First Package Release #3
name: First Package Release

# Bootstrap workflow for brand-new npm packages.
#
# npm Trusted Publishing cannot be configured until a package already exists on
# the registry. This manual workflow covers that one-time gap: it uses a
# short-lived NPM_TOKEN secret to publish only those public workspace packages
# whose package name is not on npm yet. Packages that already exist are
# skipped, even when the local version has not been published.
#
# Publishing goes through changesets/action so successful first publishes get
# the same tag and GitHub Release behavior as the normal Release workflow. It
# must run on a versioned checkout with no pending changeset files; otherwise
# changesets/action would create/update a release PR instead of publishing.
# Newly published packages must already have a CHANGELOG.md entry for their
# current version, because changesets/action uses that entry as the GitHub
# Release body.
#
# Before running:
#   - Create a temporary npm granular access token with read/write access to
#     the relevant scope, a short expiration, and 2FA bypass for automation.
#     Command-line equivalent (NOTE: wants NPM password):
#       npm token create \
#         --name "first-package-release" \
#         --expires 1 \
#         --scopes @fujocoded \
#         --packages-and-scopes-permission read-write \
#         --bypass-2fa
#   - Add it to this repository's Actions secrets as NPM_TOKEN.
#     Command-line equivalent:
#       gh secret set NPM_TOKEN \
#         --repo FujoWebDev/fujocoded-plugins \
#         --body "<temporary-npm-token>"
#     NOTE(review): --body puts the token into shell history and the process
#     argument list. Omitting --body makes gh prompt for the value instead.
#   - Run this workflow manually.
#     Command-line equivalent:
#       gh workflow run first-release.yaml \
#         --repo FujoWebDev/fujocoded-plugins \
#         --ref <branch-or-tag>
#
# After a successful first release:
#   - Configure Trusted Publishing for each newly published package, using
#     this repository and the normal release.yaml workflow file.
#     Command-line equivalent:
#       npm trust github <package-name> \
#         --repo FujoWebDev/fujocoded-plugins \
#         --file release.yaml \
#         --allow-publish
#   - Delete the NPM_TOKEN repository secret and revoke the npm token.
#     Command-line equivalent:
#       gh secret delete NPM_TOKEN \
#         --repo FujoWebDev/fujocoded-plugins
#       npm token revoke <token-id-or-token>
#   - Use the normal Release workflow for future package versions.
#
# Security notes:
#   - The token bypasses 2FA, so the cleanup steps above are part of the
#     procedure, not optional: while the secret exists, this repository can
#     publish to the whole scope without a second factor.
#   - A repository-level secret is available to workflow runs from any branch
#     of this repository. Storing NPM_TOKEN as an environment secret with
#     required reviewers would narrow who can reach it.
#   - The `uses:` references below are version tags, which can be re-pointed.
#     Pinning each to a full commit SHA (`owner/action@<full-commit-sha>`,
#     placeholder) removes that risk for a job that holds a publish token.

on:
  # Manual trigger only; the ref is chosen by whoever starts the run.
  workflow_dispatch:

# One run per workflow + ref at a time. The default applies: a newer run is
# queued behind the running one rather than cancelling it.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}

permissions:
  # NOTE(review): the publish step authenticates with NPM_TOKEN, so nothing in
  # this file visibly needs an OIDC token. Presumably kept for npm provenance;
  # confirm against first-release-publish.mjs and drop if unused.
  id-token: write
  # Presumably for the tags and GitHub Releases created through
  # changesets/action (createGithubReleases below).
  contents: write

jobs:
  first-release:
    name: First Package Release
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v6

      - name: Setup Node.js
        uses: actions/setup-node@v6
        with:
          node-version: '24'
          registry-url: 'https://registry.npmjs.org'

      # Install and build run before NPM_TOKEN is put into any step's
      # environment, so dependency lifecycle scripts do not receive it here.
      - name: Install dependencies
        run: npm ci

      # Fail fast if any changeset other than README.md is pending; with
      # pending changesets the action would open a release PR, not publish.
      - name: Refuse pending changesets
        run: |
          if find .changeset -maxdepth 1 -type f -name '*.md' ! -name README.md | grep -q .; then
            echo "::error::First Package Release must run on a versioned checkout with no pending changeset files."
            exit 1
          fi

      - name: Build
        run: npm run build

      # The only step that receives the npm token. The publish script is
      # outside this file; per the header it publishes only packages whose
      # name is not on npm yet.
      - name: Publish first-release packages
        uses: changesets/action@v1
        with:
          publish: node .github/workflows/scripts/first-release-publish.mjs
          createGithubReleases: true
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}