ci: switch npm publish to OIDC trusted publishing #4965
Workflow file for this run
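---
# Regenerates the body of a release pull request each time its head branch
# receives new commits (`synchronize`).
name: Update Release Notes

on:
  pull_request:
    types:
      - synchronize
    # For pull_request events this filter matches the PR's base branch.
    branches:
      - main
      - 'release/**'

# Workflow-wide token scope: read the repository, write to pull requests
# (needed by `gh pr edit` in the last step).
permissions:
  contents: read
  pull-requests: write

jobs:
  update-release-notes:
    runs-on: ubuntu-latest
    # Only run for PRs whose head branch starts with `release/` and that were
    # opened by the github-actions bot account.
    if: >-
      startsWith(github.event.pull_request.head.ref, 'release/') &&
      github.event.pull_request.user.login == 'github-actions[bot]'
    steps:
      # Third-party actions are pinned to full commit SHAs; the trailing
      # comment records the tag each SHA was taken from.
      # NOTE(review): checkout leaves the token in the local git config by
      # default, and later steps run code from this checkout (`just`, the
      # local action). Consider `persist-credentials: false` if no later step
      # needs authenticated git; confirm against those steps first.
      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          # Full history, so the `git rev-list` fallback below can reach the
          # root commit.
          fetch-depth: 0
      - uses: cashapp/activate-hermit@e49f5cb4dd64ff0b0b659d1d8df499595451155a # v1
      - uses: astral-sh/setup-uv@61cb8a9741eeb8a550a1b8544337180c0fc8476b # v7.2.0

      # The branch name is handed to the script through the environment
      # (REF_NAME), not through `${{ }}` expansion, so bash never parses it
      # as code.
      - name: Extract version from branch name
        env:
          REF_NAME: ${{ github.head_ref }}
        run: |
          BRANCH_NAME="$REF_NAME"
          VERSION=$(echo "$BRANCH_NAME" | sed 's/release\///')
          echo "version=$VERSION" >> "$GITHUB_ENV"
          echo "Version: $VERSION"

      # `version` was exported via GITHUB_ENV by the previous step, so it is
      # read here as the shell variable "$version". Expanding it with
      # `${{ env.version }}` inside `run:` would paste branch-derived text
      # into the script before bash parses it.
      # NOTE(review): `just get-prior-version` is defined outside this file;
      # presumably it prints the previous release tag. Confirm.
      - name: Get prior version
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          PRIOR_TAG=$(just get-prior-version "$version")
          if [[ -z "$PRIOR_TAG" ]]; then
            echo "No prior version (first release), using first commit"
            PRIOR_TAG=$(git rev-list --max-parents=0 HEAD)
          fi
          echo "prior_ref=$PRIOR_TAG" >> "$GITHUB_ENV"
          echo "Prior ref: $PRIOR_TAG"

      # Values are passed as action inputs here, not interpolated into a
      # shell script in this file.
      # NOTE(review): the local action is outside this view; presumably it
      # writes pr_body.txt, which the next step reads. Check that it also
      # treats `version` and `prior_ref` as data, not as script text.
      - name: Generate release notes
        uses: ./.github/actions/generate-release-pr-body
        with:
          version: ${{ env.version }}
          head_ref: ${{ github.event.pull_request.head.sha }}
          prior_ref: ${{ env.prior_ref }}

      # NOTE(review): the PR is looked up by head branch name and the first
      # match is edited. github.event.pull_request.number already identifies
      # the PR that triggered this run; passing it through `env:` would
      # remove the lookup and any ambiguity between PRs that share a branch
      # name. Confirm before changing.
      - name: Update Pull Request
        env:
          REF_NAME: ${{ github.head_ref }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          PR_NUMBER=$(gh pr list --head "$REF_NAME" --json number --jq '.[0].number')
          if [[ -z "$PR_NUMBER" || "$PR_NUMBER" == "null" ]]; then
            echo "No PR found for branch $REF_NAME"
            exit 1
          fi
          gh pr edit "$PR_NUMBER" --body-file pr_body.txt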