From 3676b37d146cc4c4089e179284872473bc82797f Mon Sep 17 00:00:00 2001 From: Josh Gross Date: Mon, 30 Mar 2026 16:24:20 -0400 Subject: [PATCH 1/3] Update release workflow to support re-publishing existing releases --- .github/workflows/release.yml | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 84583fcb..fe0a65f5 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -2,6 +2,12 @@ name: Release on: workflow_dispatch: + inputs: + version: + description: >- + Existing version tag to re-publish (e.g. v0.200.0). + Leave empty to bump and release a new version. + required: false jobs: release: @@ -22,16 +28,25 @@ jobs: git config user.name "planetscale-actions-bot" git config user.email "60239337+planetscale-actions-bot@users.noreply.github.com" + - name: Checkout existing tag + if: inputs.version != '' + run: git checkout "refs/tags/${{ inputs.version }}" + - name: Bump version and push tag + if: inputs.version == '' id: bump env: GITHUB_TOKEN: ${{ secrets.RELEASE_GITHUB_TOKEN }} run: script/bump-version.sh + - name: Resolve version + id: version + run: echo "tag=${{ inputs.version || steps.bump.outputs.RELEASE_VERSION }}" >> "$GITHUB_OUTPUT" + - name: Publish artifacts env: GITHUB_TOKEN: ${{ secrets.RELEASE_GITHUB_TOKEN }} - GORELEASER_CURRENT_TAG: ${{ steps.bump.outputs.RELEASE_VERSION }} + GORELEASER_CURRENT_TAG: ${{ steps.version.outputs.tag }} DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }} DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }} AUR_KEY: ${{ secrets.AUR_KEY }} From e30a968d7c01ea0abcb860e2d4f58d5c82a43e3d Mon Sep 17 00:00:00 2001 From: Josh Gross Date: Mon, 30 Mar 2026 16:35:00 -0400 Subject: [PATCH 2/3] Document how to republish a release --- .github/workflows/release.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) 
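Review bot: The `version` input reaches `git checkout` in the new `Checkout existing tag` step, and later `GORELEASER_CURRENT_TAG`, without any check on its shape. A first step in the re-publish path that rejects anything other than a release tag would make a typo or a multi-line value fail early rather than inside the publish step, e.g. `[[ "$VERSION" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]] || { echo "invalid version" >&2; exit 1; }` with `VERSION` supplied through `env:`. The pattern is inferred from the `v0.200.0` example in the input description and would need widening if pre-release tags are ever published. Whether the tag is present in the local clone depends on the `with:` block of actions/checkout, which is outside this hunk.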
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index fe0a65f5..ba9ab36c 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -11,11 +11,17 @@ on: jobs: release: - if: github.ref == 'refs/heads/main' + # This workflow should always be run on main - this is enforced by the + # `release` environment directly but added here for visibility. + # If the workflow fails during publishing, run a new workflow + # with the `version` that needs to be published. + if: github.ref == 'refs/heads/main' && github.run_attempt == '1' + runs-on: ubuntu-latest environment: release permissions: contents: read + steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: From 1b78e725419c6a8446598908a48bd30142da20a2 Mon Sep 17 00:00:00 2001 From: Josh Gross Date: Mon, 30 Mar 2026 16:36:45 -0400 Subject: [PATCH 3/3] Avoid potential script injections --- .github/workflows/release.yml | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index ba9ab36c..08bbc5f4 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -36,7 +36,9 @@ jobs: - name: Checkout existing tag if: inputs.version != '' - run: git checkout "refs/tags/${{ inputs.version }}" + run: git checkout "refs/tags/$VERSION" + env: + VERSION: ${{ inputs.version }} - name: Bump version and push tag if: inputs.version == '' 
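Review bot: The added comment explains the `refs/heads/main` half of the job condition but not the new `github.run_attempt == '1'` half, so a re-run that ends as "skipped" will read as a misconfiguration. Presumably re-runs are blocked because `script/bump-version.sh` would push another tag on a second attempt; if that is the reason, state it next to the condition, for example `# Re-runs (run_attempt > 1) are skipped on purpose: a re-run would bump the version again.` The job body continues outside the hunk.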
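Review bot: The `Checkout existing tag` step checks out whatever commit the tag names, with no check that the commit is part of main. The later publish step then runs that tree's release configuration with `RELEASE_GITHUB_TOKEN`, `DOCKER_PASSWORD` and `AUR_KEY` in scope. The job-level `github.ref == 'refs/heads/main'` condition (outside this hunk) constrains which workflow file runs, not which tagged commit is built. Consider refusing tags that are not reachable from main, e.g. `git merge-base --is-ancestor "refs/tags/$VERSION" origin/main || exit 1`. This needs enough history fetched by the checkout step, whose `with:` block is not visible here.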
@@ -47,12 +49,15 @@ jobs: - name: Resolve version id: version - run: echo "tag=${{ inputs.version || steps.bump.outputs.RELEASE_VERSION }}" >> "$GITHUB_OUTPUT" + env: + INPUT_VERSION: ${{ inputs.version }} + BUMP_VERSION: ${{ steps.bump.outputs.RELEASE_VERSION }} + run: echo "TAG=${INPUT_VERSION:-$BUMP_VERSION}" >> "$GITHUB_OUTPUT" - name: Publish artifacts env: GITHUB_TOKEN: ${{ secrets.RELEASE_GITHUB_TOKEN }} - GORELEASER_CURRENT_TAG: ${{ steps.version.outputs.tag }} + GORELEASER_CURRENT_TAG: ${{ steps.version.outputs.TAG }} DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }} DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }} AUR_KEY: ${{ secrets.AUR_KEY }}
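Review bot: `Resolve version` writes `TAG=` with no value when both `INPUT_VERSION` and `BUMP_VERSION` are empty, for instance if `script/bump-version.sh` exits successfully without setting `RELEASE_VERSION`. `Publish artifacts` then runs with an empty `GORELEASER_CURRENT_TAG`. A guard before the `echo` makes that case fail in this step instead: `[ -n "${INPUT_VERSION:-$BUMP_VERSION}" ] || { echo "no release tag resolved" >&2; exit 1; }`. The `run:` would become a block scalar (`run: |`) to hold both lines. The publish step's `env:` block continues past the end of the hunk.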