-
Notifications
You must be signed in to change notification settings - Fork 1
72 lines (61 loc) · 2.85 KB
/
Copy pathrelease.yml
File metadata and controls
72 lines (61 loc) · 2.85 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
name: Release
# Changesets-driven release. On every push to `main`:
# - if there are pending changesets → opens/updates the "Version Packages" PR
# (bumps versions, writes CHANGELOGs, deletes changesets)
# - once that PR is merged (versions bumped, no changesets left) → publishes the
# changed packages to npm `latest`, tags them, and cuts GitHub Releases.
#
# SECURITY: runs only on push to `main` (trusted, post-merge code). Publishing
# uses npm Trusted Publishing (OIDC) — no long-lived NPM_TOKEN and no 2FA bypass;
# npm verifies this repo + workflow via GitHub's id-token. Each published package
# must have this repo + `release.yml` configured as a Trusted Publisher on npm.
on:
push:
branches: [main]
concurrency: ${{ github.workflow }}-${{ github.ref }}
permissions:
contents: write # push the Version Packages PR branch + git tags
pull-requests: write # open/update the Version Packages PR
id-token: write # OIDC for npm Trusted Publishing (+ provenance)
jobs:
release:
name: Release
runs-on: ubuntu-latest
steps:
# Mint a short-lived token from the org-owned GitHub App so the "Version
# Packages" PR is opened by the App — that makes the required CI checks run
# on it (a default-GITHUB_TOKEN PR wouldn't trigger workflows). No user PAT.
- name: Generate GitHub App token
id: app-token
uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v1.12.0
with:
app-id: ${{ secrets.RELEASE_APP_ID }}
private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
- name: Checkout
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
fetch-depth: 0
token: ${{ steps.app-token.outputs.token }}
- name: Setup pnpm
uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4.3.0
- name: Setup Node.js
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
with:
node-version: 20
cache: pnpm
registry-url: https://registry.npmjs.org/
- name: Install dependencies
run: pnpm install --frozen-lockfile
# npm Trusted Publishing (OIDC) needs npm >= 11.5.1; node 20 ships npm 10.
- name: Upgrade npm for OIDC publishing
run: npm install -g npm@latest
- name: Create Version PR or publish
uses: changesets/action@a45c4d594aa4e2c509dc14a9f2b3b67ba3780d0d # v1.9.0
with:
version: pnpm changeset:version
publish: pnpm changeset:release:ci
env:
# App token → the Version PR is opened by the App, so the required CI
# checks run on it and it can push past branch protection.
GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
# No NPM_TOKEN: publish auth is npm Trusted Publishing via `id-token`.