Skip to content

Commit dd51e11

Browse files
authored
ci: changesets-driven releases + pkg.pr.new PR previews (#301)
1 parent 9a0a1f7 commit dd51e11

4 files changed

Lines changed: 129 additions & 48 deletions

File tree

.github/workflows/preview.yml

Lines changed: 55 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,55 @@
1+
name: Preview
2+
3+
# Publishes throwaway preview packages for each PR via pkg.pr.new, installable
4+
# from its CDN (e.g. `npm i https://pkg.pr.new/@zerodev/wallet-react@<sha>`).
5+
#
6+
# SECURITY (public repo): uses `pull_request` — NOT `pull_request_target` — and
7+
# NO secrets. Fork PRs run with a read-only token and cannot access anything
8+
# sensitive. pkg.pr.new publishes to its own CDN (never npm) using the Actions
9+
# OIDC identity; its GitHub App posts the PR comment. No NPM_TOKEN is involved.
10+
11+
on:
12+
pull_request:
13+
branches: [main]
14+
15+
permissions:
16+
contents: read
17+
18+
concurrency:
19+
group: preview-${{ github.event.pull_request.number }}
20+
cancel-in-progress: true
21+
22+
jobs:
23+
preview:
24+
name: Publish preview packages
25+
runs-on: ubuntu-latest
26+
# Previews are advisory — a hiccup (or the pkg.pr.new app not yet installed)
27+
# must never block a PR from merging.
28+
continue-on-error: true
29+
steps:
30+
- name: Checkout
31+
uses: actions/checkout@v4
32+
33+
- name: Setup pnpm
34+
uses: pnpm/action-setup@v4
35+
36+
- name: Setup Node.js
37+
uses: actions/setup-node@v4
38+
with:
39+
node-version: 20
40+
cache: pnpm
41+
42+
- name: Install dependencies
43+
run: pnpm install --frozen-lockfile
44+
45+
- name: Build packages
46+
run: pnpm build
47+
48+
# Only the four publishable packages (skips react-kit / native-kit / apps).
49+
- name: Publish previews
50+
run: >
51+
pnpm dlx pkg-pr-new publish --pnpm
52+
'./packages/core'
53+
'./packages/react'
54+
'./packages/react-ui'
55+
'./packages/wallet-react-ui'

.github/workflows/release.yml

Lines changed: 72 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,72 @@
1+
name: Release
2+
3+
# Changesets-driven release. On every push to `main`:
4+
# - if there are pending changesets → opens/updates the "Version Packages" PR
5+
# (bumps versions, writes CHANGELOGs, deletes changesets)
6+
# - once that PR is merged (versions bumped, no changesets left) → publishes the
7+
# changed packages to npm `latest`, tags them, and cuts GitHub Releases.
8+
#
9+
# SECURITY: runs only on push to `main` (trusted, post-merge code). Publishing
10+
# uses npm Trusted Publishing (OIDC) — no long-lived NPM_TOKEN and no 2FA bypass;
11+
# npm verifies this repo + workflow via GitHub's id-token. Each published package
12+
# must have this repo + `release.yml` configured as a Trusted Publisher on npm.
13+
14+
on:
15+
push:
16+
branches: [main]
17+
18+
concurrency: ${{ github.workflow }}-${{ github.ref }}
19+
20+
permissions:
21+
contents: write # push the Version Packages PR branch + git tags
22+
pull-requests: write # open/update the Version Packages PR
23+
id-token: write # OIDC for npm Trusted Publishing (+ provenance)
24+
25+
jobs:
26+
release:
27+
name: Release
28+
runs-on: ubuntu-latest
29+
steps:
30+
# Mint a short-lived token from the org-owned GitHub App so the "Version
31+
# Packages" PR is opened by the App — that makes the required CI checks run
32+
# on it (a default-GITHUB_TOKEN PR wouldn't trigger workflows). No user PAT.
33+
- name: Generate GitHub App token
34+
id: app-token
35+
uses: actions/create-github-app-token@v1
36+
with:
37+
app-id: ${{ secrets.RELEASE_APP_ID }}
38+
private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
39+
40+
- name: Checkout
41+
uses: actions/checkout@v4
42+
with:
43+
fetch-depth: 0
44+
token: ${{ steps.app-token.outputs.token }}
45+
46+
- name: Setup pnpm
47+
uses: pnpm/action-setup@v4
48+
49+
- name: Setup Node.js
50+
uses: actions/setup-node@v4
51+
with:
52+
node-version: 20
53+
cache: pnpm
54+
registry-url: https://registry.npmjs.org/
55+
56+
- name: Install dependencies
57+
run: pnpm install --frozen-lockfile
58+
59+
# npm Trusted Publishing (OIDC) needs npm >= 11.5.1; node 20 ships npm 10.
60+
- name: Upgrade npm for OIDC publishing
61+
run: npm install -g npm@latest
62+
63+
- name: Create Version PR or publish
64+
uses: changesets/action@v1
65+
with:
66+
version: pnpm changeset:version
67+
publish: pnpm changeset:release:ci
68+
env:
69+
# App token → the Version PR is opened by the App, so the required CI
70+
# checks run on it and it can push past branch protection.
71+
GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
72+
# No NPM_TOKEN: publish auth is npm Trusted Publishing via `id-token`.

.github/workflows/release.yml.disabled

Lines changed: 0 additions & 47 deletions
This file was deleted.

package.json

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -26,7 +26,8 @@
2626
"prepare": "husky",
2727
"changeset": "changeset",
2828
"changeset:version": "changeset version && pnpm install --lockfile-only",
29-
"changeset:release": "pnpm build && bash scripts/remove-type.sh && changeset publish && bash scripts/restore-type.sh && pnpm format"
29+
"changeset:release": "pnpm build && bash scripts/remove-type.sh && changeset publish && bash scripts/restore-type.sh && pnpm format",
30+
"changeset:release:ci": "pnpm build && bash scripts/remove-type.sh && changeset publish && bash scripts/restore-type.sh"
3031
},
3132
"keywords": [
3233
"monorepo",

0 commit comments

Comments
 (0)