publish.yml
# Release pipeline. It starts whenever a tag matching v* is pushed, so anyone
# who can push such a tag can start a release run.
name: publish

on:
  push:
    tags: ["v*"]

# Every run shares the single "publish" group, and a newly queued run never
# cancels one that is already in progress.
concurrency:
  group: publish
  cancel-in-progress: false
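# Job chain: checks -> build -> approve -> publish.
#
# NOTE(review): every `uses:` below references an action by a mutable tag
# (@v5, @v4, @v2). In a pipeline that holds publish credentials, pinning each
# one to a full commit SHA keeps a moved tag from changing what runs here.
jobs:
  # Gate 1: the tag must match package.json, and the pre-commit and tests
  # workflows must already have succeeded for the tagged commit.
  checks:
    name: Checks
    runs-on: ubuntu-latest
    permissions:
      # Read access to workflow-run metadata, used by the `gh api` query below.
      # No `contents` scope is granted. NOTE(review): checkout then depends on
      # the repository being publicly readable - confirm.
      actions: read
    steps:
      - name: Checkout code
        uses: actions/checkout@v5
        with:
          # Only package.json is read afterwards; do not leave the token in
          # the checkout's git configuration.
          persist-credentials: false

      - name: Check tag version matches package.json
        if: startsWith(github.ref, 'refs/tags/')
        run: |
          TAG_VERSION="${GITHUB_REF_NAME#v}"
          PKG_VERSION=$(jq -r '.version' package.json)
          echo "Tag version: $TAG_VERSION"
          echo "package.json: $PKG_VERSION"
          if [ "$TAG_VERSION" != "$PKG_VERSION" ]; then
            echo "FAIL: tag v$TAG_VERSION does not match package.json version $PKG_VERSION"
            exit 1
          fi

      # Looks up the most recent run of each workflow for this commit and
      # fails unless it is completed with conclusion "success". A commit with
      # no run at all yields "null null" and therefore also fails.
      # The commit and repository come from the runner's GITHUB_SHA and
      # GITHUB_REPOSITORY variables rather than from expression text pasted
      # into the script, so context values are never parsed as shell source.
      - name: Check pre-commit and tests for this commit
        run: |
          COMMIT_SHA="$GITHUB_SHA"
          REPO="$GITHUB_REPOSITORY"
          FAILED=0

          check_workflow() {
            local workflow_file="$1"
            local result status conclusion
            result=$(gh api "repos/$REPO/actions/workflows/$workflow_file/runs?head_sha=$COMMIT_SHA&per_page=1" \
              --jq '.workflow_runs[0] | "\(.status) \(.conclusion)"')
            read -r status conclusion <<< "$result"
            echo "[$workflow_file] status=$status conclusion=$conclusion"
            if [ "$status" != "completed" ] || [ "$conclusion" != "success" ]; then
              echo "FAIL: $workflow_file did not pass for $COMMIT_SHA"
              return 1
            fi
          }

          check_workflow "pre-commit.yml" || FAILED=1
          check_workflow "tests.yml" || FAILED=1
          exit "$FAILED"
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  # Builds dist/ and hands it to the publish job as the "dist" artifact.
  build:
    name: Build
    needs: checks
    runs-on: ubuntu-latest
    # Without an explicit block the job gets the repository's default token
    # permissions, which may include write scopes. Checkout authenticates
    # with the PAT below, so read-only contents is set here.
    # NOTE(review): confirm ./.github/actions/setup needs no further scope.
    permissions:
      contents: read
    steps:
      - name: Checkout code
        uses: actions/checkout@v5
        with:
          submodules: recursive
          token: ${{ secrets.GH_PAT_SUBMODULE }}
          # Submodules are fetched by this step. Not persisting the PAT keeps
          # it out of the git configuration, where the setup and build steps
          # (and any dependency scripts they run) could read it.
          # NOTE(review): revert only if a later step needs authenticated git.
          persist-credentials: false

      - name: Setup
        uses: ./.github/actions/setup

      - name: Build
        run: bun run build

      - name: Upload build artifact
        uses: actions/upload-artifact@v4
        with:
          name: dist
          path: dist/

  # Gate 2: the job only references the npm-publish environment. Any
  # protection rules configured on that environment (not visible in this
  # file) are what hold the pipeline here.
  # NOTE(review): NPM_TOKEN is read by the `publish` job, which declares no
  # environment, so the secret cannot be scoped to npm-publish as written.
  # Consider declaring the environment on the job that uses the credential.
  approve:
    name: Approval
    needs: [checks, build]
    runs-on: ubuntu-latest
    environment: npm-publish
    # The only step is an echo; the job needs no token scopes.
    permissions: {}
    steps:
      - name: Approved
        run: echo "Publish approved"

  # Publishes the artifact produced by `build`.
  publish:
    name: Publish
    needs: approve
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # Lets the job request an OIDC token. NOTE(review): no step visible here
      # asks for one explicitly - confirm the publish step uses it, otherwise
      # drop this scope.
      id-token: write
    steps:
      - name: Checkout code
        uses: actions/checkout@v5
        with:
          fetch-depth: 0
          # No later step performs git operations against the remote.
          persist-credentials: false

      - name: Setup Bun
        uses: oven-sh/setup-bun@v2
        with:
          # NOTE(review): a floating toolchain version in the job that holds
          # the registry credential; pin to a reviewed version
          # (placeholder: <PINNED_BUN_VERSION>).
          bun-version: latest

      - name: Download build artifact
        uses: actions/download-artifact@v4
        with:
          name: dist
          path: dist/

      - name: Publish
        run: bun publish --access public
        env:
          # NOTE(review): presumably referenced from the project's registry
          # configuration (.npmrc or bunfig.toml) - confirm that bun actually
          # reads this variable.
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}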