-
Notifications
You must be signed in to change notification settings - Fork 35
302 lines (255 loc) · 11.9 KB
/
bumpversion.yml
File metadata and controls
302 lines (255 loc) · 11.9 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
# GitHub action to bump version, update changelog, and create release.
# Can optionally be executed as a two-stage process with an intermediate pull request to allow reviews.
name: Bump Version
run-name: Bump version (${{ inputs.bump-type }}) by @${{ github.actor }}
# Note: Enable GitHub Actions to create pull requests in repository settings:
# Settings -> Actions -> General -> Workflow permissions -> Allow GitHub Actions to create and approve pull requests
#
# Optional secrets:
# - GPG_PRIVATE_KEY: The private GPG key for signing commits and tags
# - GPG_PASSPHRASE: The passphrase for the GPG private key (optional if key has no passphrase)
permissions:
contents: write
pull-requests: write
on:
workflow_dispatch:
inputs:
bump-type:
description: 'Version bump type'
required: true
default: 'patch'
type: choice
options:
- major
- minor
- patch
- post-review-release # Do not bump version, just create tag & release based on latest changelog
fail-on-empty-changelog:
description: 'Fail if changelog is empty'
required: false
default: true
type: boolean
create-pull-request:
description: 'Create pull request for review'
required: false
default: true
type: boolean
gpg-signing:
description: 'Sign commits and tags with GPG'
required: false
default: true
type: boolean
jobs:
bump_version:
runs-on: ubuntu-latest
outputs:
version: ${{ steps.bump.outputs.current-version }}
pr-number: ${{ steps.create_pr.outputs.pull-request-number }}
steps:
- name: Checkout repository
uses: actions/checkout@v5
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Setup Python environment
uses: astral-sh/setup-uv@v6
- name: Install bump-my-version
run: uv tool install bump-my-version
- name: Bump version
id: bump
shell: bash
run: |
if [[ "${{ inputs.bump-type }}" == "post-review-release" ]]; then
echo "::notice::Post-review release: skipping version bump"
else
echo "::notice::Bumping version with type: ${{ inputs.bump-type }}"
bump-my-version bump ${{ inputs.bump-type }}
fi
CURRENT_VERSION=$(bump-my-version show current_version)
echo "current-version=$CURRENT_VERSION" >> $GITHUB_OUTPUT
echo "::notice::Current version: $CURRENT_VERSION"
- name: Update changelog
id: changelog
uses: release-flow/keep-a-changelog-action@v2
if: ${{ inputs.bump-type != 'post-review-release' }}
with:
command: bump
version: ${{ inputs.bump-type }}
keep-unreleased-section: true
fail-on-empty-release-notes: ${{ inputs.fail-on-empty-changelog }}
- name: Query changelog for release notes
id: query_changelog
uses: release-flow/keep-a-changelog-action@v2
with:
command: query
version: latest
- name: Configure Git and GPG
id: git_setup
run: |
# Configure Git user
git config --global user.name "${{ github.actor }}"
git config --global user.email "${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com"
if ${{ inputs.gpg-signing }}; then
echo "::group::Setting up GPG signing"
# Validate required secrets
if [ -z "${{ secrets.GPG_PRIVATE_KEY }}" ]; then
echo "::error::GPG_PRIVATE_KEY secret is required when GPG signing is enabled"
exit 1
fi
# Create GPG directory with proper permissions
mkdir -p ~/.gnupg
chmod 700 ~/.gnupg
# Configure GPG for non-interactive use
cat > ~/.gnupg/gpg.conf << EOF
use-agent
pinentry-mode loopback
batch
no-tty
EOF
# Configure GPG agent for GitHub Actions
cat > ~/.gnupg/gpg-agent.conf << EOF
allow-preset-passphrase
default-cache-ttl 21600
max-cache-ttl 21600
pinentry-program /usr/bin/pinentry-curses
EOF
# Set proper permissions
chmod 600 ~/.gnupg/gpg.conf ~/.gnupg/gpg-agent.conf
# Kill any existing GPG agent and start fresh
gpgconf --kill gpg-agent 2>/dev/null || true
gpg-agent --daemon --allow-preset-passphrase 2>/dev/null || true
# Import the GPG private key
echo "Importing GPG private key..."
echo "${{ secrets.GPG_PRIVATE_KEY }}" | gpg \
--pinentry-mode loopback \
--passphrase "${{ secrets.GPG_PASSPHRASE }}" \
--import --batch --yes
# Extract GPG key ID
KEY_ID=$(echo "${{ secrets.GPG_PRIVATE_KEY }}" | \
gpg --with-colons --import-options show-only --import 2>/dev/null | \
awk -F: '/^sec:/ {print $5; exit}')
if [ -z "$KEY_ID" ]; then
echo "::error::Failed to extract GPG key ID from private key"
exit 1
fi
echo "Using GPG key ID: $KEY_ID"
# Handle passphrase preset if provided
if [ -n "${{ secrets.GPG_PASSPHRASE }}" ]; then
echo "Setting up GPG passphrase preset..."
# Extract keygrip
GPG_KEYGRIP=$(gpg --with-keygrip --list-secret-keys "$KEY_ID" 2>/dev/null | \
grep -A1 "^sec" | grep "Keygrip" | head -1 | \
sed 's/.*Keygrip = //' | tr -d ' ')
if [ -n "$GPG_KEYGRIP" ]; then
echo "Found keygrip: $GPG_KEYGRIP"
# Convert passphrase to hex format
GPG_PASSPHRASE_HEX=$(echo -n "${{ secrets.GPG_PASSPHRASE }}" | \
od -A n -t x1 | tr -d ' \n')
# Preset the passphrase in GPG agent
echo "PRESET_PASSPHRASE $GPG_KEYGRIP -1 $GPG_PASSPHRASE_HEX" | \
gpg-connect-agent --no-autostart
echo "Passphrase preset successful for keygrip: $GPG_KEYGRIP"
else
echo "::warning::Could not extract keygrip, passphrase preset may not work"
fi
else
echo "No GPG passphrase provided, assuming key has no passphrase"
fi
# Test GPG signing capability
echo "Testing GPG signing..."
if echo "test signing" | gpg \
--pinentry-mode loopback \
--passphrase "${{ secrets.GPG_PASSPHRASE }}" \
--clearsign --default-key "$KEY_ID" >/dev/null 2>&1; then
echo "::notice::GPG signing test successful"
else
echo "::error::GPG signing test failed"
exit 1
fi
# Configure Git for GPG signing
git config --global commit.gpgSign true
git config --global tag.gpgSign true
git config --global user.signingkey "$KEY_ID"
git config --global gpg.program gpg
echo "::notice::GPG signing enabled with key: $KEY_ID"
echo "::endgroup::"
else
echo "::notice::GPG signing disabled"
git config --global commit.gpgSign false
git config --global tag.gpgSign false
fi
- name: Create version commit
id: create_commit
if: ${{ inputs.bump-type != 'post-review-release' }}
run: |
git add .
git commit -m "docs: Increase version to ${{ steps.bump.outputs.current-version }}"
if ${{ inputs.create-pull-request }}; then
echo "::notice::Commit created, will be pushed via pull request"
else
echo "::notice::Pushing commit directly"
git push
fi
- name: Create Pull Request
id: create_pr
if: ${{ inputs.create-pull-request && inputs.bump-type != 'post-review-release' }}
uses: peter-evans/create-pull-request@v7
with:
title: "Bump version to ${{ steps.bump.outputs.current-version }}"
body: |
## Version Bump: ${{ steps.bump.outputs.current-version }}
This PR bumps the version to `${{ steps.bump.outputs.current-version }}` and updates the changelog.
### Next Steps
After merging this PR, trigger this workflow again with `bump type` set to `post-review-release` to create the tag and GitHub release.
### Changelog (automatically extracted from Unreleased section)
${{ steps.query_changelog.outputs.release-notes }}
---
*This PR was automatically created by the Bump Version workflow*
branch: bumpversion-${{ steps.bump.outputs.current-version }}
token: ${{ secrets.GITHUB_TOKEN }}
delete-branch: true
- name: Create version tag
id: create_tag
if: ${{ !inputs.create-pull-request || inputs.bump-type == 'post-review-release' }}
run: |
TAG_NAME="v${{ steps.bump.outputs.current-version }}"
echo "::notice::Creating tag: $TAG_NAME"
git tag "$TAG_NAME" -m "Version ${{ steps.bump.outputs.current-version }}"
git push origin "$TAG_NAME"
echo "tag-name=$TAG_NAME" >> $GITHUB_OUTPUT
- name: Create GitHub Release
id: create_release
if: ${{ !inputs.create-pull-request || inputs.bump-type == 'post-review-release' }}
uses: ncipollo/release-action@v1
with:
tag: v${{ steps.bump.outputs.current-version }}
name: v${{ steps.bump.outputs.current-version }}
body: ${{ steps.query_changelog.outputs.release-notes }}
draft: false
prerelease: false
token: ${{ secrets.GITHUB_TOKEN }}
makeLatest: true
- name: Summary
if: always()
run: |
echo "## Workflow Summary" >> $GITHUB_STEP_SUMMARY
echo "- **Bump Type:** ${{ inputs.bump-type }}" >> $GITHUB_STEP_SUMMARY
echo "- **Version:** ${{ steps.bump.outputs.current-version }}" >> $GITHUB_STEP_SUMMARY
echo "- **GPG Signing:** ${{ inputs.gpg-signing }}" >> $GITHUB_STEP_SUMMARY
if [[ "${{ steps.create_pr.outputs.pull-request-number }}" != "" ]]; then
PR_NUMBER="${{ steps.create_pr.outputs.pull-request-number }}"
PR_URL="https://github.com/${{ github.repository }}/pull/$PR_NUMBER"
echo "- **Pull Request:** [#$PR_NUMBER]($PR_URL)" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "### Next Steps" >> $GITHUB_STEP_SUMMARY
echo "1. Review and merge [Pull Request #$PR_NUMBER]($PR_URL)" >> $GITHUB_STEP_SUMMARY
echo "2. After merging, re-run this workflow with \`bump type\` set to \`post-review-release\` to create the tag and GitHub release" >> $GITHUB_STEP_SUMMARY
fi
if [[ "${{ steps.create_release.outputs.html_url }}" != "" ]]; then
RELEASE_URL="${{ steps.create_release.outputs.html_url }}"
echo "- **GitHub Release:** [Version ${{ steps.bump.outputs.current-version }}]($RELEASE_URL)" >> $GITHUB_STEP_SUMMARY
fi
echo "" >> $GITHUB_STEP_SUMMARY
echo "### 📋 Workflow Details" >> $GITHUB_STEP_SUMMARY
echo "- **Triggered by:** @${{ github.actor }}" >> $GITHUB_STEP_SUMMARY
echo "- **Repository:** ${{ github.repository }}" >> $GITHUB_STEP_SUMMARY
echo "- **Run ID:** [${{ github.run_id }}](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }})" >> $GITHUB_STEP_SUMMARY