Create a new release PR #108
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # This workflow allows for the creation of a new release through the GitHub UI. | |
| # This is done by creating a pull request to the protected stable release branch. | |
| # From there, the publish-release.yml workflow will take over and publish the release. | |
| name: Create a new release PR | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| type: | |
| type: choice | |
| description: The SemVer level of the release | |
| options: | |
| - patch | |
| - minor | |
| - major | |
| permissions: | |
| contents: write | |
| pull-requests: write | |
| id-token: write | |
| attestations: write | |
| jobs: | |
| prepare-release: | |
| runs-on: ubuntu-latest | |
| name: Prepare a new release | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| ssh-key: ${{ secrets.SSH_PRIVATE_KEY }} | |
| ref: stable | |
| - name: Pull latest changes from master | |
| run: | | |
| git fetch origin master:master | |
| git reset --hard master | |
| - name: Remove development dependencies | |
| run: | | |
| composer remove mockery/mockery --dev --no-install | |
| composer remove pestphp/pest --dev --no-install | |
| - name: Install dependencies | |
| run: composer install --no-interaction --no-progress --no-suggest --prefer-dist | |
| - name: Bump application version | |
| id: build-version | |
| run: | | |
| php ./bin/bump-application-version.php ${{ github.event.inputs.type }} | |
| echo "version=$(php ./bin/get-release-version.php)" >> $GITHUB_OUTPUT | |
| echo "Version: v$(php ./bin/get-release-version.php)" | |
| - name: Build executable | |
| run: php hyde standalone:build --build-version-suffix="${{ steps.build-version.outputs.sha_short }}" | |
| - name: Verify executable | |
| run: php builds/hyde | |
| - name: Verify executable version | |
| run: php builds/hyde --version | |
| - name: Upload executable artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: hyde | |
| path: builds/hyde | |
| - name: Import GPG key | |
| if: github.event.repository.full_name == 'hydephp/cli' | |
| uses: crazy-max/ghaction-import-gpg@01dd5d3ca463c7f10f7f4f7b4f177225ac661ee4 | |
| with: | |
| gpg_private_key: ${{ secrets.GPG_SIGNING_PRIVATE_KEY }} | |
| passphrase: ${{ secrets.GPG_SIGNING_KEY_PASSPHRASE }} | |
| trust_level: 5 | |
| - name: Sign the executable | |
| if: github.event.repository.full_name == 'hydephp/cli' | |
| run: | | |
| gpg --local-user 657B4D97184E9E6E596E6EA13B829782D5B7BA59 \ | |
| --batch \ | |
| --yes \ | |
| --passphrase="${{ secrets.GPG_SIGNING_KEY_PASSPHRASE }}" \ | |
| --detach-sign \ | |
| --output builds/hyde.sig \ | |
| builds/hyde | |
| - name: Verify the signature | |
| if: github.event.repository.full_name == 'hydephp/cli' | |
| run: | | |
| gpg --import-ownertrust <<< "657B4D97184E9E6E596E6EA13B829782D5B7BA59:6:" | |
| gpg --verify builds/hyde.sig builds/hyde | |
| - name: Create OpenSSL fallback signature | |
| if: github.event.repository.full_name == 'hydephp/cli' | |
| run: | | |
| mkdir -p $HOME/.cert/ | |
| chmod 0700 $HOME/.cert/ | |
| echo "${{ secrets.RSA_SIGNING_PRIVATE_KEY }}" > $HOME/.cert/private_encrypted.key | |
| echo "${{ secrets.RSA_SIGNING_KEY_PASSPHRASE }}" > $HOME/.cert/passphrase.txt | |
| openssl rsa -in $HOME/.cert/private_encrypted.key -out $HOME/.cert/private.key -passin file:$HOME/.cert/passphrase.txt | |
| openssl dgst -sha512 -sign $HOME/.cert/private.key -out builds/signature.bin builds/hyde | |
| rm -rf $HOME/.cert/ | |
| - name: Upload signature artifacts | |
| if: github.event.repository.full_name == 'hydephp/cli' | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: signature | |
| path: | | |
| builds/hyde.sig | |
| builds/signature.bin | |
| - name: Attest build provenance | |
| if: false # Disabled pending issue https://github.com/actions/attest-build-provenance/issues/110 | |
| uses: actions/attest-build-provenance@v1 | |
| with: | |
| subject-path: builds/hyde | |
| - name: Reset Composer file changes | |
| run: git restore composer.json composer.lock | |
| - name: Create pull request | |
| uses: peter-evans/create-pull-request@6d6857d36972b65feb161a90e484f2984215f83e | |
| with: | |
| commit-message: "HydeCLI v${{ steps.build-version.outputs.version }}" | |
| title: "HydeCLI v${{ steps.build-version.outputs.version }}" | |
| branch: "release/v${{ steps.build-version.outputs.version }}" | |
| delete-branch: true | |
| add-paths: | | |
| app/Application.php | |
| builds/hyde | |
| builds/hyde.sig | |
| builds/signature.bin | |
| body: | | |
| This pull request was automatically created by the [HydeCLI release workflow](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}). | |
| Please review and merge it to publish a new release, which will be created automatically upon merge. | |
| reviewers: caendesilva | |
| labels: release |