ci: validate npm publish token #4

Workflow file for this run

.github/workflows/release.yml at cf55eec

	name: Release

	on:
	push:
	branches:
	- master
	workflow_dispatch:

	concurrency: ${{ github.workflow }}-${{ github.ref }}

	permissions:
	contents: write
	pull-requests: write

	jobs:
	release:
	name: Version or publish packages
	runs-on: ubuntu-latest

	steps:
	- name: Checkout repository
	uses: actions/checkout@v4
	with:
	fetch-depth: 0

	- name: Setup Node.js
	uses: actions/setup-node@v4
	with:
	node-version: 20
	registry-url: https://registry.npmjs.org

	- name: Setup pnpm
	run: \|
	corepack enable
	corepack prepare pnpm@8.15.9 --activate

	- name: Install dependencies
	run: pnpm install --frozen-lockfile

	- name: Detect pending changesets
	id: pending-changesets
	run: \|
	if find .changeset -maxdepth 1 -type f -name '*.md' ! -name 'README.md' \| grep -q .; then
	echo "found=true" >> "$GITHUB_OUTPUT"
	else
	echo "found=false" >> "$GITHUB_OUTPUT"
	fi

	- name: Audit release plan
	if: steps.pending-changesets.outputs.found == 'true'
	run: pnpm -w run release:audit

	- name: Run release verification before version PR
	if: steps.pending-changesets.outputs.found == 'true'
	run: pnpm -w run test:release

	- name: Configure npm token
	run: \|
	set -euo pipefail

	if [ -z "${NPM_TOKEN:-}" ]; then
	echo "NPM_TOKEN is not available to this workflow. Check repository/org secret name and repository access." >&2
	exit 1
	fi

	printf '//registry.npmjs.org/:_authToken=%s\n' "$NPM_TOKEN" > "$HOME/.npmrc"
	npm whoami --registry https://registry.npmjs.org/
	env:
	NPM_TOKEN: ${{ secrets.NPM_TOKEN }}

	- name: Create version PR or publish packages
	id: changesets
	uses: changesets/action@v1
	with:
	version: pnpm -w run changeset:version
	publish: pnpm -w run changeset:publish
	commit: 'release: version packages'
	title: 'release: version packages'
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
	NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

	- name: Create repository release baseline tag
	if: steps.changesets.outputs.published == 'true'
	env:
	PUBLISHED_PACKAGES: ${{ steps.changesets.outputs.publishedPackages }}
	run: \|
	set -euo pipefail
	tag="$(node ./scripts/resolve-release-baseline-tag.mjs)"
	if [ -z "$tag" ]; then
	echo "No published package versions were reported; skipping repository baseline tag."
	exit 0
	fi

	git fetch --tags --force
	if git rev-parse "$tag" >/dev/null 2>&1; then
	echo "Tag $tag already exists; skipping."
	exit 0
	fi

	git tag "$tag"
	git push origin "$tag"

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

ci: validate npm publish token #4

Workflow file

ci: validate npm publish token #4

Uh oh!

Workflow file for this run