feat: scaffold storybook 10.4 + vitest 4 + 3.10 template corrections … #286
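# Release workflow: on every push to main (or a manual dispatch) build the
# package, then let changesets either open/update the "version packages" PR or
# publish to npm, and finally announce a successful publish on Discord.
name: Release

on:
  push:
    branches: [main]
  workflow_dispatch:

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  # Never cancel a release that is already running: an interrupted publish can
  # leave the npm registry, git tags and the version PR out of step with each
  # other. A newer push queues behind the running job instead.
  cancel-in-progress: false

# Token scopes for the whole workflow (only one job exists today).
#   contents: write      - presumably for the version commit/tags pushed by
#                          changesets; confirm against the action's docs
#   pull-requests: write - the "chore: version packages" PR
#   id-token: write      - OIDC token used for trusted publishing / provenance
permissions:
  contents: write
  pull-requests: write
  id-token: write

jobs:
  release:
    name: Release
    runs-on: ubuntu-latest
    # Runs under the `npm-publish` deployment environment; any protection
    # rules configured on that environment apply before the job starts.
    environment: npm-publish
    timeout-minutes: 15
    steps:
      # NOTE(review): every `uses:` below is pinned to a mutable major tag.
      # This job holds `contents: write` and `id-token: write` and publishes
      # to npm, so a moved tag would run with release privileges. Pin each
      # action to a full commit SHA, e.g.
      #   uses: actions/checkout@<full-commit-sha>  # v4
      # and let a dependency-update bot raise the bumps.
      - uses: actions/checkout@v4
        with:
          # Full history rather than a shallow clone.
          fetch-depth: 0

      - uses: pnpm/action-setup@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: 'https://registry.npmjs.org'
          cache: 'pnpm'

      - name: Install npm 11.5.1+ for OIDC trusted publishing
        run: |
          # pnpm publish auths via OIDC natively (pnpm 9.13+), but
          # ensuring npm CLI ≥ 11.5.1 is the belt-and-suspenders fallback
          # for any path that shells out to npm. `--force` bypasses the
          # broken arborist self-resolution in Node 22.22.x bundled npm.
          npm install -g npm@11.5.1 --force
          npm --version

      # --frozen-lockfile fails the install if pnpm-lock.yaml would change,
      # so the release is built from exactly the reviewed dependency set.
      - run: pnpm install --frozen-lockfile

      - run: pnpm run build

      - name: Create Release PR or Publish
        id: changesets
        uses: changesets/action@v1
        with:
          publish: pnpm changeset:publish
          version: pnpm changeset:version
          title: 'chore: version packages'
          commit: 'chore: version packages'
        env:
          # Job-scoped token, limited by the `permissions` block above.
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Ask the publish step to attach an npm provenance attestation;
          # this depends on `id-token: write`.
          NPM_CONFIG_PROVENANCE: 'true'
          # Disable husky git hooks inside CI.
          HUSKY: '0'

      # SBOM generation removed in v0.9.4. The prior cyclonedx-npm-based step
      # was both broken (`pnpm ls --all` rejected by pnpm) and architecturally
      # wrong (cyclonedx-npm only reads package-lock.json, ignoring
      # pnpm.overrides for vite/fast-uri). Swapping to cdxgen would solve
      # those, but cdxgen's ~675 transitive deps include sequelize@6.x with
      # HIGH-severity advisories that cascade into our audit gate, and
      # cdxgen's `--required-only` filter drops production transitives —
      # neither extreme produced an accurate, ship-safe SBOM. Picking a
      # workable SBOM stack is its own focused task (see open task tracker);
      # for now the SBOM step is dropped so it stops blocking release
      # notifications (Discord-notify below was gated after this step in
      # earlier revisions of the workflow — without the SBOM step there
      # is no gate to fail).
      - name: Notify Discord on release
        # Only announce when changesets actually published a version.
        if: steps.changesets.outputs.published == 'true'
        env:
          # Passed through the environment (not interpolated into the script)
          # so the webhook URL never becomes part of the shell source.
          DISCORD_WEBHOOK_URL: ${{ secrets.DISCORD_WEBHOOK_URL }}
        run: |
          if [ -z "$DISCORD_WEBHOOK_URL" ]; then
            echo "DISCORD_WEBHOOK_URL not set — skipping notification"
            exit 0
          fi
          # --fail surfaces HTTP 4xx/5xx instead of silently succeeding,
          # --max-time stops a hung connection from eating the job timeout,
          # and the trailing `||` keeps the notification best-effort so a
          # Discord outage does not mark an already-published release as failed.
          curl --fail --silent --show-error --max-time 30 \
            -H "Content-Type: application/json" \
            -d '{
              "embeds": [{
                "title": "create-helix released!",
                "description": "A new version of `create-helix` has been published to npm!\n\n**Install:** `npm create helix`\n**npx:** `npx create-helix`",
                "color": 5025616,
                "fields": [
                  { "name": "Package", "value": "[create-helix](https://www.npmjs.com/package/create-helix)", "inline": true },
                  { "name": "Repository", "value": "[GitHub](https://github.com/bookedsolidtech/create-helix-app)", "inline": true }
                ],
                "footer": { "text": "Booked Solid - HELiX Ecosystem" },
                "timestamp": "'"$(date -u +%Y-%m-%dT%H:%M:%SZ)"'"
              }]
            }' \
            "$DISCORD_WEBHOOK_URL" \
            || echo "::warning::Discord notification failed; the release itself is unaffected"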