From 3dede3d8db8b26ec223cb05e2e32ad64e71f56a0 Mon Sep 17 00:00:00 2001
From: Thomas Eizinger
Date: Tue, 28 Jan 2025 18:31:38 +0000
Subject: [PATCH] ci: fix potential drift between release tag and binaries (#7902)

Recently, we changed that we only upload binaries to the draft releases when we actively call the workflow. This means that we may potentially have a drift between:
- The commit that gets tagged as the release.
- The commit from which the binaries got built.
To ensure that this doesn't drift, we only update the draft releases whenever we actually uploaded new binaries to them. In addition, we instruct `release-drafter` to set the target of the release to the commit SHA from when it was triggered. As a result, it is much less error prone that these may drift apart. I believe the only race condition here could be if somebody publishes a release between the time the binaries get uploaded and we update the release draft, i.e. when GitHub hasn't fully finished CI yet.
---------
Signed-off-by: Jamil
Co-authored-by: Jamil
---
 .github/workflows/_kotlin.yml | 20 ++++++++++++++++++++
 .github/workflows/_swift.yml | 20 ++++++++++++++++++++
 .github/workflows/_tauri.yml | 20 ++++++++++++++++++++
 .github/workflows/ci.yml | 10 +---------
 4 files changed, 61 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/_kotlin.yml b/.github/workflows/_kotlin.yml
index 0e060df16..129a30dc9 100644
--- a/.github/workflows/_kotlin.yml
+++ b/.github/workflows/_kotlin.yml
@@ -82,6 +82,26 @@ jobs:
 echo -n "$FIREBASE_APP_DISTRIBUTION_CREDENTIALS" > $FIREBASE_CREDENTIALS_PATH
 ./gradlew appDistributionUploadRelease uploadCrashlyticsSymbolFileRelease
+ update-release-draft:
+ name: update-release-draft
+ needs: build_release
+ runs-on: ubuntu-22.04
+ env:
+ # mark:next-android-version
+ RELEASE_NAME: android-client-1.4.1
+ steps:
+ - uses: release-drafter/release-drafter@3f0f87098bd6b5c5b9a36d49c41d998ea58f9348 # v6.0.0
+ if: "${{ github.event_name == 'workflow_dispatch' && github.ref_name == 'main' }}"
+ id: update-release-draft
+ with:
+ config-name: release-drafter-android-client.yml
+ tag: ${{ env.RELEASE_NAME }}
+ version: ${{ env.RELEASE_NAME }}
+ name: ${{ env.RELEASE_NAME }}
+ commitish: ${{ github.sha }}
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
 build_debug:
 # Android SDK tools hardware accel is available only on Linux runners
 runs-on: ubuntu-22.04
diff --git a/.github/workflows/_swift.yml b/.github/workflows/_swift.yml
index 98c6a10eb..808d89f08 100644
--- a/.github/workflows/_swift.yml
+++ b/.github/workflows/_swift.yml
@@ -104,3 +104,23 @@ jobs:
 # Swift benefits heavily from build cache, so aggressively write a new one
 # on each build on `main` and attempt to restore it in PR builds with broader restore-key.
 key: ${{ steps.cache.outputs.cache-primary-key }}
+
+ update-release-draft:
+ name: update-release-draft
+ needs: build
+ runs-on: ubuntu-22.04
+ env:
+ # mark:next-apple-version
+ RELEASE_NAME: macos-client-1.4.1
+ steps:
+ - uses: release-drafter/release-drafter@3f0f87098bd6b5c5b9a36d49c41d998ea58f9348 # v6.0.0
+ if: "${{ github.event_name == 'workflow_dispatch' && github.ref_name == 'main' }}"
+ id: update-release-draft
+ with:
+ config-name: release-drafter-macos-client.yml
+ tag: ${{ env.RELEASE_NAME}}
+ version: ${{ env.RELEASE_NAME}}
+ name: ${{ env.RELEASE_NAME}}
+ commitish: ${{ github.sha }}
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
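Review bot: The new `update-release-draft` job in `_kotlin.yml` passes `GITHUB_TOKEN` to release-drafter without a job-level `permissions:` block, so the token's scope is whatever the caller or the repository default grants. The job only edits a draft release and reads merged pull requests, so I would add `permissions: {contents: write, pull-requests: read}` under `runs-on:` (assuming the drafter config does not enable the autolabeler, which needs pull-request write access). The identical jobs added in `_swift.yml` and `_tauri.yml` have the same gap. The top of each workflow file is outside the hunk, so a workflow-level `permissions:` may already exist; a job-level block would still document and narrow the scope for this job.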
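Review bot: In the `_swift.yml` job the `if:` sits on the only step rather than on the job, so a run that is not a `workflow_dispatch` on `main` still waits on `build`, allocates a runner and reports success without touching the draft. Moving the condition to job level, `if: ${{ github.event_name == 'workflow_dispatch' && github.ref_name == 'main' }}`, makes a skipped update show as skipped, which is easier to audit when checking which run last retargeted a release. The `_kotlin.yml` and `_tauri.yml` jobs have the same shape. As a small style point, this file writes `${{ env.RELEASE_NAME}}` without the space before `}}` that the other two files use.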
diff --git a/.github/workflows/_tauri.yml b/.github/workflows/_tauri.yml
index 454f94538..1e6e4d034 100644
--- a/.github/workflows/_tauri.yml
+++ b/.github/workflows/_tauri.yml
@@ -125,3 +125,23 @@ jobs:
 TAG_NAME: gui-client-${{ env.FIREZONE_GUI_VERSION }}
 shell: bash
 run: ${{ env.UPLOAD_SCRIPT }}
+
+ update-release-draft:
+ name: update-release-draft
+ needs: build-gui
+ runs-on: ubuntu-22.04
+ env:
+ # mark:next-gui-version
+ RELEASE_NAME: gui-client-1.4.2
+ steps:
+ - uses: release-drafter/release-drafter@3f0f87098bd6b5c5b9a36d49c41d998ea58f9348 # v6.0.0
+ if: "${{ github.event_name == 'workflow_dispatch' && github.ref_name == 'main' }}"
+ id: update-release-draft
+ with:
+ config-name: release-drafter-gui-client.yml
+ tag: ${{ env.RELEASE_NAME }}
+ version: ${{ env.RELEASE_NAME }}
+ name: ${{ env.RELEASE_NAME }}
+ commitish: ${{ github.sha }}
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 6b7a4f14b..472c98c83 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -52,15 +52,6 @@ jobs:
 # mark:next-headless-version
 - release_name: headless-client-1.4.2
 config_name: release-drafter-headless-client.yml
- # mark:next-gui-version
- - release_name: gui-client-1.4.2
- config_name: release-drafter-gui-client.yml
- # mark:next-apple-version
- - release_name: macos-client-1.4.1
- config_name: release-drafter-macos-client.yml
- # mark:next-android-version
- - release_name: android-client-1.4.1
- config_name: release-drafter-android-client.yml
 steps:
 - uses: release-drafter/release-drafter@3f0f87098bd6b5c5b9a36d49c41d998ea58f9348 # v6.0.0
@@ -72,6 +63,7 @@ jobs:
 tag: ${{ matrix.release_name }}
 version: ${{ matrix.release_name }}
 name: ${{ matrix.release_name }}
+ commitish: ${{ github.sha }}
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
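Review bot: The upload step shown as context at the top of the `_tauri.yml` hunk derives its tag from `gui-client-${{ env.FIREZONE_GUI_VERSION }}`, while the new job hard-codes `RELEASE_NAME: gui-client-1.4.2`, so two independent values name the release that receives the binaries and the release that gets retargeted to `github.sha`. If one is bumped without the other, the drafter would retarget a different draft from the one holding the new binaries, which is the drift this commit sets out to remove. `FIREZONE_GUI_VERSION` is defined outside the hunk, so I cannot tell whether the `mark:next-gui-version` marker keeps the two in step. A comment above `RELEASE_NAME` such as `# must match the TAG_NAME of the upload step above`, or passing the tag through a job output, would make the coupling explicit.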