Update Well Known to v7.8.3 (#2199) #63
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
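# Publish the ghost-cli package to npm.
#
# Triggers:
#   - push to main that touches package.json: publishes only when HEAD is a
#     `chore(release): <version>` commit whose version matches package.json and
#     is not yet on the registry, then creates and pushes a `v<version>` tag.
#   - workflow_dispatch: manual run in one of three modes (oidc-check, dry-run,
#     publish) against a caller-supplied dist-tag; never creates a git tag.
#
# Every value that originates from workflow inputs, commit messages, package.json
# or earlier step outputs is handed to shell through `env:` rather than `${{ }}`
# interpolation inside `run:`, so it can never be parsed as shell syntax, and the
# values written to GITHUB_OUTPUT are restricted to a conservative charset.
name: Publish to npm
on:
  push:
    branches:
      - main
    paths:
      - 'package.json'
  workflow_dispatch:
    inputs:
      mode:
        description: How this run should exercise npm publishing
        required: true
        type: choice
        options:
          - oidc-check
          - dry-run
          - publish
        default: oidc-check
      npm_tag:
        description: Dist-tag to use for manual runs
        required: true
        type: string
        default: next
jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: write
      id-token: write
    defaults:
      run:
        # Explicit bash: the scripts below rely on [[ ]], arrays and BASH_REMATCH,
        # and `shell: bash` also enables `pipefail`, which the implicit default shell lacks.
        shell: bash
    steps:
      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
        with:
          # HEAD^ is needed to detect a version bump in the pushed commit.
          fetch-depth: 2
      - uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6
      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
        with:
          node-version: 24.x
          registry-url: https://registry.npmjs.org
          cache: pnpm
        env:
          FORCE_COLOR: 0
      - name: Resolve publish mode
        id: publish_mode
        env:
          EVENT_NAME: ${{ github.event_name }}
          INPUT_MODE: ${{ inputs.mode }}
          INPUT_NPM_TAG: ${{ inputs.npm_tag }}
        run: |
          if [ "$EVENT_NAME" = "workflow_dispatch" ]; then
            # Conservative dist-tag charset (stricter than npm's own rule). Keeps the
            # value safe to write into GITHUB_OUTPUT and to pass to `npm publish --tag`.
            tag_re='^[A-Za-z0-9][A-Za-z0-9._-]*$'
            if [[ ! "$INPUT_NPM_TAG" =~ $tag_re ]]; then
              echo "Invalid npm_tag input: must match [A-Za-z0-9][A-Za-z0-9._-]*"
              exit 1
            fi
            echo "mode=$INPUT_MODE" >> "$GITHUB_OUTPUT"
            echo "tag=$INPUT_NPM_TAG" >> "$GITHUB_OUTPUT"
            echo "manual=true" >> "$GITHUB_OUTPUT"
          else
            echo "mode=publish" >> "$GITHUB_OUTPUT"
            echo "tag=latest" >> "$GITHUB_OUTPUT"
            echo "manual=false" >> "$GITHUB_OUTPUT"
          fi
      - name: Resolve release commit
        id: release_commit
        env:
          EVENT_NAME: ${{ github.event_name }}
          HEAD_COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
        run: |
          if [ "$EVENT_NAME" = "workflow_dispatch" ]; then
            echo "is_release_commit=true" >> "$GITHUB_OUTPUT"
            exit 0
          fi
          if ! git rev-parse HEAD^ >/dev/null 2>&1; then
            echo "Unable to inspect the previous commit for release detection"
            exit 1
          fi
          # Captured into a variable first: with pipefail, `git diff | grep -q` could
          # report failure when grep closes the pipe early after a match.
          version_diff=$(git diff --unified=0 HEAD^ HEAD -- package.json)
          if ! grep -qE '^[+-][[:space:]]+"version":' <<<"$version_diff"; then
            echo "is_release_commit=false" >> "$GITHUB_OUTPUT"
            exit 0
          fi
          # Capture only a version-shaped token: the value is written to GITHUB_OUTPUT
          # and consumed by later steps, so it must not carry arbitrary commit text.
          # Trailing text after the version (e.g. commit trailers) is tolerated but not captured.
          release_re='^chore\(release\):[[:space:]]+([0-9]+\.[0-9]+\.[0-9]+[0-9A-Za-z.+-]*)([[:space:]]|$)'
          if [[ ! "$HEAD_COMMIT_MESSAGE" =~ $release_re ]]; then
            echo "package.json version changed, but HEAD is not a release commit"
            exit 1
          fi
          echo "is_release_commit=true" >> "$GITHUB_OUTPUT"
          echo "version=${BASH_REMATCH[1]}" >> "$GITHUB_OUTPUT"
      - name: Check if version is already published
        id: check
        env:
          MANUAL: ${{ steps.publish_mode.outputs.manual }}
          IS_RELEASE_COMMIT: ${{ steps.release_commit.outputs.is_release_commit }}
          RELEASE_VERSION: ${{ steps.release_commit.outputs.version }}
        run: |
          LOCAL_VERSION=$(node -p "require('./package.json').version")
          # package.json is repository content; a later step builds a git tag name from
          # this value, so only a version-shaped token is allowed into GITHUB_OUTPUT.
          version_re='^[0-9]+\.[0-9]+\.[0-9]+[0-9A-Za-z.+-]*$'
          if [[ ! "$LOCAL_VERSION" =~ $version_re ]]; then
            printf 'package.json version is not a valid version string: %s\n' "$LOCAL_VERSION"
            exit 1
          fi
          echo "version=$LOCAL_VERSION" >> "$GITHUB_OUTPUT"
          if [ "$MANUAL" != "true" ] && [ "$IS_RELEASE_COMMIT" != "true" ]; then
            echo "should_publish=false" >> "$GITHUB_OUTPUT"
            exit 0
          fi
          if [ -n "$RELEASE_VERSION" ] && [ "$LOCAL_VERSION" != "$RELEASE_VERSION" ]; then
            echo "Release commit version $RELEASE_VERSION does not match package.json version $LOCAL_VERSION"
            exit 1
          fi
          # A registry lookup failure falls back to 0.0.0 ("not published"); a genuine
          # duplicate is still rejected by `npm publish` itself.
          NPM_VERSION=$(npm view ghost-cli version 2>/dev/null || echo "0.0.0")
          if [ "$MANUAL" = "true" ] || [ "$LOCAL_VERSION" != "$NPM_VERSION" ]; then
            echo "should_publish=true" >> "$GITHUB_OUTPUT"
          else
            echo "should_publish=false" >> "$GITHUB_OUTPUT"
          fi
      - name: Upgrade npm for trusted publishing support
        # Unpinned: the npm version that performs the publish is whatever `latest`
        # resolves to at run time. Pin to a known version if reproducible publishes are required.
        run: npm install -g npm@latest
      - name: Print runtime versions
        run: |
          node --version
          npm --version
      - name: Check npm OIDC exchange
        if: steps.check.outputs.should_publish == 'true'
        run: |
          set -euo pipefail
          # The exchange response holds a short-lived registry token; remove the file on
          # every exit path rather than only on success.
          trap 'rm -f oidc-exchange.json' EXIT
          OIDC_RESPONSE=$(curl --silent --show-error --fail \
            -H "Authorization: bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" \
            "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=npm:registry.npmjs.org")
          OIDC_TOKEN=$(node -p "JSON.parse(process.argv[1]).value" "$OIDC_RESPONSE")
          HTTP_STATUS=$(curl --silent --show-error --output oidc-exchange.json --write-out "%{http_code}" \
            --request POST \
            --header "Authorization: Bearer ${OIDC_TOKEN}" \
            "https://registry.npmjs.org/-/npm/v1/oidc/token/exchange/package/ghost-cli")
          if [ "$HTTP_STATUS" != "201" ]; then
            echo "npm OIDC exchange failed with HTTP ${HTTP_STATUS}"
            cat oidc-exchange.json
            exit 1
          fi
          # Only the expiry is logged; the token itself never reaches the job log.
          node -p "const response = require('./oidc-exchange.json'); 'npm OIDC exchange succeeded; token expires at ' + response.expires"
      - name: Install dependencies
        if: steps.check.outputs.should_publish == 'true' && steps.publish_mode.outputs.mode != 'oidc-check'
        run: pnpm install --frozen-lockfile
      - name: Preview publish tarball
        if: steps.check.outputs.should_publish == 'true' && steps.publish_mode.outputs.mode != 'oidc-check'
        run: npm pack --dry-run
      - name: Publish to npm
        if: steps.check.outputs.should_publish == 'true' && steps.publish_mode.outputs.mode != 'oidc-check'
        env:
          PUBLISH_MODE: ${{ steps.publish_mode.outputs.mode }}
          NPM_TAG: ${{ steps.publish_mode.outputs.tag }}
        run: |
          PUBLISH_ARGS=(--access public --tag "$NPM_TAG" --provenance)
          if [ "$PUBLISH_MODE" = "dry-run" ]; then
            PUBLISH_ARGS=(--dry-run "${PUBLISH_ARGS[@]}")
          fi
          npm publish "${PUBLISH_ARGS[@]}"
      - name: Create git tag
        if: github.event_name == 'push' && steps.release_commit.outputs.is_release_commit == 'true' && steps.check.outputs.should_publish == 'true'
        env:
          VERSION: ${{ steps.check.outputs.version }}
        run: |
          TAG="v$VERSION"
          # Query the exact ref and rely on the exit status instead of grepping the
          # tag name, whose dots would otherwise act as regex wildcards.
          if git ls-remote --exit-code --tags origin "refs/tags/$TAG" >/dev/null; then
            echo "Tag $TAG already exists on remote, skipping"
          else
            git config user.name "github-actions[bot]"
            git config user.email "github-actions[bot]@users.noreply.github.com"
            git tag -a "$TAG" -m "$TAG"
            git push origin "$TAG"
          fi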