fix(ci): guard release.yml against non-tag refs and pass body inline
The release-action@main reads GITHUB_REF directly and rejects anything that doesn't start with refs/tags/. The previous workflow tried to work around this by passing tag_name as an action input, but the action's action.yml never declared tag_name (or body_path) - both inputs were silently ignored, which is why every Gitea release since v1.4.1 was published with an empty body. Changes: - New "Validate tag ref" step fails fast with a clear message when the workflow is dispatched from a branch ref instead of a tag ref. - workflow_dispatch.inputs.tag dropped; recovery now means picking the tag from Gitea's Ref dropdown so GITHUB_REF lines up with refs/tags/. - release-body.md is re-emitted as a step output and passed via body: (the input the action actually reads) instead of body_path. - tag_name input removed from the action call - the action derives the tag from GITHUB_REF_NAME on its own.
This commit is contained in:
@@ -20,16 +20,12 @@ on:
|
|||||||
push:
|
push:
|
||||||
tags:
|
tags:
|
||||||
- "v*"
|
- "v*"
|
||||||
# Manual recovery trigger. Use when a tag was pushed but the auto-run
|
# Manual recovery trigger. Use Gitea's "Run workflow" UI and select the
|
||||||
# was missed or failed: `gh workflow run release.yml -f tag=v0.6.1`.
|
# tag (e.g. v1.4.4) from the Ref dropdown - not main. The Validate tag
|
||||||
# The tag input is validated against the same semver regex as the
|
# ref step below hard-fails if a non-tag ref is selected, because the
|
||||||
# auto-trigger before any string interpolation happens.
|
# release-action reads GITHUB_REF directly and rejects anything that
|
||||||
|
# does not start with refs/tags/.
|
||||||
workflow_dispatch:
|
workflow_dispatch:
|
||||||
inputs:
|
|
||||||
tag:
|
|
||||||
description: "Existing tag to (re)release, e.g. v0.6.1"
|
|
||||||
required: true
|
|
||||||
type: string
|
|
||||||
|
|
||||||
permissions:
|
permissions:
|
||||||
contents: write
|
contents: write
|
||||||
@@ -41,14 +37,21 @@ jobs:
|
|||||||
timeout-minutes: 20
|
timeout-minutes: 20
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
# On push:tags, github.ref_name is the tag — checkout default works.
|
# release-action@main reads GITHUB_REF directly (its action.yml
|
||||||
# On workflow_dispatch, ref defaults to the branch the action was
|
# does not declare a tag_name input). Validate up-front so manual
|
||||||
# invoked from; we need to explicitly check out the tag the user
|
# dispatches from a branch ref fail loud here instead of burning
|
||||||
# supplied so the build comes from the tagged commit, not main.
|
# a full build before the final step errors out with "ref X is
|
||||||
|
# not a tag".
|
||||||
|
- name: Validate tag ref
|
||||||
|
run: |
|
||||||
|
if [[ "${GITHUB_REF}" != refs/tags/v* ]]; then
|
||||||
|
echo "::error::Release workflow must run on a v*.X.Y tag ref, got ${GITHUB_REF}"
|
||||||
|
echo "::error::Push a tag, or pick the tag (not main) in the workflow_dispatch Ref dropdown."
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
- name: Checkout
|
- name: Checkout
|
||||||
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
|
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
|
||||||
with:
|
|
||||||
ref: ${{ github.event.inputs.tag || github.ref }}
|
|
||||||
|
|
||||||
- name: Setup .NET 10
|
- name: Setup .NET 10
|
||||||
uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5
|
uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5
|
||||||
@@ -89,12 +92,11 @@ jobs:
|
|||||||
- name: Generate release body
|
- name: Generate release body
|
||||||
shell: pwsh
|
shell: pwsh
|
||||||
env:
|
env:
|
||||||
# workflow_dispatch carries the user-supplied tag in inputs.tag;
|
# github.ref_name is the tag because Validate tag ref above
|
||||||
# push:tags carries it in github.ref_name. Either way the value
|
# already enforced refs/tags/v*. Read via env: so the value
|
||||||
# is treated as a PowerShell variable (env-var pass), not as
|
# is a PowerShell variable, not inline shell text, and gets
|
||||||
# inline shell text, and validated against the semver regex
|
# re-validated against the semver regex below.
|
||||||
# below before any string interpolation.
|
TAG_NAME: ${{ github.ref_name }}
|
||||||
TAG_NAME: ${{ github.event.inputs.tag || github.ref_name }}
|
|
||||||
run: |
|
run: |
|
||||||
$tag = $env:TAG_NAME
|
$tag = $env:TAG_NAME
|
||||||
if ($tag -notmatch '^v\d+\.\d+\.\d+$') {
|
if ($tag -notmatch '^v\d+\.\d+\.\d+$') {
|
||||||
@@ -154,19 +156,28 @@ jobs:
|
|||||||
Write-Host $body
|
Write-Host $body
|
||||||
Write-Host "----------------------------------------"
|
Write-Host "----------------------------------------"
|
||||||
|
|
||||||
|
# release-action@main only declares files/title/body/pre_release/
|
||||||
|
# draft/api_key/insecure as inputs (see its action.yml). It silently
|
||||||
|
# ignores anything else, including body_path and tag_name. The tag
|
||||||
|
# itself comes from GITHUB_REF, the body must be passed inline via
|
||||||
|
# body:, so we re-emit release-body.md as a step output first.
|
||||||
|
- name: Expose release body for release-action
|
||||||
|
id: body
|
||||||
|
shell: bash
|
||||||
|
run: |
|
||||||
|
{
|
||||||
|
echo 'content<<RELEASE_BODY_EOF'
|
||||||
|
cat release-body.md
|
||||||
|
echo 'RELEASE_BODY_EOF'
|
||||||
|
} >> "$GITHUB_OUTPUT"
|
||||||
|
|
||||||
# Gitea-native release action. Creates the release if the tag has no
|
# Gitea-native release action. Creates the release if the tag has no
|
||||||
# release yet, or updates the existing one. body_path provides the
|
# release yet, or updates the existing one with latest.zip attached
|
||||||
# generated release body, files attaches latest.zip. The auto-injected
|
# and the generated body. The auto-injected GITHUB_TOKEN on Gitea
|
||||||
# GITHUB_TOKEN on Gitea Actions has Gitea-API scope and is sufficient
|
# Actions has Gitea-API scope and is sufficient for release write.
|
||||||
# for release write.
|
|
||||||
- name: Attach to Gitea release
|
- name: Attach to Gitea release
|
||||||
uses: https://gitea.com/actions/release-action@main
|
uses: https://gitea.com/actions/release-action@main
|
||||||
with:
|
with:
|
||||||
# Explicit tag_name so the action targets the correct release in
|
|
||||||
# both push:tags (auto) and workflow_dispatch (manual recovery)
|
|
||||||
# modes. Without this, dispatch runs would default to the branch
|
|
||||||
# ref (main) and fail to find the release.
|
|
||||||
tag_name: ${{ github.event.inputs.tag || github.ref_name }}
|
|
||||||
files: ${{ steps.locate.outputs.path }}
|
files: ${{ steps.locate.outputs.path }}
|
||||||
body_path: release-body.md
|
body: ${{ steps.body.outputs.content }}
|
||||||
api_key: ${{ secrets.GITHUB_TOKEN }}
|
api_key: ${{ secrets.GITHUB_TOKEN }}
|
||||||
|
|||||||
Reference in New Issue
Block a user