name: Rollback on: workflow_dispatch: inputs: version: description: "Version to move npm latest and Docker latest to (example: 1.4.2)" required: true type: string permissions: contents: write concurrency: group: rollback-latest-${{ github.event.inputs.version }} cancel-in-progress: false jobs: rollback: name: Roll back npm and Docker latest runs-on: ubuntu-latest steps: - name: Checkout tags uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 - name: Fetch all tags run: git fetch --force --tags - name: Validate target version id: target shell: bash env: RAW_VERSION: ${{ inputs.version }} run: | set -euo pipefail VERSION="${RAW_VERSION#v}" case "$VERSION" in ''|*[!0-9.]*) echo "Invalid version: $VERSION" exit 1 ;; esac if ! [[ "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then echo "Version must be in semver format X.Y.Z" exit 1 fi if ! git rev-parse "refs/tags/v$VERSION" >/dev/null 2>&1; then echo "Git tag v$VERSION does not exist" exit 1 fi echo "version=$VERSION" >> "$GITHUB_OUTPUT" - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 with: node-version: 24 registry-url: https://registry.npmjs.org - name: Verify npm package version exists run: npm view "@trebuchet/cli@${{ steps.target.outputs.version }}" version - name: Show current npm dist-tags env: NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} run: npm dist-tag ls @trebuchet/cli - name: Set up Docker Buildx uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 - name: Log in to Gitea registry uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0 with: registry: git.farh.net username: gitea-admin password: ${{ secrets.REGISTRY_TOKEN }} - name: Verify Docker image tag exists run: docker buildx imagetools inspect "git.farh.net/farhoodlabs/trebuchet:${{ steps.target.outputs.version }}" - name: Install cosign uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 # v4.1.0 - name: Verify Docker image signature before rollback env: COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }} run: | cosign verify --key env://COSIGN_PUBLIC_KEY \ "git.farh.net/farhoodlabs/trebuchet:${{ steps.target.outputs.version }}" - name: Move Docker latest run: | docker buildx imagetools create \ --tag "git.farh.net/farhoodlabs/trebuchet:latest" \ "git.farh.net/farhoodlabs/trebuchet:${{ steps.target.outputs.version }}" - name: Move npm latest env: NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} run: npm dist-tag add "@trebuchet/cli@${{ steps.target.outputs.version }}" latest - name: Show final npm dist-tags env: NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} run: npm dist-tag ls @trebuchet/cli - name: Verify Docker latest now points to target run: docker buildx imagetools inspect "git.farh.net/farhoodlabs/trebuchet:latest" - name: Write summary run: | { echo "## Rollback latest" echo "" echo "- Target version: \`${{ steps.target.outputs.version }}\`" echo "- npm package: \`@trebuchet/cli\`" echo "- Docker image: \`git.farh.net/farhoodlabs/trebuchet\`" echo "" echo "NOTE: Gitea determines the 'latest' release by date, not a flag." echo "To re-mark \`v${{ steps.target.outputs.version }}\` as the latest" echo "release on Gitea, edit the release in the UI to bump its date." } >> "$GITHUB_STEP_SUMMARY"