diff --git a/.github/workflows/auto-merge.yml b/.github/workflows/auto-merge.yml index 37f98b18..735f6162 100644 --- a/.github/workflows/auto-merge.yml +++ b/.github/workflows/auto-merge.yml @@ -4,13 +4,13 @@ on: pull_request: permissions: - id-token: write contents: write pull-requests: write - checks: write jobs: - pull-request-auto-merge: + auto-merge: + if: github.event.pull_request.draft == false + runs-on: ubuntu-latest steps: - uses: actions/checkout@v5 diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 237f13f8..8a8bdb3a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -9,16 +9,6 @@ on: workflow_dispatch: -permissions: - actions: read - checks: write - contents: none - deployments: none - issues: none - packages: none - repository-projects: none - statuses: write - jobs: build: runs-on: ubuntu-latest diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 07a116c3..8be0b073 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -20,24 +20,16 @@ on: schedule: - cron: '34 3 * * 1' -permissions: - actions: read - checks: write - contents: none - deployments: none - issues: none - packages: none - repository-projects: none - statuses: write jobs: analyze: name: Analyze runs-on: ubuntu-latest permissions: + security-events: write + packages: read actions: read contents: read - security-events: write strategy: fail-fast: false diff --git a/.github/workflows/create-release-pr.yml b/.github/workflows/create-release-pr.yml new file mode 100644 index 00000000..d50760bc --- /dev/null +++ b/.github/workflows/create-release-pr.yml 
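Review bot: `uses: actions/checkout@v5` on the hunk's last line is still a mutable tag, while the same action is pinned to a full commit SHA (`actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0`) in the create-release-pr.yml and release.yml files touched by this same commit; a job that merges pull requests with `contents: write` and `pull-requests: write` deserves the same pinning, e.g. `- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0`. As a matter of style, the added `if: github.event.pull_request.draft == false` can be written `if: ${{ !github.event.pull_request.draft }}`, matching how boolean payload fields are usually tested. The job's remaining steps continue outside the hunk, so whether the dropped `id-token: write` and `checks: write` were still needed by them cannot be confirmed from here.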
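Review bot: Dropping the workflow-level `permissions:` block is harmless in this file only because the `analyze` job carries its own block, but the identical deletion in the ci.yml hunk leaves the `build` job (whose body continues outside that hunk) with no explicit permissions at all, so its GITHUB_TOKEN falls back to the repository default, which is read-only on newer repositories but `write-all` where the legacy default is still in force. The removed block deliberately set `contents: none` and the other scopes to `none`; the least-privilege replacement for ci.yml is a workflow-level `permissions:` with `contents: read` plus only the `checks: write` / `statuses: write` the build steps actually use, which should be checked against the steps outside the hunk. The newly added `packages: read` in the `analyze` block has no comment; the CodeQL starter workflow documents this scope as needed to fetch internal or private CodeQL packs, so `packages: read # required to fetch internal or private CodeQL packs` would record the reason (or the line can go if no such packs are used).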
@@ -0,0 +1,119 @@
+name: Create Release Pull Request
+description: Create a pull request to release a new version
+
+on:
+ workflow_dispatch:
+ inputs:
+ version:
+ description: 'Version type'
+ required: true
+ type: choice
+ options:
+ - patch
+ - minor
+ - major
+
+jobs:
+ create-release-pr:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ pull-requests: write
+ steps:
+ - name: Checkout
+ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ with:
+ persist-credentials: false
+
+ - name: Configure Git
+ run: |
+ git config user.name "github-actions[bot]"
+ git config user.email "github-actions[bot]@users.noreply.github.com"
+
+
+ - name: Setup Node.js
+ uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
+ with:
+ node-version: 'lts/*'
+ check-latest: true
+ package-manager-cache: false
+
+ - uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0
+ with:
+ run_install: |
+ - recursive: true
+ args: [--no-frozen-lockfile]
+
+ # No need to install dependencies - npm version works without them
+ - name: Version bump
+ id: version
+ run: |
+ VERSION=$(pnpm version "$VERSION_TYPE" --no-git-tag-version)
+ echo "version=$VERSION" >> "$GITHUB_OUTPUT"
+ pnpm --recursive exec pnpm pkg set version=$(node -p "JSON.parse(fs.readFileSync('package.json', 'utf8')).version")
+ env:
+ VERSION_TYPE: ${{ github.event.inputs.version }}
+
+ - name: Get release notes
+ id: release-notes
+ run: |
+ # Get the default branch
+ DEFAULT_BRANCH=$(gh api "repos/$GITHUB_REPOSITORY" --jq '.default_branch')
+
+ # Get the latest release tag using GitHub API
+ # Use the exit code to determine if a release exists
+ if LAST_TAG=$(gh api "repos/$GITHUB_REPOSITORY/releases/latest" --jq '.tag_name' 2>/dev/null); then
+ echo "Previous release found: $LAST_TAG"
+ else
+ LAST_TAG=""
+ echo "No previous releases found - this will be the first release"
+ fi
+
+ # Generate release notes - only include previous_tag_name if we have a valid previous tag
+ echo "Generating release notes for tag: $VERSION"
+ if [ -n "$LAST_TAG" ]; then
+ echo "Using previous tag: $LAST_TAG"
+ RELEASE_NOTES=$(gh api \
+ --method POST \
+ -H "Accept: application/vnd.github+json" \
+ "/repos/$GITHUB_REPOSITORY/releases/generate-notes" \
+ -f "tag_name=$VERSION" \
+ -f "target_commitish=$DEFAULT_BRANCH" \
+ -f "previous_tag_name=$LAST_TAG" \
+ --jq '.body')
+ else
+ echo "Generating notes from all commits"
+ RELEASE_NOTES=$(gh api \
+ --method POST \
+ -H "Accept: application/vnd.github+json" \
+ "/repos/$GITHUB_REPOSITORY/releases/generate-notes" \
+ -f "tag_name=$VERSION" \
+ -f "target_commitish=$DEFAULT_BRANCH" \
+ --jq '.body')
+ fi
+
+ # Set release notes as environment variable
+ echo "RELEASE_NOTES<> "$GITHUB_OUTPUT"
+ echo "$RELEASE_NOTES" >> "$GITHUB_OUTPUT"
+ echo "EOF" >> "$GITHUB_OUTPUT"
+ env:
+ GH_TOKEN: ${{ github.token }}
+ VERSION: ${{ steps.version.outputs.version }}
+ GITHUB_REPOSITORY: ${{ github.repository }}
+
+ - name: Create Pull Request
+ uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
+ env:
+ RELEASE_NOTES: ${{ steps.release-notes.outputs.RELEASE_NOTES }}
+ VERSION: ${{ steps.version.outputs.version }}
+ with:
+ branch: release/${{ steps.version.outputs.version }}
+ delete-branch: true
+ title: "Release ${{ steps.version.outputs.version }}"
+ body: |
+ ${{ env.RELEASE_NOTES }}
+ commit-message: "chore: release ${{ steps.version.outputs.version }}"
+ labels: |
+ Type: Release
+ assignees: ${{ github.actor }}
+ draft: true
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 1a02c5d5..25aceb7f 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
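Review bot: The heredoc that writes `RELEASE_NOTES` into `$GITHUB_OUTPUT` (the three `echo` lines under `# Set release notes as environment variable`) closes with the fixed delimiter `EOF` around text that comes from contributors' PR titles and commit messages via the generate-notes API, so a notes line that happens to equal `EOF` ends the block early and turns whatever follows into additional step outputs. Use a delimiter the content cannot predict, e.g. `delim="$(openssl rand -hex 8)"`, `echo "RELEASE_NOTES<<$delim" >> "$GITHUB_OUTPUT"` and `echo "$delim" >> "$GITHUB_OUTPUT"`; as rendered here the opening line reads `RELEASE_NOTES<>`, so the `<<EOF` marker should also be verified in the committed file. The top-level `description:` key is, as far as I know, not part of the workflow schema (it belongs to action metadata) and may cause GitHub to reject the workflow file; a `# ...` comment above `name:` carries the same information. The comment `# No need to install dependencies - npm version works without them` contradicts the preceding `pnpm/action-setup` step, whose `run_install` performs a recursive install with `--no-frozen-lockfile`; either drop that install or reword the comment.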
@@ -1,56 +1,60 @@ name: Automatic release on: - release: + pull_request: + branches: + - master + - main types: - - published + - closed workflow_dispatch: -permissions: - actions: read - checks: write - contents: none - deployments: none - issues: none - packages: none - repository-projects: none - statuses: write - jobs: release: + if: | + github.event.pull_request.merged == true && contains(github.event.pull_request.labels.*.name, 'Type: Release') + permissions: + contents: write + id-token: write # OIDC + pull-requests: write # PR comment + name: check version, add tag and release runs-on: ubuntu-latest steps: - - name: checkout - uses: actions/checkout@v5 + - name: Checkout + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - - name: setup Node + - name: Setup Node uses: actions/setup-node@v5 - env : - NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} with: - node-version: 22.x + node-version: 'lts/*' registry-url: 'https://registry.npmjs.org' - scope : 'appstore-connect-jwt-generator-clie' - always-auth : true + scope : 'appstore-connect-jwt-generator-core' package-manager-cache: false - - uses: pnpm/action-setup@v4 - name: Install pnpm + - name: Can Publish + run : npx can-npm-publish --verbose + working-directory: package + + - name: Install latest npm + run: | + echo "Current npm version: $(npm -v)" + npm install -g npm@latest + echo "Updated npm version: $(npm -v)" + + - name: Install pnpm + uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0 with: run_install: | - recursive: true args: [--no-frozen-lockfile] - - - name: Can Publish - run : npx can-npm-publish --verbose - env : - NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} + - name: Build run : pnpm build - env : - NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} + working-directory: package + - name: Publish - run : npm publish --access=public - env : - NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} \ No newline at end of file + run : pnpm -r 
publish --no-git-checks --access public --provenance + working-directory: package
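Review bot: The new `Install latest npm` step runs `npm install -g npm@latest` inside the publish job, so the npm client that performs the `--provenance` publish is resolved at run time and not pinned, unlike the SHA-pinned actions around it; pin it, e.g. `npm install -g npm@<pinned-version>` (placeholder), and bump it deliberately. With the trigger now `pull_request` / `closed`, `actions/checkout` defaults to the PR merge ref rather than the commit that landed on the base branch, so a job named "check version, add tag and release" should pass `ref: ${{ github.event.pull_request.merge_commit_sha }}` to `with:` so it builds and publishes exactly what was merged. The added `run : npx can-npm-publish --verbose` and `run : pnpm -r publish ...` lines carry the old file's `run :` spacing (space before the colon) while every other key in the file uses `key:`; normalise them to `run:`. SOURCE ends at `working-directory: package`, so whether any further hunk lines follow cannot be confirmed from here.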