release.yml
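# Release workflow: on every push to main, run changesets/action, which either
# maintains the release pull request or runs `yarn release` to publish to npm.
# Publishing relies on npm trusted publishing (OIDC); no NPM_TOKEN is configured.
name: Release

on:
  push:
    branches:
      - main

# Runs of this workflow on the same ref share one concurrency group.
concurrency: ${{ github.workflow }}-${{ github.ref }}

# Explicit token scopes; scopes not listed here are not granted.
# NOTE(review): these scopes are available to every step of the job, not only
# to the publish step.
# NOTE(review): the last step is named as creating a release pull request;
# opening a PR with GITHUB_TOKEN normally needs `pull-requests: write` -
# confirm whether its omission is intentional.
permissions:
  id-token: write # Required for OIDC trusted publishing
  contents: write # Required for pushing git tags after publishing

jobs:
  release:
    name: Release
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): the actions below are referenced by mutable major tags.
      # In a job that can publish, prefer pinning each one to a full commit SHA,
      # e.g. `uses: actions/checkout@<FULL_COMMIT_SHA> # v4` (placeholder).
      - name: Checkout Repo
        uses: actions/checkout@v4

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '22'
          # registry-url enables OIDC authentication for npm publish
          registry-url: 'https://registry.npmjs.org'

      # Trusted publishing requires npm CLI 11.5.1 or later.
      # NOTE(review): `npm@latest` floats, so the CLI that performs the publish
      # changes without review; consider pinning an exact, vetted version.
      - name: Install npm 11.5.1+ for trusted publishing
        run: npm install -g npm@latest

      - name: Enable Corepack
        run: corepack enable

      - name: Install Correct Yarn Version
        run: corepack prepare yarn@4.9.1 --activate

      # --immutable aborts if the lockfile would have to change.
      # NOTE(review): any dependency install scripts run here, inside a job that
      # holds `id-token: write` and `contents: write`.
      - name: Install Dependencies
        run: yarn install --immutable

      # Diagnostics only: this step prints warnings and never fails the job.
      - name: Verify npm and OIDC setup
        run: |
          echo "npm version: $(npm --version)"
          echo "Node version: $(node --version)"
          # Check if we're in a GitHub Actions OIDC environment
          if [ -n "$ACTIONS_ID_TOKEN_REQUEST_URL" ]; then
            echo "✓ OIDC environment detected"
          else
            echo "⚠ OIDC environment not detected"
          fi
          # Verify npm version meets trusted publishing requirement (11.5.1+).
          # Compare the full version: a major.minor comparison would accept
          # 11.5.0, which is below the stated minimum.
          NPM_VERSION=$(npm --version)
          REQUIRED_VERSION="11.5.1"
          if [ "$(printf '%s\n' "$REQUIRED_VERSION" "$NPM_VERSION" | sort -V | head -n1)" = "$REQUIRED_VERSION" ]; then
            echo "✓ npm version meets trusted publishing requirement (11.5.1+)"
          else
            echo "⚠ npm version may be too old for trusted publishing (requires 11.5.1+)"
          fi

      - name: Create Release Pull Request or Publish to npm
        id: changesets
        uses: changesets/action@v1
        with:
          # This expects you to have a script called release which does a build for your packages and calls changeset publish
          publish: yarn release
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # No NPM_TOKEN needed - using trusted publishing via OIDC
          # The registry-url in setup-node@v4 enables OIDC authentication
          # npm CLI 11.5.1+ automatically detects OIDC and uses it for publish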