chore: centralize NPM behaviors to a single shared workflow (#1604)

Author: metal-messiah

.github/workflows/nightly.yml

@@ -87,50 +87,10 @@ jobs:
 
   deprecate-old-versions:
     name: Deprecate Unsupported Versions
-    runs-on: ubuntu-latest
-    steps:
-      - name: Set up Node.js
-        uses: actions/setup-node@v4
-        with:
-          node-version: 22.11.0 # See package.json for the stable node version that works with our testing.  Do not change this unless you know what you are doing as some node versions do not play nicely with our testing server.
-      - name: Authenticate with npm
-        run: npm config set "//registry.npmjs.org/:_authToken" "${{ secrets.BROWSER_NPM_TOKEN }}"
-      - name: Deprecate old versions
-        shell: bash
-        run: |
-          # Get agent EoL table from NRQL
-          response=$(curl -X POST https://api.newrelic.com/graphql \
-            -H 'Content-Type: application/json' \
-            -H 'API-Key: ${{ secrets.NR_API_KEY_PRODUCTION }}' \
-            -d '{ "query":  "{\n  docs {\n    agentReleases(agentName: BROWSER) {\n      eolDate\n      version\n    }\n  }\n}" }')
-          eol_table=$(echo "$response" | jq -r '.data.docs.agentReleases | map({(.version): .eolDate}) | add') # this is a map of version string to EoL date in yyyy-mm-dd format
-          echo "Fetched EoL table from NRDB."
-
-          # Fetch package metadata from npm registry
-          package_name="@newrelic/browser-agent"
-          metadata=$(curl -s "https://registry.npmjs.org/$package_name")
-          echo "Fetched agent releases metadata from NPM."
-
-          # Parse versions and their publication dates
-          today=$(date +%Y-%m-%d)
-          versions=$(echo "$metadata" | jq -r '.versions | keys[]') # this list is pre-sorted from oldest to newest
-          for version in $versions; do
-            eol_date=$(echo "$eol_table" | jq -r --arg version "$version" '.[$version]')
-            if [ "$eol_date" = "null" ]; then
-              echo "No EoL date found for version $version. Skipping..."
-              continue
-            fi
-            deprecation_message=$(echo "$metadata" | jq -r ".versions[\"$version\"].deprecated")
-            if [[ "$eol_date" < "$today" || "$eol_date" == "$today" ]]; then
-              if [ "$deprecation_message" = "null" ]; then
-                echo "Deprecating version $version no longer supported as of $eol_date..."
-                npm deprecate "$package_name@$version" "This version is no longer supported."
-              else
-                echo "Version $version is already deprecated."
-              fi
-            else
-              break # rest of the ascending versions should be within their support window
-            fi
-          done
+    uses: ./.github/workflows/npm-operations.yml
+    with:
+      operation: deprecate-old-versions
+    secrets:
+      NR_API_KEY_PRODUCTION: ${{ secrets.NR_API_KEY_PRODUCTION }}
 
   # TODO: Need to add a job for cleaning up experiments to run nightly

.github/workflows/npm-operations.yml

@@ -0,0 +1,171 @@
+name: NPM Operations
+
+permissions:
+  # In order to create the git tag, we must have write permissions.
+  contents: write
+  # This is important. Trusted Publishing requires this for the OIDC exchange.
+  id-token: write
+
+on:
+  # Triggered by other workflows for specific NPM operations
+  workflow_call:
+    inputs:
+      operation:
+        description: 'NPM operation to perform'
+        required: true
+        type: string
+        # Valid values: publish-release, publish-prerelease, deprecate-old-versions
+      preid:
+        description: 'Prerelease identifier (e.g., rc, alpha, beta)'
+        required: false
+        type: string
+        default: 'rc'
+      version-override:
+        description: 'Override version for prerelease operations'
+        required: false
+        type: string
+      dry_run:
+        description: 'Dry run mode for testing'
+        required: false
+        type: boolean
+        default: false
+    secrets:
+      GITHUB_LOGIN:
+        required: false
+      GITHUB_EMAIL:
+        required: false
+      NR_API_KEY_PRODUCTION:
+        required: false
+    outputs:
+      operation:
+        description: 'The operation that was performed'
+        value: ${{ jobs.npm-operations.outputs.operation }}
+      success:
+        description: 'Whether the operation was successful'
+        value: ${{ jobs.npm-operations.outputs.success }}
+
+  # Manual trigger for testing/emergency operations
+  workflow_dispatch:
+    inputs:
+      operation:
+        description: 'NPM operation to perform'
+        required: true
+        type: choice
+        options:
+          - publish-release
+          - publish-prerelease
+          - deprecate-old-versions
+      preid:
+        description: 'Prerelease identifier (e.g., rc, alpha, beta)'
+        required: false
+        type: string
+        default: 'rc'
+      version-override:
+        description: 'Override version for prerelease operations'
+        required: false
+        type: string
+      dry_run:
+        description: 'Dry run mode for testing'
+        required: false
+        type: boolean
+        default: false
+
+jobs:
+  npm-operations:
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    defaults:
+      run:
+        shell: bash
+    env:
+      GITHUB_LOGIN: ${{ secrets.GITHUB_LOGIN || secrets.BROWSER_GITHUB_BOT_NAME }}
+      GITHUB_EMAIL: ${{ secrets.GITHUB_EMAIL || secrets.BROWSER_GITHUB_BOT_EMAIL }}
+    
+    steps:
+      - uses: actions/checkout@v5
+      
+      - uses: actions/setup-node@v5
+        with:
+          # Trusted Publishing requires `npm@11.5.1` or later. Compatible
+          # versions of `npm` started shipping with Node.js v24.5.0.
+          # If, for some odd reason, you need to use an earlier Node.js release,
+          # you _must_ add another step subsequent to this one that performs:
+          # `npm install -g npm@latest`.
+          node-version: 24.x
+          # This is important. The OIDC exchange requires that the registry
+          # URL matches on both ends.
+          registry-url: https://registry.npmjs.org
+      
+      # Setup Git for prerelease operations
+      - name: Set up git
+        if: inputs.operation == 'publish-prerelease'
+        run: |
+          git config --global user.name "${GITHUB_LOGIN}"
+          git config --global user.email "${GITHUB_EMAIL}"
+      
+      # Install dependencies for publish operations
+      - name: Install project dependencies
+        if: inputs.operation == 'publish-release' || inputs.operation == 'publish-prerelease'
+        run: npm ci
+      
+      # Build NPM package for release
+      - name: Build npm package
+        if: inputs.operation == 'publish-release'
+        run: npm run build:npm
+      
+      # Publish release version
+      - name: Publish npm package (release)
+        if: inputs.operation == 'publish-release'
+        run: npm publish
+      
+      # Publish prerelease version
+      - name: Publish prerelease version
+        if: inputs.operation == 'publish-prerelease'
+        uses: ./.github/actions/prerelease-npm-version
+        with:
+          version-override: ${{ inputs.version-override }}
+          preid: ${{ inputs.preid }}
+          dry_run: ${{ inputs.dry_run }}
+      
+      # Deprecate old versions
+      - name: Deprecate old versions
+        if: inputs.operation == 'deprecate-old-versions'
+        run: |
+          # Get agent EoL table from NRQL
+          response=$(curl -X POST https://api.newrelic.com/graphql \
+            -H 'Content-Type: application/json' \
+            -H 'API-Key: ${{ secrets.NR_API_KEY_PRODUCTION }}' \
+            -d '{ "query":  "{\n  docs {\n    agentReleases(agentName: BROWSER) {\n      eolDate\n      version\n    }\n  }\n}" }')
+          eol_table=$(echo "$response" | jq -r '.data.docs.agentReleases | map({(.version): .eolDate}) | add')
+          echo "Fetched EoL table from NRDB."
+
+          # Fetch package metadata from npm registry
+          package_name="@newrelic/browser-agent"
+          metadata=$(curl -s "https://registry.npmjs.org/$package_name")
+          echo "Fetched agent releases metadata from NPM."
+
+          # Parse versions and their publication dates
+          today=$(date +%Y-%m-%d)
+          versions=$(echo "$metadata" | jq -r '.versions | keys[]')
+          for version in $versions; do
+            eol_date=$(echo "$eol_table" | jq -r --arg version "$version" '.[$version]')
+            if [ "$eol_date" = "null" ]; then
+              echo "No EoL date found for version $version. Skipping..."
+              continue
+            fi
+            deprecation_message=$(echo "$metadata" | jq -r ".versions[\"$version\"].deprecated")
+            if [[ "$eol_date" < "$today" || "$eol_date" == "$today" ]]; then
+              if [ "$deprecation_message" = "null" ]; then
+                echo "Deprecating version $version no longer supported as of $eol_date..."
+                npm deprecate "$package_name@$version" "This version is no longer supported."
+              else
+                echo "Version $version is already deprecated."
+              fi
+            else
+              break
+            fi
+          done
+
+    outputs:
+      operation: ${{ inputs.operation }}
+      success: ${{ job.status == 'success' }}

.github/workflows/prerelease-npm-version.yml

@@ -23,30 +23,12 @@ on:
 
 jobs:
   prerelease-npm-version:
-    runs-on: ubuntu-latest
-    outputs:
-      version: ${{ steps.prerelease-npm-version.outputs.results }}
-    env:
-      NPM_TOKEN: ${{ secrets.BROWSER_NPM_TOKEN }}
+    uses: ./.github/workflows/npm-operations.yml
+    with:
+      operation: publish-prerelease
+      preid: ${{ github.event.inputs.preid }}
+      version-override: ${{ github.event.inputs.version-override }}
+      dry_run: ${{ github.event.inputs.dry_run == 'true' }}
+    secrets:
       GITHUB_LOGIN: ${{ secrets.BROWSER_GITHUB_BOT_NAME }}
       GITHUB_EMAIL: ${{ secrets.BROWSER_GITHUB_BOT_EMAIL }}
-    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
-        with:
-          node-version: 22.11.0 # See package.json for the stable node version that works with our testing.  Do not change this unless you know what you are doing as some node versions do not play nicely with our testing server.
-      - name: Authenticate npm
-        shell: bash
-        run: |
-          npm config set '//registry.npmjs.org/:_authToken' "${NPM_TOKEN}"
-      - name: Set up git
-        id: git-setup
-        run: |
-          git config --global user.name "${GITHUB_LOGIN}"
-          git config --global user.email "${GITHUB_EMAIL}"
-      - uses: ./.github/actions/prerelease-npm-version
-        id: prerelease-npm-version
-        with:
-          version-override: ${{ github.event.inputs.version-override }}
-          preid: ${{ github.event.inputs.preid }}
-          dry_run: ${{ github.event.inputs.dry_run }}

.github/workflows/publish-release.yml

@@ -222,29 +222,15 @@ jobs:
   #         environment: stage
 
   # Publish the agent to npmjs.org
-  publish-npm:
-    needs: [publish-prod-to-s3]
-    runs-on: ubuntu-latest
-    timeout-minutes: 30
-    defaults:
-      run:
-        shell: bash
-    env:
-      NPM_TOKEN: ${{ secrets.BROWSER_NPM_TOKEN }}
-    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
-        with:
-          node-version: 22.11.0 # See package.json for the stable node version that works with our testing.  Do not change this unless you know what you are doing as some node versions do not play nicely with our testing server.
-      - name: Authenticate npm
-        run: |
-          npm config set '//registry.npmjs.org/:_authToken' "${NPM_TOKEN}"
-      - name: Install project dependencies
-        run: npm ci
-      - name: Build npm package
-        run: npm run build:npm
-      - name: Publish npm package
-        run: npm publish
+  call-npm-operations:
+    name: Call NPM Operations
+    uses: ./.github/workflows/npm-operations.yml
+    with:
+      action: publish-release
+    secrets:
+      GITHUB_LOGIN: ${{ secrets.BROWSER_GITHUB_BOT_NAME }}
+      GITHUB_EMAIL: ${{ secrets.BROWSER_GITHUB_BOT_EMAIL }}
+      NR_API_KEY_PRODUCTION: ${{ secrets.NR_API_KEY_PRODUCTION }}
 
   # Raise the release notes pr on the docs website repo
   raise-release-notes-pr:

.github/workflows/release-please.yml

@@ -34,26 +34,10 @@ jobs:
     # Bump a new prerelease version and publish to NPM.
   prerelease-npm-version:
     needs: release-please
-    runs-on: ubuntu-latest
-    env:
-      NPM_TOKEN: ${{ secrets.BROWSER_NPM_TOKEN }}
+    uses: ./.github/workflows/npm-operations.yml
+    with:
+      operation: publish-prerelease
+      preid: rc
+    secrets:
       GITHUB_LOGIN: ${{ secrets.BROWSER_GITHUB_BOT_NAME }}
       GITHUB_EMAIL: ${{ secrets.BROWSER_GITHUB_BOT_EMAIL }}
-    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
-        with:
-          node-version: 22.11.0 # See package.json for the stable node version that works with our testing.  Do not change this unless you know what you are doing as some node versions do not play nicely with our testing server.
-      - name: Authenticate npm
-        shell: bash
-        run: |
-          npm config set '//registry.npmjs.org/:_authToken' "${NPM_TOKEN}"
-      - name: Set up git
-        id: git-setup
-        run: |
-          git config --global user.name "${GITHUB_LOGIN}"
-          git config --global user.email "${GITHUB_EMAIL}"
-      - uses: ./.github/actions/prerelease-npm-version
-        id: prerelease-npm-version
-        with:
-          dry_run: false

package.json

@@ -170,7 +170,7 @@
     "runtime": {
       "name": "node",
       "onFail": "error",
-      "version": "22.11.0"
+      "version": ">=22.11.0"
     },
     "packageManager": {
       "name": "npm",

tools/test-builds/vite-react-wrapper/.nvmrc

@@ -0,0 +1 @@
+22.11.0