fix: manual full release workflow (#1763)

Signed-off-by: matttrach <[email protected]>
Co-authored-by: Matt Trachier <[email protected]>

Author: github-actions[bot]

.github/workflows/manual-rc-release.yml

@@ -7,6 +7,11 @@ on:
         description: 'The rc tag to create, e.g. v1.2.3-rc.1'
         required: true
 
+permissions:
+  contents: write
+  id-token: write
+  actions: read
+
 jobs:
   rc-release:
     runs-on: ubuntu-latest

.github/workflows/manual-release.yml

@@ -0,0 +1,73 @@
+name: Manually Create Full Release
+
+on:
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: 'The tag to create, make sure to select the correct branch.'
+        required: true
+      sha:
+        description: 'The commit SHA to create the tag from, defaults to HEAD of the selected branch.'
+        required: false
+
+permissions:
+  contents: write
+  id-token: write
+  actions: read
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 https://github.com/actions/checkout
+        with:
+          fetch-depth: 0
+      - name: Create and Push Tag with Git
+        id: create-push-tag
+        env:
+          TAG: ${{ inputs.tag }}
+          SHA: ${{ inputs.sha }}
+        run: |
+          git config user.name "${{ github.actor }}"
+          git config user.email "${{ github.actor }}@users.noreply.github.com"
+          if [ -n "${SHA}" ]; then
+            git checkout "$SHA"
+          fi
+          git tag "$TAG" -m "Release $TAG"
+          git push origin "$TAG"
+      - name: retrieve GPG Credentials
+        id: retrieve-gpg-credentials
+        uses: rancher-eio/read-vault-secrets@main
+        with:
+          secrets: |
+            secret/data/github/repo/${{ github.repository }}/signing/gpg passphrase | GPG_PASSPHRASE ;
+            secret/data/github/repo/${{ github.repository }}/signing/gpg privateKeyId | GPG_KEY_ID ;
+            secret/data/github/repo/${{ github.repository }}/signing/gpg privateKey | GPG_KEY
+      - name: import_gpg_key
+        id: import-gpg-key
+        env:
+          GPG_PASSPHRASE: ${{ env.GPG_PASSPHRASE }}
+          GPG_KEY_ID: ${{ env.GPG_KEY_ID }}
+          GPG_KEY: ${{ env.GPG_KEY }}
+        run: |
+          cleanup() {
+            # clear history just in case
+            history -c
+          }
+          trap cleanup EXIT TERM
+
+          # sanitize variables
+          if [ -z "${GPG_PASSPHRASE}" ]; then echo "gpg passphrase empty"; exit 1; fi
+          if [ -z "${GPG_KEY_ID}" ]; then echo "key id empty"; exit 1; fi
+          if [ -z "${GPG_KEY}" ]; then echo "key contents empty"; exit 1; fi
+
+          echo "Importing gpg key"
+          echo "${GPG_KEY}" | gpg --import --batch > /dev/null || { echo "Failed to import GPG key"; exit 1; }
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0 https://github.com/goreleaser/goreleaser-action
+        with:
+          args: release --clean --config .goreleaser_rc.yml
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GPG_KEY_ID: ${{ env.GPG_KEY_ID }}
+          GPG_PASSPHRASE: ${{ env.GPG_PASSPHRASE }}

.github/workflows/release.yml

@@ -189,6 +189,9 @@ jobs:
     steps:
       # If the e2e tests pass we automatically generate an RC release
       #   this shouldn't happen when the release PR is merged, only when it's opened or updated
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 https://github.com/actions/checkout
+        with:
+          fetch-depth: 0
       - name: Create and Push RC Tag with Git
         id: create-push-rc-tag
         run: |

aspell_custom.txt

@@ -5,6 +5,7 @@ aws
 azure
 config
 eks
+globbing
 git
 github
 kubeconfig