1919 tag :
2020 required : true
2121 type : string
22- description : " The core SDK tag. Must be of the form 'v<MAJOR>.<MINOR>.<PATCH>'. Required for core, cli, and all."
23- symcc_tag :
22+ description : " The tag to release from."
23+ core_version :
24+ required : true
25+ type : string
26+ description : " The core crate version. Must be of the form '<MAJOR>.<MINOR>.<PATCH>'. Required for all targets."
27+ symcc_version :
28+ required : false
29+ type : string
30+ description : " The symcc crate version. Must be of the form '<MAJOR>.<MINOR>.<PATCH>'. Required for symcc and all."
31+ # For now, cli_version is the same as core_version (they share the workspace version).
32+ cli_version :
2433 required : false
2534 type : string
26- description : " The symcc tag . Must be of the form 'cedar-policy-symcc-v <MAJOR>.<MINOR>.<PATCH>'. Required for symcc and all."
35+ description : " The CLI crate version . Must be of the form '<MAJOR>.<MINOR>.<PATCH>'. Required for cli and all."
2736# Declare default permissions as read only.
2837permissions : read-all
2938jobs :
30- validate-core :
31- if : inputs.target == 'core' || inputs.target == 'cli' || inputs.target == 'all'
32- uses : ./.github/workflows/publish_reusable.yml
33- with :
34- tag : ${{ inputs.tag }}
35- tag_prefix : " v"
36- version_toml_path : " Cargo.toml"
37- version_toml_key : " workspace.package.version"
38- validate-symcc :
39- if : inputs.target == 'symcc'
40- uses : ./.github/workflows/publish_reusable.yml
41- with :
42- tag : ${{ inputs.symcc_tag }}
43- tag_prefix : " cedar-policy-symcc-v"
44- version_toml_path : " ./cedar-policy-symcc/Cargo.toml"
45- version_toml_key : " package.version"
46- validate-symcc-version :
47- if : inputs.target == 'all'
48- needs : [validate-core]
39+ validate :
4940 runs-on : ubuntu-latest
5041 steps :
51- - name : Validate symcc_tag input
42+ # Check that this workflow was triggered from the 'main' branch.
43+ - name : Validate branch
44+ if : github.ref != 'refs/heads/main'
45+ uses : actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
46+ with :
47+ script : core.setFailed('This workflow must be triggered from the "main" branch.')
48+ # Check that the input tag is well-formed.
49+ # For core, cli and all, we expect a tag "v<MAJOR>.<MINOR>.<PATCH>"
50+ # For symcc, we expect a tag "cedar-policy-symcc-v0.<MINOR>.<PATCH>"
51+ # Note the explicit 0: the process will need changing once symcc is stable.
52+ - name : Validate tag
5253 run : |
53- REGEX_PATTERN="^cedar-policy-symcc-v[0-9]+\.[0-9]+\.[0-9]+$"
54- if [[ ! "$TAG_NAME" =~ $REGEX_PATTERN ]]; then
55- echo "symcc_tag must match $REGEX_PATTERN"
56- exit 1
57- fi
54+ CORE_TAG_PATTERN="^v[0-9]+\.[0-9]+\.[0-9]+$"
55+ SYMCC_TAG_PATTERN="^cedar-policy-symcc-v0\.[0-9]+\.[0-9]+$"
56+ case "$TARGET" in
57+ # For now, cli tag format is the same as core.
58+ # This should change if we want independent cli releases,
59+ # in which case we can match against two possibilities.
60+ core|cli|all)
61+ if [[ ! "$TAG" =~ $CORE_TAG_PATTERN ]]; then
62+ echo "::error::tag must match $CORE_TAG_PATTERN for target '$TARGET'"
63+ exit 1
64+ fi
65+ ;;
66+ symcc)
67+ if [[ ! "$TAG" =~ $SYMCC_TAG_PATTERN ]]; then
68+ echo "::error::tag must match $SYMCC_TAG_PATTERN for target '$TARGET'"
69+ exit 1
70+ fi
71+ ;;
72+ esac
5873env :
59- TAG_NAME : ${{ inputs.symcc_tag }}
74+ TARGET : ${{ inputs.target }}
75+ TAG : ${{ inputs.tag }}
76+ # Check the combination of inputs given is valid:
77+ # - core version is always required, and must match semver. We use core to either
78+ # . validate the branch is in a good state with the expected core version dependency,
79+ # . or for actually checking the core version we are releasing.
80+ # - symcc version is required for symcc and all targets, and must match semver pattern.
81+ # - cli version is required for cli and all, and must match semver pattern.
82+ - name : Validate inputs
83+ run : |
84+ SEMVER_PATTERN="^[0-9]+\.[0-9]+\.[0-9]+$"
85+ errors=()
86+
87+ # core_version is always required and must be semver.
88+ if [[ -z "$CORE_VERSION" ]]; then
89+ errors+=("core_version is required for all targets.")
90+ elif [[ ! "$CORE_VERSION" =~ $SEMVER_PATTERN ]]; then
91+ errors+=("core_version must match $SEMVER_PATTERN")
92+ fi
93+
94+ # symcc_version is required for symcc and all.
95+ if [[ "$TARGET" == "symcc" || "$TARGET" == "all" ]]; then
96+ if [[ -z "$SYMCC_VERSION" ]]; then
97+ errors+=("symcc_version is required for target '$TARGET'.")
98+ elif [[ ! "$SYMCC_VERSION" =~ $SEMVER_PATTERN ]]; then
99+ errors+=("symcc_version must match $SEMVER_PATTERN")
100+ fi
101+ fi
102+
103+ # cli_version is required for cli and all.
104+ if [[ "$TARGET" == "cli" || "$TARGET" == "all" ]]; then
105+ if [[ -z "$CLI_VERSION" ]]; then
106+ errors+=("cli_version is required for target '$TARGET'.")
107+ elif [[ ! "$CLI_VERSION" =~ $SEMVER_PATTERN ]]; then
108+ errors+=("cli_version must match $SEMVER_PATTERN")
109+ fi
110+ fi
111+
112+ if [[ ${#errors[@]} -gt 0 ]]; then
113+ for err in "${errors[@]}"; do
114+ echo "::error::$err"
115+ done
116+ exit 1
117+ fi
118+ env :
119+ TARGET : ${{ inputs.target }}
120+ CORE_VERSION : ${{ inputs.core_version }}
121+ SYMCC_VERSION : ${{ inputs.symcc_version }}
122+ CLI_VERSION : ${{ inputs.cli_version }}
60123 - name : Checkout tag
61124 uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
62125 with :
63- ref : refs/tags/${{ inputs.tag }}
126+ ref : refs/tags/${{ inputs.tag }}
64127 - name : Configure rust toolchain
65128 run : rustup update stable && rustup default stable
66129 - name : Install toml-cli
67130 run : cargo install toml-cli --locked
68- - name : Validate symcc version
69- run : test "cedar-policy-symcc-v$(toml get --raw ./cedar-policy-symcc/Cargo.toml package.version)" = "$SYMCC_TAG"
131+
132+ # For all targets, we validate the core version in the code for the given tag
133+ - name : Validate core version against Cargo.toml for given tag
134+ run : |
135+ ACTUAL=$(toml get --raw Cargo.toml workspace.package.version)
136+ if [[ "$ACTUAL" != "$CORE_VERSION" ]]; then
137+ echo "::error::core_version mismatch: input '$CORE_VERSION' but Cargo.toml has '$ACTUAL'"
138+ exit 1
139+ fi
140+ env :
141+ CORE_VERSION : ${{ inputs.core_version }}
142+
143+ # For symcc and all targets, we validate the symcc version for the given tag
144+ - name : Validate symcc version against Cargo.toml for given tag
145+ if : inputs.target == 'symcc' || inputs.target == 'all'
146+ run : |
147+ ACTUAL=$(toml get --raw ./cedar-policy-symcc/Cargo.toml package.version)
148+ if [[ "$ACTUAL" != "$SYMCC_VERSION" ]]; then
149+ echo "::error::symcc_version mismatch: input '$SYMCC_VERSION' but Cargo.toml has '$ACTUAL'"
150+ exit 1
151+ fi
70152env :
71- SYMCC_TAG : ${{ inputs.symcc_tag }}
153+ SYMCC_VERSION : ${{ inputs.symcc_version }}
154+
155+ # For now, cli_version is the same as core_version (they share the workspace version).
156+ # We still additionally validate the cli version for the given tag.
157+ # Note: cedar-policy-cli inherits its version from the workspace (version.workspace = true),
158+ # so we validate against the workspace version in the root Cargo.toml.
159+ - name : Validate cli version against Cargo.toml
160+ if : inputs.target == 'cli' || inputs.target == 'all'
161+ run : |
162+ ACTUAL=$(toml get --raw Cargo.toml workspace.package.version)
163+ if [[ "$ACTUAL" != "$CLI_VERSION" ]]; then
164+ echo "::error::cli_version mismatch: input '$CLI_VERSION' but workspace version is '$ACTUAL'"
165+ exit 1
166+ fi
167+ env :
168+ CLI_VERSION : ${{ inputs.cli_version }}
72169 publish-core :
73170 if : inputs.target == 'core'
74- needs : [validate-core]
171+ needs : [validate]
172+ # Validate succeeded for core:
173+ # - the given tag matches the core tag format (i.e. tag is v<MAJOR>.<MINOR>.<PATCH>)
174+ # - the workspace version in the root Cargo.toml is the provided core version
75175 runs-on : ubuntu-latest
76- environment : release
176+ environment : release # See https://github.com/cedar-policy/cedar/settings/environments
77177 permissions :
78- id-token : write
178+ id-token : write # Required for OIDC token exchange
79179 steps :
80180 - name : Checkout tag
81181 uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
82182 with :
83- ref : refs/tags/${{ inputs.tag }}
183+ ref : refs/tags/${{ inputs.tag }}
84184 - name : Configure rust toolchain
85185 run : rustup update stable && rustup default stable
86186 - name : Authenticate with crates.io
87187 id : auth
88188 uses : rust-lang/crates-io-auth-action@bbd81622f20ce9e2dd9622e3218b975523e45bbe # v1.0.4
89189 - name : Publish to crates.io
90190 # Order matters: dependencies must be listed before dependents.
91- run : cargo publish -p cedar-policy-core -p cedar-policy-formatter -p cedar-policy
191+ # cedar-policy-validator is conditionally published for backwards compatibility.
192+ # If we ever need to publish it again, use the core target.
193+ run : |
194+ if [ -f "cedar-policy-validator/Cargo.toml" ]; then
195+ cargo publish -p cedar-policy-core -p cedar-policy-validator -p cedar-policy-formatter -p cedar-policy
196+ else
197+ cargo publish -p cedar-policy-core -p cedar-policy-formatter -p cedar-policy
198+ fi
92199env :
93- CARGO_REGISTRY_TOKEN : ${{ steps.auth.outputs.token }}
200+ CARGO_REGISTRY_TOKEN : ${{ steps.auth.outputs.token }}
94201 publish-symcc :
95202 if : inputs.target == 'symcc'
96- needs : [validate-symcc]
203+ needs : [validate]
204+ # Validate succeeded for symcc:
205+ # - the given tag matches the symcc tag format (i.e. tag is cedar-policy-symcc-v0.<MINOR>.<PATCH>)
206+ # - the workspace version in the root Cargo.toml is the provided core version
207+ # - the version of the symcc package in its Cargo.toml is the provided symcc version
97208 runs-on : ubuntu-latest
98- environment : release
209+ environment : release # See https://github.com/cedar-policy/cedar/settings/environments
99210 permissions :
100- id-token : write
211+ id-token : write # Required for OIDC token exchange
101212 steps :
102213 - name : Checkout tag
103214 uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
104215 with :
105- ref : refs/tags/${{ inputs.symcc_tag }}
216+ ref : refs/tags/${{ inputs.tag }}
106217 - name : Configure rust toolchain
107218 run : rustup update stable && rustup default stable
108219 - name : Authenticate with crates.io
@@ -111,19 +222,23 @@ jobs:
111222 - name : Publish to crates.io
112223 run : cargo publish -p cedar-policy-symcc
113224 env :
114- CARGO_REGISTRY_TOKEN : ${{ steps.auth.outputs.token }}
225+ CARGO_REGISTRY_TOKEN : ${{ steps.auth.outputs.token }}
115226 publish-cli :
116227 if : inputs.target == 'cli'
117- needs : [validate-core]
228+ needs : [validate]
229+ # Validate succeeded for cli:
230+ # - the given tag matches the core tag format (i.e. tag is v<MAJOR>.<MINOR>.<PATCH>)
231+ # - the workspace version in the root Cargo.toml is the provided core version
232+ # - the workspace version in the root Cargo.toml is the provided cli version
118233 runs-on : ubuntu-latest
119- environment : release
234+ environment : release # See https://github.com/cedar-policy/cedar/settings/environments
120235 permissions :
121- id-token : write
236+ id-token : write # Required for OIDC token exchange
122237 steps :
123238 - name : Checkout tag
124239 uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
125240 with :
126- ref : refs/tags/${{ inputs.tag }}
241+ ref : refs/tags/${{ inputs.tag }}
127242 - name : Configure rust toolchain
128243 run : rustup update stable && rustup default stable
129244 - name : Authenticate with crates.io
@@ -132,19 +247,24 @@ jobs:
132247 - name : Publish to crates.io
133248 run : cargo publish -p cedar-policy-cli
134249 env :
135- CARGO_REGISTRY_TOKEN : ${{ steps.auth.outputs.token }}
250+ CARGO_REGISTRY_TOKEN : ${{ steps.auth.outputs.token }}
136251 publish-all :
137252 if : inputs.target == 'all'
138- needs : [validate-core, validate-symcc-version]
253+ needs : [validate]
254+ # Validate succeeded for all:
255+ # - the given tag matches the core tag format (i.e. tag is v<MAJOR>.<MINOR>.<PATCH>)
256+ # - the workspace version in the root Cargo.toml is the provided core version
257+ # - the version of the symcc package in its Cargo.toml is the provided symcc version
258+ # - the workspace version in the root Cargo.toml is the provided cli version
139259 runs-on : ubuntu-latest
140- environment : release
260+ environment : release # See https://github.com/cedar-policy/cedar/settings/environments
141261 permissions :
142- id-token : write
262+ id-token : write # Required for OIDC token exchange
143263 steps :
144264 - name : Checkout tag
145265 uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
146266 with :
147- ref : refs/tags/${{ inputs.tag }}
267+ ref : refs/tags/${{ inputs.tag }}
148268 - name : Configure rust toolchain
149269 run : rustup update stable && rustup default stable
150270 - name : Authenticate with crates.io
@@ -154,4 +274,4 @@ jobs:
154274 # Order matters: dependencies must be listed before dependents.
155275 run : cargo publish -p cedar-policy-core -p cedar-policy-formatter -p cedar-policy -p cedar-policy-symcc -p cedar-policy-cli
156276 env :
157- CARGO_REGISTRY_TOKEN : ${{ steps.auth.outputs.token }}
277+ CARGO_REGISTRY_TOKEN : ${{ steps.auth.outputs.token }}
0 commit comments