Support publish-to-bcr workflow with attestations

Copybara Import from https://github.com/bazelbuild/rules_cc/pull/441

BEGIN_PUBLIC
Support publish-to-bcr workflow with attestations (#441)

Similar to https://github.com/bazelbuild/bazel-skylib/pull/581

Closes #441
END_PUBLIC

COPYBARA_INTEGRATE_REVIEW=https://github.com/bazelbuild/rules_cc/pull/441 from meteorcloudy:release d399c29748f8f59bb0bc52bacb2a95ec746d8861
PiperOrigin-RevId: 783256391
Change-Id: I4ccd53589076c948d34558c307d0213f5110bf2c
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
new file mode 100644
index 0000000..5e513ea
--- /dev/null
+++ b/.github/workflows/publish.yml
@@ -0,0 +1,35 @@
+name: Publish to BCR
+on:
+  # Run the publish workflow after a successful release
+  # Will be triggered from the release.yaml workflow
+  workflow_call:
+    inputs:
+      tag_name:
+        required: true
+        type: string
+    secrets:
+      publish_token:
+        required: true
+  # In case of problems, let release engineers retry by manually dispatching
+  # the workflow from the GitHub UI
+  workflow_dispatch:
+    inputs:
+      tag_name:
+        description: git tag being released
+        required: true
+        type: string
+jobs:
+  publish:
+    uses: bazel-contrib/publish-to-bcr/.github/workflows/publish.yaml@v0.2.2
+    with:
+      tag_name: ${{ inputs.tag_name }}
+      # GitHub repository which is a fork of the upstream where the Pull Request will be opened.
+      registry_fork: bazel-io/bazel-central-registry
+      draft: false
+    permissions:
+      attestations: write
+      contents: write
+      id-token: write
+    secrets:
+      # Necessary to push to the BCR fork, and to open a pull request against a registry
+      publish_token: ${{ secrets.publish_token || secrets.BCR_PUBLISH_TOKEN }}
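Review bot: The reusable workflow at `uses: bazel-contrib/publish-to-bcr/.github/workflows/publish.yaml@v0.2.2` is pinned by a mutable tag while the calling job hands it `id-token: write`, `contents: write`, `attestations: write` and the publish token, so whoever can move that tag controls code that runs with those privileges and produces this repository's attestations. Pin it to the release's full commit SHA and keep the tag as a trailing comment, e.g. `uses: bazel-contrib/publish-to-bcr/.github/workflows/publish.yaml@<commit-sha-of-v0.2.2> # v0.2.2`; the same applies to `release_ruleset.yaml@v7` in the release.yml hunk. Separately, the `workflow_call` input `tag_name` has no `description` while its `workflow_dispatch` twin does; copying `description: git tag being released` there keeps the two entry points documented alike.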
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 31edb4d..8e610bd 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -2,17 +2,38 @@
 name: Release
 
 on:
+  # Can be triggered from the tag.yaml workflow
+  workflow_call:
+    inputs:
+      tag_name:
+        required: true
+        type: string
+    secrets:
+      publish_token:
+        required: true
+  # Or, developers can manually push a tag from their clone
   push:
     tags:
       # Detect tags that look like a release.
       # Note that we don't use a "v" prefix to help anchor this pattern.
       # This is purely a matter of preference.
       - "*.*.*"
-
+permissions:
+  id-token: write
+  attestations: write
+  contents: write
 jobs:
   release:
     # Re-use https://github.com/bazel-contrib/.github/blob/v7/.github/workflows/release_ruleset.yaml
     uses: bazel-contrib/.github/.github/workflows/release_ruleset.yaml@v7
     with:
       prerelease: false
-      release_files: rules_cc-*.tar.gz
\ No newline at end of file
+      release_files: rules_cc-*.tar.gz
+      tag_name: ${{ inputs.tag_name || github.ref_name }}
+  publish:
+    needs: release
+    uses: ./.github/workflows/publish.yaml
+    with:
+      tag_name: ${{ inputs.tag_name || github.ref_name }}
+    secrets:
+      publish_token: ${{ secrets.publish_token || secrets.BCR_PUBLISH_TOKEN }}
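Review bot: The new `publish` job calls `uses: ./.github/workflows/publish.yaml`, but the file added in this commit is `.github/workflows/publish.yml`, so the job cannot resolve the local workflow; change the line to `uses: ./.github/workflows/publish.yml` (or rename the new file to match). The comment `# Can be triggered from the tag.yaml workflow` refers to a workflow that is not part of this diff, so it is worth confirming a caller by that name exists and supplies the now-required `publish_token` secret. Note also that the top-level `permissions:` block grants `contents: write` and `id-token: write` to every job in this workflow, not just the two that need them; declaring them per job, as the new publish.yml already does, keeps the grant scoped.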
diff --git a/.github/workflows/release_prep.sh b/.github/workflows/release_prep.sh
index 749e34f..ee237c0 100755
--- a/.github/workflows/release_prep.sh
+++ b/.github/workflows/release_prep.sh
@@ -4,7 +4,7 @@
 
 # Set by GH actions, see
 # https://docs.github.com/en/actions/learn-github-actions/environment-variables#default-environment-variables
-readonly TAG=${GITHUB_REF_NAME}
+readonly TAG=$1
 # The prefix is chosen to match what GitHub generates for source archives.
 # This guarantees that users can easily switch from a released artifact to a source archive
 # with minimal differences in their code (e.g. strip_prefix remains the same)
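Review bot: The comment above `readonly TAG=$1` still says the value is "Set by GH actions" via the default environment variables, which is no longer true now that the tag comes from the first positional argument; replace it with `# Release tag, passed as the first argument by the calling workflow (previously GITHUB_REF_NAME).`. Since `$1` is empty when the script is run by hand or the caller omits the argument, a guard before the assignment such as `[ -n "${1:-}" ] || { echo "usage: $0 <tag>" >&2; exit 1; }` makes that failure explicit instead of producing an archive with an empty tag. Whether the caller (`release_ruleset.yaml@v7`) actually passes `tag_name` as the script's argument is not visible in this diff and should be confirmed.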