Update version without committing to main

Author: twangboy

.github/workflows/release.yml

@@ -9,13 +9,13 @@ jobs:
     runs-on: ubuntu-latest
     environment: release-check
     steps:
-      - name: Check For Admin Permission
+      - name: Verify Admin Permission
         uses: actions-cool/check-user-permission@v2
         with:
           require: admin
           username: ${{ github.triggering_actor }}
 
-      - name: Check Repository
+      - name: Verifying Release Workflow
         run: |
           if [ "${{ vars.RUN_RELEASE_BUILDS }}" = "1" ]; then
             MSG="Running workflow because RUN_RELEASE_BUILDS=1"
@@ -38,7 +38,7 @@ jobs:
               echo "${MSG}" >> "${GITHUB_STEP_SUMMARY}"
           fi
 
-      - name: Check Branch
+      - name: Verifying Branch
         run: |
           echo "Trying to run the release workflow from branch ${{ github.ref_name }}"
           if [ "${{ github.ref_name }}" != "main" ]; then
@@ -50,7 +50,7 @@ jobs:
           fi
 
   update-main:
-    name: Update CHANGELOG.md and linux/svtminion.sh windows/svtminion.ps1
+    name: Prepare Files for Release
     runs-on: ubuntu-latest
     permissions:
       contents: write  # To be able to publish the release
@@ -146,19 +146,23 @@ jobs:
           CUT_RELEASE_VERSION=$(cat .cut_release_version)
           echo "CUT_RELEASE_VERSION=${CUT_RELEASE_VERSION}" >> "$GITHUB_ENV"
 
-      - name: Update linux/svtminion.sh sha256sum's
+      - name: Prepare Release Artifacts
         run: |
-          (cd linux && sha256sum svtminion.sh > ../svtminion.sh.sha256)
-          (cd windows && sha256sum svtminion.ps1 > ../svtminion.ps1.sha256)
-          git add svtminion.sh.sha256
-          git add svtminion.ps1.sha256
-          git commit --allow-empty -am "Update sha256 checksums" || git commit --allow-empty -am "Update sha256 checksums"
+          # Move scripts to dist directory so we don't update the source files
+          mkdir -p dist
+          cp linux/svtminion.sh dist/svtminion.sh
+          cp windows/svtminion.ps1 dist/svtminion.ps1
+          # Inject release version into artifact copies via helper script
+          python3 .github/workflows/scripts/update-svtminion-versions.py "${CUT_RELEASE_VERSION}"
+          # Generate checksums for the release artifacts
+          (cd dist && sha256sum svtminion.sh > ../svtminion.sh.sha256)
+          (cd dist && sha256sum svtminion.ps1 > ../svtminion.ps1.sha256)
 
-      - name: Tag The ${{ needs.update-main.outputs.release-version }} Release
+      - name: Create Tag: ${{ needs.update-main.outputs.release-version }}
         run: |
           git tag -f --no-sign -m "Release ${{ needs.update-main.outputs.release-version }}" -a ${{ needs.update-main.outputs.release-version }}
 
-      - name: Create Github Release
+      - name: Create GitHub Release
         uses: softprops/action-gh-release@v1
         with:
           name: ${{ env.CUT_RELEASE_VERSION }}
@@ -169,8 +173,8 @@ jobs:
           prerelease: false
           generate_release_notes: false
           files: |
-            linux/svtminion.sh
-            windows/svtminion.ps1
+            dist/svtminion.sh
+            dist/svtminion.ps1
             svtminion.sh.sha256
             svtminion.ps1.sha256
             LICENSE
@@ -182,9 +186,10 @@ jobs:
           failOnError: false
 
   update-main-checksums:
-    name: Update Release Checksums on Main
+    name: Update Release Checksums
     runs-on: ubuntu-latest
     needs:
+      - update-main
       - publish-release
     environment: release
     permissions:
@@ -198,17 +203,6 @@ jobs:
           repository: ${{ github.repository }}
           ssh-key: ${{ secrets.SALT_VMTOOLS_RELEASE_KEY }}
 
-      - name: Get linux/svtminion.sh on main branch sha256sum
-        run: |
-          echo "SH=$(sha256sum linux/svtminion.sh | awk '{ print $1 }')" >> "$GITHUB_ENV"
-          echo "VMTS_VERSION=$(bash linux/svtminion.sh --version | awk '{ print $1 }')" >> "$GITHUB_ENV"
-
-      - uses: actions/checkout@v6
-        with:
-          ref: main
-          repository: ${{ github.repository }}
-          ssh-key: ${{ secrets.SALT_VMTOOLS_RELEASE_KEY }}
-
       - name: Configure Git
         shell: bash
         run: |
@@ -217,9 +211,13 @@ jobs:
           git config --global user.email saltproject.pdl@broadcom.com
           git config --global commit.gpgsign false
 
-      - name: Update Latest Release on README
+      - name: Update Checksums in README.md
+        shell: bash
         run: |
-          python3 .github/workflows/scripts/update-release-shasum.py ${{ env.VMTS_VERSION }} ${{ env.SH }}
+          VERSION="${{ needs.update-main.outputs['release-version'] }}"
+          curl -sL "https://github.com/${{ github.repository }}/releases/download/${VERSION}/svtminion.sh" -o svtminion.sh
+          SH="$(sha256sum svtminion.sh | awk '{ print $1 }')"
+          python3 .github/workflows/scripts/update-release-shasum.py "$VERSION" "$SH"
 
       - name: Show Changes
         run: |

.github/workflows/scripts/cut-release.py

@@ -188,37 +188,7 @@ def main():
         + changelog_file.read_text()
     )
 
-    # Update Script Version for the bash script
-    svtminion_script_path = REPO_ROOT / "linux/svtminion.sh"
-    print(
-        f"* Updating {svtminion_script_path.relative_to(REPO_ROOT)} ...",
-        file=sys.stderr,
-        flush=True,
-    )
-    svtminion_script_path.write_text(
-        re.sub(
-            r'readonly SCRIPT_VERSION="(.*)"',
-            f'readonly SCRIPT_VERSION="{options.release_tag.lstrip("v")}"',
-            svtminion_script_path.read_text(),
-        )
-    )
-
-    # Update the Script Version for the powershell script
-    svtminion_script_path = REPO_ROOT / "windows/svtminion.ps1"
-    print(
-        f"* Updating {svtminion_script_path.relative_to(REPO_ROOT)} ...",
-        file=sys.stderr,
-        flush=True,
-    )
-    svtminion_script_path.write_text(
-        re.sub(
-            r'\$SCRIPT_VERSION = "(.*)"',
-            f'$SCRIPT_VERSION = "{options.release_tag.lstrip("v")}"',
-            svtminion_script_path.read_text(),
-        )
-    )
-
-    parser.exit(status=0, message="CHANGELOG.md and svtminion.sh updated\n")
+    parser.exit(status=0, message="CHANGELOG.md and release metadata updated\n")
 
 
 if __name__ == "__main__":

.github/workflows/scripts/update-release-shasum.py

@@ -9,6 +9,8 @@
 
 
 def main(version, sha256sum):
+    # Normalize version tags like "v2026.03.16" to "2026.03.16"
+    version = version.lstrip("v")
     in_contents = README_PATH.read_text()
     if version in in_contents:
         print(f"README file already contains an entry for version {version}")

.github/workflows/scripts/update-svtminion-versions.py

@@ -0,0 +1,39 @@
+#!/usr/bin/env python
+import pathlib
+import re
+import sys
+
+
+def main():
+    if len(sys.argv) != 2:
+        raise SystemExit(f"Usage: {sys.argv[0]} <version>")
+
+    # Strip leading "v" from tags like "v2026.03.16"
+    version = sys.argv[1].lstrip("v")
+
+    # These are the artifact copies created in the workflow
+    linux_path = pathlib.Path("dist/svtminion.sh")
+    windows_path = pathlib.Path("dist/svtminion.ps1")
+
+    # Update bash script readonly SCRIPT_VERSION
+    linux_text = linux_path.read_text(encoding="utf-8")
+    linux_text = re.sub(
+        r'readonly SCRIPT_VERSION="(.*)"',
+        f'readonly SCRIPT_VERSION="{version}"',
+        linux_text,
+    )
+    linux_path.write_text(linux_text, encoding="utf-8")
+
+    # Update PowerShell script $SCRIPT_VERSION
+    windows_text = windows_path.read_text(encoding="utf-8")
+    windows_text = re.sub(
+        r'\$SCRIPT_VERSION = "(.*)"',
+        f'$SCRIPT_VERSION = "{version}"',
+        windows_text,
+    )
+    windows_path.write_text(windows_text, encoding="utf-8")
+
+
+if __name__ == "__main__":
+    main()
+

linux/svtminion.sh

@@ -19,7 +19,7 @@ set -o pipefail
 # using bash for now
 # run this script as root, as needed to run Salt
 
-readonly SCRIPT_VERSION="2026.03.13"
+readonly SCRIPT_VERSION="SCRIPT_VERSION_REPLACE"
 
 # definitions
 

windows/svtminion.ps1

@@ -287,7 +287,7 @@ if ($help) {
 }
 
 # This value is populated via CICD during build
-$SCRIPT_VERSION = "2026.03.13"
+$SCRIPT_VERSION = "SCRIPT_VERSION_REPLACE"
 if ($Version) {
     Write-Host $SCRIPT_VERSION
     exit 0