fix: use workflow_run instead of workflow_call due to Trusted Publisher restrictions (#310)

Strum355 · web-flow · commit e78dbd61d8d1 · 2025-12-10T16:11:51.000Z
fix: use workflow_run instead of workflow_call due to Trusted Publishers restriction
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -4,20 +4,18 @@ name: Publish
 
 on:
   workflow_dispatch:
-  workflow_call:
-    inputs:
-      branch:
-        description: The branch containing the release code snapshot
-        required: true
-        type: string
-        default: ""
+  workflow_run:
+    workflows: ["Release"]
+    types:
+      - completed
   push:
     branches:
       - main
 
 permissions:
   contents: write
   id-token: write
+  actions: read
 
 jobs:
   publish-ea:
@@ -72,14 +70,28 @@ jobs:
           npm publish --verbose --tag ea --access public --provenance
 
   publish-release:
-    if: github.event_name == 'workflow_call' || github.event_name == 'workflow_dispatch'
+    if: (github.event_name == 'workflow_run' && github.event.workflow_run.conclusion == 'success') || github.event_name == 'workflow_dispatch'
     runs-on: ubuntu-latest
     name: Publish release to NPM
     steps:
+      - name: Get releasebranch.txt artifact from Release pipeline
+        if: github.event_name == 'workflow_run'
+        uses: actions/download-artifact@v5
+        with:
+          name: releasebranch.txt
+          run-id: ${{ github.event.workflow_run.id }}
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Read releasebranch.txt
+        id: releasebranch
+        run: |
+          echo "branch=$(cat releasebranch.txt)" >> "$GITHUB_OUTPUT"
+          rm releasebranch.txt
+
       - name: Checkout sources
         uses: actions/checkout@v4
         with:
-          ref: ${{ inputs.branch || github.ref }}
+          ref: ${{ (github.event_name == 'workflow_run' && steps.releasebranch.outputs.branch) || github.ref }}
           fetch-depth: 0
 
       - name: Install node 24
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -22,8 +22,6 @@ jobs:
     permissions:
       contents: write
       pull-requests: write
-    outputs:
-      version: ${{ steps.bump.outputs.version }}
     steps:
       - name: Checkout sources
         uses: actions/checkout@v4
@@ -42,33 +40,6 @@ jobs:
           git config user.name "${{ github.actor }}"
           git config user.email "${{ github.actor }}@users.noreply.github.com"
 
-      - name: Get previous released annotated tag
-        id: last-release
-        run: |
-          # Get the latest tag that doesn't have -ea suffix (handles both -ea. and -ea- formats)
-          TAG=$(git tag -l --sort=-version:refname | grep -vE -- '-ea[.-]' | head -n 1)
-          if [ -z "$TAG" ]; then
-            # If no release tag exists, use the base version from package.json
-            BASE_VERSION=$(node -p "require('./package.json').version" | sed -E 's/-ea[.-][0-9]+$//')
-            echo "base-tag=$BASE_VERSION" >> "$GITHUB_OUTPUT"
-            echo "full-tag=$BASE_VERSION" >> "$GITHUB_OUTPUT"
-          else
-            echo "base-tag=$TAG" >> "$GITHUB_OUTPUT"
-            echo "full-tag=$TAG" >> "$GITHUB_OUTPUT"
-          fi
-
-      - name: Get first tag in current development iteration
-        id: fetch-tag
-        run: |
-          BASE_TAG="${{ steps.last-release.outputs.base-tag }}"
-          # Find the oldest EA tag for this base version (handles both -ea. and -ea- formats)
-          OLDEST_EA_TAG=$(git tag -l --sort=creatordate | grep -E "^${BASE_TAG}-ea[.-]" | head -n 1)
-          if [ -n "$OLDEST_EA_TAG" ]; then
-            echo "oldest-tag=$OLDEST_EA_TAG" >> "$GITHUB_OUTPUT"
-          else
-            echo "oldest-tag=$BASE_TAG" >> "$GITHUB_OUTPUT"
-          fi
-
       - name: Update package with new version
         id: bump
         run: |
@@ -91,6 +62,12 @@ jobs:
           git add package-lock.json
           git commit -m "build: release ${{ steps.bump.outputs.version }} [skip ci]"
           git push origin "$BRANCH"
+          echo "$BRANCH" > releasebranch.txt
+
+      - uses: actions/upload-artifact@v2
+        with:
+          name: releasebranch
+          path: releasebranch.txt
 
       - name: Create GitHub release tag
         uses: softprops/action-gh-release@v1
@@ -111,14 +88,3 @@ jobs:
             --head "release/v${{ steps.bump.outputs.version }}"
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
-  trigger-publish:
-    name: Trigger Publish pipeline
-    needs: create-release
-    permissions:
-      contents: write
-      id-token: write
-    uses: ./.github/workflows/publish.yml
-    with:
-      branch: "release/v${{ needs.create-release.outputs.version }}"
-
