This repository is an example of a release workflow using GitHub Actions and branches protection. The Action uses deploy keys to merge and tag releases on the protected main branch.
It has 2 permanent branches:
- `main`, the default branch, protected with the following rulesets:
  - Restrict updates
  - Restrict deletions
- `develop`, the development branch against which PRs are opened, protected with the following rulesets:
  - Restrict deletions
  - Require a pull request before merging
It's important to use rulesets instead of the legacy branch protection feature.
After some PRs have been merged into `develop`, a GitHub Action performs the following steps:
- Bump the version in `package.json`
- Commit the change on `develop`
- Merge `develop` into `main`
- Draft a release, ready to be reviewed and published
To bypass rulesets protection from a GitHub Action:
- Create a deploy key with write permissions. The SSH key has to be created with an empty passphrase:
  ```sh
  ssh-keygen -t ed25519 -C "github-actions@github.com" -N ""
  ```
- Save the private SSH key in a `DEPLOY_KEY` secret
- Add `Deploy keys` to the Bypass list of the rulesets (Bypass list > Add bypass > Deploy keys)
- Make your action check out the repo using the SSH key from the secret
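As an added example (not this repository's own workflow file), a GitHub Actions workflow that performs the release steps described above using the `DEPLOY_KEY` secret; the workflow name, the `bump` input, the commit messages and the bot identity are assumptions:

```yaml
name: release
on:
  workflow_dispatch:
    inputs:
      bump:
        description: "semver part to bump"
        type: choice
        options: [patch, minor, major]
        default: patch
permissions:
  contents: write   # GITHUB_TOKEN only creates the draft release; the pushes use the deploy key
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: develop
          fetch-depth: 0                      # all history and branches, so main can be checked out and merged
          ssh-key: ${{ secrets.DEPLOY_KEY }}  # private deploy key; checkout switches the remote to SSH so pushes use it
      - name: Configure git identity for the release commits
        run: |
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
      - name: Bump the version in package.json and commit on develop
        id: bump
        env:
          BUMP: ${{ inputs.bump }}   # passed through an env var rather than interpolated into the script
        run: |
          # npm version updates package.json, commits and tags, and prints the new tag (e.g. v1.2.3)
          tag=$(npm version "$BUMP" -m "chore(release): %s")
          echo "tag=$tag" >> "$GITHUB_OUTPUT"
          git push origin develop
      - name: Merge develop into main
        env:
          TAG: ${{ steps.bump.outputs.tag }}
        run: |
          git checkout main
          git merge --no-ff develop -m "chore(release): $TAG"
          git push origin main "$TAG"   # accepted only because Deploy keys are on the ruleset bypass list
      - name: Draft the release
        env:
          GH_TOKEN: ${{ github.token }}
          TAG: ${{ steps.bump.outputs.tag }}
        run: gh release create "$TAG" --draft --generate-notes
```

The same pushes made with `GITHUB_TOKEN` instead of the deploy key would be rejected by the `Restrict updates` rule on `main`, so only this workflow, and not arbitrary jobs, should receive the `DEPLOY_KEY` secret.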
To rotate the deploy key:
- Create a new deploy key with write permissions.
- Update the `DEPLOY_KEY` secret with the new SSH private key
- Remove the old deploy key

Prerequisites for the `rotate-deploy-key.sh` script:
- Node.js
- `jq`
- GitHub CLI

```sh
./rotate-deploy-key.sh <owner> <repo>
```