ci: Update release workflow tokens and permissions (shaka-project#87)

Also: - Upgrades release-please and simplifies the release workflow using the new JSON updater feature of release-please - Replaces a third-party action with the official GitHub command line, to avoid exposing priveleged tokens to a third-party - Drop explicit usage of node 12, which no longer works with our package lock
joeyparrish · Dec 11, 2024 · e2ef7a9 · e2ef7a9
1 parent 3de3e4c
commit e2ef7a9
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 36 deletions.
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
@@ -9,51 +9,28 @@ jobs:
   release-please:
     runs-on: ubuntu-latest
     steps:
-      - uses: google-github-actions/release-please-action@v3
+      - uses: googleapis/release-please-action@v4
         id: release
         with:
-          release-type: node
-
-      - uses: actions/checkout@v4
-        with:
-          ref: ${{ github.event.after }}
-
-      # If we didn't create a release, we may have created or updated a PR.
-      - run: |
-          # Check out the branch that release-please created, if it exists.
-          git fetch
-          git checkout release-please--branches--main || exit 0
-          # If it does exist, update manifest.json in the PR branch.
-          # release-please can't update it for us yet.  See:
-          # https://github.com/googleapis/release-please/issues/1171
-          VERSION=$(jq -r .version package.json)
-          cp manifest.json manifest.json.orig
-          jq -r ".version = \"$VERSION\"" manifest.json.orig > manifest.json
-          git add manifest.json
-          # Emulate the author of the existing commit (the bot).
-          git config user.email "$(git log -n 1 --format='%ae')"
-          git config user.name "$(git log -n 1 --format='%an')"
-          # Update the PR.
-          git commit --amend --no-edit
-          git push -f
-        if: ${{ ! steps.release.outputs.release_created }}
+          # Use a special shaka-bot access token for releases.
+          token: ${{ secrets.RELEASE_PLEASE_TOKEN }}
+          # See also settings in these files:
+          manifest-file: .release-please-manifest.json
+          config-file: .release-please-config.json
 
       # If we did create a release, we should attach the extension's zip file
       # to it.
-      - uses: actions/setup-node@v1
+      - uses: actions/checkout@v4
         with:
-          node-version: 12
-          registry-url: 'https://registry.npmjs.org'
+          ref: ${{ github.event.after }}
         if: ${{ steps.release.outputs.release_created }}
 
       - run: npm run build
         if: ${{ steps.release.outputs.release_created }}
 
-      - uses: svenstaro/upload-release-action@483c1e56f95e88835747b1c7c60581215016cbf2
-        with:
-          repo_token: ${{ secrets.GITHUB_TOKEN }}
-          tag: ${{ steps.release.outputs.tag_name }}
-          file: eme_logger-*.zip
-          file_glob: true
-          overwrite: true
+      - name: Attach files to release
+        env:
+          GH_TOKEN: ${{ secrets.RELEASE_PLEASE_TOKEN }}
+        run: |
+          gh release upload --clobber "${{ steps.release.outputs.tag_name }}" eme_logger-*.zip
         if: ${{ steps.release.outputs.release_created }}
diff --git a/.release-please-config.json b/.release-please-config.json
@@ -0,0 +1,17 @@
+{
+  "packages": {
+    ".": {
+      "include-component-in-tag": false,
+      "include-v-in-tag": true,
+      "component": "",
+      "release-type": "node",
+      "extra-files": [
+        {
+          "type": "json",
+          "path": "manifest.json",
+          "jsonpath": "$.version"
+        }
+      ]
+    }
+  }
+}
diff --git a/.release-please-manifest.json b/.release-please-manifest.json
@@ -0,0 +1,3 @@
+{
+  ".": "3.4.0"
+}