publish.yml
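---
# Manually triggered release workflow. It either opens/updates the
# "Prepare Release" pull request or publishes the workspace packages to npm.
# Packages that already exist on npm are published with OIDC trusted
# publishing; the long-lived NPM_TOKEN secret is used only when at least one
# package has never been published before.
name: Publish Packages

on:
  workflow_dispatch:

# One run per ref at a time, so two releases from the same ref cannot race.
concurrency: version-or-publish-${{ github.ref }}

jobs:
  publish:
    name: Publish Packages
    permissions:
      # contents / pull-requests: presumably needed by changesets/action for
      # the release commit and the "Prepare Release" PR.
      contents: write
      pull-requests: write
      # Lets the job request an OIDC token (trusted publishing, provenance).
      id-token: write
    runs-on: ubuntu-latest
    # Protection rules for this environment (required reviewers, allowed
    # branches) live in repository settings and are not visible in this file.
    # NOTE(review): workflow_dispatch can be started against any ref, and that
    # ref is what gets checked out and published below. Confirm the
    # environment restricts deployment branches.
    environment: publish
    steps:
      # Third-party actions are pinned to a full commit SHA; the trailing
      # comment records the tag the SHA was taken from.
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 0 # To get all tags
          ref: ${{ github.ref }}

      - name: Set up environment
        uses: ./.github/actions/setup
        with:
          node-version: '24'

      # Decides which credential the publish step gets. Every non-private
      # workspace package is looked up on the registry; a package that the
      # registry reports as missing is recorded as "new".
      - name: Check for new packages
        id: check-packages
        run: |
          : > "$RUNNER_TEMP/new_packages.txt"
          while IFS=: read -r pkg dir; do
            # Package names may contain '@' and '/', so flatten them before
            # using them in a file name.
            npm_stderr_file="$RUNNER_TEMP/npm-view-${pkg//[^a-zA-Z0-9]/_}.stderr"
            if npm view "$pkg" version > /dev/null 2> "$npm_stderr_file"; then
              echo "Existing package: $pkg"
              rm -f "$npm_stderr_file"
              continue
            fi
            npm_error="$(tr '\n' ' ' < "$npm_stderr_file")"
            rm -f "$npm_stderr_file"
            # Only a "not found" answer counts as a new package; any other
            # failure aborts the run instead of guessing.
            # NOTE(review): the bare "404" and "Not Found" alternatives are
            # broader than E404. An unrelated npm error containing either
            # string would select the NPM_TOKEN path, so consider matching
            # E404 only.
            if [[ "$npm_error" == *"E404"* || "$npm_error" == *"404"* || "$npm_error" == *"Not Found"* ]]; then
              echo "New package detected: $pkg ($dir)"
              echo "$dir" >> "$RUNNER_TEMP/new_packages.txt"
            else
              echo "::error::npm view failed for $pkg: ${npm_error:-Unknown error}"
              exit 1
            fi
          done < <(yarn workspaces --json info | node -e "
            const info = JSON.parse(JSON.parse(require('fs').readFileSync('/dev/stdin','utf8')).data);
            for (const [name, meta] of Object.entries(info)) {
              const pkgJson = require('./' + meta.location + '/package.json');
              if (!pkgJson.private) console.log(name + ':' + meta.location);
            }
          ")
          # A failure inside the process substitution above does not fail the
          # script: the loop then reads nothing, the list stays empty, and the
          # job continues on the OIDC path.
          has_new_packages=false
          if [ -s "$RUNNER_TEMP/new_packages.txt" ]; then
            echo "::notice::New packages detected — will use NPM token for publish"
            has_new_packages=true
          else
            echo "All packages exist on npm — using OIDC trusted publishing"
          fi
          echo "has_new_packages=$has_new_packages" >> "$GITHUB_OUTPUT"

      - name: Create Prepare Release PR or Publish
        id: changesets
        uses: changesets/action@e0145edc7d9d8679003495b11f87bd8ef63c0cba # v1.5.3
        with:
          title: Prepare Release
          commit: Prepare Release
          version: npm run version
          publish: npm run publish
          commitMode: github-api
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # The npm token is scoped to this step only, rather than written to
          # $GITHUB_ENV where every later step and post-job hook would inherit
          # it. It is empty unless a new package was detected, so the OIDC
          # path never sees the long-lived secret.
          NODE_AUTH_TOKEN: ${{ steps.check-packages.outputs.has_new_packages == 'true' && secrets.NPM_TOKEN || '' }}
          # Quoted: environment values are strings.
          NPM_CONFIG_PROVENANCE: 'true'

      # Pending changesets mean the action only prepared the release PR;
      # fail the run so it is not mistaken for a completed publish.
      - name: Check changesets status
        if: steps.changesets.outputs.hasChangesets == 'true'
        run: |
          echo "Changesets found. Merge Prepare Release PR before publishing."
          exit 1

      - name: Check publish status
        if: steps.changesets.outputs.published == 'false'
        run: |
          echo "Publish failed. Check the logs for more details."
          exit 1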