storage/.github/workflows/release.yml at main · vercel/storage · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
# This workflow handles two flows:
#
# 1. Normal release (default)
#    Triggered only by pushes to `main` (not by manual workflow runs).
#    Uses changesets/action to either open a "Version Packages" PR or, when such
#    a PR is merged, publish to npm.
#
# 2. Snapshot release (manual, opt-in)
#    Triggered by running this workflow via workflow_dispatch with the
#    `snapshot` input set to true.
#
#    A snapshot release is useful when you want to try out changes on a pull
#    request before making a full release and without entering pre-release mode.
#    Changesets force pre-release mode across all packages in the monorepo,
#    which blocks stable releases of every package until pre-release is exited,
#    so we use snapshots instead.
#
#    Snapshot releases are published under the `snapshot` dist-tag with versions
#    like 0.4.0-579bd13f-20230913164912 (the version that would be generated,
#    the commit short sha, and a timestamp).
#
#    How to create one:
#      - Push your branch to GitHub.
#      - Make sure the branch has a changeset committed (`pnpm changeset`).
#      - Open Actions > Release > "Run workflow", select your branch, tick
#        "snapshot", and run.
#      - In the run's logs find the "Create Snapshot Release" step. The last
#        line shows the published version, e.g.
#          @vercel/blob@2.3.4-579bd13-20230913164912
#      - Install with `pnpm add @vercel/blob@<that version>` or
#        `pnpm add @vercel/blob@snapshot` for the latest snapshot.
#
# Authentication: this workflow publishes to npm via Trusted Publishing (OIDC),
# not a long-lived NPM_TOKEN. Each package that should be published from this
# workflow must have a Trusted Publisher configured on npmjs.com pointing at
# this repo and the `release.yml` workflow filename. See:
#   https://docs.npmjs.com/trusted-publishers
# Trusted publishing requires Node >= 22.14.0 and npm >= 11.5.1, which is why
# we pin `node-version: latest` here. The `id-token: write` permission below
# is what allows GitHub Actions to mint the OIDC token npm uses to verify us.

name: Release

env:
  TURBO_TOKEN: ${{ secrets.TURBO_TOKEN }}
  TURBO_TEAM: ${{ vars.TURBO_TEAM }}
  POSTGRES_URL: ${{ secrets.POSTGRES_URL }}
  POSTGRES_URL_NON_POOLING: ${{ secrets.POSTGRES_URL_NON_POOLING }}
  EDGE_CONFIG: ${{ secrets.EDGE_CONFIG }}

on:
  push:
    branches:
      - main
  workflow_dispatch:
    inputs:
      snapshot:
        description: "Manual runs must enable this to publish (snapshot dist-tag from the selected branch); otherwise the workflow fails. Stable versioning/publish runs only on push to main. Requires a changeset on the branch."
        type: boolean
        default: false

concurrency: ${{ github.workflow }}-${{ github.ref }}

permissions:
  contents: write       # version commits + GitHub releases (changesets/action)
  pull-requests: write  # "Version Packages" PR (changesets/action)
  id-token: write       # OIDC token for npm Trusted Publishing

jobs:
  release:
    name: Release
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v6

      - name: Setup pnpm
        uses: pnpm/action-setup@v5

      - uses: actions/setup-node@v6
        with:
          node-version: latest
          registry-url: "https://registry.npmjs.org"
          cache: "pnpm"

      - name: Install Dependencies
        run: pnpm install

      - name: Disallow manual non-snapshot release
        if: ${{ github.event_name == 'workflow_dispatch' && inputs.snapshot != true }}
        run: |
          echo "::error::Stable releases (changesets version/publish) run only on push to main. For a manual run, enable the snapshot input."
          exit 1

      # ----- Normal release (push to main only) -----
      - name: Create Release Pull Request or Publish to npm
        if: ${{ github.event_name == 'push' }}
        id: changesets
        uses: changesets/action@v1
        with:
          # Use GitHub API commits so release PR commits are verified/signed.
          commitMode: github-api
          # This expects you to have a script called release which does a build for your packages and calls changeset publish
          publish: pnpm release
          version: pnpm version-packages
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      # ----- Snapshot release (manual, when `snapshot` input is true) -----
      - name: Add SHORT_SHA env property with commit short sha
        if: ${{ inputs.snapshot == true }}
        run: echo "SHORT_SHA=`echo ${{ github.sha }} | cut -c1-7`" >> $GITHUB_ENV

      - name: Version Packages (snapshot)
        if: ${{ inputs.snapshot == true }}
        run: pnpm changeset version --snapshot ${SHORT_SHA}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Build (snapshot)
        if: ${{ inputs.snapshot == true }}
        run: pnpm build

      - name: Create Snapshot Release
        if: ${{ inputs.snapshot == true }}
        run: pnpm changeset publish --no-git-tag --tag snapshot
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}