Publish #8
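# Publish workflow: packs, signs (minisign) and uploads the plugins that
# changed under plugins/ on main, or the slugs passed to a manual dispatch.
name: Publish

on:
  push:
    branches: [main]
    paths:
      - "plugins/**"
  workflow_dispatch:
    inputs:
      plugins:
        description: "Space-separated plugin slugs to (re)publish. Empty = none."
        required: false
        default: ""

# Least privilege: the workflow token can only read repository contents.
permissions:
  contents: read

# All runs share one group; an in-progress publish is not cancelled by a
# newer run.
concurrency:
  group: publish
  cancel-in-progress: false

jobs:
  publish:
    name: Pack, sign, and upload changed plugins
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): both actions below are referenced by a mutable tag (@v4).
      # This job later receives a signing key and an upload token, so pinning
      # each action to a full commit SHA is worth considering.
      - name: Checkout
        uses: actions/checkout@v4
        with:
          # Full history so the before/after diff below can resolve both commits.
          fetch-depth: 0
          # No step visible here talks to the remote with git after checkout,
          # so the token is not left in .git/config for later steps to read.
          persist-credentials: false

      - name: Setup Node
        uses: actions/setup-node@v4
        with:
          node-version: "20"
          cache: "npm"

      # NOTE(review): dependency install scripts run in the same workspace that
      # the signing step uses later. If no dependency needs them, consider
      # `npm ci --ignore-scripts`.
      - name: Install tooling
        run: npm ci

      # Gate: publishing only proceeds when a real public key is committed and
      # the signing secret exists. Only a true/false flag is exposed to this
      # step, not the key itself.
      - name: Check publishing is configured
        id: configured
        env:
          HAS_SIGNING_KEY: ${{ secrets.MINISIGN_SECRET_KEY != '' }}
        run: |
          if [ ! -f minisign.pub ] || grep -q "PLACEHOLDER" minisign.pub || grep -q "REPLACE ME" minisign.pub; then
            echo "::notice::minisign.pub is missing or still the placeholder; skipping publish. Commit the real public key to enable."
            echo "ready=false" >> "$GITHUB_OUTPUT"
          elif [ "$HAS_SIGNING_KEY" != "true" ]; then
            echo "::notice::MINISIGN_SECRET_KEY secret is not set; skipping publish."
            echo "ready=false" >> "$GITHUB_OUTPUT"
          else
            echo "ready=true" >> "$GITHUB_OUTPUT"
          fi

      # Builds the space-separated list of slugs to publish. Event data is
      # passed through env rather than interpolated into the script text, and
      # every slug is checked against a strict pattern before it is used in a
      # path or handed to later steps.
      - name: Determine changed plugins
        id: changed
        if: steps.configured.outputs.ready == 'true'
        env:
          DISPATCH_INPUT: ${{ github.event.inputs.plugins }}
          EVENT_NAME: ${{ github.event_name }}
          BEFORE_SHA: ${{ github.event.before }}
          AFTER_SHA: ${{ github.sha }}
        run: |
          set -euo pipefail
          # Disable pathname expansion: $raw is word-split on purpose below and
          # a wildcard in the dispatch input must not expand to file names.
          set -f
          if [ -n "$DISPATCH_INPUT" ]; then
            raw="$DISPATCH_INPUT"
          elif [ "$EVENT_NAME" = "workflow_dispatch" ]; then
            # A manual run with an empty input publishes nothing, as the input
            # description states; without this branch it would fall through to
            # the HEAD~1 diff and publish the last commit's plugins.
            raw=""
          else
            before="$BEFORE_SHA"
            if [ -z "$before" ] || [ "$before" = "0000000000000000000000000000000000000000" ]; then
              before="HEAD~1"
            fi
            if ! git cat-file -e "$before^{commit}" 2>/dev/null; then
              echo "::warning::before ref '$before' unavailable; falling back to HEAD~1"
              before="HEAD~1"
            fi
            raw="$(git diff --name-only "$before" "$AFTER_SHA" -- plugins/ \
              | awk -F/ 'NF>1 && $1=="plugins" {print $2}' \
              | sort -u)"
          fi
          names=""
          for slug in $raw; do
            # Allow-list: lowercase alphanumerics and hyphens only, so a slug
            # cannot carry path separators, options or shell metacharacters.
            if ! printf '%s' "$slug" | grep -Eq '^[a-z0-9][a-z0-9-]*$'; then
              echo "::warning::skipping slug with invalid characters: '$slug'"
              continue
            fi
            if [ ! -f "plugins/$slug/composer.json" ]; then
              echo "skip $slug (removed)"
              continue
            fi
            names="$names $slug"
          done
          names="$(printf '%s' "$names" | sed 's/^ *//')"
          echo "names=$names" >> "$GITHUB_OUTPUT"
          echo "Publishing: ${names:-<none>}"

      # $NAMES is left unquoted so each slug becomes its own argument; that is
      # only safe because the previous step admits allow-listed slugs only.
      - name: Validate changed plugins
        if: steps.changed.outputs.names != ''
        env:
          NAMES: ${{ steps.changed.outputs.names }}
        run: node scripts/validate.mjs $NAMES

      # NOTE(review): the release tarball is pinned by version only and is
      # installed without an integrity check. Record the expected SHA-256 of
      # the asset in this workflow and verify it (e.g. `sha256sum -c`) before
      # extracting; presumably this binary is what signs with the secret key.
      - name: Install minisign
        if: steps.changed.outputs.names != ''
        env:
          MINISIGN_VERSION: "0.12"
        run: |
          set -euo pipefail
          curl -fsSL "https://github.com/jedisct1/minisign/releases/download/${MINISIGN_VERSION}/minisign-${MINISIGN_VERSION}-linux.tar.gz" -o /tmp/minisign.tar.gz
          tar -xzf /tmp/minisign.tar.gz -C /tmp
          sudo install -m 0755 "/tmp/minisign-linux/$(uname -m)/minisign" /usr/local/bin/minisign
          minisign -v

      # The only step that receives secrets. VITO_UPLOAD_URL can be overridden
      # by a repository variable, so whoever can edit variables decides where
      # VITO_UPLOAD_TOKEN is sent.
      - name: Pack, sign, and upload
        if: steps.changed.outputs.names != ''
        env:
          NAMES: ${{ steps.changed.outputs.names }}
          VITO_UPLOAD_URL: ${{ vars.VITO_UPLOAD_URL || 'https://vitodeploy.com/api/plugins/upload' }}
          VITO_UPLOAD_TOKEN: ${{ secrets.VITO_UPLOAD_TOKEN }}
          MINISIGN_SECRET_KEY: ${{ secrets.MINISIGN_SECRET_KEY }}
        run: node scripts/publish.mjs $NAMES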