Split release workflow into multiple dependent jobs

alcaeus · alcaeus · commit 3a2e1fe50976 · 2024-06-10T12:42:44.000+02:00
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -124,13 +124,54 @@ jobs:
       - name: "Push release tag"
         run: git push origin ${{ inputs.version }}
 
-      # Trigger a static analysis run to have up-to-date code scanning results for this tag
+      - name: "Set summary"
+        run: |
+          echo '🚀 Created tag and drafted release for version [${{ inputs.version }}](${{ env.RELEASE_URL }})' >> $GITHUB_STEP_SUMMARY
+          echo '✍️ You may now update the release notes and publish the release when ready' >> $GITHUB_STEP_SUMMARY
+
+  static-analysis:
+    needs: prepare-release
+    environment: release
+    name: "Run Static Analysis"
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: read
+      id-token: write
+      contents: write
+
+    steps:
       - name: "Run static analysis"
         uses: ./.github/workflows/static-analysis.yml
         with:
-          ref: "refs/tags/${{ inputs.version }}"
+          ref: refs/tags/${{ inputs.version }}
+
+  publish-ssdlc-assets:
+    needs: static-analysis
+    environment: release
+    name: "Publish SSDLC Assets"
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: read
+      id-token: write
+      contents: write
+
+    steps:
+      - name: "Create temporary app token"
+        uses: actions/create-github-app-token@v1
+        id: app-token
+        with:
+          app-id: ${{ vars.APP_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
+
+      - name: "Store GitHub token in environment"
+        run: echo "GH_TOKEN=${{ steps.app-token.outputs.token }}" >> "$GITHUB_ENV"
+        shell: bash
+
+      - uses: actions/checkout@v4
+        with:
+          ref: refs/tags/${{ inputs.version }}
+          token: ${{ env.GH_TOKEN }}
 
-      # SSDLC due diligence
       - name: "Generate authorized publication document"
         uses: mongodb-labs/drivers-github-tools/authorized-pub@v2
         with:
@@ -165,8 +206,3 @@ jobs:
         with:
           version: ${{ inputs.version }}
           product_name: mongo-php-library
-
-      - name: "Set summary"
-        run: |
-          echo '🚀 Created tag and drafted release for version [${{ inputs.version }}](${{ env.RELEASE_URL }})' >> $GITHUB_STEP_SUMMARY
-          echo '✍️ You may now update the release notes and publish the release when ready' >> $GITHUB_STEP_SUMMARY
