Skip to content

Commit c7bfd40

Browse files
authored
Merge pull request #152 from block/chai/release-attach-tarball
ci: attach .tgz to GitHub Release on npm publish
2 parents 0510cdc + ac80f1e commit c7bfd40

2 files changed

Lines changed: 36 additions & 12 deletions

File tree

.github/workflows/release-tarball.yml

Lines changed: 10 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -1,17 +1,16 @@
11
name: Publish tarball to GitHub Release
22

3-
# Temporary distribution channel while npm publish is blocked. Packs
3+
# Manual fallback for the tarball distribution channel. Packs
44
# @anarchitecture/ghost and attaches the .tgz to a GitHub Release, so consumers can:
55
#
66
# npm install https://github.com/block/ghost/releases/download/<tag>/<file>.tgz
77
#
8-
# Triggered by pushing a tag of the form `anarchitecture-ghost@<version>` or by
9-
# manual workflow_dispatch.
8+
# The normal path is release.yml, which attaches the tarball automatically on
9+
# every Changesets publish. This workflow is dispatch-only so a Changesets-
10+
# created tag does not fire both workflows and race on the same Release. Use it
11+
# to (re)cut a tarball for an existing version without a fresh npm publish.
1012

1113
on:
12-
push:
13-
tags:
14-
- "anarchitecture-ghost@*"
1514
workflow_dispatch:
1615
inputs:
1716
version:
@@ -60,17 +59,16 @@ jobs:
6059
# controlled (anyone with Actions write can trigger). Pass them in via
6160
# `env:` and reference as shell variables so they can't be interpolated
6261
# as shell syntax — that's what the semgrep shell-injection rule wants.
62+
# Inputs from workflow_dispatch are attacker-controlled (anyone with
63+
# Actions write can trigger). Pass them in via `env:` and reference as
64+
# shell variables so they can't be interpolated as shell syntax — that's
65+
# what the semgrep shell-injection rule wants.
6366
- name: Resolve tag
6467
id: tag
6568
env:
66-
EVENT_NAME: ${{ github.event_name }}
6769
INPUT_VERSION: ${{ inputs.version }}
6870
run: |
69-
if [ "$EVENT_NAME" = "push" ]; then
70-
TAG="$GITHUB_REF_NAME"
71-
else
72-
TAG="anarchitecture-ghost@$INPUT_VERSION"
73-
fi
71+
TAG="anarchitecture-ghost@$INPUT_VERSION"
7472
echo "tag=$TAG" >> "$GITHUB_OUTPUT"
7573
7674
- name: Create GitHub Release

.github/workflows/release.yml

Lines changed: 26 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -37,6 +37,7 @@ jobs:
3737
- run: pnpm --filter @anarchitecture/ghost build
3838

3939
- name: Create Release PR or publish
40+
id: changesets
4041
uses: changesets/action@6a0a831ff30acef54f2c6aa1cbbc1096b066edaf # v1.7.0
4142
with:
4243
publish: npm publish ./packages/ghost --access public --provenance
@@ -47,3 +48,28 @@ jobs:
4748
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
4849
NPM_TOKEN: ${{ secrets.GHOST_NPM_PUBLISH_TOKEN }}
4950
NODE_AUTH_TOKEN: ${{ secrets.GHOST_NPM_PUBLISH_TOKEN }}
51+
52+
# When a publish actually happened, Changesets has already created and
53+
# tagged a GitHub Release (createGithubReleases defaults to true). Pack
54+
# the public package and attach the .tgz to that same Release so the
55+
# tarball distribution channel stays in sync with npm — no separate tag
56+
# push required.
57+
- name: Attach tarball to GitHub Release
58+
if: steps.changesets.outputs.published == 'true'
59+
env:
60+
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
61+
PUBLISHED_PACKAGES: ${{ steps.changesets.outputs.publishedPackages }}
62+
run: |
63+
VERSION="$(echo "$PUBLISHED_PACKAGES" \
64+
| python3 -c "import json,sys; pkgs=json.load(sys.stdin); print(next(p['version'] for p in pkgs if p['name']=='@anarchitecture/ghost'))")"
65+
TAG="anarchitecture-ghost@${VERSION}"
66+
mkdir -p dist-tarball
67+
pnpm --filter @anarchitecture/ghost pack --pack-destination "$GITHUB_WORKSPACE/dist-tarball"
68+
ls -la dist-tarball
69+
# Changesets creates the GitHub Release (createGithubReleases default).
70+
# If it ever isn't there yet, create it so the upload always has a
71+
# target — keeps the release from failing on a tooling change.
72+
if ! gh release view "$TAG" >/dev/null 2>&1; then
73+
gh release create "$TAG" --title "$TAG" --generate-notes
74+
fi
75+
gh release upload "$TAG" dist-tarball/*.tgz --clobber

0 commit comments

Comments
 (0)