ci: switch npm publish to OIDC trusted publishing #21273

Workflow file for this run

	name: CI

	on:
	push:
	branches:
	- main
	pull_request:
	branches:
	- main
	merge_group:
	branches:
	- main
	workflow_dispatch:

	jobs:
	changes:
	runs-on: ubuntu-latest
	outputs:
	docs-only: ${{ steps.filter.outputs.docs-only }}
	code: ${{ steps.filter.outputs.code }}
	steps:
	- name: Checkout Code
	uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

	- name: Check for file changes
	uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # pin@v3
	id: filter
	with:
	filters: \|
	docs-only:
	- 'documentation/**'
	code:
	- '!documentation/**'

	rust-format:
	name: Check Rust Code Format
	runs-on: ubuntu-latest
	needs: changes
	if: needs.changes.outputs.code == 'true' \|\| github.event_name != 'pull_request'
	steps:
	- name: Checkout Code
	uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

	- uses: actions-rust-lang/setup-rust-toolchain@150fca883cd4034361b621bd4e6a9d34e5143606 # v1

	- name: Run cargo fmt
	run: cargo fmt --check

	rust-build-and-test:
	name: Build and Test Rust Project
	runs-on: ubuntu-latest
	needs: changes
	if: needs.changes.outputs.code == 'true' \|\| github.event_name != 'pull_request'
	steps:
	- name: Checkout Code
	uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

	- uses: actions-rust-lang/setup-rust-toolchain@150fca883cd4034361b621bd4e6a9d34e5143606 # v1

	- name: Install Dependencies
	run: \|
	sudo apt update -y
	sudo apt install -y libdbus-1-dev gnome-keyring libxcb1-dev

	- name: Cache Cargo artifacts
	uses: Swatinem/rust-cache@42dc69e1aa15d09112580998cf2ef0119e2e91ae # v2

	- name: Build and Test
	run: \|
	gnome-keyring-daemon --components=secrets --daemonize --unlock <<< 'foobar'
	export CARGO_INCREMENTAL=0
	cargo test -- --skip scenario_tests::scenarios::tests
	cargo test --jobs 1 scenario_tests::scenarios::tests
	working-directory: crates
	env:
	RUST_MIN_STACK: 8388608


	rust-build-windows:
	name: Build Rust Project on Windows
	runs-on: windows-latest
	if: github.event_name == 'push' && github.ref == 'refs/heads/main'
	steps:
	- name: Checkout Code
	uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

	- name: Cache Cargo artifacts
	uses: Swatinem/rust-cache@42dc69e1aa15d09112580998cf2ef0119e2e91ae # v2
	with:
	key: windows-ci

	- name: Setup Rust
	shell: bash
	run: \|
	rustup show
	rustup target add x86_64-pc-windows-msvc

	- name: Build
	run: cargo build --target x86_64-pc-windows-msvc
	env:
	CARGO_INCREMENTAL: "0"

	rust-lint:
	name: Lint Rust Code
	runs-on: ubuntu-latest
	needs: changes
	if: needs.changes.outputs.code == 'true' \|\| github.event_name != 'pull_request'
	steps:
	- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

	- uses: actions-rust-lang/setup-rust-toolchain@150fca883cd4034361b621bd4e6a9d34e5143606 # v1

	- uses: Swatinem/rust-cache@v2

	- name: Lint
	run: \|
	source ./bin/activate-hermit
	# use the non-hermit rust toolchain because the rust-cache action does not
	# play nicely with hermit-managed rust
	hermit uninstall rustup
	export CARGO_INCREMENTAL=0
	cargo clippy --workspace --all-targets --exclude v8 -- -D warnings

	openapi-schema-check:
	name: Check OpenAPI Schema is Up-to-Date
	runs-on: ubuntu-latest
	needs: changes
	if: needs.changes.outputs.code == 'true' \|\| github.event_name != 'pull_request'
	steps:
	- name: Checkout Code
	uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

	- uses: actions-rust-lang/setup-rust-toolchain@150fca883cd4034361b621bd4e6a9d34e5143606 # v1

	- name: Install Dependencies
	run: \|
	sudo apt update -y
	sudo apt install -y libdbus-1-dev libxcb1-dev

	- name: Cache Cargo artifacts
	uses: Swatinem/rust-cache@42dc69e1aa15d09112580998cf2ef0119e2e91ae # v2

	- name: Install Node.js Dependencies for OpenAPI Check
	run: source ../../bin/activate-hermit && pnpm install --frozen-lockfile
	working-directory: ui/desktop

	- name: Check OpenAPI Schema is Up-to-Date
	run: \|
	source ./bin/activate-hermit
	hermit uninstall rustup
	just check-openapi-schema

	desktop-lint:
	name: Test and Lint Electron Desktop App
	runs-on: macos-latest
	needs: changes
	if: needs.changes.outputs.code == 'true' \|\| github.event_name != 'pull_request'
	steps:
	- name: Checkout Code
	uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

	# Temporarily disabled due to GitHub Actions bug on macOS runners
	# https://github.com/actions/runner-images/issues/13341
	# https://github.com/actions/runner/issues/4134
	# - name: Cache pnpm dependencies
	# uses: actions/cache@8b402f58fbc84540c8b491a91e594a4576fec3d7 # v5.0.2
	# with:
	# path: \|
	# ui/desktop/node_modules
	# .hermit/node/cache
	# key: ci-pnpm-cache-v1-${{ runner.os }}-${{ hashFiles('ui/pnpm-lock.yaml') }}
	# restore-keys: \|
	# ci-pnpm-cache-v1-${{ runner.os }}-

	- name: Install Dependencies
	run: source ../../bin/activate-hermit && pnpm install --frozen-lockfile
	working-directory: ui/desktop

	- name: Run Lint
	run: source ../../bin/activate-hermit && pnpm run lint:check
	working-directory: ui/desktop

	- name: Run Tests
	run: source ../../bin/activate-hermit && pnpm run test:run
	working-directory: ui/desktop

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

ci: switch npm publish to OIDC trusted publishing #21273

Workflow file

ci: switch npm publish to OIDC trusted publishing #21273

Uh oh!

Workflow file for this run