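# Release workflow: on every push to main (or a manual dispatch from main),
# changesets either opens/updates the "Release PR" or, once that PR has been
# merged, publishes the bumped packages to npm via OIDC Trusted Publishing.
name: Release
on:
  push:
    branches:
      - main
  # Manual safety valve: re-run publish for a version that was bumped but never
  # published. Guarded below so a dispatch can only ever publish from main.
  workflow_dispatch:
concurrency:
  # Never cancel an in-progress release; queue concurrent runs instead.
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: false
permissions:
  contents: write  # push the version PR branch, create tags + GitHub releases
  pull-requests: write  # open/update the changesets "Release PR"
  id-token: write  # npm Trusted Publishing (OIDC) — no long-lived NPM_TOKEN needed
jobs:
  release:
    name: Release
    # Don't run on forks; only ever publish from main (incl. workflow_dispatch).
    if: github.repository_owner == 'code-forge-io' && github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Repo
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
          # Required so changesets/action can push the version PR branch. Only the
          # ephemeral GITHUB_TOKEN is persisted (auto-expires at job end) — no PAT.
          persist-credentials: true
      - name: Install pnpm
        uses: pnpm/action-setup@739bfe42ca9233c5e6aca07c1a25a9d34aca49b0 # v6.0.7
      - name: Setup Node.js
        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          # Pin to Node 24 (ships npm 11.x) so OIDC Trusted Publishing works even
          # if pnpm delegates publishing to npm. npm OIDC needs >= 11.5.1.
          node-version: "24"
      - name: Install Dependencies
        # Install exactly what the committed lockfile records. A release must not
        # resolve dependencies differently from what was reviewed; a lockfile that
        # has drifted from package.json fails here instead of publishing. (pnpm
        # already defaults to frozen mode when CI is set — this makes it explicit.)
        run: pnpm install --frozen-lockfile
      - name: Create Release Pull Request or Publish to npm
        id: changesets
        uses: changesets/action@6a0a831ff30acef54f2c6aa1cbbc1096b066edaf # v1.7.0
        env:
          # Only used to open/update the Release PR and create GitHub releases.
          # npm authentication is handled by OIDC Trusted Publishing (.npmrc
          # provenance=true + id-token:write) — there is intentionally no NPM_TOKEN.
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          title: "🚀 Release PR"
          commit: "chore: release"
          version: pnpm run version
          publish: pnpm run release
          createGithubReleases: true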