create-react-forge/.github/workflows/release.yml at master · chiragmak10/create-react-forge · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
name: Release

on:
  push:
    tags:
      - 'v*.*.*' # Matches v1.0.0, v1.2.3, etc.
      - 'v*.*.*-beta.*' # Matches v1.0.0-beta.1, etc.

permissions:
  contents: write
  issues: write
  pull-requests: write
  id-token: write

jobs:
  release:
    name: Build and Publish Release
    runs-on: ubuntu-latest

    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'
          registry-url: 'https://registry.npmjs.org'

      - name: Install dependencies
        run: npm ci

      - name: Build
        run: npm run build

      - name: Run tests
        run: npm test

      - name: Extract version from tag
        id: get_version
        run: |
          echo "VERSION=${GITHUB_REF#refs/tags/v}" >> $GITHUB_OUTPUT
          echo "TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT

      - name: Update package.json version
        run: npm version ${{ steps.get_version.outputs.VERSION }} --no-git-tag-version --allow-same-version

      - name: Pack release artifact
        id: pack
        run: |
          ASSET="$(npm pack --silent | tail -n1)"
          echo "asset=${ASSET}" >> "$GITHUB_OUTPUT"

      - name: Install Cosign
        uses: sigstore/cosign-installer@v3

      - name: Sign release artifact
        run: |
          cosign sign-blob --yes \
            --output-signature "${{ steps.pack.outputs.asset }}.sig" \
            --output-certificate "${{ steps.pack.outputs.asset }}.pem" \
            --bundle "${{ steps.pack.outputs.asset }}.sigstore.json" \
            "${{ steps.pack.outputs.asset }}"

      - name: Publish to NPM (with provenance)
        run: |
          if [[ "${{ steps.get_version.outputs.VERSION }}" == *"beta"* ]]; then
            npm publish "${{ steps.pack.outputs.asset }}" --provenance --tag beta
          else
            npm publish "${{ steps.pack.outputs.asset }}" --provenance --tag latest
          fi
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

      - name: Create GitHub Release
        uses: softprops/action-gh-release@v1
        with:
          generate_release_notes: true
          prerelease: ${{ contains(steps.get_version.outputs.VERSION, 'beta') }}
          files: |
            ${{ steps.pack.outputs.asset }}
            ${{ steps.pack.outputs.asset }}.sig
            ${{ steps.pack.outputs.asset }}.pem
            ${{ steps.pack.outputs.asset }}.sigstore.json
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}