From 94664b461308a5e585f04770e8d7ed1b849660dc Mon Sep 17 00:00:00 2001 From: krassowski <5832902+krassowski@users.noreply.github.com> Date: Thu, 5 Sep 2024 12:39:03 +0100 Subject: [PATCH] Update release scripts to user trusted publisher --- .github/workflows/prep-release.yml | 14 ++++++++++---- .github/workflows/publish-release.yml | 20 +++++++++++--------- 2 files changed, 21 insertions(+), 13 deletions(-) diff --git a/.github/workflows/prep-release.yml b/.github/workflows/prep-release.yml index d5c7f795..396330bb 100644 --- a/.github/workflows/prep-release.yml +++ b/.github/workflows/prep-release.yml @@ -12,6 +12,10 @@ on: post_version_spec: description: "Post Version Specifier" required: false + silent: + description: "Set a placeholder in the changelog and don't publish the release." + required: false + type: boolean since: description: "Use PRs with activity since this date or git reference" required: false @@ -22,18 +26,20 @@ on: jobs: prep_release: runs-on: ubuntu-latest + permissions: + contents: write steps: - uses: jupyterlab/maintainer-tools/.github/actions/base-setup@v1 - name: Prep Release id: prep-release - uses: fcollonval/jupyter_releaser/.github/actions/prep-release@1e5300b94b842e61d4f10bed0db8e855c8fe9108 - env: - RH_TAG_FORMAT: "{version}" + uses: jupyter-server/jupyter_releaser/.github/actions/prep-release@v2 with: - token: ${{ secrets.ADMIN_GITHUB_TOKEN }} + token: ${{ secrets.GITHUB_TOKEN }} version_spec: ${{ github.event.inputs.version_spec }} + silent: ${{ github.event.inputs.silent }} post_version_spec: ${{ github.event.inputs.post_version_spec }} + target: ${{ github.event.inputs.target }} branch: ${{ github.event.inputs.branch }} since: ${{ github.event.inputs.since }} since_last_stable: ${{ github.event.inputs.since_last_stable }} diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml index d6d12e7c..c1881060 100644 --- a/.github/workflows/publish-release.yml +++ b/.github/workflows/publish-release.yml @@ -15,20 +15,23 @@ on: jobs: publish_release: runs-on: ubuntu-latest + environment: release permissions: - # This is useful if you want to use PyPI trusted publisher - # and NPM provenance id-token: write steps: - uses: jupyterlab/maintainer-tools/.github/actions/base-setup@v1 + - uses: actions/create-github-app-token@v1 + id: app-token + with: + app-id: ${{ vars.APP_ID }} + private-key: ${{ secrets.APP_PRIVATE_KEY }} + - name: Populate Release id: populate-release - uses: fcollonval/jupyter_releaser/.github/actions/populate-release@1e5300b94b842e61d4f10bed0db8e855c8fe9108 - env: - RH_TAG_FORMAT: "{version}" + uses: jupyter-server/jupyter_releaser/.github/actions/populate-release@v2 with: - token: ${{ secrets.ADMIN_GITHUB_TOKEN }} + token: ${{ steps.app-token.outputs.token }} branch: ${{ github.event.inputs.branch }} release_url: ${{ github.event.inputs.release_url }} steps_to_skip: ${{ github.event.inputs.steps_to_skip }} @@ -37,10 +40,9 @@ jobs: id: finalize-release env: NPM_TOKEN: ${{ secrets.NPM_TOKEN }} - RH_TAG_FORMAT: "{version}" - uses: fcollonval/jupyter_releaser/.github/actions/finalize-release@1e5300b94b842e61d4f10bed0db8e855c8fe9108 + uses: jupyter-server/jupyter_releaser/.github/actions/finalize-release@v2 with: - token: ${{ secrets.ADMIN_GITHUB_TOKEN }} + token: ${{ steps.app-token.outputs.token }} release_url: ${{ steps.populate-release.outputs.release_url }} - name: "** Next Step **"