mozjs/.github/workflows/publish.yml at 125b5ab406e12a66d4dc6456c6d8b51eee7c7273 · servo/mozjs · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
# Workflow to publish crates.io and GitHub releases
# Changes to this workflow must be reviewed carefully!
name: Publish

# Workflow triggers should be strictly controlled,
# as this will trigger publishing to crates.io.
# We only want to publish on the main branch.
on:
  push:
    branches: [main]

# dispatches build workflow with different permissions
jobs:
  build:
    uses: ./.github/workflows/build.yml
    with:
      # We verify in this workflow after creating the github release.
      verify_artifacts: false

  publish-github-release:
    name: Check version and publish release
    runs-on: ubuntu-latest
    needs: ["build"]
    permissions:
      contents: write
      id-token: write
      attestations: write
    steps:
      - uses: actions/checkout@v4
      - uses: actions/download-artifact@v4
        with:
          merge-multiple: true
      - name: Generate artifact attestation
        uses: actions/attest-build-provenance@v3
        with:
          subject-path: libmozjs-*.tar.gz
      - run: ls -l ./*.tar.gz
      - name: Publish release if tag doesn't exist
        id: check-tag
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          RELEASE_TAG=mozjs-sys-v$(cargo metadata --format-version=1 --no-deps | jq -r '.packages[] | select(.name == "mozjs_sys") | .version')
          git fetch --tags --quiet
          if ! git show-ref --tags --verify --quiet "refs/tags/${RELEASE_TAG}" ; then
            echo "Making release ${RELEASE_TAG}"
            gh release create ${RELEASE_TAG} ./*.tar.gz
          fi
          echo "RELEASE_TAG=${RELEASE_TAG}" >> ${GITHUB_OUTPUT}
    outputs:
      release-tag: ${{ steps.check-tag.outputs.RELEASE_TAG }}

  verify-release:
    name: Verify release
    needs: publish-github-release
    if: ${{ !contains(needs.*.result, 'failure') && !contains(needs.*.result, 'cancelled') }}
    uses: ./.github/workflows/release-check.yml
    with:
      release-tag: ${{ needs.publish-github-release.outputs.release-tag }}
      rust_version: stable

  # Our CI testing ensures that mozjs-sys and mozjs are always bumped together.
  # We always publish both versions, since mozjs depends on a specific version
  # of mozjs-sys
  publish-crates-io:
    name: Publish to crates.io
    runs-on: ubuntu-latest
    needs:
      - publish-github-release
      - verify-release
    permissions:
      id-token: write
    steps:
      - uses: actions/checkout@v6
      - uses: rust-lang/crates-io-auth-action@v1
        id: auth
      # publish mozjs-sys. We ignore the error if the version is already published, but abort the workflow
      # on other errors.
      - run: |
          cargo publish -p mozjs_sys --no-verify 2> err.log || grep "already exists on crates.io" err.log || ( cat err.log ; exit 1)
        env:
          CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }}
      # Wait a bit to ensure the release is published
      - run: sleep 5
      - run: |
          rm -f err.log
          cargo publish -p mozjs --no-verify 2> err.log || grep "already exists on crates.io" err.log || ( cat err.log ; exit 1)
        env:
          CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }}