From 5da876cc636bd5b150785c51a7e67e34d39c8a92 Mon Sep 17 00:00:00 2001 From: Pat O'Callaghan Date: Tue, 9 Jun 2026 17:35:59 +0100 Subject: [PATCH] Add OIDC staged-publishing workflow and remove CircleCI publish job --- .circleci/config.yml | 12 ------ .github/workflows/publish.yml | 73 +++++++++++++++++++++++++++++++++++ .nvmrc | 1 + 3 files changed, 74 insertions(+), 12 deletions(-) create mode 100644 .github/workflows/publish.yml create mode 100644 .nvmrc diff --git a/.circleci/config.yml b/.circleci/config.yml index 7b4d0fb8..af5dbaae 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -35,21 +35,9 @@ jobs: name: Run tests command: yarn test:ci - release: - <<: *defaults - - steps: - - checkout - - run: yarn install - - run: yarn build - - run: yarn semantic-release - workflows: version: 2 test: jobs: - test - - release: - requires: - - test diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml new file mode 100644 index 00000000..b9267d8b --- /dev/null +++ b/.github/workflows/publish.yml @@ -0,0 +1,73 @@ +# CAVEAT: This repo currently publishes via semantic-release (see `npm run semantic-release` +# in package.json and the `release` job in .circleci/config.yml). semantic-release cannot emit +# `npm stage publish`, so this staged-publishing workflow is NOT yet wired into the live release +# path. Before adopting it, the semantic-release flow must be reconciled with OIDC staged +# publishing (decide which owns version bump + publish, and remove the duplicate). Also note the +# Node bump: package.json engines was `>=6.0.0` and CircleCI used Node 12.21 — .nvmrc is now +# 22.14.0 because npm >= 11.15.0 (staged publishing) requires Node >= 22.14.0. +name: Publish (staged) + +on: + release: + types: [published] # cutting a Release creates the tag AND fires this + +permissions: + contents: read # workflow default (least privilege); only stage-publish also needs id-token, granted on that job + +jobs: + verify: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: { persist-credentials: false } + - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 + with: + node-version-file: '.nvmrc' # pin >= 22.14.0 + package-manager-cache: false # release-triggered: disable auto-cache (zizmor cache-poisoning) + - name: Assert Release tag matches package.json version + env: + RELEASE_TAG: ${{ github.event.release.tag_name }} + run: | + PKG="$(node -p "require('./package.json').version")" + [ "${RELEASE_TAG#v}" = "$PKG" ] || { echo "tag $RELEASE_TAG != package.json v$PKG"; exit 1; } + - name: Refuse releases not on the default branch + env: + RELEASE_TAG: ${{ github.event.release.tag_name }} + DEFAULT_BRANCH: ${{ github.event.repository.default_branch }} + run: | + git fetch origin "$DEFAULT_BRANCH" --depth=1 + git merge-base --is-ancestor "$GITHUB_SHA" "origin/$DEFAULT_BRANCH" \ + || { echo "release $RELEASE_TAG not reachable from $DEFAULT_BRANCH — refusing"; exit 1; } + + stage-publish: + needs: verify + runs-on: ubuntu-latest + permissions: + contents: read + id-token: write # OIDC trusted publishing: only this job mints the token + steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: { persist-credentials: false } + - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 + with: + node-version-file: '.nvmrc' + registry-url: 'https://registry.npmjs.org' + package-manager-cache: false + - run: yarn install --frozen-lockfile + - run: yarn build + - run: npm install -g npm@11.15.0 # npm CLI: staged publishing needs npm >= 11.15.0 + - name: Resolve dist-tag (a prerelease must never go to `latest`) + id: disttag + env: + PRERELEASE_TAG: next + run: | + VERSION="$(node -p "require('./package.json').version")" + case "$VERSION" in + *-*) TAG="$PRERELEASE_TAG" ;; + *) TAG="latest" ;; + esac + echo "tag=$TAG" >> "$GITHUB_OUTPUT" + - name: Stage publish + env: + DIST_TAG: ${{ steps.disttag.outputs.tag }} + run: npm stage publish --tag "$DIST_TAG" diff --git a/.nvmrc b/.nvmrc new file mode 100644 index 00000000..7d41c735 --- /dev/null +++ b/.nvmrc @@ -0,0 +1 @@ +22.14.0