Each run of releaser-pleaser acts on the same global state in the
forge. Therefore, parallel runs are unnecessary.
This commit also communicates to the GitHub and GitLab CI pipelines that
the releaser-pleaser jobs can be cancelled as early as possible.
- On GitHub Actions this can be guaranteed through the workflow
settings. These settings are copied into each repository that uses
releaser-pleaser, so users need to update this manually. I will add a
note to the release notes for this.
- On GitLab CI/CD this requires the user to configure a project level setting to
"auto-cancel redundant pipelines". We will not recommend user to set
this, as it is quite invasive and can break their regular CI pipelines.
The current value caused the following error when running the action in
a different repository:
Error: 'ghcr.io/apricote/releaser-pleaser:v0.4.1' should be either '[path]/Dockerfile' or 'docker://image[:tag]'.
Not sure why this did not come up before, as we are also using the same
format for the CI in this repository, even if we use another tag.
With `pull_request`, we run in the context of the pull request branch.
- This means we run with the code from the PR branch, possibly breaking
the current release PR for this repo with in-progress, unreviewed changes.
- This means that the secret is not available on Pull Requests from
forks.
Switching to `pull_request_target` means we always run in the scope of
the original repository. The secret is available and the code is checked
out from our main branch.
`pull_request_target` has security considerations, but they do not apply
here as we do not check out or run code from the (external, malicious) PR.
The previous job always used the last release version of
releaser-pleaser. This caused two issues:
- if new flags were added to `action.yml` since the last release, the
program errored because the flags are unknown.
- right after merging a release pr, the image reference was already
updated, but no new container image was built yet.
This fixes both issues, by using a locally built version of
releaser-pleaser, which is always up-to-date and available.
