| name: Release (Bazel) |
| on: |
| # Allow manual triggering from GH UI |
| workflow_dispatch: |
| inputs: |
| tag_name: |
| required: true |
| type: string |
| # Automated trigger from the release.yaml workflow |
| workflow_call: |
| inputs: |
| tag_name: |
| required: true |
| type: string |
| secrets: |
| BCR_PUBLISH_TOKEN: |
| description: 'Token for pushing to re2-machine/bazel-central-registry' |
| required: true |
| jobs: |
| release: |
| uses: bazel-contrib/publish-to-bcr/.github/workflows/publish.yaml@v0.2.2 |
| with: |
| draft: false |
| tag_name: ${{ inputs.tag_name }} |
| registry_fork: re2-machine/bazel-central-registry |
| # NOTE: To use attest: true, we need a signed intoto.jsonl file, |
| # but that appears to require using |
| # the release_ruleset support described on |
| # https://github.com/bazel-contrib/publish-to-bcr?tab=readme-ov-file#attesation-support |
| # but that requires a release_prep.sh file, |
| # and an override on the test command, |
| # and may insist on doing the release upload of the source zip |
| # (which we do ourselves separately), |
| # and possibly more problems I didn't hit because I gave up. |
| attest: false # too hard to generate the intoto.jsonl file |
| permissions: |
| contents: write |
| id-token: write |
| attestations: write |
| secrets: |
| # Necessary to push to the BCR fork, and to open a pull request against a registry |
| publish_token: ${{ secrets.BCR_PUBLISH_TOKEN }} |
