Fix release automation

.github/workflows/release.yaml

@@ -8,26 +8,32 @@ on:
       - closed
     branches:
       - main
+  workflow_dispatch:
 
 name: Build and publish a release
 
 jobs:
   # We make `if_merged` a `needs:` of the other jobs here to only run this
   # workflow on merged PRs.
   if_merged:
-    name: Check that PR was merged and not closed
-    if: github.event.pull_request.merged == true
-      && contains(github.event.pull_request.labels.*.name, 'release')
-    runs-on: ubuntu-latest
     permissions:
+      issues: write
       pull-requests: write
+    name: Check that PR was merged and not closed
+    if: github.event_name == 'workflow_dispatch'
+      || (
+        github.event.pull_request.merged == true
+        && contains(github.event.pull_request.labels.*.name, 'release')
+      )
+    runs-on: ubuntu-latest
     steps:
       - run: |
           echo "This is a canonical hack to run GitHub Actions on merged PRs"
           echo "See: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#running-your-pull_request-workflow-when-a-pull-request-merges"
 
       - name: Comment on PR with link to this action
-        uses: peter-evans/create-or-update-comment@v4
+        uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
+        if: github.event_name == 'pull_request'
         with:
           issue-number: ${{ github.event.pull_request.number }}
           body: |
@@ -40,21 +46,17 @@ jobs:
     needs: if_merged
     runs-on: ubuntu-latest
     outputs:
-      version: ${{ steps.get_cargo_metadata.outputs.version }}
+      version: ${{ steps.get_version_number.outputs.version }}
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
 
-      - uses: cachix/install-nix-action@v22
-        with:
-          github_access_token: ${{ secrets.GITHUB_TOKEN }}
-          extra_nix_config: |
-            extra-experimental-features = nix-command flakes
-            accept-flake-config = true
+      - uses: cachix/install-nix-action@4e002c8ec80594ecd40e759629461e26c8abed15 # v31.9.0
 
       - name: Get version number
-        id: get_cargo_metadata
-        run: echo "version=$(nix run .#get-crate-version)" >> "$GITHUB_OUTPUT"
+        id: get_version_number
+        run: |
+          echo "version=$(nix eval --raw ".#packages.x86_64-linux.default.version")" >> "$GITHUB_OUTPUT"
 
   build:
     name: Release Build
@@ -68,22 +70,22 @@ jobs:
     strategy:
       matrix:
         os: [ubuntu-latest, macos-latest]
+    environment: release
+    permissions:
+      id-token: write  # See: rust-lang/crates-io-auth-action
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
 
+        # TODO: What am I doing here? Is there a reason I'm not using Nix? Is
+        # it for `x86_64-darwin` builds? It must be. Does anyone even use those?
       - name: Install rustup
         uses: dtolnay/rust-toolchain@stable
         if: runner.os == 'macOS'
         with:
           target: x86_64-apple-darwin, aarch64-apple-darwin
 
-      - uses: cachix/install-nix-action@v22
-        with:
-          github_access_token: ${{ secrets.GITHUB_TOKEN }}
-          extra_nix_config: |
-            extra-experimental-features = nix-command flakes
-            accept-flake-config = true
+      - uses: cachix/install-nix-action@4e002c8ec80594ecd40e759629461e26c8abed15 # v31.9.0
 
       - name: Log versions
         if: runner.os == 'macOS'
@@ -138,26 +140,29 @@ jobs:
              target/release/git-gr-aarch64-linux
 
       - name: Upload macOS executable
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
         if: runner.os == 'macOS'
         with:
           name: macos
           path: |
             target/release/git-gr-macos
 
       - name: Upload Linux executables
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
         if: runner.os == 'Linux'
         with:
           name: linux
           path: |
             target/release/git-gr-x86_64-linux
             target/release/git-gr-aarch64-linux
 
+      - uses: rust-lang/crates-io-auth-action@v1
+        id: auth
+
       - name: Publish to crates.io
         if: runner.os == 'Linux'
         env:
-          CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
+          CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }}
         run: |
           nix run .#cargo -- publish --no-verify
 
@@ -170,13 +175,22 @@ jobs:
       - version
     permissions:
       contents: write
+      issues: write
       pull-requests: write
     steps:
+      # See: https://github.com/peter-evans/create-pull-request/blob/main/docs/concepts-guidelines.md#authenticating-with-github-app-generated-tokens
+      - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
+        id: generate_token
+        with:
+          app-id: ${{ secrets.APP_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
+
       - name: Tag the release
-        uses: mathieudutour/github-tag-action@v6.2
+        uses: mathieudutour/github-tag-action@a22cf08638b34d5badda920f9daf6e72c477b07b # v6.2
         with:
-          github_token: ${{ secrets.GITHUB_TOKEN }}
-          commit_sha: ${{ github.event.pull_request.merge_commit_sha }}
+          github_token: ${{ steps.generate_token.outputs.token }}
+          commit_sha: ${{ github.sha }}
+          # Note: This action automatically applies a prefix for us!
           custom_tag: ${{ needs.version.outputs.version }}
 
       - name: Download artifacts
@@ -186,31 +200,33 @@ jobs:
         #
         # For example, the following artifact:
         #
-        #     - uses: actions/upload-artifact@v4
+        #     - uses: actions/upload-artifact@v5
         #       with:
         #         name: linux
-        #         path: target/release/ghciwatch-aarch64-linux
+        #         path: target/release/git-gr-aarch64-linux
         #
-        # will be downloaded to `linux/ghciwatch-aarch64-linux`.
-        uses: actions/download-artifact@v4
+        # will be downloaded to `linux/git-gr-aarch64-linux`.
+        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
 
       - name: Create release
         id: create_release
-        uses: softprops/action-gh-release@v2
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
         with:
+          token: ${{ steps.generate_token.outputs.token }}
           draft: false
           prerelease: false
           generate_release_notes: true
           tag_name: v${{ needs.version.outputs.version }}
           files: |
-            linux/*
-            macos/*
+            macos/git-gr-macos
+            linux/git-gr-x86_64-linux
+            linux/git-gr-aarch64-linux
 
       - name: Comment on PR with link to the release
-        uses: peter-evans/create-or-update-comment@v4
+        uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
+        if: github.event_name == 'pull_request'
         with:
+          token: ${{ steps.generate_token.outputs.token }}
           issue-number: ${{ github.event.pull_request.number }}
           body: |
             [Release ${{ needs.version.outputs.version }}][release] was built and published successfully!