fix: point repository url at code-forge-io to match build provenance … #70
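# Release workflow: on every push to main (or a manual dispatch) run
# changesets/action, which either opens/updates the "Release PR" or publishes
# to npm. Third-party actions are referenced by full commit SHA; the trailing
# comment on each `uses:` line records the tag that SHA is expected to match.
name: Release

on:
  push:
    branches:
      - main
  # Manual safety valve: re-run publish for a version that was bumped but never
  # published. Guarded below so a dispatch can only ever publish from main.
  workflow_dispatch:

concurrency:
  # Never cancel an in-progress release; queue concurrent runs instead.
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: false

# These grants are workflow-wide, so every job defined in this file inherits
# them. There is a single job today; if more are added, move the grants onto
# the release job so unrelated jobs do not receive write or OIDC access.
permissions:
  contents: write  # push the version PR branch, create tags + GitHub releases
  pull-requests: write  # open/update the changesets "Release PR"
  id-token: write  # npm Trusted Publishing (OIDC) — no long-lived NPM_TOKEN needed

jobs:
  release:
    name: Release
    # Don't run on forks; only ever publish from main (incl. workflow_dispatch).
    if: github.repository_owner == 'code-forge-io' && github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Repo
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
        with:
          # Full history rather than a shallow clone.
          fetch-depth: 0
          # Required so changesets/action can push the version PR branch. Only the
          # ephemeral GITHUB_TOKEN is persisted (auto-expires at job end) — no PAT.
          # The persisted token is readable by every later step in this job.
          persist-credentials: true

      - name: Install pnpm
        uses: pnpm/action-setup@739bfe42ca9233c5e6aca07c1a25a9d34aca49b0  # v6.0.7

      - name: Setup Node.js
        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e  # v6.4.0
        with:
          # Pin to Node 24 (ships npm 11.x) so OIDC Trusted Publishing works even
          # if pnpm delegates publishing to npm. npm OIDC needs >= 11.5.1.
          node-version: "24"

      - name: Install Dependencies
        # This step runs in a job that holds contents:write and id-token:write,
        # so the dependency set must be exactly what the committed lockfile
        # records. The flag is spelled out so that a missing or out-of-date
        # lockfile fails the release instead of resolving fresh versions.
        run: pnpm install --frozen-lockfile

      - name: Create Release Pull Request or Publish to npm
        id: changesets
        uses: changesets/action@6a0a831ff30acef54f2c6aa1cbbc1096b066edaf  # v1.7.0
        env:
          # Only used to open/update the Release PR and create GitHub releases.
          # npm authentication is handled by OIDC Trusted Publishing (.npmrc
          # provenance=true + id-token:write) — there is intentionally no NPM_TOKEN.
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          # NOTE(review): the forge view of this file carried a hidden/bidirectional
          # Unicode notice. The emoji below and the em dashes in comments are the
          # only non-ASCII characters visible here — confirm nothing else is present.
          title: "🚀 Release PR"
          commit: "chore: release"
          version: pnpm run version
          publish: pnpm run release
          createGithubReleases: true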