG" ]]; then
# Commits between last dev tag and current (excluding release commit)
RANGE="${PREVIOUS_DEV_TAG}..HEAD~1"
else
# First dev release - check commits since last stable tag
RANGE="${STABLE_TAG:-HEAD~10}..HEAD~1"
fi
echo "Checking commits in range: $RANGE"
COMMIT_TEXT=$(git log $RANGE --pretty=format:"%s%n%b" 2>/dev/null || true)
ISSUES_FROM_COMMITS=$(printf '%s\n' "$COMMIT_TEXT" | \
perl -ne 'if (/(fixes|closes|resolves|refs?)(.*)/i) { print "$2\n"; }' | \
grep -oE '#[0-9]+' || true)
PR_CANDIDATES=$(printf '%s\n' "$COMMIT_TEXT" | \
grep -oE "Merge pull request #[0-9]+|\\(#[0-9]+\\)" | \
grep -oE "[0-9]+" | sort -u || true)
PR_TEXT=""
for PR_NUM in $PR_CANDIDATES; do
DETAILS=$(gh pr view "$PR_NUM" --repo "${{ github.repository }}" --json title,body --jq '.title + "\n" + (.body // "")' 2>/dev/null || true)
if [[ -n "$DETAILS" ]]; then
PR_TEXT="${PR_TEXT}"$'\n'"${DETAILS}"
fi
done
ISSUES_FROM_PRS=$(printf '%s\n' "$PR_TEXT" | \
perl -ne 'if (/(fixes|closes|resolves|refs?)(.*)/i) { print "$2\n"; }' | \
grep -oE '#[0-9]+' || true)
ISSUES=$(printf '%s\n%s\n' "$ISSUES_FROM_COMMITS" "$ISSUES_FROM_PRS" | \
grep -oE "#[0-9]+" | sort -u || true)
if [[ -z "$ISSUES" ]]; then
echo "No linked issues found in range"
exit 0
fi
# Create label if needed
gh label create "released-dev" \
--color "1d76db" \
--description "Fix available in @dev npm channel" \
--repo ${{ github.repository }} 2>/dev/null || true
for ISSUE in $ISSUES; do
NUM=${ISSUE#\#}
# Skip if already has ANY release label (prevents duplicate comments)
RELEASE_LABELS=$(gh issue view "$NUM" --repo "${{ github.repository }}" --json labels --jq '[.labels[].name | select(startswith("released"))] | length' 2>/dev/null || echo "0")
if [[ "$RELEASE_LABELS" -gt 0 ]]; then
echo "Issue #$NUM already released, skipping"
continue
fi
echo "Tagging issue #$NUM"
# Remove pending-release (transition), add released-dev
gh issue edit "$NUM" --remove-label "pending-release" --add-label "released-dev" --repo "${{ github.repository }}" 2>/dev/null || \
gh issue edit "$NUM" --add-label "released-dev" --repo "${{ github.repository }}" || true
gh issue comment "$NUM" --repo "${{ github.repository }}" --body "[bot] Available in \`$VERSION\`. Install: \`ccs update --dev\`" || true
done