Publish NPM #42
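name: Publish NPM

# Publishes @tangle-network/browser-agent-driver to npm using OIDC trusted
# publishing. Triggered by a release tag push or a manual dispatch; either way
# the version being published must equal the one in package.json.
on:
  push:
    tags:
      - 'browser-agent-driver-v*'
  workflow_dispatch:
    inputs:
      version:
        description: 'Package version to publish (must match package.json)'
        required: true
        type: string

# Least privilege: read-only access to repository contents; id-token is the
# only credential the OIDC publish path needs.
permissions:
  contents: read
  id-token: write

# One publish per ref at a time. In-flight runs are never cancelled, so a
# publish that has already started cannot be cut short by a newer trigger.
concurrency:
  group: npm-publish-${{ github.repository }}-${{ github.ref_name }}
  cancel-in-progress: false

jobs:
  publish:
    # Forks inherit this workflow; only the canonical repository may publish.
    if: github.repository == 'tangle-network/browser-agent-driver'
    runs-on: ubuntu-latest
    steps:
      # Actions are pinned to major version tags. Pinning each to a full
      # commit SHA would further narrow the supply-chain surface of a job
      # that holds publish rights.
      - name: Checkout
        uses: actions/checkout@v4

      - name: Setup pnpm
        uses: pnpm/action-setup@v4
        with:
          version: 10

      - name: Setup Node
        uses: actions/setup-node@v4
        with:
          node-version: '22'
          cache: pnpm
          registry-url: 'https://registry.npmjs.org'

      - name: Install dependencies
        run: pnpm install --frozen-lockfile

      - name: Build
        run: pnpm build

      - name: Install Playwright browsers
        run: pnpm exec playwright install --with-deps chromium

      - name: Test
        run: pnpm test

      - name: Validate publish target
        id: validate
        # The dispatch input reaches the script through an environment
        # variable rather than ${{ }} interpolation, so its content is always
        # data to the shell and never shell syntax. The trigger name comes
        # from the runner-provided GITHUB_EVENT_NAME for the same reason.
        env:
          INPUT_VERSION: ${{ github.event.inputs.version }}
        # Explicit bash: the script relies on [[ ]] pattern matching.
        shell: bash
        run: |
          PKG_NAME="@tangle-network/browser-agent-driver"
          PKG_VERSION="$(node -p "require('./package.json').version")"
          EXPECTED_VERSION=""
          if [ "${GITHUB_EVENT_NAME}" = "workflow_dispatch" ]; then
            EXPECTED_VERSION="${INPUT_VERSION}"
          elif [ "${GITHUB_REF_TYPE}" = "tag" ] && [[ "${GITHUB_REF_NAME}" == browser-agent-driver-v* ]]; then
            # Strip the tag prefix to recover the version it encodes.
            EXPECTED_VERSION="${GITHUB_REF_NAME#browser-agent-driver-v}"
          fi
          if [ -z "${EXPECTED_VERSION}" ]; then
            echo "Unsupported trigger or tag format."
            exit 1
          fi
          # The published artifact must be exactly what the trigger named.
          if [ "${EXPECTED_VERSION}" != "${PKG_VERSION}" ]; then
            echo "Version mismatch: expected ${EXPECTED_VERSION}, package.json has ${PKG_VERSION}"
            exit 1
          fi
          # Fast-fail on an existing version. Note that any non-zero exit from
          # `npm view` (a transient registry error included) reads as "not yet
          # published"; the publish step below remains the final arbiter.
          if npm view "${PKG_NAME}@${PKG_VERSION}" version --registry https://registry.npmjs.org >/dev/null 2>&1; then
            echo "${PKG_NAME}@${PKG_VERSION} is already published."
            exit 1
          fi
          echo "version=${PKG_VERSION}" >> "${GITHUB_OUTPUT}"

      - name: Publish to npm (trusted publishing via OIDC)
        # Auth: GitHub OIDC validated against the trusted publisher at
        # https://www.npmjs.com/package/@tangle-network/browser-agent-driver/access
        # Each publish is cryptographically tied to this commit + workflow
        # run, signed by GitHub's OIDC issuer, and provenance-attested.
        # No long-lived tokens — `id-token: write` permission is the only
        # credential needed.
        #
        # We invoke `npx -y npm@11` instead of the runner's bundled npm
        # because Node 22 ships npm 10.x, which has incomplete OIDC support
        # for scoped packages and silently 404s the publish PUT instead of
        # using the trusted publisher token. npm 11.5+ has the full OIDC
        # publish path. We use `npx` rather than `npm install -g npm@latest`
        # because the global upgrade path on Node 22 hits a broken
        # transitive dep (promise-retry MODULE_NOT_FOUND).
        #
        # `npm@11` resolves to the newest 11.x at run time, so the publish
        # tool itself is fetched fresh on every release. Pinning an exact
        # npm version here would make that tool reproducible as well.
        run: npx -y npm@11 publish --provenance --access public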