fix: add contents:read permission to publish job #10

Workflow file for this run

	name: CI

	on:
	push:
	branches: [main]
	tags: ["v*"]
	pull_request:
	branches: [main]

	env:
	CARGO_TERM_COLOR: always

	jobs:
	# Detect what changed to skip unnecessary builds
	changes:
	name: Detect changes
	runs-on: ubuntu-latest
	outputs:
	rust: ${{ steps.filter.outputs.rust }}
	ts: ${{ steps.filter.outputs.ts }}
	steps:
	- uses: actions/checkout@v4
	- uses: dorny/paths-filter@v3
	id: filter
	with:
	filters: \|
	rust:
	- 'crates/**'
	- 'Cargo.toml'
	- 'Cargo.lock'
	ts:
	- 'src/**'
	- 'package.json'
	- 'tsconfig.json'
	- '__tests__/**'

	build:
	name: Build — ${{ matrix.settings.target }}
	needs: changes
	# Build if: Rust changed, tag push (release), or first run (no filter baseline)
	if: needs.changes.outputs.rust == 'true' \|\| startsWith(github.ref, 'refs/tags/v')
	strategy:
	fail-fast: false
	matrix:
	settings:
	- target: aarch64-apple-darwin
	host: macos-14
	platform: darwin-arm64
	- target: x86_64-apple-darwin
	host: macos-14
	platform: darwin-x64
	- target: x86_64-unknown-linux-gnu
	host: ubuntu-latest
	platform: linux-x64-gnu
	- target: aarch64-unknown-linux-gnu
	host: ubuntu-latest
	platform: linux-arm64-gnu
	cross: true
	- target: x86_64-pc-windows-msvc
	host: windows-latest
	platform: win32-x64-msvc
	runs-on: ${{ matrix.settings.host }}
	steps:
	- uses: actions/checkout@v4

	- uses: actions/checkout@v4
	with:
	repository: faugustdev/aiyouvector
	token: ${{ secrets.AIYOUVECTOR_TOKEN }}
	path: _aiyouvector

	# Cargo.toml uses path = "../../../aiyouvector/crates/..."
	# From crates/aiyoucli-napi/, 3 levels up = workspace parent
	- name: Link aiyouvector for Cargo path deps (Unix)
	if: runner.os != 'Windows'
	run: ln -s "$GITHUB_WORKSPACE/_aiyouvector" "$GITHUB_WORKSPACE/../aiyouvector"

	- name: Link aiyouvector for Cargo path deps (Windows)
	if: runner.os == 'Windows'
	shell: cmd
	run: mklink /D "%GITHUB_WORKSPACE%\..\aiyouvector" "%GITHUB_WORKSPACE%\_aiyouvector"

	- uses: actions-rust-lang/setup-rust-toolchain@v1
	with:
	target: ${{ matrix.settings.target }}

	- uses: Swatinem/rust-cache@v2
	with:
	shared-key: build-${{ matrix.settings.target }}

	- uses: actions/setup-node@v4
	with:
	node-version: 22
	cache: npm

	- run: npm install

	# Cross-compilation for Linux ARM64
	- name: Install cross-compilation tools
	if: matrix.settings.cross
	run: \|
	sudo apt-get update
	sudo apt-get install -y gcc-aarch64-linux-gnu g++-aarch64-linux-gnu
	echo "CARGO_TARGET_AARCH64_UNKNOWN_LINUX_GNU_LINKER=aarch64-linux-gnu-gcc" >> $GITHUB_ENV

	- name: Build native module
	shell: bash
	run: npx napi build --platform --release --package aiyoucli-napi -o . --target ${{ matrix.settings.target }}

	- uses: actions/upload-artifact@v4
	with:
	name: bindings-${{ matrix.settings.platform }}
	path: "*.node"
	if-no-files-found: error

	test:
	name: Test
	needs: changes
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@v4

	- uses: actions/checkout@v4
	with:
	repository: faugustdev/aiyouvector
	token: ${{ secrets.AIYOUVECTOR_TOKEN }}
	path: _aiyouvector

	- name: Link aiyouvector for Cargo path deps
	run: ln -s "$GITHUB_WORKSPACE/_aiyouvector" "$GITHUB_WORKSPACE/../aiyouvector"

	- uses: actions-rust-lang/setup-rust-toolchain@v1

	- uses: Swatinem/rust-cache@v2
	with:
	shared-key: test-linux

	- uses: actions/setup-node@v4
	with:
	node-version: 22
	cache: npm

	- run: npm install
	- run: npm run build
	- name: Verify native binding
	run: ls -la *.node
	- run: npm test

	rust-test:
	name: Rust tests
	needs: changes
	# Skip if only TS changed
	if: needs.changes.outputs.rust == 'true' \|\| startsWith(github.ref, 'refs/tags/v')
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@v4

	- uses: actions/checkout@v4
	with:
	repository: faugustdev/aiyouvector
	token: ${{ secrets.AIYOUVECTOR_TOKEN }}
	path: _aiyouvector

	- name: Link aiyouvector for Cargo path deps
	run: ln -s "$GITHUB_WORKSPACE/_aiyouvector" "$GITHUB_WORKSPACE/../aiyouvector"

	- uses: actions-rust-lang/setup-rust-toolchain@v1

	- uses: Swatinem/rust-cache@v2
	with:
	shared-key: test-linux

	- run: cargo test --workspace

	publish:
	name: Publish to npm
	if: startsWith(github.ref, 'refs/tags/v')
	needs: [build, test, rust-test]
	runs-on: ubuntu-latest
	permissions:
	contents: read
	id-token: write
	steps:
	- uses: actions/checkout@v4

	- uses: actions/setup-node@v4
	with:
	node-version: 22
	registry-url: https://registry.npmjs.org
	cache: npm

	- uses: actions/download-artifact@v4
	with:
	path: artifacts/

	- run: npm install
	- run: npm run build:ts
	- name: Prepare platform packages
	run: node scripts/prepare-publish.js

	- name: Publish platform packages
	run: \|
	for dir in npm/*/; do
	if [ -f "$dir/package.json" ] && ls "$dir"/*.node 1>/dev/null 2>&1; then
	echo "Publishing $(basename $dir)..."
	cd "$dir"
	npm publish --provenance --access public
	cd ../..
	fi
	done
	env:
	NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

	- name: Publish @aiyou-dev/cli
	run: npm publish --provenance --access public
	env:
	NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

	- name: Publish aiyoucli wrapper
	run: \|
	cd packages/aiyoucli
	npm publish --provenance --access public
	env:
	NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix: add contents:read permission to publish job #10

Workflow file

fix: add contents:read permission to publish job #10

Uh oh!

Workflow file for this run