From 02846d5868bc45e626660c09295e5c0838a41395 Mon Sep 17 00:00:00 2001 From: Jason Varga Date: Wed, 10 Jun 2026 15:35:30 -0400 Subject: [PATCH 1/2] Build and tag release assets in CI instead of composer-dist-plugin Replaces the pixelfear/composer-dist-plugin install-time dist fetch with a workflow_dispatch release that builds the assets into an off-branch commit and tags it, so the compiled dist ships inside the Packagist zip. Co-Authored-By: Claude Opus 4.8 --- .gitattributes | 12 +++++ .github/workflows/release.yml | 85 ++++++++++++++++++++++++++++------- composer.json | 22 +-------- scripts/build-release.sh | 13 +----- 4 files changed, 85 insertions(+), 47 deletions(-) diff --git a/.gitattributes b/.gitattributes index 4082132ee33..4b6ebdc754e 100644 --- a/.gitattributes +++ b/.gitattributes @@ -1,5 +1,17 @@ * text=auto *.php eol=lf + +# Compiled CP assets — shipped in the Composer zip, but marked generated for GitHub tooling +/resources/dist/**/* linguist-generated=true +/resources/dist-dev/**/* linguist-generated=true +/resources/dist-frontend/**/* linguist-generated=true +/resources/dist-package/**/* linguist-generated=true + +# Source JS/CSS/TS — not needed by consumers; export-ignore keeps the Composer zip lean +/resources/js export-ignore +/resources/css export-ignore +/packages export-ignore + /.github export-ignore /tests export-ignore .babelrc export-ignore diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 25dbfc50015..1fa961b8626 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -1,22 +1,61 @@ name: Create Release on: # zizmor: ignore[concurrency-limits] - push: - tags: - - 'v*' + workflow_dispatch: + inputs: + version: + description: 'Release version (e.g. v6.2.0)' + required: true + type: string + source-ref: + description: 'Branch to build and tag from' + required: true + default: '6.x' + type: choice + options: + - 6.x + - 5.x + - master permissions: {} jobs: - build: # zizmor: ignore[anonymous-definition] + release: # zizmor: ignore[anonymous-definition] runs-on: ubuntu-latest - permissions: - contents: write # create GitHub release and upload assets + environment: release + permissions: {} # all writes go through the App token; GITHUB_TOKEN needs no scopes steps: - - name: Checkout code + - name: Validate version format + env: + VERSION: ${{ inputs.version }} + run: | + if ! printf '%s' "$VERSION" | grep -qE '^v[0-9]+\.[0-9]+\.[0-9]+'; then + echo "::error::Version must match v#.#.# format (got: $VERSION)" + exit 1 + fi + + - name: Get release bot token + id: app-token + uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 + with: + app-id: ${{ secrets.RELEASE_APP_ID }} + private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }} + + - name: Checkout source ref uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: - persist-credentials: false + ref: ${{ inputs.source-ref }} + token: ${{ steps.app-token.outputs.token }} + persist-credentials: true # zizmor: ignore[artipacked] App token is needed to push the tag + + - name: Assert tag does not already exist + env: + VERSION: ${{ inputs.version }} + run: | + if git ls-remote --tags origin "$VERSION" | grep -q .; then + echo "::error::Tag $VERSION already exists on remote. Aborting." + exit 1 + fi - name: Use Node.js 20.19.0 uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 @@ -30,25 +69,41 @@ jobs: - name: Build release assets run: bash ./scripts/build-release.sh + - name: Create the build commit + env: + VERSION: ${{ inputs.version }} + run: | + git config user.name "statamic-release-bot[bot]" + git config user.email "statamic-release-bot[bot]@users.noreply.github.com" + git add --force \ + resources/dist \ + resources/dist-dev \ + resources/dist-frontend \ + resources/dist-package + git commit -m "Build assets for $VERSION" + + - name: Tag and push the build commit + env: + VERSION: ${{ inputs.version }} + run: | + git tag "$VERSION" + git push origin "$VERSION" + - name: Get Changelog id: changelog uses: statamic/changelog-action@5d112d0d790cdeeb5adca3e584e37edc474ab51b # v1.0.2 with: - version: ${{ github.ref }} + version: ${{ inputs.version }} - name: Create release env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ steps.app-token.outputs.token }} RELEASE_VERSION: ${{ steps.changelog.outputs.version }} RELEASE_NOTES: ${{ steps.changelog.outputs.text }} run: | gh release create "$RELEASE_VERSION" \ --title "$RELEASE_VERSION" \ - --notes "$RELEASE_NOTES" \ - ./resources/dist.tar.gz \ - ./resources/dist-dev.tar.gz \ - ./resources/dist-frontend.tar.gz \ - ./resources/dist-package.tar.gz + --notes "$RELEASE_NOTES" - name: Deploy Storybook to Forge continue-on-error: true diff --git a/composer.json b/composer.json index b287fe28eb7..910d28b14e1 100644 --- a/composer.json +++ b/composer.json @@ -24,7 +24,6 @@ "maennchen/zipstream-php": "^3.1", "michelf/php-smartypants": "^1.8.1", "nesbot/carbon": "^3.0", - "pixelfear/composer-dist-plugin": "^0.1.4", "pragmarx/google2fa": "^8.0 || ^9.0", "rebing/graphql-laravel": "^9.15", "rhukster/dom-sanitizer": "^1.0.10", @@ -63,29 +62,10 @@ "preferred-install": "dist", "sort-packages": true, "allow-plugins": { - "composer/package-versions-deprecated": true, - "pixelfear/composer-dist-plugin": true + "composer/package-versions-deprecated": true } }, "extra": { - "download-dist": [ - { - "url": "https://github.com/statamic/cms/releases/download/{$version}/dist.tar.gz", - "path": "resources/dist" - }, - { - "url": "https://github.com/statamic/cms/releases/download/{$version}/dist-dev.tar.gz", - "path": "resources/dist-dev" - }, - { - "url": "https://github.com/statamic/cms/releases/download/{$version}/dist-frontend.tar.gz", - "path": "resources/dist-frontend" - }, - { - "url": "https://github.com/statamic/cms/releases/download/{$version}/dist-package.tar.gz", - "path": "resources/dist-package" - } - ], "laravel": { "providers": [ "Statamic\\Providers\\StatamicServiceProvider" diff --git a/scripts/build-release.sh b/scripts/build-release.sh index dc9f6cacad8..e3af82e2c51 100644 --- a/scripts/build-release.sh +++ b/scripts/build-release.sh @@ -10,16 +10,7 @@ npm run build npm run build-dev npm run frontend-build -# Create tarballs for the Laravel package -cd resources -tar -czvf dist.tar.gz dist -tar -czvf dist-dev.tar.gz dist-dev -tar -czvf dist-frontend.tar.gz dist-frontend -cd .. - -# Create a tarball for @statamic/cms +# Populate resources/dist-package from packages/cms cp resources/css/ui.css packages/cms/src/ui.css -cd packages/cms -tar -czvf ../../resources/dist-package.tar.gz * -cd ../.. +rsync -a --delete packages/cms/ resources/dist-package/ From c583b4eb243f03054cd880bad4806b71db3943da Mon Sep 17 00:00:00 2001 From: Jason Varga Date: Wed, 10 Jun 2026 15:44:57 -0400 Subject: [PATCH 2/2] Scope the release bot token to contents Narrows the minted App installation token to only the contents permission it needs, instead of inheriting all installation permissions. Co-Authored-By: Claude Opus 4.8 --- .github/workflows/release.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 1fa961b8626..5a58b984e37 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -40,6 +40,7 @@ jobs: with: app-id: ${{ secrets.RELEASE_APP_ID }} private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }} + permission-contents: write - name: Checkout source ref uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2