Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
23 changes: 18 additions & 5 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -101,6 +101,14 @@ jobs:
echo "$sum $file" > ${file#\*}.sha256
fi
done
-
name: List artifacts
run: |
tree -nh ./bin/release
-
name: Check artifacts
run: |
find bin/release -type f -exec file -e ascii -- {} +
-
name: Upload artifacts
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
Expand Down Expand Up @@ -304,8 +312,9 @@ jobs:
files: ./coverage.txt

release:
if: startsWith(github.ref, 'refs/tags/v')

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[MEDIUM] Moving job-level if skips artifact verification steps on non-tag pushes

Previously the if: startsWith(github.ref, 'refs/tags/v') guard was only on the final ncipollo/release-action step. That meant on every push to main (non-tag), the job still ran:

  1. actions/download-artifact — fetches the release artifact
  2. tree -nh ./bin/release — lists artifacts
  3. find bin/release -type f -exec file … — checks binary types

…but skipped only the actual GitHub Release creation. These steps acted as a post-build artifact sanity check for every push.

After this PR, the entire release job is skipped on non-tag pushes, so those sanity checks no longer run on main branch pushes. If this is intentional (just avoiding unnecessary work), the PR description doesn't mention it and it's worth a comment to confirm. If the artifact verification was considered useful, consider keeping those steps outside the tag guard:

  release:
    runs-on: ubuntu-latest
    needs:
      - build
    steps:
      - name: Artifacts
        uses: actions/download-artifact@...
      - name: List artifacts
        run: tree -nh ./bin/release
      - name: Check artifacts
        run: find bin/release -type f -exec file -e ascii -- {} +
      - name: GitHub Release
        if: startsWith(github.ref, 'refs/tags/v')
        uses: ncipollo/release-action@...

permissions:
contents: write # to create a release (ncipollo/release-action)
contents: write # to create a release (softprops/action-gh-release)
runs-on: ubuntu-latest
needs:
- binary-finalize
Expand All @@ -320,6 +329,8 @@ jobs:
path: ./bin/release
name: release
-
# inspect what was actually downloaded from the artifact store —
# this is what gets attached to the release
name: List artifacts
run: |
tree -nh ./bin/release
Expand All @@ -329,10 +340,12 @@ jobs:
find bin/release -type f -exec file -e ascii -- {} +
-
name: GitHub Release
if: startsWith(github.ref, 'refs/tags/v')
uses: ncipollo/release-action@339a81892b84b4eeb0f6e744e4574d79d0d9b8dd # v1.21.0
uses: softprops/action-gh-release@718ea10b132b3b2eba29c1007bb80653f286566b # v3.0.1
with:
artifacts: ./bin/release/*
generateReleaseNotes: true
files: ./bin/release/*
generate_release_notes: true
draft: true
# never replace assets already uploaded to an existing release
# (softprops updates an existing release for the tag instead of failing)
overwrite_files: false
token: ${{ secrets.GITHUB_TOKEN }}
2 changes: 1 addition & 1 deletion .github/workflows/merge.yml
Original file line number Diff line number Diff line change
Expand Up @@ -39,7 +39,7 @@ jobs:
cache: true
cache-scope: bin-image
output: image
push: ${{ github.event_name != 'pull_request' }}
push: true # this workflow only triggers on push (main and tags)
sbom: true
set-meta-labels: true
meta-images: |
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/scorecards.yml
Original file line number Diff line number Diff line change
Expand Up @@ -61,6 +61,6 @@ jobs:

# Upload the results to GitHub's code scanning dashboard.
- name: "Upload to code-scanning"
uses: github/codeql-action/upload-sarif@b8d3b6e8af63cde30bdc382c0bc28114f4346c88 # v2.28.1
uses: github/codeql-action/upload-sarif@411c4c9a36b3fca4d674f06b6396b2c6d23522c6 # v3.36.3
with:
sarif_file: results.sarif
Loading