|
| 1 | +# CAVEAT: This repo currently publishes via semantic-release (see `npm run semantic-release` |
| 2 | +# in package.json and the `release` job in .circleci/config.yml). semantic-release cannot emit |
| 3 | +# `npm stage publish`, so this staged-publishing workflow is NOT yet wired into the live release |
| 4 | +# path. Before adopting it, the semantic-release flow must be reconciled with OIDC staged |
| 5 | +# publishing (decide which owns version bump + publish, and remove the duplicate). Also note the |
| 6 | +# Node bump: package.json engines was `>=6.0.0` and CircleCI used Node 12.21 — .nvmrc is now |
| 7 | +# 22.14.0 because npm >= 11.15.0 (staged publishing) requires Node >= 22.14.0. |
| 8 | +name: Publish (staged) |
| 9 | + |
| 10 | +on: |
| 11 | + release: |
| 12 | + types: [published] # cutting a Release creates the tag AND fires this |
| 13 | + |
| 14 | +permissions: |
| 15 | + contents: read # workflow default (least privilege); only stage-publish also needs id-token, granted on that job |
| 16 | + |
| 17 | +jobs: |
| 18 | + verify: |
| 19 | + runs-on: ubuntu-latest |
| 20 | + steps: |
| 21 | + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 |
| 22 | + with: { persist-credentials: false } |
| 23 | + - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 |
| 24 | + with: |
| 25 | + node-version-file: '.nvmrc' # pin >= 22.14.0 |
| 26 | + package-manager-cache: false # release-triggered: disable auto-cache (zizmor cache-poisoning) |
| 27 | + - name: Assert Release tag matches package.json version |
| 28 | + env: |
| 29 | + RELEASE_TAG: ${{ github.event.release.tag_name }} |
| 30 | + run: | |
| 31 | + PKG="$(node -p "require('./package.json').version")" |
| 32 | + [ "${RELEASE_TAG#v}" = "$PKG" ] || { echo "tag $RELEASE_TAG != package.json v$PKG"; exit 1; } |
| 33 | + - name: Refuse releases not on the default branch |
| 34 | + env: |
| 35 | + RELEASE_TAG: ${{ github.event.release.tag_name }} |
| 36 | + DEFAULT_BRANCH: ${{ github.event.repository.default_branch }} |
| 37 | + run: | |
| 38 | + git fetch origin "$DEFAULT_BRANCH" --depth=1 |
| 39 | + git merge-base --is-ancestor "$GITHUB_SHA" "origin/$DEFAULT_BRANCH" \ |
| 40 | + || { echo "release $RELEASE_TAG not reachable from $DEFAULT_BRANCH — refusing"; exit 1; } |
| 41 | +
|
| 42 | + stage-publish: |
| 43 | + needs: verify |
| 44 | + runs-on: ubuntu-latest |
| 45 | + permissions: |
| 46 | + contents: read |
| 47 | + id-token: write # OIDC trusted publishing: only this job mints the token |
| 48 | + steps: |
| 49 | + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 |
| 50 | + with: { persist-credentials: false } |
| 51 | + - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 |
| 52 | + with: |
| 53 | + node-version-file: '.nvmrc' |
| 54 | + registry-url: 'https://registry.npmjs.org' |
| 55 | + package-manager-cache: false |
| 56 | + - run: yarn install --frozen-lockfile |
| 57 | + - run: yarn build |
| 58 | + - run: npm install -g npm@11.15.0 # npm CLI: staged publishing needs npm >= 11.15.0 |
| 59 | + - name: Resolve dist-tag (a prerelease must never go to `latest`) |
| 60 | + id: disttag |
| 61 | + env: |
| 62 | + PRERELEASE_TAG: next |
| 63 | + run: | |
| 64 | + VERSION="$(node -p "require('./package.json').version")" |
| 65 | + case "$VERSION" in |
| 66 | + *-*) TAG="$PRERELEASE_TAG" ;; |
| 67 | + *) TAG="latest" ;; |
| 68 | + esac |
| 69 | + echo "tag=$TAG" >> "$GITHUB_OUTPUT" |
| 70 | + - name: Stage publish |
| 71 | + env: |
| 72 | + DIST_TAG: ${{ steps.disttag.outputs.tag }} |
| 73 | + run: npm stage publish --tag "$DIST_TAG" |
0 commit comments