.github/workflows/release: sign zip before sending pull request #11
| name: Release (Bazel) | ||
| on: | ||
| # Allow manual triggering from GH UI | ||
| workflow_dispatch: | ||
| inputs: | ||
| tag_name: | ||
| required: true | ||
| type: string | ||
| # Automated trigger from the release.yaml workflow | ||
| workflow_call: | ||
| inputs: | ||
| tag_name: | ||
| required: true | ||
| type: string | ||
| secrets: | ||
| BCR_PUBLISH_TOKEN: | ||
| description: 'Token for pushing to re2-machine/bazel-central-registry' | ||
| required: true | ||
| jobs: | ||
| permissions: | ||
| contents: write | ||
| id-token: write | ||
| attestations: write | ||
| sign: | ||
| uses: bazel-contrib/.github/.github/workflows/[email protected] | ||
| with: | ||
| release_files: *.zip | ||
| prerelease: false | ||
| tag_name: ${{ inputs.tag_name || github.ref_name }} | ||
| send-pull-request: | ||
| needs: sign | ||
| uses: bazel-contrib/publish-to-bcr/.github/workflows/[email protected] | ||
| with: | ||
| tag_name: ${{ inputs.tag_name }} | ||
| # This workflow seems to require keeping a fork of the upstream to open | ||
| # PRs from. | ||
| registry_fork: re2-machine/bazel-central-registry | ||
| attest: true | ||
| secrets: | ||
| # Necessary to push to the BCR fork, and to open a pull request against a registry | ||
| publish_token: ${{ secrets.BCR_PUBLISH_TOKEN }} | ||
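Review bot: In the `sign` job, `release_files: *.zip` is unquoted, and YAML reads a plain scalar that starts with `*` as an alias reference, so the workflow will most likely fail to load rather than sign the archive; quote it as `release_files: '*.zip'`. The two jobs also compute the tag differently: `sign` uses `${{ inputs.tag_name || github.ref_name }}` while `send-pull-request` uses `${{ inputs.tag_name }}`, and since `tag_name` is required on both triggers the same expression should be used in both so the signed release and the published entry cannot refer to different tags. The refs after `@` on the two `uses:` lines are not legible on this page; because the workflow requests `contents: write`, `id-token: write` and `attestations: write` and passes `BCR_PUBLISH_TOKEN` to a reusable workflow, confirm both are pinned to a full commit SHA rather than a movable tag. Indentation is lost in this view, so I could not check which job the `permissions:` block is scoped to.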