goose/.github/workflows/release.yml
dependabot[bot] 782f69f175
chore(deps): bump actions/checkout from 6.0.2 to 7.0.0 (#10236)
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-07-05 22:20:17 +00:00

193 lines
6.4 KiB
YAML

# This workflow builds release artifacts for release branches and publishes tagged releases.
on:
push:
paths-ignore:
- "documentation/**"
branches:
- "release/*"
tags:
- "v1.*"
name: Release
permissions:
id-token: write # Required for Sigstore OIDC signing and AWS OIDC (Windows signing)
contents: write # Required for creating releases and by actions/checkout
actions: read # May be needed for some workflows
pull-requests: write # Required for npm publish workflow
attestations: write # Required for SLSA build provenance attestations
env:
# Set this repository Actions variable to "true" in GitHub Settings > Secrets and variables
# > Actions > Variables after a release containing desktop app-update.yml has shipped.
ENABLE_MAC_NATIVE_AUTO_UPDATE: ${{ vars.ENABLE_MAC_NATIVE_AUTO_UPDATE || 'false' }}
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
# ------------------------------------
# 1) Build CLI for multiple OS/Arch
# ------------------------------------
build-cli:
uses: ./.github/workflows/build-cli.yml
# ------------------------------------
# 2) Upload Install CLI Script
# ------------------------------------
install-script:
name: Upload Install Script
runs-on: ubuntu-latest
needs: [build-cli]
steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
- uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: download_cli.sh
path: download_cli.sh
# ------------------------------------------------------------
# 3) Bundle Desktop App (macOS)
# ------------------------------------------------------------
bundle-desktop:
uses: ./.github/workflows/bundle-desktop.yml
permissions:
id-token: write
contents: read
with:
signing: ${{ startsWith(github.ref, 'refs/tags/') }}
environment: ${{ startsWith(github.ref, 'refs/tags/') && 'signing' || '' }}
secrets: inherit
# ------------------------------------------------------------
# 4) Bundle Desktop App (macOS)
# ------------------------------------------------------------
bundle-desktop-intel:
uses: ./.github/workflows/bundle-desktop-intel.yml
permissions:
id-token: write
contents: read
with:
signing: ${{ startsWith(github.ref, 'refs/tags/') }}
environment: ${{ startsWith(github.ref, 'refs/tags/') && 'signing' || '' }}
secrets: inherit
# ------------------------------------------------------------
# 5) Bundle Desktop App (Linux)
# ------------------------------------------------------------
bundle-desktop-linux:
uses: ./.github/workflows/bundle-desktop-linux.yml
# # ------------------------------------------------------------
# # 6) Bundle Desktop App (Windows)
# # ------------------------------------------------------------
bundle-desktop-windows:
uses: ./.github/workflows/bundle-desktop-windows.yml
permissions:
id-token: write
contents: read
actions: read
with:
signing: ${{ startsWith(github.ref, 'refs/tags/') }}
secrets: inherit
bundle-desktop-windows-cuda:
uses: ./.github/workflows/bundle-desktop-windows.yml
permissions:
id-token: write
contents: read
actions: read
with:
signing: ${{ startsWith(github.ref, 'refs/tags/') }}
windows_variant: cuda
secrets: inherit
# ------------------------------------
# 7) Create/Update GitHub Release
# ------------------------------------
release:
name: Release
if: startsWith(github.ref, 'refs/tags/')
runs-on: ubuntu-latest
needs: [build-cli, install-script, bundle-desktop, bundle-desktop-intel, bundle-desktop-linux, bundle-desktop-windows, bundle-desktop-windows-cuda]
permissions:
contents: write
id-token: write # Required for Sigstore OIDC signing
attestations: write # Required for SLSA build provenance attestations
steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
- name: Download all artifacts
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
merge-multiple: true
- name: Generate macOS update manifest
if: ${{ env.ENABLE_MAC_NATIVE_AUTO_UPDATE == 'true' }}
run: node ui/desktop/scripts/generate-mac-update-manifest.js --version "${GITHUB_REF_NAME}" --directory .
- name: Attest macOS update manifest
if: ${{ env.ENABLE_MAC_NATIVE_AUTO_UPDATE == 'true' }}
uses: actions/attest-build-provenance@0f67c3f4856b2e3261c31976d6725780e5e4c373 # v4.1.1
with:
subject-path: latest-mac.yml
- name: Attest build provenance
uses: actions/attest-build-provenance@0f67c3f4856b2e3261c31976d6725780e5e4c373 # v4.1.1
with:
subject-path: |
goose-*.tar.bz2
goose-*.tar.gz
goose-*.zip
Goose*.zip
*.deb
*.rpm
*.flatpak
download_cli.sh
# Create/update the versioned release
- name: Release versioned
uses: ncipollo/release-action@339a81892b84b4eeb0f6e744e4574d79d0d9b8dd # v1.21.0
with:
token: ${{ secrets.GITHUB_TOKEN }}
artifacts: |
goose-*.tar.bz2
goose-*.tar.gz
goose-*.zip
Goose*.zip
*.deb
*.rpm
*.flatpak
download_cli.sh
allowUpdates: true
omitBody: true
omitPrereleaseDuringUpdate: true
# Create/update the stable release
- name: Release stable
uses: ncipollo/release-action@339a81892b84b4eeb0f6e744e4574d79d0d9b8dd # v1.21.0
with:
tag: stable
name: Stable
token: ${{ secrets.GITHUB_TOKEN }}
artifacts: |
goose-*.tar.bz2
goose-*.tar.gz
goose-*.zip
Goose*.zip
*.deb
*.rpm
*.flatpak
download_cli.sh
allowUpdates: true
omitBody: true
omitPrereleaseDuringUpdate: true
- name: Upload macOS update manifest
if: ${{ env.ENABLE_MAC_NATIVE_AUTO_UPDATE == 'true' }}
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
gh release upload "${GITHUB_REF_NAME}" latest-mac.yml --clobber
gh release upload stable latest-mac.yml --clobber