Sync ci and publish workflows (#86) #22
# Release pipeline. The `version` job opens or updates the release pull request
# through changesets/action. The `publish` job runs `pnpm release`, and only
# when `version` reports hasChangesets == 'false'.
name: Publish

# Triggered only by pushes to the release branches listed below.
on:
  push:
    branches:
      - main
      - next
      - "maintenance/v*" # branch rulesets don't support v[0-9]+

# Runs are grouped per workflow and ref. A newer push does not cancel a run that
# is already in progress.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: false
  # NOTE(review): the nesting of `queue` under `concurrency` is reconstructed
  # from key order in a flattened listing, and its semantics are not shown on
  # this page. Confirm both against the committed file.
  queue: max

# Workflow-level default: GITHUB_TOKEN starts with no permissions, so a job
# gets only the scopes it lists itself.
permissions: {} # each job should define its own permission explicitly

jobs:
  # Creates or updates the release pull request.
  version:
    name: Version
    runs-on: ubuntu-latest
    # NOTE(review): presumably the environment that holds APP_PRIVATE_KEY and
    # any protection rules. Confirm in the repository settings.
    environment: version
    timeout-minutes: 10
    outputs:
      # Read by the `if:` condition of the `publish` job.
      hasChangesets: ${{ steps.changesets.outputs.hasChangesets }}
    permissions:
      contents: read # to check out repo (actions/checkout)
    steps:
      # Third-party actions are pinned to a full commit SHA; the trailing
      # comment records the release that SHA is expected to correspond to.
      - name: Check out repo
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # Keep the checkout token out of the local git config so later steps
          # cannot reuse it.
          persist-credentials: false
      # Local composite action; its body is not visible on this page.
      - uses: ./.github/actions/ci-setup
        with:
          skip-cache: true # avoid cache poisoning attacks
      # The job's GITHUB_TOKEN is read-only, so write access comes from a
      # GitHub App token that requests only the two permissions listed below.
      - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
        id: app-token
        with:
          client-id: ${{ vars.APP_CLIENT_ID }}
          private-key: ${{ secrets.APP_PRIVATE_KEY }}
          permission-contents: write # to create version commits (changesets/action)
          permission-pull-requests: write # to create pull request (changesets/action)
      - name: Create or update release pull request
        id: changesets
        uses: changesets/action@63a615b9cd06ba9a3e6d13796c7fbcb080a60a0b # v1.8.0
        with:
          # Token minted by the app-token step above.
          github-token: ${{ steps.app-token.outputs.token }}
          # Command the action runs to apply pending changesets.
          version: pnpm version-packages

  # Publishes the packages once `version` reports no pending changesets.
  publish:
    name: Publish
    # Job outputs are strings, hence the comparison against the quoted 'false'.
    if: needs.version.outputs.hasChangesets == 'false'
    needs: version
    runs-on: ubuntu-latest
    # NOTE(review): presumably the environment named in the npm trusted
    # publisher configuration. Confirm on the registry side.
    environment: npm
    timeout-minutes: 10
    # Every step in this job runs with these scopes. That makes the
    # dependencies installed by ci-setup and the release script part of the
    # publishing trust boundary.
    permissions:
      contents: write # to create release (changesets/action)
      id-token: write # to use OpenID Connect token for trusted publishing (changesets/action)
    steps:
      - name: Check out repo
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # Keep the checkout token out of the local git config so later steps
          # cannot reuse it.
          persist-credentials: false
      # Local composite action; its body is not visible on this page.
      - uses: ./.github/actions/ci-setup
        with:
          skip-cache: true # avoid cache poisoning attacks
      # This job references no long-lived registry secret. Unlike the version
      # job, this step sets no github-token input.
      # NOTE(review): presumably the action then falls back to the job's
      # GITHUB_TOKEN. Confirm against the action's inputs.
      - name: Publish to npm
        uses: changesets/action@63a615b9cd06ba9a3e6d13796c7fbcb080a60a0b # v1.8.0
        with:
          publish: pnpm release
          # NOTE(review): looks like this makes the action write through the
          # GitHub API instead of the git CLI. Confirm in the action's docs.
          commitMode: github-api