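# Release pipeline: on every push to main, `prepare` creates or updates the
# changesets release PR, `build` produces the package output with a read-only
# token, and `publish` ships that output to npm.
name: Release

on:
  push:
    branches:
      - main

# Serialise runs per workflow and ref.
concurrency: ${{ github.workflow }} @ ${{ github.ref }}

# Start from no token permissions; each job opts in to exactly what it needs.
permissions: {}

jobs:
  prepare:
    name: Prepare
    runs-on: ubuntu-latest
    # NOTE(review): with the owner guard below commented out, nothing on this
    # page stops the job from running on pushes to main in forks. Confirm that
    # is intended.
    # if: github.repository_owner == 'drivenets'
    permissions:
      contents: write # to create release (changesets/action)
      issues: write # to post issue comments (changesets/action)
      pull-requests: write # to create pull request (changesets/action)
    outputs:
      # 'true' only when the changesets step reports no pending changesets;
      # the `build` job gates on this value.
      should-publish: ${{ steps.changesets.outputs.hasChangesets == 'false' }}
    steps:
      # changesets/action commits the release PR via git push, so the checkout
      # credentials must stay persisted (hence the artipacked suppression).
      # NOTE(review): `ssh-key` is set, so the deploy key is persisted alongside
      # the token and stays reachable by every later step in this job,
      # including the dependency install below. Confirm that
      # ./.github/actions/install does not run untrusted lifecycle scripts.
      - name: Checkout source code # zizmor: ignore[artipacked]
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          fetch-depth: 0
          filter: 'blob:none'
          ssh-key: ${{ secrets.DEPLOY_KEY }}
          persist-credentials: true
      - name: Install Dependencies
        uses: ./.github/actions/install
      - name: Create or update release PR
        id: changesets
        uses: changesets/action@a45c4d594aa4e2c509dc14a9f2b3b67ba3780d0d # v1.9.0
        with:
          commit: 'chore(release): publish'
          title: 'chore(release): publish'

  # Runs dependency and build scripts, so it gets a read-only token and no
  # persisted git credentials.
  build:
    name: Build for publish
    needs: prepare
    if: needs.prepare.outputs.should-publish == 'true'
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: Checkout source code
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false
      - name: Install Dependencies
        uses: ./.github/actions/install
      # NOTE(review): this cache feeds the artifact that `publish` ships to npm.
      # `restore-keys` accepts any earlier entry with this prefix, so the
      # released output inherits the integrity of whatever wrote that entry.
      # Consider building releases without a restored cache, or confirm that no
      # less-trusted workflow can save keys under this prefix.
      - name: Cache turbo
        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: .turbo
          key: ${{ runner.os }}-turbo-build-${{ github.sha }}
          restore-keys: |
            ${{ runner.os }}-turbo-build-
      - name: Build packages
        run: pnpm build
      # Hand the build output to `publish` as a short-lived artifact; an empty
      # match fails the job instead of publishing nothing.
      - name: Upload build
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: release-build
          path: packages/*/dist
          if-no-files-found: error
          retention-days: 1
          include-hidden-files: false

  # WARNING:
  # For security reasons, this is the only job that should have `id-token: write` permissions.
  # We don't want dependencies and build scripts to have access to this token.
  # NOTE(review): this job still runs ./.github/actions/install before
  # publishing. The warning above holds only if that action does not execute
  # dependency lifecycle scripts; its contents are not visible here, so confirm.
  publish:
    name: Publish
    needs: build
    runs-on: ubuntu-latest
    permissions:
      contents: write # to create release (changesets/action)
      id-token: write # for npm trusted publishing
    steps:
      - name: Checkout source code # zizmor: ignore[artipacked] Need persisted token to push tags.
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          # Stated explicitly (same as the action's default) so that credential
          # persistence is a visible decision in every checkout of this file.
          persist-credentials: true
      - name: Install Dependencies
        uses: ./.github/actions/install
      # Restore the output built in the lower-privileged `build` job rather than
      # rebuilding here.
      - name: Download build
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          name: release-build
          path: packages
      - name: Publish
        uses: changesets/action@a45c4d594aa4e2c509dc14a9f2b3b67ba3780d0d # v1.9.0
        with:
          publish: pnpm changeset publish
        env:
          NPM_TOKEN: '' # https://github.com/changesets/action/issues/542#issuecomment-3642334398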