setup-terraform/.github/workflows/release.yml

name: release

on:
  workflow_dispatch:
    inputs:
      versionNumber:
        description: 'Release version number (v#.#.#)'
        type: string
        required: true

permissions:
  contents: read # Changelog commit operations use service account PAT

env:
  CI_COMMIT_AUTHOR: hc-github-team-tf-provider-devex
  CI_COMMIT_EMAIL: github-team-tf-provider-devex@hashicorp.com

jobs:
  major-version:
    runs-on: ubuntu-latest
    outputs:
      version: ${{ steps.major-version.outputs.version }}
    steps:
      - id: major-version
        run: echo "version=$(echo "${{ inputs.versionNumber }}" | cut -d. -f1)" >> "$GITHUB_OUTPUT"

  changelog-version:
    runs-on: ubuntu-latest
    outputs:
      version: ${{ steps.changelog-version.outputs.version }}
    steps:
      - id: changelog-version
        run: echo "version=$(echo "${{ inputs.versionNumber }}" | cut -c 2-)" >> "$GITHUB_OUTPUT"

  changelog:
    needs: changelog-version
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
        with:
          fetch-depth: 0
          # Avoid persisting GITHUB_TOKEN credentials as they take priority over our service account PAT for `git push` operations
          # More details: https://github.com/actions/checkout/blob/b4626ce19ce1106186ddf9bb20e706842f11a7c3/adrs/0153-checkout-v2.md#persist-credentials
          persist-credentials: false
      - name: Batch changes
        uses: miniscruff/changie-action@b6d52c80deb236a5b548f8774cd5a18b87da9e9a # v1.0.1
        with:
          version: latest
          args: batch ${{ needs.changelog-version.outputs.version }}
      - name: Merge changes
        uses: miniscruff/changie-action@b6d52c80deb236a5b548f8774cd5a18b87da9e9a # v1.0.1
        with:
          version: latest
          args: merge
      - name: Git push changelog
        run: |
          git config --global user.name "${{ env.CI_COMMIT_AUTHOR }}"
          git config --global user.email "${{ env.CI_COMMIT_EMAIL }}"
          git add .
          git commit -a -m "Update changelog"
          git push "https://${{ env.CI_COMMIT_AUTHOR }}:${{ secrets.TF_DEVEX_COMMIT_GITHUB_TOKEN }}@github.com/${{ github.repository }}.git"

  update-package-version:
    needs: changelog
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
        with:
          fetch-depth: 0
          # Default input is the SHA that initially triggered the workflow. As we created a new commit in the previous job,
          # to ensure we get the latest commit we use the ref for checkout: 'refs/heads/<branch_name>'
          ref: ${{ github.ref }}
          # Avoid persisting GITHUB_TOKEN credentials as they take priority over our service account PAT for `git push` operations
          # More details: https://github.com/actions/checkout/blob/b4626ce19ce1106186ddf9bb20e706842f11a7c3/adrs/0153-checkout-v2.md#persist-credentials
          persist-credentials: false

      - name: Set up Node.js
        uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
        with:
          node-version: 18
      - name: Update package version
        run: npm version "${{ inputs.versionNumber }}" --git-tag-version false
      - name: Git push
        run: |
          git config --global user.name "${{ env.CI_COMMIT_AUTHOR }}"
          git config --global user.email "${{ env.CI_COMMIT_EMAIL }}"
          git add .
          git commit -a -m "Update package version"
          git push "https://${{ env.CI_COMMIT_AUTHOR }}:${{ secrets.TF_DEVEX_COMMIT_GITHUB_TOKEN }}@github.com/${{ github.repository }}.git"

  release-tag:
    needs: [ update-package-version, major-version ]
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
        with:
          fetch-depth: 0
          # Default input is the SHA that initially triggered the workflow. As we created a new commit in the previous job,
          # to ensure we get the latest commit we use the ref for checkout: 'refs/heads/<branch_name>'
          ref: ${{ github.ref }}
          # Avoid persisting GITHUB_TOKEN credentials as they take priority over our service account PAT for `git push` operations
          # More details: https://github.com/actions/checkout/blob/b4626ce19ce1106186ddf9bb20e706842f11a7c3/adrs/0153-checkout-v2.md#persist-credentials
          persist-credentials: false

      - name: Git push release tag
        run: |
          git config --global user.name "${{ env.CI_COMMIT_AUTHOR }}"
          git config --global user.email "${{ env.CI_COMMIT_EMAIL }}"
          
          git tag "${{ inputs.versionNumber }}"
          git tag -f "${{ needs.major-version.outputs.version }}" 
          git push "https://${{ env.CI_COMMIT_AUTHOR }}:${{ secrets.TF_DEVEX_COMMIT_GITHUB_TOKEN }}@github.com/${{ github.repository }}.git" "${{ inputs.versionNumber }}"
          git push "https://${{ env.CI_COMMIT_AUTHOR }}:${{ secrets.TF_DEVEX_COMMIT_GITHUB_TOKEN }}@github.com/${{ github.repository }}.git" -f "${{ needs.major-version.outputs.version }}"

  release:
    needs: [ changelog-version, release-tag ]
    runs-on: ubuntu-latest
    permissions:
      contents: write # Needed to create GitHub release
    steps:
      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
        with:
          ref: ${{ inputs.versionNumber }}
          fetch-depth: 0

      - name: Generate Release Notes
        run: |
          cd .changes
          sed -e "1{/# /d;}" -e "2{/^$/d;}" ${{ needs.changelog-version.outputs.version }}.md > /tmp/release-notes.txt

      - name: GH Release
        run: |
          gh release create "${{ inputs.versionNumber }}" --notes-file /tmp/release-notes.txt --title "${{ inputs.versionNumber }}"
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}