Skip to content

Replace release workflows with scripts (v2.55 version)#953

Merged
dscho merged 6 commits into
vfs-2.55.0from
replace-release-workflows-with-scripts-2.55
Jul 9, 2026
Merged

Replace release workflows with scripts (v2.55 version)#953
dscho merged 6 commits into
vfs-2.55.0from
replace-release-workflows-with-scripts-2.55

Conversation

@dscho

@dscho dscho commented Jul 9, 2026

Copy link
Copy Markdown
Member

This PR simply ports #952 to the vfs-2.55.0 branch.

It intentionally collapses the commits to make future rebases quicker.

dscho added 6 commits July 9, 2026 10:48
Promoting a microsoft/git release into the microsoft/homebrew-git tap
used to be handled by `release-homebrew.yml`, which authenticated to
Azure via OIDC, pulled a GitHub PAT from an Azure Key Vault, and
pushed to the tap. That plumbing existed because the prior internal
guidance mandated GitHub-Actions-native federated identity to Azure
and deprecated the Azure Pipelines automation this workflow had
originally replaced.

That guidance has now reversed: federated identity from GitHub
Actions to Azure has been turned off. Rather than migrate the
automation a third time (and rebuild the full plumbing needed to
fetch a PAT via Azure Pipelines with workload identity into Key
Vault under the new rules), replace the workflow with a script the
operator runs by hand while promoting a pre-release to a full
release. The operator's own `gh auth login` session already has push
access to microsoft/homebrew-git, so the entire OIDC-to-Key-Vault
chain disappears.

The script reproduces the behaviour of the previously-used
`mjcheetham/update-homebrew@v1.5.1` action invoked with `type:
cask, alwaysUsePullRequest: false`: it locates the single
`git-*.pkg` asset for the tag, rewrites `version` and `sha256` in
the cask, commits, and pushes to the tap's default branch. The
`sha256` is taken from the asset's API-reported `digest` field
rather than recomputed locally, because microsoft/homebrew-git#102
documented cases where GitHub occasionally served the "unicorn" 500
page with a 200 status for an asset download, which then poisons
any locally computed hash.

This is the first of three such scripts (homebrew, vfsforgit,
winget) that will supersede the corresponding workflows; a
follow-up commit will delete those workflows and the local
`.github/actions/akv-secret/` composite action once all three
replacements are in place.

Assisted-by: Opus 4.7
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
For the same rationale as the preceding release-homebrew commit,
port the body of `.github/workflows/release-vfsforgit.yml` into a
POSIX-sh script that the operator invokes by hand while promoting a
pre-release to a full release. Given a release tag on microsoft/git,
the script opens a pull request against microsoft/VFSForGit that
bumps the `GIT_VERSION` default in `.github/workflows/build.yaml` so
that VFSForGit builds pick up the newly promoted release by default.

The operator's own `gh auth login` session already has push access
to microsoft/VFSForGit, so no PAT and no Key Vault-backed secret are
needed. The commit and the pull request are attributed to that user
rather than to `github-actions[bot]`, which also makes the change to
the downstream repository traceable to an identifiable human who can
be pinged for follow-up.

One portability wart worth calling out: the version bump uses the
`<in >out && mv -f out in` idiom rather than `sed -i`, because the
`-i` flag has incompatible spellings between GNU sed on Linux (which
accepts `-i` with no argument) and BSD sed on macOS (which requires
an explicit empty suffix, `-i ''`). The script is expected to run
from either platform, so it sticks to the portable form and stays
plain POSIX sh throughout.

Assisted-by: Opus 4.7
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Same rationale as the two prior scripts (release-homebrew.sh,
release-vfsforgit.sh): replace a CI-driven fan-out step with a
hand-run script that reads its GitHub token from `gh auth token`,
sidestepping the PAT/Azure Key Vault dance.

This one _must_ be run on Windows (or in WSL) because
`wingetcreate.exe`, the tool that authors the manifest and opens
the PR against microsoft/winget-pkgs, is Windows-only; the
superseded workflow already ran on `windows-latest` for that
reason, and neither the operator nor the automation ever invoked
this step from macOS or Linux.

microsoft/git tags look like `vX.Y.Z.vfs.N.M`, but winget wants a
purely dotted numeric version, so the script strips the leading
`v` and the `vfs.` segment to produce `X.Y.Z.N.M` (for example,
`v2.54.0.vfs.0.4` becomes `2.54.0.0.4`), matching what the
previous workflow emitted.

The tag is parsed with `-not ($tag -match ...)` rather than the
seemingly equivalent `-notmatch`, because PowerShell's `-notmatch`
operator does not populate the `$Matches` automatic variable, yet
the two capture groups are read as `$Matches[1]` and `$Matches[2]`
immediately afterwards. See
https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_comparison_operators
for the documented behaviour.

`wingetcreate submit` pushes to the operator's personal fork of
microsoft/winget-pkgs and opens a PR from there; if that fork is
stale, submit fails with "The forked repository could not be
synced". The script therefore issues a
`POST /repos/<user>/winget-pkgs/merge-upstream` first, and treats
a 404 as fine, since wingetcreate creates the fork on demand at
submit time when none exists.

Assisted-by: Opus 4.7
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
@dscho dscho requested a review from mjcheetham July 9, 2026 08:49
@dscho dscho self-assigned this Jul 9, 2026
@dscho dscho enabled auto-merge July 9, 2026 08:51
@dscho dscho merged commit f5917cf into vfs-2.55.0 Jul 9, 2026
152 of 153 checks passed
@dscho dscho deleted the replace-release-workflows-with-scripts-2.55 branch July 9, 2026 13:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants