ci(release): Switch from action-prepare-release to Craft

.craft.yml

@@ -6,17 +6,19 @@ statusProvider:
   name: github
   config:
     contexts:
-      - 'build-amd64'
-      - 'build-arm64'
-      - 'assemble-image'
+    - 'build-amd64'
+    - 'build-arm64'
+    - 'assemble-image'
 targets:
-  - name: github
-  - id: release
-    name: docker
-    source: ghcr.io/getsentry/vroom
-    target: getsentry/vroom
-  - id: latest
-    name: docker
-    source: ghcr.io/getsentry/vroom
-    target: getsentry/vroom
-    targetFormat: '{{{target}}}:latest'
+- name: github
+- id: release
+  name: docker
+  source: ghcr.io/getsentry/vroom
+  target: getsentry/vroom
+- id: latest
+  name: docker
+  source: ghcr.io/getsentry/vroom
+  target: getsentry/vroom
+  targetFormat: '{{{target}}}:latest'
+versioning:
+  policy: calver

.github/workflows/changelog-preview.yml

@@ -0,0 +1,17 @@
+name: Changelog Preview
+on:
+  pull_request:
+    types:
+    - opened
+    - synchronize
+    - reopened
+    - edited
+    - labeled
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  changelog-preview:
+    uses: getsentry/craft/.github/workflows/changelog-preview.yml@v2
+    secrets: inherit

.github/workflows/changelog.yaml

@@ -8,7 +8,7 @@ jobs:
     name: changelog
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5.0.0
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
       - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/ci.yaml

@@ -23,7 +23,7 @@ jobs:
   lint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493 # v5.0.0
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           fetch-depth: 0
 
@@ -78,7 +78,7 @@ jobs:
   test-vroom:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493 # v5.0.0
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           fetch-depth: 0
       - uses: actions/setup-go@v6

.github/workflows/codeql.yaml

@@ -40,7 +40,7 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v5.0.0
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL

.github/workflows/image.yaml

@@ -6,6 +6,10 @@ on:
       - main
       - release/**
 
+permissions:
+  contents: write
+  pull-requests: write
+
 jobs:
   build-image:
     runs-on: ${{ matrix.os }}
@@ -19,7 +23,7 @@ jobs:
     if: github.repository_owner == 'getsentry'
     name: build-${{ matrix.platform }}
     steps:
-      - uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493 # v5.0.0
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
@@ -54,7 +58,7 @@ jobs:
       - build-image
     if: ${{ github.event_name != 'pull_request' }}
     steps:
-      - uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493 # v5.0.0
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       - run: docker login --username '${{ github.actor }}' --password-stdin ghcr.io <<< "$GHCR_TOKEN"
         env:
           GHCR_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -106,7 +110,7 @@ jobs:
     needs:
       - assemble-image
     steps:
-      - uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493 # v5.0.0
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       - name: Push built docker image
         shell: bash
         run: |
@@ -149,7 +153,7 @@ jobs:
       contents: read
       id-token: write
     steps:
-      - uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493 # v4.2.2
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Build and push image to single-region registry
         uses: getsentry/action-build-and-push-images@b172ab61a5f7eabd58bd42ce231b517e79947c01

.github/workflows/release-ghcr-version-tag.yaml

@@ -4,6 +4,10 @@ on:
   release:
     types: [prereleased, released]
 
+permissions:
+  contents: write
+  pull-requests: write
+
 jobs:
   release-ghcr-version-tag:
     runs-on: ubuntu-latest

.github/workflows/release.yaml

@@ -1,40 +1,38 @@
 name: release
-
 on:
   workflow_dispatch:
     inputs:
       version:
-        description: Version to release (optional)
+        description: Version to release (or "auto")
         required: false
       force:
-        description: Force a release even when there are release-blockers (optional)
+        description: Force a release even when there are release-blockers
         required: false
-
   schedule:
-    # We want the release to be at 9-10am Pacific Time
-    # We also want it to be 1 hour before the on-prem release
-    - cron: "0 17 15 * *"
+  - cron: "0 17 15 * *"
+permissions:
+  contents: write
+  pull-requests: write
 
 jobs:
   release:
     runs-on: ubuntu-latest
-    name: "Release a new vroom version"
+    name: Release a new version
     steps:
-      - name: Get auth token
-        id: token
-        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4
-        with:
-          app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }}
-          private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }}
-      - uses: actions/checkout@v5.0.0
-        with:
-          token: ${{ steps.token.outputs.token }}
-          fetch-depth: 0
-      - name: Prepare release
-        uses: getsentry/action-prepare-release@v1
-        env:
-          GITHUB_TOKEN: ${{ steps.token.outputs.token }}
-        with:
-          version: ${{ github.event.inputs.version }}
-          force: ${{ github.event.inputs.force }}
-          calver: true
+    - name: Get auth token
+      id: token
+      uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v1
+      with:
+        app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }}
+        private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }}
+    - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      with:
+        token: ${{ steps.token.outputs.token }}
+        fetch-depth: 0
+    - name: Prepare release
+      uses: getsentry/craft@1c58bfd57bfd6a967b6f3fc92bead2c42ee698ce
+      env:
+        GITHUB_TOKEN: ${{ steps.token.outputs.token }}
+      with:
+        version: ${{ inputs.version }}
+        force: ${{ inputs.force }}

.github/workflows/validate-pipelines.yaml

@@ -17,7 +17,7 @@ jobs:
         outputs:
             gocd: ${{ steps.changes.outputs.gocd }}
         steps:
-          - uses: actions/checkout@v5.0.0
+          - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
           - name: Check for relevant file changes
             uses: getsentry/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1
             id: changes
@@ -39,7 +39,7 @@ jobs:
             id-token: "write"
 
         steps:
-            - uses: actions/checkout@v5.0.0
+            - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
             - id: 'auth'
               uses: google-github-actions/auth@v3
               with: