ci-run-release #5
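# Release workflow: creates or updates a GitHub release for a tag (or HEAD) and
# publishes the package to npm through OIDC trusted publishing.
name: ci-run-release

on:
  workflow_call:
    inputs:
      tag:
        type: string
        description: 'Exact git tag to release (omit to use HEAD)'
        required: false
  workflow_dispatch:
    inputs:
      tag:
        description: 'Git tag to release (leave blank for HEAD)'
        required: false
        type: string
      prerelease_name:
        description: 'Suffix for a manual pre-release (blank = full release)'
        required: false
        type: string
        default: ''
      skip_publish:
        description: 'Skip publishing to npm'
        required: false
        type: boolean
        default: true

# Workflow-level default. Both jobs below declare their own permissions block,
# which replaces this one for that job.
permissions:
  id-token: write # Required for OIDC
  contents: read

jobs:
  create-release:
    name: create-release
    runs-on: ubuntu-latest
    permissions:
      contents: write
      # NOTE(review): no step in this job visibly requests an OIDC token;
      # confirm id-token: write is needed here or drop it (least privilege).
      id-token: write
    env:
      COMPILE_ARTIFACTS: 'false'
    steps:
      - name: Checkout sources
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          fetch-depth: 0
          ref: ${{ inputs.tag || '' }}
          # No later step runs an authenticated git command, so keep the
          # token out of .git/config.
          persist-credentials: false
      - name: Determine tag
        id: tag
        env:
          # The input reaches the shell as data through the environment.
          # Interpolating ${{ inputs.tag }} inside the script would paste it
          # into the script text before the shell starts, so the filtering
          # below would run too late to stop injected commands.
          TAG_INPUT: ${{ inputs.tag }}
        run: |
          # Check if the tag input is provided
          if [ -n "$TAG_INPUT" ]; then
            # Sanitize the input - request by security team
            # Drop every character that is NOT alphanumeric, a hyphen, an
            # underscore, or a period. This keeps newlines and other
            # unexpected characters out of the value written to
            # $GITHUB_OUTPUT and reused by later steps.
            SANITIZED_TAG=$(printf '%s' "$TAG_INPUT" | tr -cd '[:alnum:]._-')
            # Use the sanitized tag
            echo "value=$SANITIZED_TAG" >> "$GITHUB_OUTPUT"
            if [ "$TAG_INPUT" != "$SANITIZED_TAG" ]; then
              # NOTE(review): checkout and the release-please step still use
              # the raw input, so a rewritten tag no longer names the ref that
              # was checked out. Consider failing here instead of continuing.
              echo "Warning: Input tag was sanitized from '$TAG_INPUT' to '$SANITIZED_TAG'"
            fi
          else
            # Fallback to commit short SHA if no tag is provided
            echo "value=$(git rev-parse --short HEAD)" >> "$GITHUB_OUTPUT"
          fi
      - name: Update release-please release artifacts
        if: ${{ inputs.tag != '' }}
        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
        with:
          tag_name: ${{ inputs.tag }}
      - name: Publish release
        if: ${{ inputs.prerelease_name != '' }}
        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
        with:
          tag_name: ${{ steps.tag.outputs.value }}
          name: zksync-js ${{ steps.tag.outputs.value }}${{ inputs.prerelease_name && format(' {0}', inputs.prerelease_name) || '' }}
          target_commitish: ${{ github.sha }}
          prerelease: ${{ inputs.prerelease_name != '' }}

  # Trigger package publishing to npm registry
  publish:
    name: publish-package 📦
    runs-on: ubuntu-latest
    # skip_publish is a boolean in the inputs context. Comparing it with the
    # string 'true' coerces both sides to numbers (1 vs NaN), which never
    # match, so the job ran even when skipping was requested. Negate the
    # boolean instead. workflow_call does not declare this input, so it is
    # empty there and the job still runs.
    if: ${{ !inputs.skip_publish }}
    permissions:
      contents: read
      id-token: write # Required for npm OIDC trusted publishing
    steps:
      # NOTE(review): no ref is given, so this checks out the triggering ref
      # rather than inputs.tag. Confirm the published package is meant to be
      # built from that commit and not from the released tag.
      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          # Dependency install scripts run in this job; do not leave the
          # token in .git/config.
          persist-credentials: false
      - name: Setup Bun
        uses: oven-sh/setup-bun@735343b667d3e6f658f44d0eca948eb6282f2b76 # v2.0.2
        with:
          bun-version: '1.3.5'
      - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
        with:
          node-version: 22.x
          registry-url: 'https://registry.npmjs.org'
      - name: Upgrade npm for OIDC support
        run: npm install -g npm@11.7.0
      # NOTE(review): if the repository commits a Bun lockfile, consider
      # `bun install --frozen-lockfile` so the release build cannot resolve
      # different dependency versions than the ones reviewed.
      - run: bun install
      - name: Publish to npm
        run: npm publish --access public --tag latest --provenance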