chore: automate tagging releases

Author: alexeagle

.github/workflows/publish.yaml

@@ -9,7 +9,7 @@ on:
                 required: true
                 type: string
         secrets:
-            publish_token:
+            BCR_PUBLISH_TOKEN:
                 required: true
     # In case of problems, let release engineers retry by manually dispatching
     # the workflow from the GitHub UI
@@ -20,8 +20,9 @@ on:
                 type: string
 jobs:
     publish:
-        uses: bazel-contrib/publish-to-bcr/.github/workflows/publish.yaml@v0.0.4
+        uses: bazel-contrib/publish-to-bcr/.github/workflows/publish.yaml@v1.0.0
         with:
+            draft: false
             tag_name: ${{ inputs.tag_name }}
             # GitHub repository which is a fork of the upstream where the Pull Request will be opened.
             registry_fork: aspect-build/bazel-central-registry
@@ -31,4 +32,4 @@ jobs:
             id-token: write
         secrets:
             # Necessary to push to the BCR fork, and to open a pull request against a registry
-            publish_token: ${{ secrets.publish_token || secrets.BCR_PUBLISH_TOKEN }}
+            publish_token: ${{ secrets.BCR_PUBLISH_TOKEN }}

.github/workflows/release.yml

@@ -4,24 +4,34 @@
 name: Release
 
 on:
-    push:
-        tags:
-            - 'v*.*.*'
+  # Can be triggered from the tag.yaml workflow
+  workflow_call:
+    inputs:
+      tag_name:
+        required: true
+        type: string
+    secrets:
+      BCR_PUBLISH_TOKEN:
+        required: true
+  # Or, developers can manually push a tag from their clone
+  push:
+    tags:
+      - "v*.*.*"
 permissions:
     id-token: write
     attestations: write
     contents: write
 jobs:
     release:
-        uses: bazel-contrib/.github/.github/workflows/[email protected].2
+        uses: bazel-contrib/.github/.github/workflows/[email protected].3
         with:
             release_files: rules_ts-*.tar.gz
             prerelease: false
-            tag_name: ${{ github.ref_name }}
+            tag_name: ${{ inputs.tag_name || github.ref_name }}
     publish:
         needs: release
         uses: ./.github/workflows/publish.yaml
         with:
-            tag_name: ${{ github.ref_name }}
+            tag_name: ${{ inputs.tag_name || github.ref_name }}
         secrets:
             publish_token: ${{ secrets.BCR_PUBLISH_TOKEN }}

.github/workflows/release_prep.sh

@@ -2,9 +2,9 @@
 
 set -o errexit -o nounset -o pipefail
 
-# Set by GH actions, see
-# https://docs.github.com/en/actions/learn-github-actions/environment-variables#default-environment-variables
-TAG=${GITHUB_REF_NAME}
+# Argument provided by reusable workflow caller, see
+# https://github.com/bazel-contrib/.github/blob/d197a6427c5435ac22e56e33340dff912bc9334e/.github/workflows/release_ruleset.yaml#L72
+TAG=$1
 # Strip leading 'v'
 PREFIX="rules_ts-${TAG:1}"
 ARCHIVE="rules_ts-$TAG.tar.gz"

.github/workflows/tag.yaml

@@ -0,0 +1,45 @@
+# Tag a new release using https://github.com/marketplace/actions/conventional-commits-versioner-action
+#
+# This is easier than having to run manual `git` operations on a local clone.
+# It also runs on a schedule so we don't leave commits unreleased indefinitely
+# (avoiding users having to ping "hey could someone cut a release").
+
+name: Tag a Release
+on:
+  # Allow devs to tag manually through the GitHub UI.
+  # For example after landing a fix that customers are waiting for.
+  workflow_dispatch:
+  # Run twice a month, on the 1rst and 15th at 3PM UTC (8AM PST)
+  # This is a trade-off between making too many releases,
+  # which overwhelms BCR maintainers and over-notifies users,
+  # and releasing too infrequently which delays delivery of bugfixes and features.
+  schedule:
+    - cron: "0 15 1,15 * *"
+jobs:
+  tag:
+    permissions:
+      contents: write # allow create tag
+    runs-on: ubuntu-latest
+    outputs:
+      new-tag: ${{ steps.ccv.outputs.new-tag }}
+      new-tag-version: ${{steps.ccv.outputs.new-tag-version}}
+    steps:
+      - uses: actions/checkout@v5
+        with:
+          # Need enough history to find the prior release tag
+          fetch-depth: 0
+      - name: Bump tag if necessary
+        id: ccv
+        uses: smlx/ccv@7318e2f25a52dcd550e75384b84983973251a1f8 # v0.10.0
+  release:
+    needs: tag
+    uses: ./.github/workflows/release.yml
+    with:
+      tag_name: ${{ needs.tag.outputs.new-tag-version }}
+    secrets:
+      BCR_PUBLISH_TOKEN: ${{ secrets.BCR_PUBLISH_TOKEN }}
+    if: needs.tag.outputs.new-tag == 'true' && needs.tag.outputs.new-tag-version-type != 'major'
+    permissions:
+      id-token: write
+      attestations: write
+      contents: write