chore: separate CI and release workflows

This reduces the attack surface of the tests, since they no longer have
any permissions to the repo.

Also make the artifact upload conditional on a release being created.

Author: yedayak

.github/workflows/ci.yaml

@@ -38,16 +38,6 @@ jobs:
 
   distcheck:
     runs-on: ubuntu-latest
-    permissions:
-      # Permissions from https://github.com/googleapis/release-please-action?tab=readme-ov-file#basic-configuration
-      # TODO: This is only needed for release, maybe split the release steps to a different job?
-      contents: write
-      pull-requests: write
-      # Needed for adding labels for PRs, we shouldn't actually need this, see https://github.com/orgs/community/discussions/156181
-      issues: write
-      # attestations and id-token for attest-build-provenance
-      attestations: write
-      id-token: write
     strategy:
       matrix:
         include:
@@ -64,12 +54,6 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
-      - uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38 # v4.4.0
-        with:
-          config-file: .github/release-please-config.json
-          manifest-file: .github/release-please-manifest.json
-        id: release
-        if: github.event_name == 'push' && matrix.dist == 'alpine'
       # A "container" workflow config would be cleaner here, but comes with
       # some restrictions/oddities: changes root's $HOME to /github/home
       # without changing the actual home dir that can cause some problems,
@@ -91,22 +75,3 @@ jobs:
           test/docker/entrypoint.sh
         env:
           NETWORK: ${{matrix.network}}
-      - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
-        with:
-          path: |
-            bash-completion-*.tar.xz
-            sha256sums.txt
-        if: matrix.dist == 'alpine'
-      - name: Upload release assets
-        run: |
-          set -x
-          gh release upload ${RELEASE_PLEASE_TAG_NAME} \
-            bash-completion-$(cat version.txt).tar.xz sha256sums.txt
-        env:
-          GH_TOKEN: ${{github.token}}
-          RELEASE_PLEASE_TAG_NAME: ${{steps.release.outputs.tag_name}}
-        if: steps.release.outputs.release_created
-      - uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4.1.0
-        with:
-          subject-checksums: sha256sums.txt
-        if: steps.release.outputs.release_created

.github/workflows/release-please.yaml

@@ -0,0 +1,63 @@
+name: release-please
+
+on:
+  push:
+    branches:
+      - main
+
+permissions: {}
+
+jobs:
+  release-please:
+    runs-on: ubuntu-latest
+    permissions:
+      # Permissions from https://github.com/googleapis/release-please-action#basic-configuration
+      contents: write
+      pull-requests: write
+      # Needed for adding labels to PRs, we shouldn't actually need this, see https://github.com/orgs/community/discussions/156181
+      issues: write
+      # attestations and id-token for actions/attest
+      attestations: write
+      id-token: write
+    steps:
+      - uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38 # v4.4.0
+        with:
+          config-file: .github/release-please-config.json
+          manifest-file: .github/release-please-manifest.json
+        id: release
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        if: steps.release.outputs.release_created
+        with:
+          persist-credentials: false
+      # Use docker run instead of "container" workflow since that is what
+      # ci.yaml uses, and it's unclear how to run a script from inside the
+      # image.
+      - name: Run main build
+        if: steps.release.outputs.release_created
+        run: >-
+          docker run
+          --rm
+          --tty
+          --volume $PWD:/usr/src/bash-completion
+          --workdir /usr/src/bash-completion
+          ghcr.io/scop/bash-completion/test:alpine
+          ./make-release.sh
+      - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        if: steps.release.outputs.release_created
+        with:
+          path: |
+            bash-completion-*.tar.xz
+            sha256sums.txt
+      - name: Upload release assets
+        if: steps.release.outputs.release_created
+        run: |
+          set -x
+          gh release upload ${RELEASE_PLEASE_TAG_NAME} \
+            bash-completion-$(cat version.txt).tar.xz sha256sums.txt
+        env:
+          GH_TOKEN: ${{github.token}}
+          RELEASE_PLEASE_TAG_NAME: ${{steps.release.outputs.tag_name}}
+      - uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4.1.0
+        if: steps.release.outputs.release_created
+        with:
+          subject-checksums: sha256sums.txt

make-release.sh

@@ -0,0 +1,9 @@
+#!/bin/sh -eux
+# shellcheck shell=sh
+
+autoreconf -i
+./configure
+# TODO: Consider using the already created and tested tarball from the CI
+# workflow
+make distcheck
+sha256sum bash-completion-*.tar.* >sha256sums.txt

test/docker/entrypoint.sh

@@ -9,7 +9,6 @@ fi
 export bashcomp_bash=bash
 env
 
-oldpwd=$(pwd)
 cp -a . /work
 cd /work
 
@@ -30,5 +29,3 @@ make -j
 
 xvfb-run make distcheck \
     PYTESTFLAGS="${PYTESTFLAGS---verbose -p no:cacheprovider --numprocesses=auto --dist=loadfile}"
-cp -p bash-completion-*.tar.* "$oldpwd/"
-sha256sum bash-completion-*.tar.* >"$oldpwd/sha256sums.txt"