-
-
Notifications
You must be signed in to change notification settings - Fork 0
114 lines (104 loc) · 4.11 KB
/
Copy pathrelease.yml
File metadata and controls
114 lines (104 loc) · 4.11 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
name: Publish Package to npmjs
on:
push:
branches:
- main
jobs:
release-please:
runs-on: ubuntu-latest
permissions:
contents: write
issues: write
pull-requests: write
outputs:
release_created: ${{ steps.release.outputs.release_created }}
# Non-empty JSON when release-please created or updated a release PR
# this run. Used by `reattribute` below to decide whether to amend.
pr: ${{ steps.release.outputs.pr }}
steps:
- name: Create Release PR
id: release
uses: googleapis/release-please-action@v5
with:
config-file: .github/release-please-config.json
manifest-file: .github/release-please-manifest.json
# Bot PAT with access to Workflows
# The built-in GITHUB_TOKEN has cannot trigger other workflows
token: ${{ secrets.GH_PAT }}
# release-please-action commits the release PR's contents as the PAT
# owner (the action has no input to override the commit author). Re-attribute
# to github-actions[bot] so the PR shows the bot as author instead of the
# person the PAT belongs to.
reattribute:
needs: release-please
if: ${{ needs.release-please.outputs.pr != '' }}
runs-on: ubuntu-latest
permissions:
contents: write
# Cosmetic best-effort: rewrites the release-PR commit author to the bot. If
# the release PR is merged before this runs, its branch is deleted and the
# checkout below can't fetch it — don't fail the release workflow over that.
continue-on-error: true
env:
# release-please's branch name varies by config (`release-please--branches--<base>`
# for single-package, with extra `--components--<name>` segments for component mode).
# The action emits the PR object as JSON — pull `headBranchName` from it instead of
# guessing the pattern.
PR_BRANCH: ${{ fromJSON(needs.release-please.outputs.pr).headBranchName }}
steps:
- name: Checkout release-please branch
uses: actions/checkout@v7
with:
token: ${{ secrets.GH_PAT }}
ref: ${{ env.PR_BRANCH }}
fetch-depth: 2
- name: Configure git
run: |
git config user.name "github-actions[bot]"
git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
- name: Amend release commit as github-actions[bot]
run: |
set -euo pipefail
# --reset-author rewrites both author and committer to the configured
# identity; --no-edit keeps the existing commit message verbatim.
git commit --amend --reset-author --no-edit
git push origin "$PR_BRANCH" --force-with-lease
publish:
needs: release-please
if: ${{ needs.release-please.outputs.release_created }}
runs-on: ubuntu-latest
permissions:
contents: read
id-token: write # for provenance
steps:
- name: Checkout
uses: actions/checkout@v7
# Setup .npmrc file to publish to npm
- name: Setup Node.js
uses: actions/setup-node@v6
with:
node-version: 24.x
registry-url: https://registry.npmjs.org
- name: Install pnpm
uses: pnpm/action-setup@v6
- name: Get pnpm cache directory path
id: pnpm-cache-dir-path
run: echo "dir=$(pnpm store path)" >> $GITHUB_OUTPUT
- name: Cache node modules
uses: actions/cache@v5
with:
path: ${{ steps.pnpm-cache-dir-path.outputs.dir }}
key: ${{ runner.os }}-pnpm-${{ hashFiles('**/pnpm-lock.json') }}
restore-keys: |
${{ runner.os }}-pnpm-
- name: Install package dependencies
run: pnpm install
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_READ_TOKEN }}
# Using Trusted Publisher to sign the package
# See: https://docs.npmjs.com/trusted-publishers
# See: https://github.blog/changelog/2025-07-31-npm-trusted-publishing-with-oidc-is-generally-available/
# Provenance is enabled by default when publishing with an id-token
# Publish uses OIDC - no token needed
- name: Publish Package
run: pnpm publish