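# Release workflow, started manually. A run from `develop` publishes a beta
# release; a run from `main` publishes a stable release through
# changesets/action. Any other ref is rejected by the "Validate branch" step.
#
# NOTE(review): every `uses:` below references a mutable tag (@v1, @v4, @v6).
# This job holds an app token that can bypass branch protection and has
# `id-token: write`, so consider pinning each action to a full commit SHA
# (keeping the tag in a trailing comment) so a re-pointed tag cannot change
# what runs here.
name: Release

on:
  workflow_dispatch:

concurrency: ${{ github.workflow }}-${{ github.ref }}

jobs:
  release:
    runs-on: ubuntu-latest
    # NOTE(review): job-level permissions apply to every step, including
    # dependency install, build and test. Moving those checks into a separate
    # job without `id-token: write` / `contents: write` would keep the publish
    # identity away from third-party build scripts.
    permissions:
      contents: write
      pull-requests: write
      # Required for npm Trusted Publishers via GitHub OIDC
      # See: https://docs.npmjs.com/trusted-publishers
      id-token: write
    steps:
      - name: Generate Release Bot App Token
        id: generate-token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ secrets.RELEASE_BOT_APP_ID }}
          private-key: ${{ secrets.RELEASE_BOT_APP_PRIVATE_KEY }}

      - uses: actions/checkout@v6
        with:
          # Persist releasebot app credentials to ensure that the push
          # below can bypass branch protection rules
          #
          # NOTE(review): with persist-credentials enabled the app token
          # stays available to git for every later step, including
          # `pnpm install` and the build/test scripts.
          token: ${{ steps.generate-token.outputs.token }}
          persist-credentials: true
          fetch-depth: 0

      # Branch validation: Only allow develop (beta) or main (stable)
      #
      # The ref is read from the runner-provided GITHUB_REF variable instead
      # of expanding a `github.ref` expression into the script text, so the
      # ref name is compared as data and is never parsed by the shell.
      - name: Validate branch
        run: |
          if [ "$GITHUB_REF" == "refs/heads/develop" ]; then
            echo "RELEASE_TYPE=beta" >> "$GITHUB_ENV"
            echo "Detected beta release from develop branch"
          elif [ "$GITHUB_REF" == "refs/heads/main" ]; then
            echo "RELEASE_TYPE=stable" >> "$GITHUB_ENV"
            echo "Detected stable release from main branch"
          else
            echo "Error: This workflow can only be run from 'develop' (beta) or 'main' (stable) branches"
            exit 1
          fi

      - uses: pnpm/action-setup@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: "pnpm"
          # registry-url is required for npm Trusted Publishers
          registry-url: "https://registry.npmjs.org"

      # Upgrade to npm >=11.5.1 for Trusted Publishers support
      # (pnpm uses npm under the hood for publishing)
      #
      # NOTE(review): `npm@latest` floats, so the npm that performs the
      # publish is whatever the registry serves at run time. Consider pinning
      # an exact version that satisfies the >=11.5.1 requirement.
      - run: npm install -g npm@latest

      - run: pnpm install

      # Work around Turbo failing to allow cross-package task
      # dependencies - we need sdk-core built before sdk-react
      # can even typecheck successfully
      - run: pnpm --filter @hypercerts-org/sdk-core build

      # Run checks early to fail fast before any versioning/git operations.
      # Note: checks run again in `pnpm release` - this is intentional to also
      # guard local releases and catch any issues after version bumps.
      #
      # FIXME: We can't run pnpm check because it currently hangs
      # forever for unknown reasons.
      - run: pnpm build
      - run: pnpm format:check
      - run: pnpm lint
      - run: pnpm typecheck
      - run: pnpm test

      # Stable release: Verify prerelease mode has been exited
      # The exit intent should already be set on develop before merging to main
      - name: Verify prerelease mode exit
        if: env.RELEASE_TYPE == 'stable'
        run: |
          if [ -f .changeset/pre.json ]; then
            # Check if prerelease mode has been exited (exit intent set)
            if ! grep -q '"exit": true' .changeset/pre.json 2>/dev/null; then
              echo "Error: Prerelease mode must be exited before merging to main."
              echo "Run 'pnpm changeset pre exit' on the develop branch and commit the change."
              exit 1
            fi
            echo "Prerelease mode exit intent confirmed - changeset version will handle the exit"
          else
            echo "No prerelease mode detected (pre.json not present)"
          fi

      # Beta-specific: Enter prerelease mode (if not already)
      - name: Enter prerelease mode (if not already)
        if: env.RELEASE_TYPE == 'beta'
        run: |
          if [ ! -f .changeset/pre.json ]; then
            pnpm changeset pre enter beta
            git config user.name "github-actions[bot]"
            git config user.email "github-actions[bot]@users.noreply.github.com"
            git add .changeset/pre.json
            git commit -m "chore: enter beta prerelease mode"
            git push
          fi

      # Beta-specific: Version packages manually
      - name: Version packages
        if: env.RELEASE_TYPE == 'beta'
        # GITHUB_TOKEN is required for @changesets/changelog-github to fetch PR/commit
        # information from GitHub API when generating changelog entries
        run: pnpm version-packages
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      # Beta-specific: Commit and push version changes (before publishing)
      - name: Commit and push version changes
        if: env.RELEASE_TYPE == 'beta'
        run: |
          VERSIONS=""
          for pkg in packages/*/package.json; do
            NAME=$(node -p "require('./$pkg').name")
            VERSION=$(node -p "require('./$pkg').version")
            VERSIONS="${VERSIONS}- ${NAME}: ${VERSION}\n"
          done
          echo "Versioning packages:"
          echo -e "$VERSIONS"
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git add -A
          git diff --staged --quiet || git commit -m "chore: version packages (beta)" -m "$(echo -e "$VERSIONS")"
          git push

      # No .npmrc creation needed - npm Trusted Publishers uses GitHub OIDC tokens
      # automatically via the id-token: write permission and registry-url configuration
      # Stable release: Use changesets/action which handles versioning and publishing
      - name: Create Release Pull Request or Publish
        if: env.RELEASE_TYPE == 'stable'
        id: changesets
        uses: changesets/action@v1
        with:
          publish: pnpm release
          version: pnpm version-packages
          title: "chore: release packages"
          commit: "chore: release packages"
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          NPM_CONFIG_PROVENANCE: true

      # Beta-specific: Publish beta packages using changeset publish
      - name: Publish beta packages
        if: env.RELEASE_TYPE == 'beta'
        # changeset publish will automatically use the beta tag when in
        # prerelease mode and will create git tags for the release
        run: pnpm release
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          NPM_CONFIG_PROVENANCE: true

      # Push git tags created by changeset publish
      - name: Push git tags
        if: env.RELEASE_TYPE == 'beta'
        run: |
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git push origin --tags
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      # Log published packages
      #
      # The changesets output is handed to the script through an environment
      # variable rather than expanded into the script text: the value is JSON,
      # and its quotes would otherwise end the echo string early and be
      # interpreted by the shell. RELEASE_TYPE is already in the environment
      # because the "Validate branch" step wrote it to GITHUB_ENV.
      - name: Log published packages
        if: |
          (env.RELEASE_TYPE == 'stable' && steps.changesets.outputs.published == 'true') ||
          env.RELEASE_TYPE == 'beta'
        env:
          PUBLISHED_PACKAGES: ${{ steps.changesets.outputs.publishedPackages }}
        run: |
          if [ "$RELEASE_TYPE" == "stable" ]; then
            echo "Published - $PUBLISHED_PACKAGES"
          else
            echo "Published beta release:"
            for pkg in packages/*/package.json; do
              NAME=$(node -p "require('./$pkg').name")
              VERSION=$(node -p "require('./$pkg').version")
              echo "  - ${NAME}: ${VERSION}"
            done
          fi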