From 96e4a1eaa22fcf7ba14549476e1b7524b660b10c Mon Sep 17 00:00:00 2001 From: GitButler Date: Thu, 8 Jan 2026 19:30:48 +0100 Subject: [PATCH 1/3] GitButler Workspace Commit This is placeholder commit and will be replaced by a merge of your virtual branches. Due to GitButler managing multiple virtual branches, you cannot switch back and forth between git branches and virtual branches easily. If you switch to another branch, GitButler will need to be reinitialized. If you commit on this branch, GitButler will throw it away. For more information about what we're doing here, check out our docs: https://docs.gitbutler.com/features/branch-management/integration-branch -- 2.52.0 From 0ab0aa8bbade2d7a49eb446e4e44a1c8f60976f9 Mon Sep 17 00:00:00 2001 From: Joakim Olsson Date: Thu, 8 Jan 2026 20:57:06 +0100 Subject: [PATCH 2/3] feat: use file-based release token instead of secret --- .gitea/workflows/Release.yml | 28 ++++++++++++++-------------- README.md | 8 +++----- 2 files changed, 17 insertions(+), 19 deletions(-) diff --git a/.gitea/workflows/Release.yml b/.gitea/workflows/Release.yml index 2d7a7fc..03614fa 100644 --- a/.gitea/workflows/Release.yml +++ b/.gitea/workflows/Release.yml @@ -8,13 +8,10 @@ on: required: false default: false type: boolean - secrets: - UNBOUND_RELEASE_TOKEN: - description: 'Token with API access to create PRs and releases' - required: true env: GITEA_URL: https://git.unbound.se + RELEASE_TOKEN_FILE: /runner-secrets/release-token jobs: preconditions: 
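Review bot: The new `RELEASE_TOKEN_FILE: /runner-secrets/release-token` entry in the workflow-level `env:` block of `@@ -8,13 +8,10 @@` carries no comment on who can read that path, which is the main security consequence of dropping the `secrets:` input. A caller-supplied secret is scoped to the calling repository, whereas a file provisioned on the runner is presumably readable by every job scheduled there, including workflows from other repositories or from pull-request branches. The runner configuration is not visible in this patch, so that needs confirming. I would add above the line `# Provisioned by the runner, not the caller: any job on these runners can read it, so keep the token least-privilege and restrict who can run workflows here.` The `jobs:` section continues outside the hunk.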
@@ -24,14 +21,17 @@ jobs: image: amd64/alpine:3.22.2@sha256:b687e78c6e2785808446f45b52f1540a1e58adc07bdcffea354933b18c613d90 steps: - name: Validate token - if: ${{ secrets.UNBOUND_RELEASE_TOKEN == '' }} run: | - echo "To use Unbound Release, a UNBOUND_RELEASE_TOKEN secret needs to be defined." - echo "It needs API access to write repository files, create PRs and releases." - echo " " - echo "Create a token in Gitea: Settings -> Applications -> Generate New Token" - echo "Required scopes: repository (read/write), issue (read/write)" - exit 1 + if [ ! -r "${RELEASE_TOKEN_FILE}" ]; then + echo "Release token file not found at ${RELEASE_TOKEN_FILE}" + echo "This workflow requires the runner to have RELEASE_TOKEN configured." + exit 1 + fi + if [ ! -s "${RELEASE_TOKEN_FILE}" ]; then + echo "Release token file is empty" + exit 1 + fi + echo "Release token found" changelog: name: Generate Changelog @@ -99,10 +99,10 @@ jobs: - name: Create or update release PR env: - TOKEN: ${{ secrets.UNBOUND_RELEASE_TOKEN }} REPOSITORY: ${{ github.repository }} DEFAULT_BRANCH: ${{ github.event.repository.default_branch }} run: | + TOKEN=$(cat "${RELEASE_TOKEN_FILE}") VERSION=$(cat VERSION) OWNER=$(echo "${REPOSITORY}" | cut -d'/' -f1) REPO=$(echo "${REPOSITORY}" | cut -d'/' -f2) @@ -312,10 +312,10 @@ jobs: - name: Create release env: - TOKEN: ${{ secrets.UNBOUND_RELEASE_TOKEN }} REPOSITORY: ${{ github.repository }} DEFAULT_BRANCH: ${{ github.event.repository.default_branch }} run: | + TOKEN=$(cat "${RELEASE_TOKEN_FILE}") if [ ! -r .version ]; then echo "Version file not found" exit 0 @@ -375,10 +375,10 @@ jobs: - name: Create tag env: - TOKEN: ${{ secrets.UNBOUND_RELEASE_TOKEN }} REPOSITORY: ${{ github.repository }} DEFAULT_BRANCH: ${{ github.event.repository.default_branch }} run: | + TOKEN=$(cat "${RELEASE_TOKEN_FILE}") if [ ! -r .version ]; then echo "Version file not found" exit 0 diff --git a/README.md b/README.md index efbe18f..42bce87 100644 --- a/README.md +++ b/README.md 
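Review bot: The `-r` and `-s` checks in the `Validate token` step of `@@ -24,14 +21,17 @@` only prove that the file is present in the `preconditions` job's `amd64/alpine` container. The later steps that run `TOKEN=$(cat "${RELEASE_TOKEN_FILE}")` appear to execute in other jobs, where the mount is not re-checked. The second `echo` also tells the operator to configure `RELEASE_TOKEN`, a name that appears nowhere else in the patch, while the variable under test is `RELEASE_TOKEN_FILE`. I would reword it to `echo "Mount a readable release token at ${RELEASE_TOKEN_FILE} on the runner."` and add `# Checks this job's container only; every job that reads the token needs the same mount.` above the first `if`.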
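Review bot: `TOKEN=$(cat "${RELEASE_TOKEN_FILE}")` in `Create or update release PR` (`@@ -99,10 +99,10 @@`) holds the credential as an ordinary shell variable, so it loses the log redaction a runner normally applies to values from the `secrets` context. The same line is added in `Create release` (`@@ -312,10 +312,10 @@`) and `Create tag` (`@@ -375,10 +375,10 @@`). Any later command in these scripts that prints its arguments or request headers would write the token to the job log in clear text; those commands are outside the hunks, so this is a precaution rather than a confirmed leak. If the runner honours the `::add-mask::` workflow command, add `echo "::add-mask::${TOKEN}"` directly after each assignment, and keep shell tracing (`set -x`) out of these steps. All three `run:` scripts continue past their hunks.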
@@ -20,21 +20,19 @@ on: jobs: release: uses: unboundsoftware/shared-workflows/.gitea/workflows/Release.yml@main - secrets: - UNBOUND_RELEASE_TOKEN: ${{ secrets.GIT_API_TOKEN }} ``` **Inputs:** - `tag_only` (boolean, default: `false`): Set to `true` to only create tags without full releases -**Secrets:** +**Requirements:** -- `UNBOUND_RELEASE_TOKEN` (required): Token with API access to create PRs and releases. Required scopes: `repository` (read/write), `issue` (read/write) +This workflow reads the release token from `/runner-secrets/release-token`, which is automatically available on Unbound's Gitea runners. No repository secrets need to be configured. **How it works:** 1. On each push to the default branch, generates a changelog using git-cliff 2. Creates or updates a `next-release` branch with the updated CHANGELOG.md and .version file 3. Opens or updates a PR titled "chore(release): prepare for vX.Y.Z" -4. When the .version file exists (after merging the release PR), creates a GitHub release with the changelog +4. When the .version file exists (after merging the release PR), creates a Gitea release with the changelog -- 2.52.0 From 9ee341ecabbea20d791e4ae73d7d16a68ecc174d Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Thu, 8 Jan 2026 20:11:00 +0000 Subject: [PATCH 3/3] chore(deps): update orhunp/git-cliff docker tag to v2.11.0 --- .gitea/workflows/Release.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.gitea/workflows/Release.yml b/.gitea/workflows/Release.yml index 03614fa..40f5d5a 100644 --- a/.gitea/workflows/Release.yml +++ b/.gitea/workflows/Release.yml 
@@ -39,7 +39,7 @@ jobs: needs: preconditions if: github.ref_type == 'branch' && github.ref_name == github.event.repository.default_branch container: - image: orhunp/git-cliff:2.10.1@sha256:6ba0d1fcb051bd7b154cfb19c4b2b3bfa2c22c475f5285fc30606777b6573119 + image: orhunp/git-cliff:2.11.0@sha256:9a214cf1b62ed3bfe4071ec0442c71eac7a4efe462f79ffe62781df081387a24 outputs: version: ${{ steps.version.outputs.version }} has_changes: ${{ steps.check.outputs.has_changes }} @@ -254,7 +254,7 @@ jobs: (github.ref_type == 'branch' && github.ref_name == github.event.repository.default_branch) || github.ref_type == 'tag' container: - image: orhunp/git-cliff:2.10.1@sha256:6ba0d1fcb051bd7b154cfb19c4b2b3bfa2c22c475f5285fc30606777b6573119 + image: orhunp/git-cliff:2.11.0@sha256:9a214cf1b62ed3bfe4071ec0442c71eac7a4efe462f79ffe62781df081387a24 outputs: version: ${{ steps.version.outputs.version }} steps: -- 2.52.0