flowthru/.github/workflows/release.yml at main · chaoticgoodcomputing/flowthru · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
name: CI

on:
  push:
    branches: [ main ]
    paths-ignore:
      - "**.md"
      - "docs/**"
      - ".github/instructions/**"
  workflow_dispatch:
    inputs:
      force_bump:
        description: "Force a version bump type (bypasses conventional commits).
          Defaults to 'minor' on manual dispatch."
        required: false
        default: minor
        type: choice
        options:
          - minor
          - patch
          - major

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  ci:
    runs-on: ubuntu-latest
    if: "!contains(github.event.head_commit.message, '[skip ci]') &&
      !contains(github.event.head_commit.message, 'chore(release)')"

    permissions:
      contents: write

    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          token: ${{ secrets.GITHUB_TOKEN }}

      - name: Setup CI environment
        uses: ./.github/actions/setup

      - name: Compute affected projects
        id: affected
        run: |
          NX_BASE=$(git describe --tags --abbrev=0 2>/dev/null || git rev-list --max-parents=0 HEAD)
          echo "nx-base=${NX_BASE}" >> "$GITHUB_OUTPUT"
          AFFECTED=$(pnpm nx show projects --affected --base="${NX_BASE}" --json 2>/dev/null \
            | node -e "process.stdout.write(JSON.parse(require('fs').readFileSync('/dev/stdin','utf8')).join(' '))")
          echo "NX_AFFECTED_PROJECTS=${AFFECTED}" >> "$GITHUB_ENV"
          # Write JSON for debugging artifact
          pnpm nx show projects --affected --base="${NX_BASE}" --json 2>/dev/null > dist/nx-affected.json || true
          # Print to step summary for visibility
          {
            echo "## Affected Projects (base: \`${NX_BASE}\`)"
            echo '```'
            echo "${AFFECTED}" | tr ' ' '\n'
            echo '```'
          } >> "$GITHUB_STEP_SUMMARY"

      - name: Run tests
        env:
          CI: "true"
        run: |
          pnpm nx affected -t test \
            --base="${{ steps.affected.outputs.nx-base }}" --head=HEAD \
            --output-style=stream \
            --logger "console;verbosity=minimal" \
            --nxBail


      - name: Sync Codecov flags
        run: pnpm nx run tests:coverage:sync

      - name: Configure Git
        run: |
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"

      - name: Determine last published release tag
        id: last-published
        run: |
          # Find the most recent vX.Y.Z tag reachable from HEAD.
          # --merged HEAD ensures we never resolve to a tag on an orphaned branch,
          # which can happen when a release commit is pushed concurrently with other
          # work and the merge produces a non-linear ancestry.
          BASE_TAG=$(git tag --sort=-v:refname --merged HEAD \
            | grep -E '^v[0-9]+\.[0-9]+\.[0-9]+$' | head -1)
          if [ -z "$BASE_TAG" ]; then
            # No release tag yet — start from the initial commit.
            BASE_TAG=$(git rev-list --max-parents=0 HEAD)
          fi
          echo "tag=${BASE_TAG}" >> "$GITHUB_OUTPUT"
          echo "Base tag for release: ${BASE_TAG}"

      - name: Run NX Release (version + changelog + commit + tag)
        id: release
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          CI: "true"
        run: |
          OLD_VERSION=$(node -p "require('./package.json').version")
          FORCE_BUMP_FLAG=${{ inputs.force_bump && format('--force-bump={0}', inputs.force_bump) || '' }}
          node scripts/release.mjs --from="${{ steps.last-published.outputs.tag }}" ${FORCE_BUMP_FLAG}
          NEW_VERSION=$(node -p "require('./package.json').version")
          echo "version=$NEW_VERSION" >> "$GITHUB_OUTPUT"
          if [ "$OLD_VERSION" != "$NEW_VERSION" ]; then
            echo "changed=true" >> "$GITHUB_OUTPUT"
            echo "Version bumped from $OLD_VERSION to $NEW_VERSION"
          else
            echo "changed=false" >> "$GITHUB_OUTPUT"
            echo "No version bump — skipping release."
          fi

      - name: Push release commit and tag
        if: steps.release.outputs.changed == 'true'
        run: git push --follow-tags

      - name: Create GitHub Release Draft
        if: steps.release.outputs.changed == 'true'
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          VERSION="v${{ steps.release.outputs.version }}"
          # Extract the changelog entry for this version
          NOTES=$(awk "/^## ${{ steps.release.outputs.version }}/{found=1;next} /^## /{if(found)exit} found{print}" CHANGELOG.md)
          gh release create "${VERSION}" \
            --title "${VERSION}" \
            --notes "${NOTES}" \
            --draft

      - name: Pack NuGet packages (release version)
        if: steps.release.outputs.changed == 'true'
        run: |
          # Remove any nupkgs left in dist/packages from the test run (e.g. Flowthru.Tests.Templates)
          # before packing to ensure only the newly-versioned packages are uploaded.
          rm -f dist/packages/*.nupkg
          pnpm nx run-many -t pack

      - name: Upload packages to GitHub release
        if: steps.release.outputs.changed == 'true'
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          VERSION="v${{ steps.release.outputs.version }}"
          gh release upload "${VERSION}" dist/packages/*.nupkg

      # - name: Install Copilot CLI
      #   if: steps.release.outputs.changed == 'true'
      #   run: npm install -g @github/copilot

      # - name: Generate release summary
      #   if: steps.release.outputs.changed == 'true'
      #   env:
      #     COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_CLI_TOKEN }}
      #   run: |
      #     HEAD_TAG="v${{ steps.release.outputs.version }}"
      #     BASE_TAG="${{ steps.last-published.outputs.tag }}"
      #     copilot -p "Generate a release summary. Base tag: ${BASE_TAG}, head tag: ${HEAD_TAG}. Summarize all changes between these two tags." \
      #       --agent=dev-relations \
      #       --model=claude-haiku-4.5 \
      #       --available-tools='view,create,edit,bash' \
      #       --allow-tool='shell(git:*)' \
      #       --allow-tool='write' \
      #       --allow-tool='view' \
      #       --add-dir=. \
      #       --deny-tool='shell(git push)' \
      #       --deny-tool='shell(git reset)' \
      #       --deny-tool='shell(git checkout)' \
      #       --deny-tool='shell(git commit)' \
      #       --deny-tool='shell(git merge)' \
      #       --deny-tool='shell(git rebase)' \
      #       --deny-tool='shell(git branch -d)' \
      #       --deny-tool='shell(git tag -d)' \
      #       --no-ask-user

      # - name: Prepend summary to draft release
      #   if: steps.release.outputs.changed == 'true'
      #   env:
      #     GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      #   run: |
      #     VERSION="v${{ steps.release.outputs.version }}"
      #     SUMMARY_FILE="docs/scratch/release-${{ steps.release.outputs.version }}.md"
      #     if [ -f "$SUMMARY_FILE" ]; then
      #       EXISTING_NOTES=$(gh release view "${VERSION}" --json body -q '.body')
      #       {
      #         cat "$SUMMARY_FILE"
      #         echo ""
      #         echo "---"
      #         echo ""
      #         echo "$EXISTING_NOTES"
      #       } > /tmp/combined-notes.md
      #       gh release edit "${VERSION}" --notes-file /tmp/combined-notes.md
      #     fi

      - name: Publish preview to NuGet
        if: steps.release.outputs.changed == 'true'
        env:
          FLOWTHRU_NUGET_API_KEY: ${{ secrets.FLOWTHRU_NUGET_API_KEY }}
        run: |
          VERSION="${{ steps.release.outputs.version }}"
          PRERELEASE_VERSION="${VERSION}-preview.${{ github.run_number }}"
          rm dist/packages/*.nupkg
          # Scope to src/ only — examples and tests are not NuGet artifacts.
          # Directory.Build.props already restricts Version and PackageOutputPath
          # to src/ projects; this find mirrors that boundary explicitly.
          find src/ -name "*.csproj" -print0 | while IFS= read -r -d '' csproj; do
            dotnet pack "$csproj" \
              --no-build \
              -c Release \
              /p:Version="${PRERELEASE_VERSION}"
          done
          dotnet nuget push "dist/packages/*.nupkg" \
            --api-key "${FLOWTHRU_NUGET_API_KEY}" \
            --source https://api.nuget.org/v3/index.json \
            --skip-duplicate

      - name: Install Codecov CLI
        if: always()
        run: |
          curl https://keybase.io/codecovsecurity/pgp_keys.asc \
            | gpg --no-default-keyring --keyring trustedkeys.gpg --import
          curl -Os https://cli.codecov.io/latest/linux/codecov
          curl -Os https://cli.codecov.io/latest/linux/codecov.SHA256SUM
          curl -Os https://cli.codecov.io/latest/linux/codecov.SHA256SUM.sig
          gpg --no-default-keyring --keyring trustedkeys.gpg \
            --verify codecov.SHA256SUM.sig codecov.SHA256SUM
          shasum -a 256 -c codecov.SHA256SUM
          sudo chmod +x codecov
          sudo mv codecov /usr/local/bin/codecov

      - name: Upload coverage to Codecov
        if: always()
        continue-on-error: true
        env:
          CODECOV_TOKEN: ${{ secrets.FLOWTHRU_CODECOV_TOKEN }}
        run: pnpm nx run tests:coverage:upload