@@ -19,13 +19,16 @@ jobs:
1919 node-version : ${{ matrix.node-version }}
2020 registry-url : " https://registry.npmjs.org"
2121 - run : node --version
22+ - name : Enable Yarn (Corepack)
23+ run : |
24+ corepack enable
25+ corepack prepare yarn@1.22.22 --activate
26+ yarn --version
2227name : Upgrade npm for trusted publishing compatibility
2328 run : |
2429 npm i -g npm@^11.5.1
2530 npm --version
2631run : yarn install
27- - run : node --version
28- - run : npm --version
2932 - run : DEBUG=eslint:cli-engine npm run lint:all
3033 - run : npm run build
3134 - run : npm run test:browser
@@ -47,16 +50,83 @@ jobs:
4750 with :
4851 node-version : ${{ matrix.node-version }}
4952 registry-url : " https://registry.npmjs.org"
53+ - run : node --version
54+ - name : Enable Yarn (Corepack)
55+ run : |
56+ corepack enable
57+ corepack prepare yarn@1.22.22 --activate
58+ yarn --version
5059name : Upgrade npm for trusted publishing compatibility
5160 run : |
5261 npm i -g npm@^11.5.1
5362 npm --version
5463run : yarn install
5564 - run : npm run build
56- - run : git status && git stash
5765 - run : echo "TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
58- - run : npm run publish:release -- $TAG --yes
66+ - name : Publish packages to npm (OIDC)
5967 if : ${{ env.TAG != '' && !contains(env.TAG, '/') && github.repository == 'ringcentral/ringcentral-js' }}
68+ env :
69+ # Prevent any repo/org secret from forcing token-based publishing.
70+ NODE_AUTH_TOKEN : " "
71+ NPM_CONFIG_PROVENANCE : " true"
72+ run : |
73+ set -euo pipefail
74+
75+ VERSION="${TAG#v}"
76+ export VERSION
77+ echo "Publishing version: ${VERSION}"
78+
79+ unset NODE_AUTH_TOKEN
80+
81+ node - <<'NODE'
82+ const fs = require('fs');
83+ const path = require('path');
84+ const { spawnSync } = require('child_process');
85+
86+ const version = process.env.VERSION;
87+ if (!version || version.trim() === '') {
88+ console.error('Missing VERSION');
89+ process.exit(1);
90+ }
91+ const publishTag = version.includes('-') ? 'next' : 'latest';
92+ console.log(`npm dist-tag: ${publishTag}`);
93+
94+ const rootPkg = JSON.parse(fs.readFileSync('package.json', 'utf8'));
95+ const workspaces = rootPkg.workspaces || [];
96+
97+ function run(cmd, args, cwd) {
98+ const res = spawnSync(cmd, args, { cwd, stdio: 'inherit' });
99+ if (res.status) process.exit(res.status);
100+ }
101+
102+ const publishTargets = [];
103+ for (const ws of workspaces) {
104+ const pkgJsonPath = path.join(ws, 'package.json');
105+ if (!fs.existsSync(pkgJsonPath)) continue;
106+ const pkg = JSON.parse(fs.readFileSync(pkgJsonPath, 'utf8'));
107+ if (pkg.private) continue;
108+ if (!pkg.name) continue;
109+ publishTargets.push({ dir: ws, name: pkg.name });
110+ }
111+
112+ if (publishTargets.length === 0) {
113+ console.log('No public workspaces found to publish.');
114+ process.exit(0);
115+ }
116+
117+ console.log('Publish targets:');
118+ for (const t of publishTargets) console.log(`- ${t.name} (${t.dir})`);
119+
120+ // Ensure versions are set consistently before publishing.
121+ for (const t of publishTargets) {
122+ run('npm', ['version', version, '--no-git-tag-version'], t.dir);
123+ }
124+
125+ // Publish each package using npm OIDC trusted publishing.
126+ for (const t of publishTargets) {
127+ run('npm', ['publish', '--provenance', '--access', 'public', '--tag', publishTag], t.dir);
128+ }
129+ NODE
60130name : Release
61131 if : ${{ env.TAG != '' && !contains(env.TAG, '/') && github.repository == 'ringcentral/ringcentral-js' }}
62132 uses : softprops/action-gh-release@v1
0 commit comments