privilegedescalation/headlamp-sealed-secrets-plugin
12
0
Fork 0
Code Issues 2 Pull Requests 2 Actions Packages Projects Releases 27 Wiki Activity

ci: consolidate release workflow into single step

Browse Source 
Merged prepare-release and release workflows into a single workflow
that handles everything in one job. This eliminates the need for
separate tokens or manual intervention.

Single workflow now:
- Validates version format
- Updates package.json and artifacthub-pkg.yml
- Builds and packages plugin (with type check and linting)
- Computes checksum
- Verifies tarball contents
- Updates metadata with real checksum
- Commits all changes to main
- Creates and pushes tag
- Creates GitHub release with tarball

No more tag push triggers, no separate tokens needed.
Everything runs in one workflow_dispatch job.

Generated with [Claude Code](https://claude.ai/code)
via [Happy](https://happy.engineering)

Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>
This commit is contained in:
Chris Farhood
2026-02-12 15:23:15 -05:00
parent de67b4dd1a
commit 9ee113e583
2 changed files with 64 additions and 126 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.github/workflows/prepare-release.yaml
-69
View File
@@ -1,69 +0,0 @@
name: Prepare Release
on:
workflow_dispatch:
inputs:
version:
description: 'Version to release (without v prefix, e.g., 0.2.5)'
required: true
type: string
jobs:
prepare:
runs-on: local-ubuntu-latest
permissions:
contents: write
steps:
- name: Validate version format
run: |
if ! echo "${{ inputs.version }}" | grep -qE '^[0-9]+\.[0-9]+\.[0-9]+$'; then
echo "::error::Version must be in format X.Y.Z (e.g., 0.2.5)"
exit 1
fi
- name: Checkout
uses: actions/checkout@v4
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Configure git
run: |
git config user.name "github-actions[bot]"
git config user.email "github-actions[bot]@users.noreply.github.com"
- name: Update package.json version
working-directory: ./headlamp-sealed-secrets
run: |
jq --arg version "${{ inputs.version }}" '.version = $version' package.json > package.json.tmp
mv package.json.tmp package.json
- name: Update artifacthub-pkg.yml version
run: |
VERSION="${{ inputs.version }}"
RELEASE_URL="https://github.com/${{ github.repository }}/releases/download/v${VERSION}/headlamp-sealed-secrets-${VERSION}.tar.gz"
sed -i "s|^version:.*|version: ${VERSION}|" artifacthub-pkg.yml
sed -i "s|^appVersion:.*|appVersion: ${VERSION}|" artifacthub-pkg.yml
sed -i "s|headlamp/plugin/archive-url:.*|headlamp/plugin/archive-url: \"${RELEASE_URL}\"|" artifacthub-pkg.yml
# Set placeholder checksum - will be updated after release
sed -i "s|headlamp/plugin/archive-checksum:.*|headlamp/plugin/archive-checksum: sha256:PLACEHOLDER_WILL_BE_UPDATED_AFTER_RELEASE|" artifacthub-pkg.yml
- name: Commit version bump
run: |
git add headlamp-sealed-secrets/package.json artifacthub-pkg.yml
git commit -m "chore: bump version to ${{ inputs.version }}"
git push origin main
- name: Create and push tag
run: |
git tag "v${{ inputs.version }}"
git push origin "v${{ inputs.version }}"
- name: Summary
run: |
echo "✓ Version bumped to ${{ inputs.version }}"
echo "✓ Tag v${{ inputs.version }} created"
echo ""
echo "The release workflow will now run automatically."
echo "After it completes, the checksum will be updated on main."
.github/workflows/release.yaml
+64 -57
View File
@@ -1,28 +1,48 @@
name: Release
on:
push:
tags:
- 'v*'
workflow_dispatch:
inputs:
version:
description: 'Version to release (without v prefix, e.g., 0.2.5)'
required: true
type: string
jobs:
build-and-release:
release:
runs-on: local-ubuntu-latest
permissions:
contents: write
outputs:
version: ${{ steps.extract_version.outputs.version }}
checksum: ${{ steps.compute_checksum.outputs.checksum }}
steps:
- name: Validate version format
run: |
if ! echo "${{ inputs.version }}" | grep -qE '^[0-9]+\.[0-9]+\.[0-9]+$'; then
echo "::error::Version must be in format X.Y.Z (e.g., 0.2.5)"
exit 1
fi
- name: Checkout
uses: actions/checkout@v4
- name: Extract version from tag
id: extract_version
- name: Configure git
run: |
VERSION=${GITHUB_REF_NAME#v}
echo "version=${VERSION}" >> $GITHUB_OUTPUT
echo "Version: ${VERSION}"
git config user.name "github-actions[bot]"
git config user.email "github-actions[bot]@users.noreply.github.com"
- name: Update package.json version
working-directory: ./headlamp-sealed-secrets
run: |
jq --arg version "${{ inputs.version }}" '.version = $version' package.json > package.json.tmp
mv package.json.tmp package.json
- name: Update artifacthub-pkg.yml version
run: |
VERSION="${{ inputs.version }}"
RELEASE_URL="https://github.com/${{ github.repository }}/releases/download/v${VERSION}/headlamp-sealed-secrets-${VERSION}.tar.gz"
sed -i "s|^version:.*|version: ${VERSION}|" artifacthub-pkg.yml
sed -i "s|^appVersion:.*|appVersion: ${VERSION}|" artifacthub-pkg.yml
sed -i "s|headlamp/plugin/archive-url:.*|headlamp/plugin/archive-url: \"${RELEASE_URL}\"|" artifacthub-pkg.yml
- name: Setup Node.js
uses: actions/setup-node@v4
@@ -54,8 +74,7 @@ jobs:
- name: Move tarball to root
working-directory: ./headlamp-sealed-secrets
run: |
# Get the specific tarball created by package command
TARBALL="headlamp-sealed-secrets-${{ steps.extract_version.outputs.version }}.tar.gz"
TARBALL="headlamp-sealed-secrets-${{ inputs.version }}.tar.gz"
if [ ! -f "${TARBALL}" ]; then
echo "::error::Expected tarball ${TARBALL} not found"
ls -la *.tar.gz
@@ -66,7 +85,7 @@ jobs:
- name: Validate tarball name
run: |
EXPECTED="headlamp-sealed-secrets-${{ steps.extract_version.outputs.version }}.tar.gz"
EXPECTED="headlamp-sealed-secrets-${{ inputs.version }}.tar.gz"
ACTUAL=$(ls *.tar.gz)
if [ "$EXPECTED" != "$ACTUAL" ]; then
echo "::error::Tarball name mismatch! Expected: $EXPECTED, Got: $ACTUAL"
@@ -77,14 +96,14 @@ jobs:
- name: Compute checksum
id: compute_checksum
run: |
TARBALL="headlamp-sealed-secrets-${{ steps.extract_version.outputs.version }}.tar.gz"
TARBALL="headlamp-sealed-secrets-${{ inputs.version }}.tar.gz"
CHECKSUM=$(sha256sum "$TARBALL" | awk '{print $1}')
echo "checksum=${CHECKSUM}" >> $GITHUB_OUTPUT
echo "Checksum: sha256:${CHECKSUM}"
- name: Verify tarball contents
run: |
TARBALL="headlamp-sealed-secrets-${{ steps.extract_version.outputs.version }}.tar.gz"
TARBALL="headlamp-sealed-secrets-${{ inputs.version }}.tar.gz"
echo "Tarball contents:"
tar -tzf "${TARBALL}" | head -20
@@ -95,10 +114,27 @@ jobs:
fi
echo "✓ Tarball contents validated"
- name: Update checksum in metadata
run: |
CHECKSUM="${{ steps.compute_checksum.outputs.checksum }}"
sed -i "s|headlamp/plugin/archive-checksum:.*|headlamp/plugin/archive-checksum: sha256:${CHECKSUM}|" artifacthub-pkg.yml
- name: Commit version bump and metadata
run: |
git add headlamp-sealed-secrets/package.json artifacthub-pkg.yml
git commit -m "chore: release v${{ inputs.version }}"
git push origin main
- name: Create and push tag
run: |
git tag "v${{ inputs.version }}"
git push origin "v${{ inputs.version }}"
- name: Create GitHub Release
uses: softprops/action-gh-release@v2
with:
files: headlamp-sealed-secrets-${{ steps.extract_version.outputs.version }}.tar.gz
tag_name: "v${{ inputs.version }}"
files: headlamp-sealed-secrets-${{ inputs.version }}.tar.gz
fail_on_unmatched_files: true
draft: false
prerelease: false
@@ -106,47 +142,18 @@ jobs:
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
update-metadata:
needs: build-and-release
runs-on: local-ubuntu-latest
permissions:
contents: write
steps:
- name: Checkout main branch
uses: actions/checkout@v4
with:
ref: main
token: ${{ secrets.GITHUB_TOKEN }}
- name: Configure git
run: |
git config user.name "github-actions[bot]"
git config user.email "github-actions[bot]@users.noreply.github.com"
- name: Update checksum in metadata
run: |
VERSION="${{ needs.build-and-release.outputs.version }}"
CHECKSUM="${{ needs.build-and-release.outputs.checksum }}"
sed -i "s|headlamp/plugin/archive-checksum:.*|headlamp/plugin/archive-checksum: sha256:${CHECKSUM}|" artifacthub-pkg.yml
git add artifacthub-pkg.yml
if ! git diff --cached --quiet; then
git commit -m "ci: update checksum for v${VERSION}"
git push origin main
echo "✓ Checksum updated on main branch"
else
echo "✓ Checksum already up to date"
fi
- name: Release Summary
- name: Summary
run: |
echo "Release Summary:"
echo "=================="
echo "Version: v${{ needs.build-and-release.outputs.version }}"
echo "Tarball: headlamp-sealed-secrets-${{ needs.build-and-release.outputs.version }}.tar.gz"
echo "Checksum: sha256:${{ needs.build-and-release.outputs.checksum }}"
echo "Archive URL: https://github.com/${{ github.repository }}/releases/download/v${{ needs.build-and-release.outputs.version }}/headlamp-sealed-secrets-${{ needs.build-and-release.outputs.version }}.tar.gz"
echo "Version: v${{ inputs.version }}"
echo "Tarball: headlamp-sealed-secrets-${{ inputs.version }}.tar.gz"
echo "Checksum: sha256:${{ steps.compute_checksum.outputs.checksum }}"
echo "Archive URL: https://github.com/${{ github.repository }}/releases/download/v${{ inputs.version }}/headlamp-sealed-secrets-${{ inputs.version }}.tar.gz"
echo ""
echo "✓ Version bumped to ${{ inputs.version }}"
echo "✓ Metadata updated with checksum"
echo "✓ Tag v${{ inputs.version }} created"
echo "✓ GitHub release published with tarball"
echo ""
echo "Metadata updated on main branch."
echo "Artifact Hub will sync within 5-10 minutes."