Workflow: separating jobs to allow Rekku token to don't expire during the build

.github/workflows/build_release.yml

@@ -27,16 +27,10 @@ permissions:
   contents: write
 
 jobs:
-  # Generate Rekku Token Job
-  Generate-Rekku-Token:
-    uses: RetroDECK/components-template/.github/workflows/generate_rekku_token.yml@main
-    secrets:
-      REKKU_PRIVATE_KEY: ${{ secrets.REKKU_PRIVATE_KEY }}
 
   # Build RetroDECK Job
   Build_RetroDECK:
     runs-on: retrodeck-server
-    needs: Generate-Rekku-Token
     outputs:
       tag: ${{ steps.set-outputs.outputs.tag }}
       release_body: ${{ steps.set-outputs.outputs.release_body }}
@@ -114,12 +108,12 @@ jobs:
 
             # Generate the tag for a pull request
             echo "TAG=PR-$source_branch-${{ env.buildid }}" >> $GITHUB_ENV
-            echo "MAKE_LATEST=false" >> $GITHUB_ENV  # Not marked as the latest cooker version if it's a feature branch
+            echo "MAKE_LATEST=false" >> $GITHUB_OUTPUT  # Not marked as the latest cooker version if it's a feature branch
           else
             # Generate the tag for non-pull request branches
             TAG="$MANIFEST_VERSION-${{ env.buildid }}"
             echo "TAG=$TAG" >> $GITHUB_ENV
-            echo "MAKE_LATEST=true" >> $GITHUB_ENV
+            echo "MAKE_LATEST=true" >> $GITHUB_OUTPUT
           fi
 
           # Output the manifest version and generated tag for debugging
@@ -132,7 +126,7 @@ jobs:
         run: "cp ${GITHUB_WORKSPACE}/net.retrodeck.retrodeck.yml ${GITHUB_WORKSPACE}/net.retrodeck.retrodeck.yml.bak"
 
       - name: Run pre-build automation tasks
-        run : "/bin/bash ${GITHUB_WORKSPACE}/automation_tools/pre_build_automation.sh"
+        run: "/bin/bash ${GITHUB_WORKSPACE}/automation_tools/pre_build_automation.sh"
 
       - name: "Adding flatpak portal for automated updates (Cooker only)"
         if: github.ref != 'refs/heads/main'
@@ -234,11 +228,36 @@ jobs:
       - name: Create Bundle
         run: "/bin/bash ${GITHUB_WORKSPACE}/automation_tools/flatpak_build_bundle.sh"
 
+      # Upload artifacts for other jobs
+      - name: Upload Build Artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: retrodeck-artifacts
+          path: |
+            RetroDECK*.flatpak
+            RetroDECK*.flatpak.sha
+            RetroDECK*Artifact.tar.gz
+
+  Generate-Rekku-Token:
+    uses: RetroDECK/components-template/.github/workflows/generate_rekku_token.yml@main
+    secrets:
+      REKKU_PRIVATE_KEY: ${{ secrets.REKKU_PRIVATE_KEY }}
+
+  GitHub-publish:
+    runs-on: ubuntu-latest
+    needs: [Generate-Rekku-Token, Build_RetroDECK]
+    env:
+      REKKU_TOKEN: ${{ needs.Generate-Rekku-Token.outputs.rekku_token }}
+      tag: ${{ needs.Build_RetroDECK.outputs.tag }}
+      release_body: ${{ needs.Build_RetroDECK.outputs.release_body }}
+      MAKE_LATEST: ${{ needs.Build_RetroDECK.outputs.MAKE_LATEST }}
+    steps:
+
       # Determine if Target Repository is Main or not, in that case is a Cooker build
       - name: Determine target repository
         id: set-repo
         run: |
-          if [[ "$GITHUB_REF" == "refs/heads/main" || "$GITHUB_REF" == refs/heads/feat* ]]; then
+          if [[ "$GITHUB_REF" == "refs/heads/main" ]]; then
             echo "repo_name=RetroDECK" >> $GITHUB_ENV
           else
             echo "repo_name=Cooker" >> $GITHUB_ENV
@@ -248,13 +267,13 @@ jobs:
       - name: Publish release
         uses: ncipollo/release-action@v1
         with:
-          tag: ${{ steps.set-outputs.outputs.tag }}
+          tag: ${{ env.tag }}
-          name: "RetroDECK ${{ steps.set-outputs.outputs.tag }}"
+          name: "RetroDECK ${{ env.tag }}"
-          body: ${{ steps.generate-body.outputs.release_body }}
+          body: ${{ env.release_body }}
-          artifacts: "RetroDECK*.flatpak,RetroDECK*.flatpak.sha,RetroDECK*Artifact.tar.gz"
+          artifacts: "*.flatpak,*.flatpak.sha,*Artifact.tar.gz"
           allowUpdates: true
           makeLatest: ${{ env.MAKE_LATEST }}
-          token: ${{ needs.Generate-Rekku-Token.outputs.token }}
+          token: ${{ env.REKKU_TOKEN }}
           repo: "${{ env.repo_name }}"
         continue-on-error: ${{ github.ref != 'refs/heads/main' }}
 
@@ -271,17 +290,7 @@ jobs:
           git tag "${{ steps.set-outputs.outputs.tag }}"
           git push origin "${{ steps.set-outputs.outputs.tag }}"
         env:
-          GITHUB_TOKEN: ${{ needs.Generate-Rekku-Token.outputs.token }}
+          GITHUB_TOKEN: ${{ env.REKKU_TOKEN }}
-
-      # Upload artifacts for other jobs
-      - name: Upload Build Artifacts
-        uses: actions/upload-artifact@v4
-        with:
-          name: retrodeck-artifacts
-          path: |
-            RetroDECK*.flatpak
-            RetroDECK*.flatpak.sha
-            RetroDECK*Artifact.tar.gz
 
   # As backup we're even publishing the build on our own selfhosted Fogejo instance
   # Forgejo Publish Job if main branch
@@ -291,7 +300,7 @@ jobs:
   #   uses: RetroDECK/components-template/.github/workflows/fogejo_publish_release.yml@main
   #   with:
   #     release_body: ${{ needs.Build_RetroDECK.outputs.release_body }}
-  #     artifacts: "RetroDECK*.flatpak,RetroDECK*.flatpak.sha,RetroDECK*Artifact.tar.gz"
+  #     artifacts: "*.flatpak,*.flatpak.sha,*Artifact.tar.gz"
   #     tag: ${{ needs.Build_RetroDECK.outputs.tag }}
   #   secrets: 
   #     FORGEJO_TRIGGER_BUILD_TOKEN: ${{ secrets.FORGEJO_TRIGGER_BUILD_TOKEN }}