|
6 | 6 | - '**' |
7 | 7 | tags: |
8 | 8 | - 'v*' |
9 | | -permissions: |
10 | | - id-token: write |
11 | | - contents: write |
| 9 | + workflow_dispatch: |
| 10 | + inputs: |
| 11 | + job: |
| 12 | + description: Which job to run |
| 13 | + type: choice |
| 14 | + required: true |
| 15 | + default: all |
| 16 | + options: |
| 17 | + - all |
| 18 | + - npm-publish |
| 19 | + - release-notes |
| 20 | + tag: |
| 21 | + description: Existing tag to release (e.g. v11.2.3 or v12.0.0-alpha.3) |
| 22 | + type: string |
| 23 | + required: true |
| 24 | + |
| 25 | +env: |
| 26 | + TAG: ${{ github.event_name == 'workflow_dispatch' && inputs.tag || github.ref_name }} |
| 27 | + |
| 28 | +permissions: {} |
12 | 29 |
|
13 | 30 | jobs: |
14 | | - release: |
| 31 | + npm-publish: |
| 32 | + if: >- |
| 33 | + github.event_name == 'push' || |
| 34 | + (github.event_name == 'workflow_dispatch' && |
| 35 | + (inputs.job == 'all' || inputs.job == 'npm-publish')) |
15 | 36 | runs-on: ubuntu-latest |
| 37 | + permissions: |
| 38 | + contents: read |
| 39 | + id-token: write # npm trusted publisher (OIDC) |
16 | 40 | steps: |
17 | | - - name: Checkout |
18 | | - # zizmor: ignore[artipacked] needs persisted credentials so that |
19 | | - # stefanzweifel/git-auto-commit-action can push the changelog commit. |
20 | | - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 |
| 41 | + - name: Checkout codes |
| 42 | + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 |
21 | 43 | with: |
22 | | - ref: ${{ github.head_ref }} |
| 44 | + ref: ${{ env.TAG }} |
| 45 | + persist-credentials: false |
| 46 | + |
| 47 | + - name: Resolve dist-tag from tag |
| 48 | + id: meta |
| 49 | + # When adding a new major (e.g. v13), append a case branch below. |
| 50 | + run: | |
| 51 | + case "$TAG" in |
| 52 | + v11.*) echo "dist_tag=latest" >> "$GITHUB_OUTPUT" ;; |
| 53 | + v12.*) echo "dist_tag=next" >> "$GITHUB_OUTPUT" ;; |
| 54 | + *) echo "Unknown tag pattern: $TAG" >&2; exit 1 ;; |
| 55 | + esac |
23 | 56 |
|
24 | 57 | - name: Install pnpm |
25 | | - uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0 |
| 58 | + uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0 |
26 | 59 |
|
27 | 60 | - name: Setup Node |
28 | | - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0 |
| 61 | + # zizmor: ignore[cache-poisoning] no package cache is enabled; toolchain only |
| 62 | + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 |
29 | 63 | with: |
30 | 64 | node-version: 24 |
31 | 65 |
|
32 | 66 | - name: Install dependencies |
33 | | - run: pnpm install --no-frozen-lockfile |
| 67 | + run: pnpm install --frozen-lockfile |
| 68 | + |
| 69 | + - name: Build packages |
| 70 | + run: pnpm build |
34 | 71 |
|
35 | | - - name: Extract version tag |
36 | | - if: startsWith( github.ref, 'refs/tags/v' ) |
37 | | - uses: jungwinter/split@7f51d99e7cc1f147f6f99be75acf5e641930af88 # v2.1.0 |
38 | | - id: split |
| 72 | + - name: Publish packages to npm |
| 73 | + # OIDC trusted publisher (id-token: write). No NPM_AUTH_TOKEN needed. |
| 74 | + run: | |
| 75 | + for PKG in packages/*; do |
| 76 | + if [[ -d "$PKG" ]]; then |
| 77 | + pushd "$PKG" > /dev/null |
| 78 | + echo "⚡ Publishing $PKG with --tag $DIST_TAG" |
| 79 | + pnpm publish --access public --no-git-checks --tag "$DIST_TAG" |
| 80 | + popd > /dev/null |
| 81 | + fi |
| 82 | + done |
| 83 | + env: |
| 84 | + DIST_TAG: ${{ steps.meta.outputs.dist_tag }} |
| 85 | + |
| 86 | + release-notes: |
| 87 | + needs: [npm-publish] |
| 88 | + if: >- |
| 89 | + always() && ( |
| 90 | + (github.event_name == 'push' && needs.npm-publish.result == 'success') || |
| 91 | + (github.event_name == 'workflow_dispatch' && inputs.job == 'release-notes') || |
| 92 | + (github.event_name == 'workflow_dispatch' && inputs.job == 'all' && |
| 93 | + needs.npm-publish.result == 'success') |
| 94 | + ) |
| 95 | + runs-on: ubuntu-latest |
| 96 | + permissions: |
| 97 | + contents: write # GitHub Release 作成 + CHANGELOG push |
| 98 | + steps: |
| 99 | + - name: Resolve target branch from tag |
| 100 | + id: meta |
| 101 | + # When adding a new major (e.g. v13), append a case branch below. |
| 102 | + run: | |
| 103 | + case "$TAG" in |
| 104 | + v11.*) echo "branch=v11" >> "$GITHUB_OUTPUT" ;; |
| 105 | + v12.*) echo "branch=main" >> "$GITHUB_OUTPUT" ;; |
| 106 | + *) echo "Unknown tag pattern: $TAG" >&2; exit 1 ;; |
| 107 | + esac |
| 108 | +
|
| 109 | + - name: Checkout codes |
| 110 | + # zizmor: ignore[artipacked] git-auto-commit-action requires persisted credentials |
| 111 | + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 |
| 112 | + with: |
| 113 | + ref: ${{ steps.meta.outputs.branch }} |
| 114 | + fetch-depth: 0 |
| 115 | + |
| 116 | + - name: Install pnpm |
| 117 | + uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0 |
| 118 | + |
| 119 | + - name: Setup Node |
| 120 | + # zizmor: ignore[cache-poisoning] no package cache is enabled; toolchain only |
| 121 | + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 |
39 | 122 | with: |
40 | | - msg: ${{ github.ref }} |
41 | | - separator: '/' |
| 123 | + node-version: 24 |
42 | 124 |
|
43 | | - - name: Create Github Release |
44 | | - run: gh release create "$TAG" --generate-notes |
| 125 | + - name: Create GitHub Release (idempotent) |
| 126 | + run: | |
| 127 | + if gh release view "$TAG" >/dev/null 2>&1; then |
| 128 | + echo "Release $TAG already exists, skipping creation" |
| 129 | + else |
| 130 | + FLAGS=(--verify-tag --generate-notes) |
| 131 | + # SemVer prerelease tags (containing '-', e.g. v12.0.0-alpha.3) |
| 132 | + if [[ "$TAG" == *-* ]]; then |
| 133 | + FLAGS+=(--prerelease) |
| 134 | + fi |
| 135 | + gh release create "$TAG" "${FLAGS[@]}" |
| 136 | + fi |
45 | 137 | env: |
46 | 138 | GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |
47 | | - TAG: ${{ steps.split.outputs._2 }} |
48 | 139 |
|
49 | | - - name: Generate changelog |
| 140 | + - name: Sync changelog from GitHub Releases |
50 | 141 | run: pnpx gh-changelogen --repo=intlify/bundle-tools --tag="$TAG" |
51 | 142 | env: |
52 | 143 | GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |
53 | | - TAG: ${{ steps.split.outputs._2 }} |
54 | 144 |
|
55 | 145 | - name: Commit changelog |
56 | | - uses: stefanzweifel/git-auto-commit-action@8756aa072ef5b4a080af5dc8fef36c5d586e521d # v5.0.0 |
| 146 | + uses: stefanzweifel/git-auto-commit-action@b863ae1933cb653a53c021fe36dbb774e1fb9403 # v5.2.0 |
57 | 147 | with: |
58 | | - branch: v11 |
| 148 | + branch: ${{ steps.meta.outputs.branch }} |
59 | 149 | file_pattern: '*.md' |
60 | 150 | commit_message: 'chore: sync changelog' |
61 | | - |
62 | | - - name: Publish package |
63 | | - run: | |
64 | | - ./scripts/release.sh |
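Review bot: In the `npm-publish` job the checkout uses `ref: ${{ env.TAG }}`, and on `workflow_dispatch` that value is the free-form `tag` input, checked only by the `v11.*` / `v12.*` glob in the following step. A branch whose name matches the pattern would therefore presumably resolve as well as a tag and be published under the job's `id-token: write` identity. Qualifying the ref, `ref: refs/tags/${{ env.TAG }}`, would restrict publishing to real tags, which `--verify-tag` already enforces for the release step. Separately, in `release-notes` the unchanged `pnpx gh-changelogen` line still fetches an unpinned package at run time in a job that holds `contents: write` and persisted checkout credentials. Pinning it, e.g. `pnpx gh-changelogen@<PINNED_VERSION>`, would bring it in line with the SHA-pinned actions.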
|