chore: update GitHub Actions workflows for improved tagging and release process

- Changed GITHUB_TOKEN reference in auto-tag.yml to use the standard token for better security. - Added debug steps in both workflows to enhance visibility into the release process and check permissions. - Updated permissions in release.yml to explicitly define required access levels for contents, packages, and actions. - Refined the conditional execution for the release job to ensure it only runs when a valid version is generated.
5 months ago · 84cd8c15c7
2 changed files with 38 additions and 4 deletions
--- a/.github/workflows/auto-tag.yml
+++ b/.github/workflows/auto-tag.yml
@ -64,7 +64,7 @@ jobs:

      - name: Create new tag
        env:
-          GITHUB_TOKEN: ${{ secrets.RELEASE_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          new_tag=${{ steps.get_latest_tag.outputs.version }}
          git config --global user.name 'github-actions[bot]'
@ -90,13 +90,27 @@ jobs:
          echo "---"
          echo "Direct version value: ${{ steps.get_latest_tag.outputs.version }}"

+      - name: Debug Release Trigger
+        run: |
+          echo "Auto-tag completed successfully"
+          echo "Version to be released: ${{ steps.get_latest_tag.outputs.version }}"
+          echo "Checking release conditions:"
+          echo "  - Version not empty: ${{ steps.get_latest_tag.outputs.version != '' }}"
+          echo "  - Current job status: ${{ job.status }}"
+
  release:
    needs: auto-tag
+    permissions:
+      contents: write
+      packages: write
+      actions: write
    if: |
-      always() &&
      needs.auto-tag.result == 'success' &&
      needs.auto-tag.outputs.version != ''
    uses: ./.github/workflows/release.yml
    with:
      version: ${{ needs.auto-tag.outputs.version }}
-    secrets: inherit
+    secrets:
+      RELEASE_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
+      PASSPHRASE: ${{ secrets.PASSPHRASE }}
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -21,7 +21,10 @@ on:
    tags:
      - "v*"

-permissions: write-all
+permissions:
+  contents: write
+  packages: write
+  actions: write

 jobs:
  goreleaser:
@ -29,6 +32,23 @@ jobs:
    runs-on: ubuntu-22.04
    timeout-minutes: 15
    steps:
+      - name: Check Permissions
+        run: |
+          echo "Checking required permissions..."
+          TOKEN="${{ secrets.RELEASE_TOKEN }}"
+          if [ -z "$TOKEN" ]; then
+            echo "::error::RELEASE_TOKEN is not set"
+            exit 1
+          fi
+          echo "Token permissions check passed"
+
+      - name: Debug Workflow Trigger
+        run: |
+          echo "Event name: ${{ github.event_name }}"
+          echo "Ref: ${{ github.ref }}"
+          echo "Version input: ${{ inputs.version }}"
+          echo "Token exists: ${{ secrets.RELEASE_TOKEN != '' }}"
+
      - name: Checkout
        uses: actions/checkout@v3
        with: