chore: bump ospo-reusable-workflows release.yaml to v1.0.1 #24
Open
jmeridth wants to merge 3 commits into
## What

Pin the reusable release workflow to v1.0.0 (SHA 592067a69a43d2285f933753d89a7c9d51b96530). Add a Breaking Changes category to release-drafter.

## Why

v1.0.0 of ospo-reusable-workflows broadens the release trigger to include breaking, feature, vuln, and release labels and folds GoReleaser, container image build, attestation, and discussion creation into the reusable workflow itself. Surfacing breaking changes prominently in release notes aligns the changelog with the new label-based release triggers.

## Notes

- The outer label-filter `if:` block on the release job is removed because the v1.0 reusable workflow now handles label filtering internally.
- Trigger updated to pull_request_target so the workflow can push tags via GITHUB_TOKEN.

Signed-off-by: jmeridth <jmeridth@gmail.com>

## What

Expand the release job's permissions block to include packages, id-token, attestations, and discussions. v1.0 of ospo-reusable-workflows/release.yaml declares those permissions on its internal release_image, release_goreleaser, and release_discussion jobs, and GitHub validates them at workflow startup regardless of whether the if: filter would skip the job.

## Why

The initial v1.0 bump shipped a too-narrow permissions block. When pull_request_target.closed fires on merge, GitHub validates the called workflow's job permissions against the caller and rejects the run with startup_failure. Aligning the caller's release job permissions with the ospo/stale-repos reference fixes the validation.

## Notes

- All extra permissions are required by GitHub's static validation even when the matching reusable-workflow job is gated by if: and would not actually run.

## Testing

After merging, the next merged PR will trigger a successful Release workflow startup (no more startup_failure).

Signed-off-by: jmeridth <jmeridth@gmail.com>

## What

Bump the pin on ospo-reusable-workflows/release.yaml from v1.0.0 to v1.0.1 (SHA e92cb6053ace495fe40a5f185988557afcdcecbc).

## Why

v1.0.1 lands two fixes from upstream PR #138:

1. release_discussion runs only after publish_release succeeds.
2. release_goreleaser auto-installs syft when GoReleaser config declares an sboms: block.

## Notes

- No caller-side configuration changes are required; v1.0.1 is backward-compatible with v1.0.0 inputs and secrets.
- This commit folds into the existing PR; the cumulative PR now lands at v1.0.1.

Signed-off-by: jmeridth <jmeridth@gmail.com>

## What

Pin the reusable release workflow to v1.0.0 (SHA 592067a69a43d2285f933753d89a7c9d51b96530). Add a Breaking Changes category to release-drafter.

## Why

v1.0.0 of ospo-reusable-workflows broadens the release trigger to include breaking, feature, vuln, and release labels and folds GoReleaser, container image build, attestation, and discussion creation into the reusable workflow itself. Surfacing breaking changes prominently in release notes aligns the changelog with the new label-based release triggers.

## Notes

- The outer label-filter `if:` block on the release job is removed because the v1.0 reusable workflow now handles label filtering internally.
- Trigger updated to `pull_request_target` so the workflow can push tags via `GITHUB_TOKEN`.
- `goreleaser` and `attest-sboms` jobs have been dropped; the v1.0 reusable workflow handles GoReleaser, attestation, and SBOM publishing internally. This repo currently has no `.goreleaser.yml`, so confirm the reusable workflow either gates GoReleaser on the presence of a config or that this repo does not need release artifacts.

## Testing

- `feature` or `breaking`) and verify the reusable workflow drafts/publishes a release as expected.
- `breaking` label.
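
The startup validation described in the second commit message, as an added example (not code from this PR or from ospo-reusable-workflows): a pre-merge check that compares the caller job's `permissions` with every job of the called workflow, including jobs an `if:` would skip. The job names are from the page; the scope levels per job, the `if:` strings and the `pull-requests` entry are assumptions constructed for illustration.

```python
# Added example. All workflow data below is constructed, not read from the repo.
LEVELS = {"none": 0, "read": 1, "write": 2}

# Jobs of the called (reusable) workflow. Names are from the commit message;
# which scope each job requests, at which level, and the `if:` text are assumed.
CALLED_JOBS = {
    "release_image": {
        "if": "inputs.image-name != ''",
        "permissions": {"contents": "read", "packages": "write",
                        "id-token": "write", "attestations": "write"},
    },
    "release_goreleaser": {
        "if": "inputs.goreleaser-config-path != ''",
        "permissions": {"contents": "write", "id-token": "write",
                        "attestations": "write"},
    },
    "release_discussion": {
        "if": "inputs.create-discussion",
        "permissions": {"contents": "read", "discussions": "write"},
    },
}

# Caller `permissions:` blocks (constructed). A scope that is not listed is
# treated as "none", which is how GitHub treats an explicit permissions block.
NARROW_CALLER = {"contents": "write", "pull-requests": "read"}
ALIGNED_CALLER = {**NARROW_CALLER, "packages": "write", "id-token": "write",
                  "attestations": "write", "discussions": "write"}


def missing_permissions(caller_perms, called_jobs):
    """Return {scope: (granted, needed)} where a called job asks for more
    than the caller job grants. The job's `if:` is deliberately ignored,
    because the validation happens at startup, before any job is skipped."""
    missing = {}
    for job in called_jobs.values():
        for scope, needed in job["permissions"].items():
            granted = caller_perms.get(scope, "none")
            highest = missing.get(scope, (granted, granted))[1]
            if LEVELS[needed] > LEVELS[highest]:
                missing[scope] = (granted, needed)
    return missing


if __name__ == "__main__":
    for name, perms in (("narrow", NARROW_CALLER), ("aligned", ALIGNED_CALLER)):
        gaps = missing_permissions(perms, CALLED_JOBS)
        print(name, "-> startup_failure risk:" if gaps else "-> ok", gaps)
```

Running the same comparison against the real caller and called workflow files in CI catches a too-narrow `permissions` block before the merge that would otherwise end in `startup_failure`.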