add release detection #3
# Release workflow: builds and signs the binaries through build.yml, then
# attaches them to a GitHub release that must already exist for the tag.
name: Release

on:
  push:
    # Tag pushes that start a release run.
    tags: ['v*', 'alpha*', 'beta*']
  workflow_dispatch:
    inputs:
      # Free-form string typed by whoever dispatches the run; it selects the
      # release that receives the assets.
      tag:
        description: 'Tag to release (e.g., v0.58.8)'
        required: true
        type: string

# Workflow-level grant: applies to every job in this file and is the ceiling
# for the GITHUB_TOKEN that the called build.yml receives.
# NOTE(review): none of the upload-assets steps requests an OIDC token;
# presumably id-token: write is for signing in build.yml. Confirm, and consider
# granting permissions per job so each job holds only what it uses.
permissions:
  contents: write
  id-token: write
  actions: read
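jobs:
  # Build and sign all binaries (reuses build.yml workflow)
  build-and-sign:
    name: Build and Sign All Binaries
    uses: ./.github/workflows/build.yml
    # NOTE(review): `inherit` makes every secret available to this workflow
    # visible to build.yml; passing only the secrets it needs would narrow that.
    secrets: inherit

  # Upload binaries to existing GitHub release
  upload-assets:
    name: Upload Release Assets
    needs: build-and-sign
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        # NOTE(review): the action is referenced by a mutable version tag;
        # pinning it to a full commit SHA fixes exactly which code runs with
        # this job's write token.
        uses: actions/checkout@v5
        with:
          # The later steps authenticate gh through GH_TOKEN and run no git
          # network commands, so the token does not need to be kept for git.
          persist-credentials: false

      - name: Get version
        id: version
        env:
          # Passed through the environment instead of being expanded inside
          # the script, so the values are never parsed as shell code.
          INPUT_TAG: ${{ inputs.tag }}
          EVENT_NAME: ${{ github.event_name }}
        run: |
          if [ "$EVENT_NAME" = "workflow_dispatch" ]; then
            VERSION="$INPUT_TAG"
          else
            VERSION="${GITHUB_REF#refs/tags/}"
          fi

          # VERSION is written to GITHUB_OUTPUT and later handed to gh as an
          # argument. Reject an empty value, a leading '-' (it would be read
          # as an option) and whitespace or control characters (a newline
          # would add extra lines to the output file).
          case "$VERSION" in
            '' | -* | *[[:space:][:cntrl:]]*)
              echo "Error: invalid release tag" >&2
              exit 1
              ;;
          esac

          # NOTE(review): on workflow_dispatch nothing visible in this file
          # ties the commit that build.yml builds to this tag. Confirm that
          # build.yml checks out the tag being released.
          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
          echo "Release version: $VERSION"

      - name: Check if release exists
        id: check_release
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          VERSION: ${{ steps.version.outputs.version }}
        run: |
          echo "Checking if release exists for tag: $VERSION"

          # One gh call is both the existence check and the data fetch. Its
          # stderr is left visible so an authentication or network failure is
          # not reported only as a missing release.
          if ! RELEASE_JSON=$(gh release view "$VERSION" --json id,uploadUrl,isDraft); then
            echo "exists=false" >> "$GITHUB_OUTPUT"
            echo "Release not found for tag $VERSION"
            exit 1
          fi

          # Get release details
          RELEASE_ID=$(jq -r '.id' <<<"$RELEASE_JSON")
          UPLOAD_URL=$(jq -r '.uploadUrl' <<<"$RELEASE_JSON")
          IS_DRAFT=$(jq -r '.isDraft' <<<"$RELEASE_JSON")

          {
            echo "exists=true"
            echo "release_id=$RELEASE_ID"
            echo "upload_url=$UPLOAD_URL"
            echo "is_draft=$IS_DRAFT"
          } >> "$GITHUB_OUTPUT"

          echo "Found existing release:"
          echo " Release ID: $RELEASE_ID"
          echo " Draft: $IS_DRAFT"
          # Print the upload URL without its trailing {...} template part.
          echo " Upload URL: ${UPLOAD_URL%\{*}"

      - name: Download pre-built signed binaries
        # NOTE(review): referenced by a mutable version tag; a full commit SHA
        # pin fixes which code handles the release binaries.
        uses: actions/download-artifact@v6
        with:
          name: all-signed-binaries
          path: bin/

      - name: Verify binaries downloaded
        run: |
          echo "Downloaded binaries:"
          ls -lahrt bin/*

          # Count directory entries with a glob instead of parsing ls output.
          shopt -s nullglob
          entries=(bin/*)
          binary_count=${#entries[@]}
          echo "Total binaries: $binary_count"

          # Should have 7 binaries (2 darwin, 3 linux, 2 windows)
          if [ "$binary_count" -lt 7 ]; then
            echo "Error: Expected at least 7 binaries, found $binary_count"
            exit 1
          fi
          echo "All binaries present"

      - name: Set execution permissions on binaries
        run: |
          cd bin
          # Set execution permissions on all binaries; chmod fails the step if
          # any of the named files is absent.
          chmod +x -- \
            terragrunt_darwin_amd64 \
            terragrunt_darwin_arm64 \
            terragrunt_linux_386 \
            terragrunt_linux_amd64 \
            terragrunt_linux_arm64 \
            terragrunt_windows_386.exe \
            terragrunt_windows_amd64.exe
          echo "Execution permissions set on all binaries"

      - name: Create ZIP archive with executables
        run: |
          cd bin
          # Create ZIP with all executables (preserving permissions). It is
          # written one level up first so the terragrunt_* glob cannot pick up
          # the archive itself.
          zip -r ../terragrunt_all_platforms.zip terragrunt_*
          echo "ZIP archive created:"
          ls -lh ../terragrunt_all_platforms.zip

          # Move ZIP to bin directory
          mv ../terragrunt_all_platforms.zip .
          echo "Contents of ZIP:"
          unzip -l terragrunt_all_platforms.zip

      - name: Generate SHA256SUMS
        run: |
          cd bin
          # Generate checksums for all files including the ZIP.
          # NOTE(review): the digests are computed here, after the artifact
          # download, and the SHA256SUMS file is not signed in this job, so
          # they describe what this job received rather than what the build
          # job produced.
          sha256sum terragrunt_* > SHA256SUMS
          echo "SHA256SUMS generated:"
          cat SHA256SUMS

      # Renamed from "Verify signatures before upload": the script only tests
      # that the files exist and verifies no code signature.
      # NOTE(review): if signatures must be checked before publishing, that
      # check has to be added; nothing in this job performs it.
      - name: Verify required files before upload
        run: |
          echo "Verifying required files..."
          # Same order as before: macOS, Windows, Linux, then the checksum file.
          required_files=(
            terragrunt_darwin_amd64
            terragrunt_darwin_arm64
            terragrunt_windows_amd64.exe
            terragrunt_windows_386.exe
            terragrunt_linux_386
            terragrunt_linux_amd64
            terragrunt_linux_arm64
            SHA256SUMS
          )
          for file in "${required_files[@]}"; do
            if [ -f "bin/$file" ]; then
              echo "$file present"
            else
              echo "$file missing"
              exit 1
            fi
          done
          echo "All required files verified"

      - name: Upload assets to release
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          VERSION: ${{ steps.version.outputs.version }}
        run: |
          echo "Uploading assets to existing release $VERSION..."
          # Upload all files using gh CLI.
          # NOTE(review): this publishes every file present in bin/, not only
          # the nine expected names, and --clobber replaces assets already
          # attached to the release, including those of a published one.
          cd bin
          for file in *; do
            echo "Uploading $file..."
            # A failure here is deliberately not fatal; the verification step
            # re-uploads whatever is missing.
            if gh release upload "$VERSION" "$file" --clobber; then
              echo "Uploaded $file"
            else
              echo "Upload failed for $file (will retry in verification)"
            fi
          done
          echo "Upload phase completed"

      - name: Verify all assets uploaded
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          VERSION: ${{ steps.version.outputs.version }}
        run: |
          MAX_RETRIES=10
          echo "Verifying all assets are accessible..."

          # Get list of assets in the release
          ASSETS=$(gh release view "$VERSION" --json assets --jq '.assets[].name')

          # Expected files
          expected_files=(
            "terragrunt_darwin_amd64"
            "terragrunt_darwin_arm64"
            "terragrunt_linux_386"
            "terragrunt_linux_amd64"
            "terragrunt_linux_arm64"
            "terragrunt_windows_386.exe"
            "terragrunt_windows_amd64.exe"
            "SHA256SUMS"
            "terragrunt_all_platforms.zip"
          )
          expected_count=${#expected_files[@]}

          # Check each expected file.
          # NOTE(review): only asset names are compared; the uploaded content
          # is not checked against SHA256SUMS.
          for expected_file in "${expected_files[@]}"; do
            echo "Checking $expected_file..."

            # -F -x compares the whole line literally, so the '.' in a name
            # such as terragrunt_windows_386.exe is not a regex wildcard.
            if grep -Fxq -- "$expected_file" <<<"$ASSETS"; then
              echo "$expected_file present"
              continue
            fi

            echo "$expected_file not found in release, uploading..."
            if [ ! -f "bin/$expected_file" ]; then
              echo "File bin/$expected_file not found locally"
              exit 1
            fi

            # Upload the missing file
            for ((i=0; i<MAX_RETRIES; i++)); do
              if gh release upload "$VERSION" "bin/$expected_file" --clobber; then
                echo "Uploaded $expected_file"
                break
              else
                echo "Upload attempt $((i+1))/$MAX_RETRIES failed"
                sleep 5
              fi
            done
            # i reaches MAX_RETRIES only when no attempt hit the break above.
            if (( i == MAX_RETRIES )); then
              echo "Failed to upload $expected_file after $MAX_RETRIES retries"
              exit 1
            fi
          done

          # Read the list again so the count includes files re-uploaded above,
          # and count an empty list as 0 rather than as one empty line.
          ASSETS=$(gh release view "$VERSION" --json assets --jq '.assets[].name')
          asset_count=0
          if [ -n "$ASSETS" ]; then
            asset_count=$(printf '%s\n' "$ASSETS" | wc -l)
          fi
          echo "Found $asset_count assets in release"

          # Verify we can download assets (spot check); a failure only warns.
          echo ""
          echo "Verifying asset downloads (spot check)..."
          DOWNLOAD_URL=$(gh release view "$VERSION" --json assets --jq '.assets[0].url')
          if curl -sILf "$DOWNLOAD_URL" > /dev/null; then
            echo "Assets are downloadable"
          else
            echo "Warning: Could not verify asset download URL"
          fi

          echo ""
          echo "All required assets verified!"
          echo "Expected files: $expected_count (7 binaries + SHA256SUMS + ZIP archive)"
          echo "Actual files: $asset_count"
          # The threshold comes from the list above; the earlier fixed value
          # of 8 disagreed with the nine expected files.
          if [ "$asset_count" -lt "$expected_count" ]; then
            echo "Warning: Expected $expected_count files, found $asset_count"
          fi

      - name: Upload summary
        if: always()
        env:
          VERSION: ${{ steps.version.outputs.version }}
          RELEASE_ID: ${{ steps.check_release.outputs.release_id }}
          IS_DRAFT: ${{ steps.check_release.outputs.is_draft }}
          JOB_STATUS: ${{ job.status }}
        run: |
          # This step runs even after a failed step, so the wording follows the
          # job status instead of always reporting success.
          if [ "$JOB_STATUS" = "success" ]; then
            asset_status="Uploaded"
            closing="All assets uploaded successfully to existing release!"
          else
            asset_status="Not verified"
            closing="Job status: $JOB_STATUS. The asset upload was not verified; see the step logs."
          fi

          # The Signed column is fixed text describing the intended build
          # output; no step in this job verifies a signature.
          {
            echo "## Release Asset Upload Summary"
            echo ""
            echo "**Version**: $VERSION"
            echo "**Release ID**: $RELEASE_ID"
            echo "**Was Draft**: $IS_DRAFT"
            echo ""
            echo "### Assets Uploaded"
            echo ""
            echo "| Platform | Architecture | Signed | Status |"
            echo "|----------|--------------|--------|--------|"
            echo "| macOS | amd64 | Yes | $asset_status |"
            echo "| macOS | arm64 | Yes | $asset_status |"
            echo "| Linux | 386 | No | $asset_status |"
            echo "| Linux | amd64 | No | $asset_status |"
            echo "| Linux | arm64 | No | $asset_status |"
            echo "| Windows | 386 | Yes | $asset_status |"
            echo "| Windows | amd64 | Yes | $asset_status |"
            echo ""
            echo "**Additional Files**:"
            echo "- **SHA256SUMS**: $asset_status"
            echo "- **terragrunt_all_platforms.zip**: $asset_status (all executables with +x permissions)"
            echo ""
            echo "**Total Files**: 9 (7 binaries + SHA256SUMS + ZIP)"
            echo ""
            echo "$closing"
          } >> "$GITHUB_STEP_SUMMARY"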