contentful-typescript-codegen/.github/workflows/publish.yml at master · intercom/contentful-typescript-codegen · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
# CAVEAT: This repo currently publishes via semantic-release (see `npm run semantic-release`
# in package.json and the `release` job in .circleci/config.yml). semantic-release cannot emit
# `npm stage publish`, so this staged-publishing workflow is NOT yet wired into the live release
# path. Before adopting it, the semantic-release flow must be reconciled with OIDC staged
# publishing (decide which owns version bump + publish, and remove the duplicate). Also note the
# Node bump: package.json engines was `>=6.0.0` and CircleCI used Node 12.21 — .nvmrc is now
# 22.14.0 because npm >= 11.15.0 (staged publishing) requires Node >= 22.14.0.
name: Publish (staged)

on:
  release:
    types: [published]        # cutting a Release creates the tag AND fires this

permissions:
  contents: read              # workflow default (least privilege); only stage-publish also needs id-token, granted on that job

jobs:
  verify:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd   # v6.0.2
        with: { persist-credentials: false }
      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version-file: '.nvmrc'      # pin >= 22.14.0
          package-manager-cache: false     # release-triggered: disable auto-cache (zizmor cache-poisoning)
      - name: Assert Release tag matches package.json version
        env:
          RELEASE_TAG: ${{ github.event.release.tag_name }}
        run: |
          PKG="$(node -p "require('./package.json').version")"
          [ "${RELEASE_TAG#v}" = "$PKG" ] || { echo "tag $RELEASE_TAG != package.json v$PKG"; exit 1; }
      - name: Refuse releases not on the default branch
        env:
          RELEASE_TAG: ${{ github.event.release.tag_name }}
          DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
        run: |
          git fetch origin "$DEFAULT_BRANCH" --depth=1
          git merge-base --is-ancestor "$GITHUB_SHA" "origin/$DEFAULT_BRANCH" \
            || { echo "release $RELEASE_TAG not reachable from $DEFAULT_BRANCH — refusing"; exit 1; }

  stage-publish:
    needs: verify
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write           # OIDC trusted publishing: only this job mints the token
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd   # v6.0.2
        with: { persist-credentials: false }
      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version-file: '.nvmrc'
          registry-url: 'https://registry.npmjs.org'
          package-manager-cache: false
      - run: yarn install --frozen-lockfile
      - run: yarn build
      - run: npm install -g npm@11.15.0    # npm CLI: staged publishing needs npm >= 11.15.0
      - name: Resolve dist-tag (a prerelease must never go to `latest`)
        id: disttag
        env:
          PRERELEASE_TAG: next
        run: |
          VERSION="$(node -p "require('./package.json').version")"
          case "$VERSION" in
            *-*) TAG="$PRERELEASE_TAG" ;;
            *)   TAG="latest" ;;
          esac
          echo "tag=$TAG" >> "$GITHUB_OUTPUT"
      - name: Stage publish
        env:
          DIST_TAG: ${{ steps.disttag.outputs.tag }}
        run: npm stage publish --tag "$DIST_TAG"