-
Notifications
You must be signed in to change notification settings - Fork 0
108 lines (97 loc) · 3.96 KB
/
Copy pathrelease.yml
File metadata and controls
108 lines (97 loc) · 3.96 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
name: Release
# Release runs only after the CI workflow has completed successfully on a push
# to `main`. This gates npm publish behind green lint/typecheck/test/build
# (STRUCT-073) and lets us publish the exact artifact CI validated (STRUCT-081).
on:
workflow_run:
workflows: [CI]
types: [completed]
branches: [main]
concurrency:
group: ${{ github.workflow }}-${{ github.event.workflow_run.head_branch }}
cancel-in-progress: true
jobs:
release:
name: Release
runs-on: ubuntu-latest
# Only release for a successful CI run triggered by a push to main.
if: >-
github.event.workflow_run.conclusion == 'success' &&
github.event.workflow_run.event == 'push' &&
github.event.workflow_run.head_branch == 'main'
permissions:
contents: write
pull-requests: write
id-token: write
# Cross-run artifact download (actions/download-artifact with run-id +
# github-token) needs actions:read. Once a permissions block is declared,
# every unlisted scope defaults to none, so this must be explicit or the
# "Download validated build artifact" step 403s. (CR-001 / STRUCT-081)
actions: read
steps:
- name: Checkout
uses: actions/checkout@v4
with:
ref: ${{ github.event.workflow_run.head_sha }}
# Full history (all branches) so `pnpm changeset status` can diff
# against the `main` baseBranch when generating the PR body; a shallow
# detached checkout errors and silently degrades the body. (CR-007 / STRUCT-076)
fetch-depth: 0
- uses: pnpm/action-setup@v4
- uses: actions/setup-node@v4
with:
node-version: 24
cache: pnpm
registry-url: https://registry.npmjs.org
- name: Install dependencies
run: pnpm install --frozen-lockfile
# Publish the exact build CI produced and validated instead of rebuilding.
- name: Download validated build artifact
uses: actions/download-artifact@v4
with:
name: datum-ui-dist
path: packages/datum-ui/dist/
run-id: ${{ github.event.workflow_run.id }}
github-token: ${{ secrets.GITHUB_TOKEN }}
- name: Generate PR description
id: pr-body
run: |
BODY=$(.github/scripts/generate-version-pr-body.sh)
{
echo "body<<EOF"
echo "$BODY"
echo "EOF"
} >> "$GITHUB_OUTPUT"
# Determine title suffix based on bump type
if grep -q "Release Type: \`major\`" <<< "$BODY"; then
echo "title-suffix=(major)" >> "$GITHUB_OUTPUT"
elif grep -q "Release Type: \`minor\`" <<< "$BODY"; then
echo "title-suffix=(minor)" >> "$GITHUB_OUTPUT"
elif grep -q "Release Type: \`patch\`" <<< "$BODY"; then
echo "title-suffix=(patch)" >> "$GITHUB_OUTPUT"
else
echo "title-suffix=" >> "$GITHUB_OUTPUT"
fi
- name: Create Release Pull Request or Publish
id: changesets
uses: changesets/action@v1
with:
version: pnpm changeset version
publish: pnpm changeset publish
commit: "chore: version packages"
title: "chore: version packages ${{ steps.pr-body.outputs.title-suffix }}"
createGithubReleases: true
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
# Pass the body through the environment (never interpolated into the shell
# command) so backticks/quotes in the changelog can't be executed. (BUG-107)
- name: Update PR description
if: steps.changesets.outputs.pullRequestNumber != ''
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
PR_BODY: ${{ steps.pr-body.outputs.body }}
PR_NUMBER: ${{ steps.changesets.outputs.pullRequestNumber }}
run: |
gh pr edit "$PR_NUMBER" --body "$PR_BODY"