.github/workflows/api-release.yml - third_party/containerd - Git at Google

 on:
   push:
     tags:
       - "api/v*" # Push events to matching api/v*, i.e. api/v1.0, api/v20.15.10

 name: API Release

 env:
   GO_VERSION: "1.24.11"

 permissions: # added using https://github.com/step-security/secure-workflows
   contents: read

 jobs:
   check:
     name: Check Signed Tag
     if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/api/v')
     runs-on: ubuntu-24.04
     timeout-minutes: 5
     outputs:
       stringver: ${{ steps.contentrel.outputs.stringver }}

     steps:
       - name: Checkout code
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           ref: ${{ github.ref }}
           path: src/github.com/containerd/containerd

       - name: Check signature
         run: |
           releasever=${{ github.ref }}
           releasever="${releasever#refs/tags/}"
           TAGCHECK=$(git tag -v ${releasever} 2>&1 >/dev/null) ||
           echo "${TAGCHECK}" | grep -q "error" && {
               echo "::error::tag ${releasever} is not a signed tag. Failing release process."
               exit 1
           } || {
               echo "Tag ${releasever} is signed."
               exit 0
           }
         working-directory: src/github.com/containerd/containerd

       - name: Release content
         id: contentrel
         run: |
           RELEASEVER=${{ github.ref }}
           echo "stringver=${RELEASEVER#refs/tags/api/v}" >> $GITHUB_OUTPUT
           git tag -l ${RELEASEVER#refs/tags/} -n20000 | tail -n +3 | cut -c 5- >release-notes.md
         working-directory: src/github.com/containerd/containerd

       - name: Save release notes
         uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
         with:
           name: containerd-release-notes
           path: src/github.com/containerd/containerd/release-notes.md

   release:
     name: Create containerd Release
     if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/api/v')
     permissions:
       contents: write
     runs-on: ubuntu-24.04
     timeout-minutes: 10
     needs: [check]
     steps:
       - name: Download release notes
         uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
         with:
           path: builds
       - name: Create Release
         uses: softprops/action-gh-release@6da8fa9354ddfdc4aeace5fc48d7f679b5214090 # v2.4.1
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           fail_on_unmatched_files: true
           name: containerd API ${{ needs.check.outputs.stringver }}
           draft: false
           make_latest: false
           prerelease: ${{ contains(github.ref, 'beta') || contains(github.ref, 'rc') }}
           body_path: ./builds/release-notes.md
	on:
	push:
	tags:
	- "api/v" # Push events to matching api/v, i.e. api/v1.0, api/v20.15.10

	name: API Release

	env:
	GO_VERSION: "1.24.11"

	permissions: # added using https://github.com/step-security/secure-workflows
	contents: read

	jobs:
	check:
	name: Check Signed Tag
	if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/api/v')
	runs-on: ubuntu-24.04
	timeout-minutes: 5
	outputs:
	stringver: ${{ steps.contentrel.outputs.stringver }}

	steps:
	- name: Checkout code
	uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
	with:
	ref: ${{ github.ref }}
	path: src/github.com/containerd/containerd

	- name: Check signature
	run: \|
	releasever=${{ github.ref }}
	releasever="${releasever#refs/tags/}"
	TAGCHECK=$(git tag -v ${releasever} 2>&1 >/dev/null) \|\|
	echo "${TAGCHECK}" \| grep -q "error" && {
	echo "::error::tag ${releasever} is not a signed tag. Failing release process."
	exit 1
	} \|\| {
	echo "Tag ${releasever} is signed."
	exit 0
	}
	working-directory: src/github.com/containerd/containerd

	- name: Release content
	id: contentrel
	run: \|
	RELEASEVER=${{ github.ref }}
	echo "stringver=${RELEASEVER#refs/tags/api/v}" >> $GITHUB_OUTPUT
	git tag -l ${RELEASEVER#refs/tags/} -n20000 \| tail -n +3 \| cut -c 5- >release-notes.md
	working-directory: src/github.com/containerd/containerd

	- name: Save release notes
	uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
	with:
	name: containerd-release-notes
	path: src/github.com/containerd/containerd/release-notes.md

	release:
	name: Create containerd Release
	if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/api/v')
	permissions:
	contents: write
	runs-on: ubuntu-24.04
	timeout-minutes: 10
	needs: [check]
	steps:
	- name: Download release notes
	uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
	with:
	path: builds
	- name: Create Release
	uses: softprops/action-gh-release@6da8fa9354ddfdc4aeace5fc48d7f679b5214090 # v2.4.1
	with:
	token: ${{ secrets.GITHUB_TOKEN }}
	fail_on_unmatched_files: true
	name: containerd API ${{ needs.check.outputs.stringver }}
	draft: false
	make_latest: false
	prerelease: ${{ contains(github.ref, 'beta') \|\| contains(github.ref, 'rc') }}
	body_path: ./builds/release-notes.md