Improve security of 'create release' workflow #1

Workflow file for this run

.github/workflows/create-release.yml at a545e3e

	name: Create Release

	on:
	push:
	tags:
	- 'build#..*'

	env:
	PREFIX_REGEX: 'build#(.*)'
	IS_PRERELEASE: ${{ !startsWith(github.ref, 'refs/tags/build#') \|\| contains(github.ref, '-') }}

	permissions:
	contents: read

	jobs:
	create-release:
	runs-on: ubuntu-latest
	permissions:
	# Give the default GITHUB_TOKEN write permission to commit and push the
	# added or changed files to the repository.
	contents: write

	steps:
	- name: Harden runner
	uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
	with:
	egress-policy: audit

	- name: Check out source code
	uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

	- name: Set up node
	uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
	with:
	node-version: 20
	cache: 'npm'

	- name: Install dependencies
	run: npm ci

	- name: Get current tag
	id: get-tag
	uses: devops-actions/action-get-tag@19f393df16cb09284484fb49bf678004bf50896a # v1.0.3
	with:
	strip_v: false

	- name: Get the new version
	# Remove the prefix
	id: get-version
	run: \|
	rctag=${{ steps.get-tag.outputs.tag }}
	re='${{ env.PREFIX_REGEX }}'
	if [[ $rctag =~ $re ]]; then
	echo "::debug::Tag matches regex pattern"
	rctag=${BASH_REMATCH[1]}
	else
	echo "::debug::Tag DOES NOT match regex pattern"
	fi
	echo "version=$rctag" >> "$GITHUB_OUTPUT"

	- name: Update package version to ${{ steps.get-version.outputs.version }}
	uses: BellCubeDev/update-package-version-by-release-tag@1f8aff46e596cd4f81166e8e437e5a117cab20bc # v2
	with:
	version: ${{ steps.get-version.outputs.version }}

	- name: Update library package version to ${{ steps.get-version.outputs.version }}
	uses: BellCubeDev/update-package-version-by-release-tag@1f8aff46e596cd4f81166e8e437e5a117cab20bc # v2
	with:
	version: ${{ steps.get-version.outputs.version }}
	package-json-path: './projects/log4ngx/package.json'

	- name: Commit updated package
	uses: stefanzweifel/git-auto-commit-action@8621497c8c39c72f3e2a999a26b4ca1b5058a842 # v5.0.1
	with:
	commit_message: NPM package version updated to ${{ steps.get-version.outputs.version }}
	branch: main
	commit_user_name: ${{ github.actor }}
	commit_user_email: ${{ github.actor }}@users.noreply.github.com

	- name: Update git tag on latest commit
	# The deletes the original prefixed tag on the remote (origin) repo but
	# obviously doesn't remove it from any local repos that created/pulled
	# the tag beforehand. That shouldn't be an issue though, as we're only
	# tidying it up because it's redundant.
	run: \|
	git tag -d ${{ steps.get-tag.outputs.tag }}
	git push origin :refs/tags/${{ steps.get-tag.outputs.tag }}
	git tag v${{ steps.get-version.outputs.version }}
	git push origin --tags

	- name: Create draft Github pre-release for ${{ steps.get-version.outputs.version }} (${{ env.IS_PRERELEASE }})
	if: env.IS_PRERELEASE == 'true'
	uses: softprops/action-gh-release@c062e08bd532815e2082a85e87e3ef29c3e6d191 # v2.0.8
	with:
	name: ${{ steps.get-version.outputs.version }}
	tag_name: ${{ steps.get-version.outputs.version }}
	prerelease: true
	draft: true

	- name: Create draft Github release for ${{ steps.get-version.outputs.version }} (!${{ env.IS_PRERELEASE }})
	if: env.IS_PRERELEASE == 'false'
	uses: softprops/action-gh-release@c062e08bd532815e2082a85e87e3ef29c3e6d191 # v2.0.8
	with:
	name: ${{ steps.get-version.outputs.version }}
	tag_name: ${{ steps.get-version.outputs.version }}
	prerelease: false
	draft: true

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Improve security of 'create release' workflow #1

Workflow file

Improve security of 'create release' workflow #1

Jobs

Run details

Workflow file for this run