immich/.github/workflows/prepare-release.yml

name: Prepare new release

on:
  workflow_dispatch:
    inputs:
      serverBump:
        description: 'Bump server version'
        required: true
        default: 'false'
        type: choice
        options:
          - 'false'
          - major
          - minor
          - patch
      mobileBump:
        description: 'Bump mobile build number'
        required: false
        type: boolean
      skipTranslations:
        description: 'Skip translations'
        required: false
        type: boolean

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}-root
  cancel-in-progress: true

permissions: {}

jobs:
  merge_translations:
    uses: ./.github/workflows/merge-translations.yml
    with:
      skip: ${{ inputs.skipTranslations }}
    permissions:
      pull-requests: write
    secrets:
      PUSH_O_MATIC_APP_ID: ${{ secrets.PUSH_O_MATIC_APP_ID }}
      PUSH_O_MATIC_APP_KEY: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
      WEBLATE_TOKEN: ${{ secrets.WEBLATE_TOKEN }}

  bump_version:
    runs-on: ubuntu-latest
    needs: [merge_translations]
    outputs:
      ref: ${{ steps.push-tag.outputs.commit_long_sha }}
    permissions: {} # No job-level permissions are needed because it uses the app-token
    steps:
      - name: Generate a token
        id: generate-token
        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4
        with:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          token: ${{ steps.generate-token.outputs.token }}
          persist-credentials: true
          ref: main

      - name: Install uv
        uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6.8.0

      - name: Setup pnpm
        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0

      - name: Setup Node
        uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
        with:
          node-version-file: './server/.nvmrc'
          cache: 'pnpm'
          cache-dependency-path: '**/pnpm-lock.yaml'

      - name: Bump version
        env:
          SERVER_BUMP: ${{ inputs.serverBump }}
          MOBILE_BUMP: ${{ inputs.mobileBump }}
        run: misc/release/pump-version.sh -s "${SERVER_BUMP}" -m "${MOBILE_BUMP}"

      - name: Commit and tag
        id: push-tag
        uses: EndBug/add-and-commit@a94899bca583c204427a224a7af87c02f9b325d5 # v9.1.4
        with:
          default_author: github_actions
          message: 'chore: version ${{ env.IMMICH_VERSION }}'
          tag: ${{ env.IMMICH_VERSION }}
          push: true

  build_mobile:
    uses: ./.github/workflows/build-mobile.yml
    needs: bump_version
    permissions:
      contents: read
    secrets:
      KEY_JKS: ${{ secrets.KEY_JKS }}
      ALIAS: ${{ secrets.ALIAS }}
      ANDROID_KEY_PASSWORD: ${{ secrets.ANDROID_KEY_PASSWORD }}
      ANDROID_STORE_PASSWORD: ${{ secrets.ANDROID_STORE_PASSWORD }}
    with:
      ref: ${{ needs.bump_version.outputs.ref }}

  prepare_release:
    runs-on: ubuntu-latest
    needs: build_mobile
    permissions:
      actions: read # To download the app artifact
      # No content permissions are needed because it uses the app-token
    steps:
      - name: Generate a token
        id: generate-token
        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4
        with:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          token: ${{ steps.generate-token.outputs.token }}
          persist-credentials: false

      - name: Download APK
        uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
        with:
          name: release-apk-signed

      - name: Create draft release
        uses: softprops/action-gh-release@6da8fa9354ddfdc4aeace5fc48d7f679b5214090 # v2.4.1
        with:
          draft: true
          tag_name: ${{ env.IMMICH_VERSION }}
          token: ${{ steps.generate-token.outputs.token }}
          generate_release_notes: true
          body_path: misc/release/notes.tmpl
          files: |
            docker/docker-compose.yml
            docker/example.env
            docker/hwaccel.ml.yml
            docker/hwaccel.transcoding.yml
            docker/prometheus.yml
            *.apk