Skip to content
Release

fix(ci): Update release for trusted publishing (#104) #2

Sign in to view logs

fix(ci): Update release for trusted publishing (#104)

fix(ci): Update release for trusted publishing (#104) #2

Workflow file for this run

.github/workflows/release-please.yaml at 5d4b7fd
name: Release
on:
push:
branches:
- main
jobs:
release:
runs-on: ubuntu-latest
outputs:
tag_name: ${{ steps.release.outputs.tag_name }}
release_created: ${{ steps.release.outputs.release_created }}
permissions:
# Write to "contents" is needed to create a release
contents: write
# Write to pull-requests is needed to create and update the release PR
pull-requests: write
steps:
# Create/update release PR
- uses: googleapis/release-please-action@v4
id: release
with:
release-type: node
npm:
runs-on: ubuntu-latest
needs: release
if: needs.release.outputs.release_created
permissions:
# Required for OIDC ("trusted publishing")
id-token: write
# Write to "contents" is needed to attach files to the release
contents: write
steps:
- uses: actions/checkout@v4
with:
ref: refs/tags/${{ needs.release.outputs.tag_name }}
persist-credentials: false
- uses: actions/setup-node@v4
with:
# NOTE: OIDC fails with node less than 24.
node-version: 24
registry-url: 'https://registry.npmjs.org'
# NOTE: OIDC fails with npm less than 11.5.1.
- name: Update npm
run: sudo npm install -g npm@11.7
- run: npm ci
# NOTE: OIDC fails if the repository URL doesn't match package.json.
- run: npm pkg set repository.url=https://github.com/${{ github.repository }}
# NOTE: --access public is required for scoped forks.
- run: npm publish --access public
# Stores the file name into the file "tarball" (unpredictable for forks).
- run: npm pack > tarball
- name: Attach files to release
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# Reads the file name from the file "tarball".
run: gh release upload --clobber "${{ needs.release.outputs.tag_name }}" "$(cat tarball)"