server/.github/workflows/release.yml at main · supabase/server · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
name: Release

on:
  push:
    branches:
      - main

permissions:
  contents: write
  pull-requests: write
  id-token: write # required for npm trusted publishing

concurrency:
  group: release-${{ github.ref }}
  cancel-in-progress: false

jobs:
  release-please:
    runs-on: ubuntu-latest
    steps:
      - name: Generate GitHub App token
        id: generate-token
        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0
        with:
          app-id: ${{ secrets.GH_APP_ID }}
          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}

      - name: Run release-please
        uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38 # v4.4.0
        id: release
        with:
          token: ${{ steps.generate-token.outputs.token }}

      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0

      - name: Determine version
        id: version
        env:
          RELEASE_CREATED: ${{ steps.release.outputs.release_created }}
          RELEASE_VERSION: ${{ steps.release.outputs.major }}.${{ steps.release.outputs.minor }}.${{ steps.release.outputs.patch }}
          PR_HEAD_BRANCH: ${{ steps.release.outputs.pr && fromJSON(steps.release.outputs.pr).headBranchName }}
        run: |
          set -euo pipefail

          if [ "$RELEASE_CREATED" == "true" ]; then
            VERSION="$RELEASE_VERSION"
            TAG="latest"
          else
            if [ -z "$PR_HEAD_BRANCH" ]; then
              echo "skip=true" >> $GITHUB_OUTPUT
              exit 0
            fi

            # Validate branch name to prevent git ref injection
            if [[ ! "$PR_HEAD_BRANCH" =~ ^[A-Za-z0-9._/-]+$ ]] || \
               [[ "$PR_HEAD_BRANCH" =~ \.\.|//|@\{|^-|/$ ]]; then
              echo "Invalid PR_HEAD_BRANCH: $PR_HEAD_BRANCH"
              exit 1
            fi

            git fetch origin "refs/heads/$PR_HEAD_BRANCH"
            NEXT_VERSION=$(git show "FETCH_HEAD:package.json" | node -p "JSON.parse(require('fs').readFileSync(0,'utf8')).version")

            if [[ ! "$NEXT_VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
              echo "Invalid version in PR branch package.json: $NEXT_VERSION"
              exit 1
            fi

            VERSION="${NEXT_VERSION}-rc.${{ github.run_number }}"
            TAG="rc"
          fi
          echo "version=$VERSION" >> $GITHUB_OUTPUT
          echo "tag=$TAG" >> $GITHUB_OUTPUT

      - name: Setup Node.js
        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        if: ${{ steps.version.outputs.skip != 'true' }}
        with:
          node-version: 22
          registry-url: 'https://registry.npmjs.org'

      - name: Install latest npm (user prefix)
        if: ${{ steps.version.outputs.skip != 'true' }}
        run: |
          mkdir -p "$HOME/.npm-global"
          npm config set prefix "$HOME/.npm-global"
          echo "$HOME/.npm-global/bin" >> "$GITHUB_PATH"

          npm install -g npm@latest
          npm --version

      - name: Setup pnpm
        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
        if: ${{ steps.version.outputs.skip != 'true' }}
        with:
          version: latest

      - name: Install dependencies
        if: ${{ steps.version.outputs.skip != 'true' }}
        run: pnpm install --frozen-lockfile

      - name: Stamp version
        if: ${{ steps.version.outputs.skip != 'true' }}
        run: npm version "${{ steps.version.outputs.version }}" --no-git-tag-version --allow-same-version

      - name: Build
        if: ${{ steps.version.outputs.skip != 'true' }}
        run: pnpm build

      - name: Publish to npm
        if: ${{ steps.version.outputs.skip != 'true' }}
        run: |
          set -euo pipefail
          NPM_VIEW_STDERR=$(mktemp)
          EXISTING=$(npm view "@supabase/server@${{ steps.version.outputs.version }}" version 2>"$NPM_VIEW_STDERR") || STATUS=$?
          if [ -n "$EXISTING" ]; then
            echo "Version ${{ steps.version.outputs.version }} already published, skipping."
            rm -f "$NPM_VIEW_STDERR"
            exit 0
          elif [ "${STATUS:-0}" -ne 0 ] && ! grep -qiE 'E404|not found' "$NPM_VIEW_STDERR"; then
            cat "$NPM_VIEW_STDERR"
            rm -f "$NPM_VIEW_STDERR"
            exit 1
          fi
          rm -f "$NPM_VIEW_STDERR"
          # TODO(@mandarini): add back --provenance once repo is OSS
          npm publish --access public --tag "${{ steps.version.outputs.tag }}"

      - name: Publish to JSR
        if: ${{ steps.version.outputs.skip != 'true' }}
        continue-on-error: true
        run: npx jsr publish --allow-dirty

      - name: Create GitHub pre-release
        if: ${{ steps.version.outputs.tag == 'rc' }}
        env:
          GH_TOKEN: ${{ steps.generate-token.outputs.token }}
        run: |
          gh release create "server-v${{ steps.version.outputs.version }}" \
            --title "server-v${{ steps.version.outputs.version }}" \
            --generate-notes \
            --prerelease