tag.yml

name: Tag

on:
  push:
    branches:
      - master
    paths:
      - CHANGELOG.md

permissions:
  contents: write # needed to run `git push`
  actions: write # needed to trigger other workloads

jobs:
  tag:
    runs-on: ubuntu-latest
    steps:
      - name: Clone project
        uses: actions/checkout@v4

      - name: Get latest version from changelog header
        run: |
          echo "tag=$(grep -oPm 1 '(?<=### Changes in )(.*)(?=:)' CHANGELOG.md)" >> "$GITHUB_OUTPUT"
        id: changelog

      - name: Bail if tag exists
        run: |
          ! git show-ref -q --tags "${{ steps.changelog.outputs.tag }}" || {
            echo "Tag ${{ steps.changelog.outputs.tag }} already exists"
            exit 1
          }

      - name: Setup Git
        run: |
          git config user.name 'github-actions[bot]'
          git config user.email "<41898282+github-actions[bot]@users.noreply.github.com>"

      - name: Tag and push
        run: |
          git tag -a -m "Tag ${{ steps.changelog.outputs.tag }}" ${{ steps.changelog.outputs.tag }}
          git push origin ${{ steps.changelog.outputs.tag }}

      - name: Trigger release workflow
        # workflows won't trigger when other workflows do git actions, so we need to do this
        # https://docs.github.com/en/actions/security-for-github-actions/security-guides/automatic-token-authentication
        run: |
          gh workflow run release.yml --ref ${{ steps.changelog.outputs.tag }}
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}