
Merge pull request #178 from linearis-oss/issue-63-batch-resolve-impl #12


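# Publishes a release from `main` or `next`: on push to either branch, or when
# a maintainer/admin triggers the workflow manually (workflow_dispatch).
name: Publish Release

on:
  push:
    branches:
      - next
      - main
  workflow_dispatch:

# `contents: write` lets the release tooling push tags / release notes;
# `id-token: write` is what OIDC-based npm publishing (provenance) requires.
permissions:
  contents: write
  id-token: write

# One release at a time per branch. A running release is never cancelled:
# a half-published version cannot be rolled back.
concurrency:
  group: release-${{ github.ref_name }}
  cancel-in-progress: false

jobs:
  release:
    name: Publish Release
    runs-on: ubuntu-latest
    # Secrets (NPM_TOKEN, RELEASE_APP_*) are scoped to this environment.
    environment: npm-publish
    steps:
      # Manual runs are restricted to maintain/admin. Push runs are not
      # checked here; they are gated by who may push to `main`/`next`.
      - name: Guard workflow_dispatch caller permissions
        if: github.event_name == 'workflow_dispatch'
        uses: actions/github-script@v8
        with:
          script: |
            const { owner, repo } = context.repo;
            const username = context.actor;
            const result = await github.rest.repos.getCollaboratorPermissionLevel({
              owner,
              repo,
              username,
            });
            // Prefer the fine-grained role_name (maintain/admin/write/...);
            // fall back to the coarse `permission` field when it is absent.
            // Any role not in the allow-list (including custom roles) fails closed.
            const role = result.data.role_name ?? result.data.permission;
            const allowed = new Set(["maintain", "admin"]);
            if (!allowed.has(role)) {
              core.setFailed(
                `User ${username} has role '${role}'. Only maintain/admin may invoke workflow_dispatch releases.`,
              );
              return;
            }
            core.info(`workflow_dispatch authorized for ${username} (${role})`);

      # The ref name reaches the script via `env`, not via `${{ }}` inside the
      # `run:` body: an expression expanded into the script text becomes part
      # of the command line, whereas an environment variable is plain data to
      # bash. Only `main` and `next` are accepted as release branches.
      - name: Resolve and validate target branch
        id: target
        shell: bash
        env:
          REF_NAME: ${{ github.ref_name }}
        run: |
          set -euo pipefail
          branch="$REF_NAME"
          case "$branch" in
            main|next) ;;
            *)
              echo "Unsupported release branch: $branch"
              echo "Allowed branches: main, next"
              exit 1
              ;;
          esac
          echo "branch=$branch" >> "$GITHUB_OUTPUT"
          echo "Releasing from branch: $branch"

      - name: Checkout code
        uses: actions/checkout@v6
        with:
          # Full history; presumably the release tooling walks tags/commits
          # to compute the next version — confirm against the release config.
          fetch-depth: 0
          ref: ${{ steps.target.outputs.branch }}
          # Do not leave GITHUB_TOKEN in .git/config; pushes use the app token below.
          persist-credentials: false

      # Short-lived installation token for the release GitHub App, used for
      # git pushes and GitHub API calls instead of the job's GITHUB_TOKEN.
      - name: Create linearis-bot app token
        id: app-token
        uses: actions/create-github-app-token@v2
        with:
          app-id: ${{ secrets.RELEASE_APP_ID }}
          private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}

      # Derive the app's bot login and noreply e-mail so release commits are
      # attributed to the app. The slug is passed through `env` (see above).
      - name: Resolve linearis-bot app bot identity
        id: app-bot
        shell: bash
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
          APP_SLUG: ${{ steps.app-token.outputs.app-slug }}
        run: |
          set -euo pipefail
          slug="$APP_SLUG"
          id="$(gh api "/users/${slug}[bot]" --jq .id)"
          echo "name=${slug}[bot]" >> "$GITHUB_OUTPUT"
          echo "email=${id}+${slug}[bot]@users.noreply.github.com" >> "$GITHUB_OUTPUT"

      - name: Configure git identity (linearis-bot app)
        shell: bash
        env:
          GIT_USER_NAME: ${{ steps.app-bot.outputs.name }}
          GIT_USER_EMAIL: ${{ steps.app-bot.outputs.email }}
        run: |
          set -euo pipefail
          git config user.name "$GIT_USER_NAME"
          git config user.email "$GIT_USER_EMAIL"

      - name: Setup Node.js
        uses: actions/setup-node@v6
        with:
          # Quoted so the version is read as a string, not a number.
          node-version: "22"
          cache: npm
          # setup-node writes an .npmrc that reads NODE_AUTH_TOKEN at publish time.
          registry-url: https://registry.npmjs.org

      - name: Install dependencies
        run: npm ci

      - name: Build
        run: npm run build

      # Fail early, before any tag/commit is created, if the npm credential
      # is missing or rejected by the registry.
      - name: Verify npm auth
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
        run: |
          test -n "${NODE_AUTH_TOKEN}" || {
            echo "NPM_TOKEN missing (check job environment + secret scope)"
            exit 1
          }
          npm whoami --registry=https://registry.npmjs.org/

      - name: Run semantic-release
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
          # Override the ref seen by the release tooling with the validated
          # branch — presumably so a workflow_dispatch run from a non-branch
          # ref still releases from `main`/`next`; confirm against the tooling.
          GITHUB_REF: refs/heads/${{ steps.target.outputs.branch }}
          GITHUB_REF_NAME: ${{ steps.target.outputs.branch }}
        run: npm run release:run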