Fix the Release workflow (#2033)

Author: poad

.github/workflows/auto-merge.yml

@@ -4,13 +4,13 @@ on:
   pull_request:
 
 permissions:
-  id-token: write
   contents: write
   pull-requests: write
-  checks: write
 
 jobs:
-  pull-request-auto-merge:
+  auto-merge:
+    if: github.event.pull_request.draft == false
+
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v5

.github/workflows/ci.yml

@@ -9,16 +9,6 @@ on:
 
   workflow_dispatch:
 
-permissions:
-  actions: read
-  checks: write
-  contents: none
-  deployments: none
-  issues: none
-  packages: none
-  repository-projects: none
-  statuses: write
-
 jobs:
   build:
     runs-on: ubuntu-latest

.github/workflows/codeql-analysis.yml

@@ -20,24 +20,16 @@ on:
   schedule:
     - cron: '34 3 * * 1'
 
-permissions:
-  actions: read
-  checks: write
-  contents: none
-  deployments: none
-  issues: none
-  packages: none
-  repository-projects: none
-  statuses: write
 
 jobs:
   analyze:
     name: Analyze
     runs-on: ubuntu-latest
     permissions:
+      security-events: write
+      packages: read
       actions: read
       contents: read
-      security-events: write
 
     strategy:
       fail-fast: false

.github/workflows/create-release-pr.yml

@@ -0,0 +1,119 @@
+name: Create Release Pull Request
+description: Create a pull request to release a new version
+
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: 'Version type'
+        required: true
+        type: choice
+        options:
+          - patch
+          - minor
+          - major
+
+jobs:
+  create-release-pr:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+      
+      - name: Configure Git
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+      
+      
+      - name: Setup Node.js
+        uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
+        with:
+          node-version: 'lts/*'
+          check-latest: true
+          package-manager-cache: false
+
+      - uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0
+        with:
+          run_install: |
+            - recursive: true
+              args: [--no-frozen-lockfile]
+      
+      # No need to install dependencies - npm version works without them
+      - name: Version bump
+        id: version
+        run: |
+          VERSION=$(pnpm version "$VERSION_TYPE" --no-git-tag-version)
+          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
+          pnpm --recursive exec pnpm pkg set version=$(node -p "JSON.parse(fs.readFileSync('package.json', 'utf8')).version")
+        env:
+          VERSION_TYPE: ${{ github.event.inputs.version }}
+
+      - name: Get release notes
+        id: release-notes
+        run: |
+          # Get the default branch
+          DEFAULT_BRANCH=$(gh api "repos/$GITHUB_REPOSITORY" --jq '.default_branch')
+          
+          # Get the latest release tag using GitHub API
+          # Use the exit code to determine if a release exists
+          if LAST_TAG=$(gh api "repos/$GITHUB_REPOSITORY/releases/latest" --jq '.tag_name' 2>/dev/null); then
+            echo "Previous release found: $LAST_TAG"
+          else
+            LAST_TAG=""
+            echo "No previous releases found - this will be the first release"
+          fi
+          
+          # Generate release notes - only include previous_tag_name if we have a valid previous tag
+          echo "Generating release notes for tag: $VERSION"
+          if [ -n "$LAST_TAG" ]; then
+            echo "Using previous tag: $LAST_TAG"
+            RELEASE_NOTES=$(gh api \
+              --method POST \
+              -H "Accept: application/vnd.github+json" \
+              "/repos/$GITHUB_REPOSITORY/releases/generate-notes" \
+              -f "tag_name=$VERSION" \
+              -f "target_commitish=$DEFAULT_BRANCH" \
+              -f "previous_tag_name=$LAST_TAG" \
+              --jq '.body')
+          else
+            echo "Generating notes from all commits"
+            RELEASE_NOTES=$(gh api \
+              --method POST \
+              -H "Accept: application/vnd.github+json" \
+              "/repos/$GITHUB_REPOSITORY/releases/generate-notes" \
+              -f "tag_name=$VERSION" \
+              -f "target_commitish=$DEFAULT_BRANCH" \
+              --jq '.body')
+          fi
+          
+          # Set release notes as environment variable
+          echo "RELEASE_NOTES<<EOF" >> "$GITHUB_OUTPUT"
+          echo "$RELEASE_NOTES" >> "$GITHUB_OUTPUT"
+          echo "EOF" >> "$GITHUB_OUTPUT"
+        env:
+          GH_TOKEN: ${{ github.token }}
+          VERSION: ${{ steps.version.outputs.version }}
+          GITHUB_REPOSITORY: ${{ github.repository }}
+
+      - name: Create Pull Request
+        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
+        env:
+          RELEASE_NOTES: ${{ steps.release-notes.outputs.RELEASE_NOTES }}
+          VERSION: ${{ steps.version.outputs.version }}
+        with:
+          branch: release/${{ steps.version.outputs.version }}
+          delete-branch: true
+          title: "Release ${{ steps.version.outputs.version }}"
+          body: |
+            ${{ env.RELEASE_NOTES }}
+          commit-message: "chore: release ${{ steps.version.outputs.version }}"
+          labels: |
+            Type: Release
+          assignees: ${{ github.actor }}
+          draft: true

.github/workflows/release.yml

@@ -1,56 +1,60 @@
 name: Automatic release
 on:
-  release:
+  pull_request:
+    branches:
+      - master
+      - main
     types:
-      - published
+      - closed
 
   workflow_dispatch:
 
-permissions:
-  actions: read
-  checks: write
-  contents: none
-  deployments: none
-  issues: none
-  packages: none
-  repository-projects: none
-  statuses: write
-
 jobs:
   release:
+    if: |
+      github.event.pull_request.merged == true && contains(github.event.pull_request.labels.*.name, 'Type: Release')
+    permissions:
+      contents: write
+      id-token: write  # OIDC
+      pull-requests: write  # PR comment
+
     name: check version, add tag and release
     runs-on: ubuntu-latest
     steps:
-      - name: checkout
-        uses: actions/checkout@v5
+      - name: Checkout
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
 
-      - name: setup Node
+      - name: Setup Node
         uses: actions/setup-node@v5
-        env :
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
         with:
-          node-version: 22.x
+          node-version: 'lts/*'
           registry-url: 'https://registry.npmjs.org'
-          scope       : 'appstore-connect-jwt-generator-clie'
-          always-auth : true
+          scope       : 'appstore-connect-jwt-generator-core'
           package-manager-cache: false
 
-      - uses: pnpm/action-setup@v4  
-        name: Install pnpm
+      - name: Can Publish
+        run : npx can-npm-publish --verbose
+        working-directory: package
+
+      - name: Install latest npm
+        run: |
+          echo "Current npm version: $(npm -v)"
+          npm install -g npm@latest
+          echo "Updated npm version: $(npm -v)"
+
+      - name: Install pnpm
+        uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0
         with:
           run_install: |
             - recursive: true
               args: [--no-frozen-lockfile]
-        
-      - name: Can Publish
-        run : npx can-npm-publish --verbose
-        env :
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+
       - name: Build
         run : pnpm build
-        env :
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+        working-directory: package
+
       - name: Publish
-        run : npm publish --access=public
-        env :
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+        run : pnpm -r publish --no-git-checks --access public --provenance
+        working-directory: package