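---
# Automated npm publish for @opensec/secbot (example: version 2.0.3 / tag v2.0.3).
# 1. Make sure the root package.json "version" matches the tag you are about to push
#    (e.g. 2.0.3 <-> tag v2.0.3); the build job fails otherwise.
# 2. NPM_TOKEN (if the npm account has 2FA enabled, one of the following is required,
#    otherwise publish fails with 403 because bypassing 2FA is needed to publish):
#    - Granular Access Token: Packages = "Read and write"; tick "Bypass two-factor
#      authentication (2FA) for writes" when creating it (wording as on the npm website).
#    - Or a Classic Token of type Automation (not a Publish-type token, which needs an OTP).
#    The token must cover the @opensec scope; the GitHub Secret is still named NPM_TOKEN.
#    Never commit a .npmrc containing //registry.../:_authToken to the repo root (it is
#    .gitignored); the same applies to .pypirc for PyPI.
# 3. git tag v2.0.3 && git push origin v2.0.3
#    This triggers: build -> version check -> GitHub Release with the .tgz attached ->
#    npm publish (npmjs) + GitHub Packages (visible under repo Settings -> Packages; the
#    package is named @<repo owner>/secbot and coexists with @opensec/secbot).
#    packages: write is granted only to the publish-github-packages job below;
#    npm.pkg.github.com is authenticated with GITHUB_TOKEN.
#
# Token scopes follow least privilege: the workflow-level default is empty and each
# job declares only the scopes it actually needs.
name: Release

on:
  push:
    tags:
      - 'v*.*.*'
  workflow_dispatch:

# No default GITHUB_TOKEN scopes; every job sets its own permissions block.
permissions: {}

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read  # checkout only
    steps:
      - uses: actions/checkout@v4
      - name: Set up Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '24'
          cache: 'npm'
      - name: Install dependencies
        run: npm ci
      - name: Match package.json version to git tag
        if: startsWith(github.ref, 'refs/tags/v')
        # GITHUB_REF_NAME is already the short tag name (e.g. v2.0.3): strip the leading
        # "v" and compare with package.json so a mismatched tag never gets published.
        run: |
          set -e
          REF_NAME="${GITHUB_REF_NAME#v}"
          PKG_VER="$(node -p "require('./package.json').version")"
          if [ "$REF_NAME" != "$PKG_VER" ]; then
            echo "::error::package.json version is $PKG_VER but tag resolves to $REF_NAME (expected v$PKG_VER)"
            exit 1
          fi
      - name: CI checks
        run: npm run typecheck && npm run lint && npm run format:check && npm test
      - name: Build package
        run: npm run release:pack
      - name: Upload package artifact
        uses: actions/upload-artifact@v4
        with:
          name: secbot-npm-package
          path: '*.tgz'

  upload-assets:
    name: GitHub Release assets
    needs: build
    runs-on: ubuntu-latest
    if: startsWith(github.ref, 'refs/tags/v')
    permissions:
      contents: write  # create/update the release and attach the .tgz
    steps:
      - name: Download built package
        uses: actions/download-artifact@v4
        with:
          name: secbot-npm-package
          path: artifacts
      - name: Create or update release and upload .tgz
        uses: softprops/action-gh-release@v2
        with:
          files: artifacts/*.tgz
          generate_release_notes: true
          # A "-" in the tag (e.g. v2.1.0-rc.1) marks the GitHub Release as a prerelease.
          prerelease: ${{ contains(github.ref_name, '-') }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  publish-npm:
    name: Publish to npm registry
    needs: build
    runs-on: ubuntu-latest
    if: startsWith(github.ref, 'refs/tags/v')
    permissions:
      contents: read  # checkout only; npmjs authenticates with NPM_TOKEN, not GITHUB_TOKEN
    steps:
      - uses: actions/checkout@v4
      - name: Set up Node.js for npm
        uses: actions/setup-node@v4
        with:
          node-version: '24'
          registry-url: 'https://registry.npmjs.org'
          cache: 'npm'
      - name: Install dependencies
        run: npm ci
      # Fails early with a clear error if NPM_TOKEN is missing, expired or lacks scope.
      - name: Verify npm registry authentication
        run: npm whoami
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
      - name: Publish to npm
        # Pre-release versions (containing "-") go to the "next" dist-tag so a plain
        # "npm install @opensec/secbot" keeps resolving to the latest stable version.
        run: |
          PKG_VER="$(node -p "require('./package.json').version")"
          if [[ "$PKG_VER" == *-* ]]; then
            npm publish --access public --tag next
          else
            npm publish --access public
          fi
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

  publish-github-packages:
    name: Publish to GitHub Packages
    needs: build
    runs-on: ubuntu-latest
    if: startsWith(github.ref, 'refs/tags/v')
    permissions:
      contents: read   # checkout
      packages: write  # npm publish to npm.pkg.github.com with GITHUB_TOKEN
    steps:
      - uses: actions/checkout@v4
      # GitHub Packages requires a lowercase scope, matching pkg.name as set by
      # apply-github-packages-name.js. The owner is handed to the shell through an
      # env var rather than interpolated with ${{ }} into the command line, so the
      # value is never re-parsed by bash (expression-injection hardening).
      - name: Normalize npm scope owner (lowercase)
        env:
          REPO_OWNER: ${{ github.repository_owner }}
        run: echo "NPM_SCOPE_OWNER=$(echo "$REPO_OWNER" | tr '[:upper:]' '[:lower:]')" >> "$GITHUB_ENV"
      - name: Set up Node.js for GitHub Packages
        uses: actions/setup-node@v4
        with:
          node-version: '24'
          registry-url: 'https://npm.pkg.github.com'
          scope: '${{ env.NPM_SCOPE_OWNER }}'
          cache: 'npm'
      - name: Install dependencies
        run: npm ci
      # Rewrites package.json name to @<owner>/secbot for this registry; the npmjs
      # package name (@opensec/secbot) is untouched because this job has its own checkout.
      - name: Apply scoped name for GitHub Packages registry
        run: node scripts/apply-github-packages-name.js
        env:
          GITHUB_REPOSITORY_OWNER: ${{ env.NPM_SCOPE_OWNER }}
      - name: Publish to GitHub Packages
        # Same dist-tag rule as the npmjs job: pre-releases go to "next".
        run: |
          PKG_VER="$(node -p "require('./package.json').version")"
          if [[ "$PKG_VER" == *-* ]]; then
            npm publish --tag next
          else
            npm publish
          fi
        env:
          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}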