-
Notifications
You must be signed in to change notification settings - Fork 0
125 lines (109 loc) · 4.27 KB
/
Copy pathray-task-profiles-release.yml
File metadata and controls
125 lines (109 loc) · 4.27 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
name: "@razroo/ray-task-profiles Release to npm"
# Publish when a GitHub Release whose tag starts with `task-profiles-v` is published.
#
# Cut releases with the guarded helper from main:
# bun run release:github -- --dry-run
# bun run release:github -- --yes
on:
release:
types: [published]
permissions:
contents: read
id-token: write
env:
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
defaults:
run:
working-directory: packages/task-profiles
jobs:
publish:
if: github.repository == 'razroo/ray' && startsWith(github.ref_name, 'task-profiles-v')
runs-on: ubuntu-latest
timeout-minutes: 60
steps:
- uses: actions/checkout@v5
- uses: actions/setup-node@v5
with:
node-version: "22"
registry-url: "https://registry.npmjs.org"
package-manager-cache: false
- uses: oven-sh/setup-bun@v2
with:
bun-version: "1.3.9"
- name: Set version from release tag
run: |
VERSION="${GITHUB_REF_NAME#task-profiles-v}"
echo "VERSION=$VERSION" >> $GITHUB_ENV
- name: Verify release commit is on main
working-directory: .
run: |
set -euo pipefail
SHA="$(git rev-parse HEAD)"
if [ "$(git rev-parse --is-shallow-repository)" = "true" ]; then
timeout 120s git fetch --no-tags --prune --unshallow origin main:refs/remotes/origin/main
else
timeout 120s git fetch --no-tags --prune origin main:refs/remotes/origin/main
fi
if ! git merge-base --is-ancestor "$SHA" refs/remotes/origin/main; then
echo "::error::Release tag ${GITHUB_REF_NAME} (${SHA}) must point at a commit on main."
exit 1
fi
- name: Verify Quality checks passed for release commit
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
working-directory: .
run: |
SHA=$(git rev-parse HEAD)
echo "Verifying Quality checks status for $SHA"
DEADLINE=$(( $(date +%s) + 1800 ))
STATUS=""
CONCLUSION=""
while [ "$(date +%s)" -lt "$DEADLINE" ]; do
CHECK_RUN="$(timeout 30s gh api "repos/${{ github.repository }}/commits/$SHA/check-runs" \
--jq '[.check_runs[] | select(.name == "quality")] | sort_by(.started_at) | last | "\(.status // "missing") \(.conclusion // "null")"' || true)"
read -r STATUS CONCLUSION <<<"$CHECK_RUN"
STATUS="${STATUS:-missing}"
CONCLUSION="${CONCLUSION:-null}"
echo "quality check-run: status=$STATUS conclusion=$CONCLUSION"
if [ "$STATUS" = "completed" ]; then
break
fi
sleep 15
done
if [ "$STATUS" != "completed" ]; then
echo "::error::Quality checks for $SHA never completed within 30min (last status: $STATUS)."
exit 1
fi
if [ "$CONCLUSION" != "success" ]; then
echo "::error::Quality checks for $SHA did not succeed (conclusion: $CONCLUSION). Fix before re-releasing."
exit 1
fi
echo "Quality checks succeeded for $SHA"
- name: Verify package.json version matches release tag
working-directory: .
run: timeout 60s bun ./scripts/release/check-source.mjs "$VERSION"
- name: Install (workspace root)
run: timeout 300s bun install --frozen-lockfile
working-directory: .
- name: Build
run: timeout 300s bun run build
working-directory: .
- name: Pack package
id: pack
run: |
set -euo pipefail
PACK_DIR="$RUNNER_TEMP/ray-packs"
timeout 60s rm -rf "$PACK_DIR"
timeout 30s mkdir -p "$PACK_DIR"
timeout 120s bun pm pack --destination "$PACK_DIR"
TARBALL="$(timeout 30s find "$PACK_DIR" -name '*.tgz' -print -quit)"
if [ -z "$TARBALL" ]; then
echo "::error::Bun did not produce a package tarball."
exit 1
fi
echo "tarball=$TARBALL" >> "$GITHUB_OUTPUT"
- name: Publish to npm (with provenance)
working-directory: .
run: timeout 300s npm publish "${{ steps.pack.outputs.tarball }}" --access public --provenance
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}