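# Copyright 2026 Phillip Cloud
# Licensed under the Apache License, Version 2.0
#
# Weekly release workflow. On a schedule (or manual dispatch) it mints a
# GitHub App token, checks out the default branch with full history, refuses
# to release unless every check required by the `main` branch ruleset has a
# successful check run for HEAD, and then hands the app token to
# ci/release/run.bash.
name: Scheduled Release

on:
  schedule:
    # 07:00 UTC on Sundays: 3am America/New_York during EDT, 2am during EST
    # (cron is evaluated in UTC and does not follow daylight-saving changes).
    - cron: "0 7 * * 0"
  workflow_dispatch: {}

# One release at a time; a run already in flight is allowed to finish rather
# than being cancelled half-way through a publish.
concurrency:
  group: scheduled-release
  cancel-in-progress: false

# Default GITHUB_TOKEN is read-only; the job below opts in to what it needs.
permissions:
  contents: read

jobs:
  semantic-release:
    name: Semantic Release
    runs-on: blacksmith-2vcpu-ubuntu-2404
    # NOTE(review): these grants apply to the default GITHUB_TOKEN only. Every
    # step below authenticates with the app token instead, so confirm the
    # default token still needs `contents: write` (e.g. inside run.bash).
    permissions:
      checks: read
      contents: write
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
        with:
          deploy-on-self-hosted-vm: true
          # `audit` only records outbound connections; it does not block them.
          # Switch to `block` with an allow-list once the endpoints the
          # release needs are known.
          egress-policy: audit
          disable-sudo-and-containers: true

      # Short-lived installation token scoped to the app; used for every API
      # call and git operation below instead of the default GITHUB_TOKEN.
      - name: Generate app token
        id: app-token
        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
        with:
          client-id: ${{ secrets.APP_ID }}
          private-key: ${{ secrets.APP_PRIVATE_KEY }}

      # Full history (fetch-depth 0) is required for semantic-release to
      # derive the next version from past tags and commits.
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          fetch-depth: 0
          token: ${{ steps.app-token.outputs.token }}
          # Do not leave the app token in .git/config for later steps.
          persist-credentials: false

      # Gate: the default branch HEAD must have a successful check run for
      # every status check the `main` ruleset requires. With no required
      # checks configured the release would be unguarded, so that aborts too.
      #
      # GitHub's default `run` shell is `bash -eo pipefail`, so a non-zero
      # exit from gh or jq (including `halt_error(1)`) fails the step.
      #
      # `per_page=100` is the API maximum; the default page of 30 check runs
      # could drop a required check and report it as missing (fail-closed,
      # but a spurious failure).
      #
      # NOTE(review): an in-progress re-run has `completed_at == null`, which
      # sorts first in jq, so `last` picks the older completed run of that
      # name — confirm that is the intended semantics rather than requiring
      # the latest run to have completed.
      - name: Verify HEAD passed required checks
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
          HEAD_SHA: ${{ github.sha }}
          REPO: ${{ github.repository }}
        run: |
          sha="$HEAD_SHA"
          # Fetch required check names from the branch ruleset
          required=$(gh api "repos/$REPO/rules/branches/main" \
            --jq '[.[] | select(.type == "required_status_checks") | .parameters.required_status_checks[].context] |
              if length == 0 then "::error::No required status checks found for main. Aborting release." | halt_error(1)
              else . end')
          # Fetch all check runs for HEAD once, then verify each required check
          gh api "repos/$REPO/commits/$sha/check-runs?per_page=100" \
            --jq '.check_runs | group_by(.name) | map(sort_by(.completed_at) | last | {name, conclusion})' \
            | jq --argjson required "$required" -e '
                ($required - [.[].name]) as $missing |
                if ($missing | length) > 0 then
                  "::error::Missing checks for \($missing | join(", "))" | halt_error(1)
                else . end |
                map(select(.name as $n | $required | index($n))) |
                map(select(.conclusion != "success")) |
                if length > 0 then
                  map("::error::\(.name) is \(.conclusion // "none"), expected success") | .[] | halt_error(1)
                else true end'

      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version: lts/*

      # The app token, not the default GITHUB_TOKEN, is what authorises the
      # release push/publish performed by the script.
      - name: Run semantic-release
        run: bash ci/release/run.bash
        env:
          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}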