diff --git a/.github/workflows/create-release.yml b/.github/workflows/create-release.yml
index f95a1e00..9488bc9c 100644
--- a/.github/workflows/create-release.yml
+++ b/.github/workflows/create-release.yml
@@ -34,3 +34,19 @@ jobs:
 env:
 TAG: ${{ inputs.tag }}
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ publish:
+ needs: create-release
+ uses: bazel-contrib/publish-to-bcr/.github/workflows/publish.yaml@v1.0.0
+ with:
+ tag_name: ${{ inputs.tag }}
+ registry_fork: bazelbuild/bazel-central-registry
+ # TODO: Enable attestations once supported
+ # https://github.com/bazel-contrib/publish-to-bcr/issues/342
+ attest: false
+ secrets:
+ publish_token: ${{ secrets.BCR_PUBLISH_TOKEN }}
+ permissions:
+ attestations: write
+ contents: write
+ id-token: write
diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
deleted file mode 100644
index 76467c4c..00000000
--- a/.github/workflows/publish.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-# Publish new releases to Bazel Central Registry.
-# Uses reusable workflow from https://github.com/bazel-contrib/publish-to-bcr
-name: Publish to BCR
-on:
- # Run the publish workflow after a successful release
- # Will be triggered from the release.yaml workflow
- workflow_call:
- inputs:
- tag_name:
- required: true
- type: string
- # In case of problems, let release engineers retry by manually dispatching
- # the workflow from the GitHub UI
- workflow_dispatch:
- inputs:
- tag_name:
- description: git tag being released
- required: true
- type: string
-jobs:
- publish:
- uses: bazel-contrib/publish-to-bcr/.github/workflows/publish.yaml@v1.0.0
- with:
- tag_name: ${{ inputs.tag_name }}
- registry_fork: bazelbuild/bazel-central-registry
- # We don't have a token that has permission to publish a pr to the bazelbuild GH org
- open_pull_request: false
- permissions:
- attestations: write
- contents: write
- id-token: write
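Review bot: The new `publish` job in create-release.yml hands `secrets.BCR_PUBLISH_TOKEN`, together with `contents: write` and `id-token: write`, to a reusable workflow referenced by the movable tag `@v1.0.0`, so the code that receives the publish credential can change upstream without any change in this repository. The deleted publish.yaml used the same ref, but it passed no secret and set `open_pull_request: false`, so this exposure is new with the change. Consider pinning to the reviewed commit, e.g. `uses: bazel-contrib/publish-to-bcr/.github/workflows/publish.yaml@<full-commit-sha> # v1.0.0` (placeholder; first confirm the upstream workflow does not require a tag ref), and keep the token scoped to the registry repository named in `registry_fork` only. With `attest: false`, the `attestations: write` and `id-token: write` grants look unused; if the called workflow does not require them from the caller, drop them until issue 342 is resolved.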