release.yml
name: Release

# Fires whenever a pull request targeting master is closed, merged or not.
# The trigger itself does not look at the merge state or the branch name;
# that filtering is done by the `if` on the check job.
on:
  pull_request:
    types:
      - closed
    branches:
      - master
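jobs:
  # Job 1: Check if release is needed (read-only permissions)
  check:
    permissions:
      contents: read
    runs-on: ubuntu-latest
    outputs:
      EXISTS_TAG: ${{ steps.tag_check.outputs.EXISTS_TAG }}
    # Only merged pull requests whose head branch starts with release/ get past
    # this point; every other closed PR skips the job and leaves EXISTS_TAG empty.
    if: github.event.pull_request.merged == true && startsWith(github.head_ref, 'release/')
    steps:
      - name: Checkout
        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
        with:
          # Keep the job token out of .git/config.
          persist-credentials: false
      # NOTE(review): no later step in this job invokes pnpm; this step looks
      # removable, which would drop one third-party action from the job - confirm.
      - name: Install pnpm
        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
      - name: Set PACKAGE_VERSION
        run: |
          VERSION=$(jq -r .version lerna.json)
          # Accept only a plain semantic version before appending to $GITHUB_ENV.
          # A value containing a newline would define extra environment variables
          # for later steps, and a missing field arrives as the string "null".
          SEMVER_RE='^[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$'
          if ! [[ "$VERSION" =~ $SEMVER_RE ]]; then
            # The rejected value is deliberately not echoed into the log.
            echo "::error::lerna.json version is not a valid semantic version"
            exit 1
          fi
          echo "PACKAGE_VERSION=$VERSION" >> "$GITHUB_ENV"
      - name: Tag Check
        id: tag_check
        run: |
          # Ask the remote for the exact ref instead of grepping the full tag
          # list: in a regex the dots of the version match any character.
          # With --exit-code, git returns 0 when the ref exists and 2 when it
          # does not; any other status means the lookup itself failed.
          status=0
          git ls-remote --exit-code --tags origin "refs/tags/v${PACKAGE_VERSION}" > /dev/null || status=$?
          case "$status" in
            0) echo "EXISTS_TAG=true" >> "$GITHUB_OUTPUT" ;;
            2) echo "EXISTS_TAG=false" >> "$GITHUB_OUTPUT" ;;
            *)
              # Fail closed: an unreachable remote must not be read as "no tag",
              # because the release job publishes when EXISTS_TAG is 'false'.
              echo "::error::could not query remote tags (git exit status $status)"
              exit 1
              ;;
          esac
        env:
          PACKAGE_VERSION: ${{ env.PACKAGE_VERSION }}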
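# Job 2: Actual release process (minimal permissions)
  release:
    runs-on: ubuntu-latest
    needs: check
    # always() stops this job from being skipped automatically when check did
    # not succeed; it then runs only if check explicitly reported 'false'.
    # A skipped or failed check leaves the output empty, so nothing is released.
    if: always() && (needs.check.outputs.EXISTS_TAG == 'false')
    # Environment configuration - Required for OIDC authentication
    environment:
      name: npm
    outputs:
      version: ${{ steps.set_version.outputs.version }}
      release-url: ${{ steps.create_release.outputs.release-url }}
      released: ${{ steps.create_release.outputs.released }}
    permissions:
      # Needed by the tag push and the GitHub release created below.
      contents: write
      # Required for OIDC authentication
      id-token: write
    steps:
      - name: Checkout
        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
        with:
          persist-credentials: false
      - name: Install pnpm
        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
      - name: Setup Node
        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
        with:
          # Release workflow should not use cache to prevent cache poisoning
          # See: https://docs.zizmor.sh/audits/#cache-poisoning
          # cache: 'pnpm'
          node-version: 22
          registry-url: https://registry.npmjs.org
      # NOTE(review): set-url stores the contents:write token in .git/config,
      # which undoes persist-credentials: false from the checkout. The token is
      # then readable by every later step, including dependency install scripts,
      # the build and ci:release. If ci:release does not push to the repository
      # (script not visible here - confirm), set the authenticated URL only in
      # the "Create Git Tag" step, right before the push.
      - name: Git Identity
        run: |
          git config --global user.name 'github-actions[bot]'
          git config --global user.email 'github-actions[bot]@users.noreply.github.com'
          git remote set-url origin https://x-access-token:${GITHUB_TOKEN}@github.com/$GITHUB_REPOSITORY
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Set PACKAGE_VERSION
        id: set_version
        run: |
          VERSION=$(jq -r .version lerna.json)
          # Accept only a plain semantic version before it reaches $GITHUB_ENV
          # and $GITHUB_OUTPUT. A value containing a newline would inject extra
          # variables into the Publish step, and a missing field arrives as the
          # string "null", which would be tagged as "vnull".
          SEMVER_RE='^[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$'
          if ! [[ "$VERSION" =~ $SEMVER_RE ]]; then
            # The rejected value is deliberately not echoed into the log.
            echo "::error::lerna.json version is not a valid semantic version"
            exit 1
          fi
          echo "PACKAGE_VERSION=$VERSION" >> "$GITHUB_ENV"
          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
      # NOTE(review): consider `pnpm install --frozen-lockfile` so the publishing
      # job cannot resolve anything other than the committed lockfile - confirm
      # that a lockfile is committed first.
      - name: Install
        run: pnpm install
      - name: Build
        run: pnpm run build
      - name: Publish
        run: pnpm run ci:release
        env:
          # Publish to npm with OIDC authentication
          # See: https://docs.npmjs.com/generating-provenance-statements
          NPM_CONFIG_PROVENANCE: 'true'
          # NOTE(review): this hands the contents:write token to ci:release;
          # drop it if that script never calls the GitHub API - confirm.
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Create Git Tag
        run: |
          git tag "v${PACKAGE_VERSION}"
          git push origin "v${PACKAGE_VERSION}"
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PACKAGE_VERSION: ${{ env.PACKAGE_VERSION }}
      - name: Create Release
        id: create_release
        # The PR title and body are author-controlled text. They reach the script
        # through env and are expanded inside double quotes, so the shell never
        # parses them as code; keep it that way rather than inlining ${{ }}.
        # NOTE(review): confirm the runner's gh accepts --json/-q on
        # `release create`; an unknown flag would fail this step after the
        # package and the tag have already been published.
        run: |
          RELEASE_URL=$(gh release create "v${PACKAGE_VERSION}" \
            --title "${GITHUB_EVENT_PULL_REQUEST_TITLE}" \
            --notes "${GITHUB_EVENT_PULL_REQUEST_BODY}" \
            --json url -q .url)
          echo "release-url=$RELEASE_URL" >> "$GITHUB_OUTPUT"
          echo "released=true" >> "$GITHUB_OUTPUT"
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PACKAGE_VERSION: ${{ env.PACKAGE_VERSION }}
          GITHUB_EVENT_PULL_REQUEST_TITLE: ${{ github.event.pull_request.title }}
          GITHUB_EVENT_PULL_REQUEST_BODY: ${{ github.event.pull_request.body }}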
# Job 3: report the release outcome on the pull request (pull-requests: write only)
  comment:
    runs-on: ubuntu-latest
    needs: release
    permissions:
      pull-requests: write
    # always() lets this job run after a failed release as well; a release that
    # was skipped produces no comment at all.
    if: |
      always() &&
      github.event_name == 'pull_request' &&
      needs.release.result != 'skipped'
    steps:
      # Every value used in the scripts below arrives through env, not through
      # ${{ }} expansion inside the script text.
      - name: Comment on PR - Success
        if: needs.release.result == 'success'
        env:
          GH_TOKEN: ${{ github.token }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
          VERSION: ${{ needs.release.outputs.version }}
          RELEASE_URL: ${{ needs.release.outputs.release-url }}
          SERVER_URL: ${{ github.server_url }}
          REPOSITORY: ${{ github.repository }}
          RUN_ID: ${{ github.run_id }}
        run: |
          gh pr comment "$PR_NUMBER" \
          --repo "$REPOSITORY" \
          --body "✅ **Release v$VERSION completed successfully!**
          - 🏷️ GitHub Release: $RELEASE_URL
          - 🔗 Workflow run: $SERVER_URL/$REPOSITORY/actions/runs/$RUN_ID"
      - name: Comment on PR - Failure
        if: needs.release.result == 'failure'
        env:
          GH_TOKEN: ${{ github.token }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
          SERVER_URL: ${{ github.server_url }}
          REPOSITORY: ${{ github.repository }}
          RUN_ID: ${{ github.run_id }}
        run: |
          gh pr comment "$PR_NUMBER" \
          --repo "$REPOSITORY" \
          --body "❌ **Release failed**
          Please check the workflow logs for details.
          🔗 Workflow run: $SERVER_URL/$REPOSITORY/actions/runs/$RUN_ID"