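name: Release SDK

# Triggers on tags `vX.Y.Z` matching the version in packages/sdk/package.json.
# Maintainer pushes the tag after merging the version-bump PR (which ran
# `pnpm changeset version`). See packages/sdk/RELEASE.md.
on:
  push:
    tags:
      - "v*"
  workflow_dispatch: # manual fire from GitHub UI — for testing or rerunning a failed publish

# Workflow-level grants: every step of the single job below runs with these,
# including dependency install and the third-party release action.
permissions:
  contents: write # create GitHub Release
  id-token: write # OIDC for npm Trusted Publisher (and provenance attestation)

jobs:
  publish:
    name: Build and publish to npm
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code (at tag)
        # NOTE(review): `@v4` is a mutable tag; pin to a reviewed full commit
        # SHA (with the version in a trailing comment) for a release pipeline.
        uses: actions/checkout@v4
        with:
          submodules: true
          fetch-depth: 0 # full history so changesets can read CHANGELOG context
          # Nothing after checkout runs git against the remote, so do not
          # leave the contents:write token in .git/config where install,
          # lint, test and build scripts could read it.
          persist-credentials: false

      - name: Set up Node.js
        # No `registry-url:` here on purpose. setup-node's registry-url writes
        # an .npmrc with `_authToken=${NODE_AUTH_TOKEN}` and exports
        # NODE_AUTH_TOKEN as the literal sentinel `XXXXX-XXXXX-XXXXX-XXXXX`.
        # pnpm then sends that sentinel as a bearer token and skips OIDC
        # entirely, so the publish PUT comes back as 404.
        uses: actions/setup-node@v4
        with:
          node-version: 22

      - name: Enable Corepack
        # NOTE(review): `@latest` resolves at run time, so the tool that
        # fetches the package manager is not reproducible between releases.
        # Consider pinning an exact corepack version here.
        run: npm i -g corepack@latest

      - name: Install pnpm
        run: corepack prepare

      - name: Install dependencies
        run: pnpm install --frozen-lockfile

      # Defensive layer — if any of these fail, we'd rather find out
      # before npm than on consumers. Matches ng-diagram's publish-npm
      # flow which runs lint/format/typecheck/test before npm publish.
      - name: Lint
        run: pnpm --filter @workflowbuilder/sdk lint

      - name: Typecheck
        run: pnpm --filter @workflowbuilder/sdk typecheck

      - name: Test
        run: pnpm --filter @workflowbuilder/sdk test

      - name: Build SDK
        run: pnpm --filter @workflowbuilder/sdk build:lib

      - name: Verify version matches tag
        # Tag refs/tags/vX.Y.Z must match packages/sdk/package.json version.
        # Catches push of wrong tag (typo, pushed before version-bump PR merged).
        # The ref-type guard covers workflow_dispatch: GITHUB_REF_NAME is also
        # set for branches, so a branch named like a version tag would
        # otherwise satisfy the string comparison and be published.
        run: |
          if [ "$GITHUB_REF_TYPE" != "tag" ]; then
            echo "::error::Release must run from a tag ref (got ref type: $GITHUB_REF_TYPE)."
            exit 1
          fi
          TAG_VERSION="${GITHUB_REF_NAME#v}"
          PKG_VERSION=$(node -p "require('./packages/sdk/package.json').version")
          if [ "$TAG_VERSION" != "$PKG_VERSION" ]; then
            echo "::error::Tag version ($TAG_VERSION) does not match package.json version ($PKG_VERSION)."
            echo "Did you forget to merge the version-bump PR before pushing the tag?"
            exit 1
          fi
          echo "Publishing @workflowbuilder/sdk@$PKG_VERSION"

      - name: Check if version already published
        # Idempotency — re-pushing a tag (e.g. after fixing a workflow bug)
        # should not re-publish. Matches ng-diagram's check.
        # Any `npm view` failure (including a registry or network error) is
        # treated as "not published"; the publish step then relies on the
        # registry rejecting a duplicate version.
        id: check-version
        run: |
          PKG_VERSION=$(node -p "require('./packages/sdk/package.json').version")
          if npm view "@workflowbuilder/sdk@$PKG_VERSION" version 2>/dev/null; then
            echo "already_published=true" >> "$GITHUB_OUTPUT"
            echo "::notice::@workflowbuilder/sdk@$PKG_VERSION already on npm — skipping publish step."
          else
            echo "already_published=false" >> "$GITHUB_OUTPUT"
          fi

      - name: Publish to npm
        # Authenticates via npm Trusted Publisher (OIDC). No NPM_TOKEN.
        # Requires the package to have GitHub Actions trusted publishing
        # configured on npmjs.com pointing at this workflow file.
        if: steps.check-version.outputs.already_published == 'false'
        run: pnpm --filter @workflowbuilder/sdk publish --no-git-checks --access public --provenance

      - name: Extract release notes from CHANGELOG
        id: notes
        # Pulls the section for the current version out of CHANGELOG.md
        # so the GitHub Release body matches what consumers see on npm.
        run: |
          VERSION=$(node -p "require('./packages/sdk/package.json').version")
          # Matches either a bracketed Keep-a-Changelog heading
          # (`## [X.Y.Z] - 2026-06-16`) or a bare Changesets heading (`## X.Y.Z`).
          NOTES=$(awk -v v="$VERSION" '$0 ~ ("^## \\[?" v "\\]?([ -]|$)"){flag=1;next}/^## /{flag=0}flag' packages/sdk/CHANGELOG.md)
          # Per-run random delimiter: with a fixed `EOF`, a changelog line
          # consisting of `EOF` would end the value early and let the lines
          # after it be parsed as additional step outputs.
          DELIM="NOTES_$(node -p "require('node:crypto').randomBytes(16).toString('hex')")"
          {
            echo "notes<<$DELIM"
            echo "$NOTES"
            echo "$DELIM"
          } >> "$GITHUB_OUTPUT"

      - name: Create GitHub Release
        # NOTE(review): third-party action referenced by mutable tag in a job
        # that holds contents:write and id-token:write. Pin to a reviewed
        # full commit SHA so a retagged `v2` cannot run with these grants.
        uses: softprops/action-gh-release@v2
        with:
          tag_name: ${{ github.ref_name }}
          name: "@workflowbuilder/sdk ${{ github.ref_name }}"
          body: ${{ steps.notes.outputs.notes }}
          draft: false
          prerelease: false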