|
1 | 1 | # Package Release Workflow |
2 | 2 | # |
3 | 3 | # Automatically releases the opennextjs-cli package to npm when a version tag |
4 | | -# is pushed. Uses OIDC for npm authentication (no NPM_TOKEN secret required). |
| 4 | +# is pushed. Supports both NPM_TOKEN (for first release) and OIDC (for subsequent releases). |
5 | 5 | # |
6 | 6 | # **What it does:** |
7 | 7 | # 1. Builds and tests the package |
8 | 8 | # 2. Extracts version from tag (e.g., v1.0.0 → 1.0.0) |
9 | 9 | # 3. Verifies package.json version matches tag version |
10 | 10 | # 4. Generates changelog automatically using git-cliff |
11 | | -# 5. Publishes to npm via OIDC |
| 11 | +# 5. Publishes to npm (tries OIDC first, falls back to NPM_TOKEN) |
12 | 12 | # 6. Creates GitHub Release with changelog notes |
13 | 13 | # |
14 | 14 | # **Trigger:** |
|
20 | 20 | # |
21 | 21 | # **Prerequisites:** |
22 | 22 | # - package.json version must match tag version (e.g., 1.0.0) |
23 | | -# - npm package must have GitHub Actions configured as trusted publisher |
24 | | -# (one-time setup on npmjs.com → Account Settings → Access Tokens → Automation) |
25 | 23 | # |
26 | | -# **OIDC Setup:** |
27 | | -# - No NPM_TOKEN secret required |
28 | | -# - Uses GitHub OIDC for automatic authentication |
| 24 | +# **First Release (NPM_TOKEN):** |
| 25 | +# - Requires NPM_TOKEN secret in GitHub repository |
| 26 | +# - Create token: npmjs.com → Account Settings → Access Tokens → Generate New Token (Automation) |
| 27 | +# - Add secret: GitHub repo → Settings → Secrets and variables → Actions → New repository secret |
| 28 | +# - Name: NPM_TOKEN |
| 29 | +# - Value: Your npm automation token |
| 30 | +# |
| 31 | +# **Subsequent Releases (OIDC - Recommended):** |
| 32 | +# - After first release, set up OIDC trusted publishing: |
| 33 | +# 1. Go to npmjs.com → Account Settings → Access Tokens → Automation |
| 34 | +# 2. Click "Add GitHub Actions" or "Configure" next to "Trusted Publishers" |
| 35 | +# 3. Select repository: JSONbored/opennextjs-cli |
| 36 | +# 4. Select workflow: .github/workflows/release.yml |
| 37 | +# 5. Save |
| 38 | +# - Once OIDC is configured, NPM_TOKEN is no longer needed |
29 | 39 | # - More secure than token-based authentication |
30 | 40 | # - Automatic token rotation |
31 | 41 | name: Release |
@@ -136,11 +146,41 @@ jobs: |
136 | 146 | cat /tmp/changelog-section.md >> $GITHUB_ENV |
137 | 147 | echo "EOF" >> $GITHUB_ENV |
138 | 148 |
|
139 | | - - name: Publish to npm |
| 149 | + - name: Publish to npm (try OIDC first) |
| 150 | + id: publish-oidc |
140 | 151 | working-directory: packages/opennextjs-cli |
141 | 152 | run: | |
| 153 | + # Try publishing with OIDC (if configured) |
| 154 | + npm publish --access public && \ |
| 155 | + echo "✅ Published @jsonbored/opennextjs-cli@${{ steps.version.outputs.VERSION }} to npm (via OIDC)" || \ |
| 156 | + echo "⚠️ OIDC publish failed, will try NPM_TOKEN fallback" |
| 157 | + continue-on-error: true |
| 158 | + |
| 159 | + - name: Publish to npm (fallback to NPM_TOKEN) |
| 160 | + if: steps.publish-oidc.outcome == 'failure' |
| 161 | + working-directory: packages/opennextjs-cli |
| 162 | + env: |
| 163 | + NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} |
| 164 | + run: | |
| 165 | + if [ -z "$NODE_AUTH_TOKEN" ]; then |
| 166 | + echo "❌ NPM_TOKEN secret not found. For first release, you need to:" >&2 |
| 167 | + echo " 1. Create npm automation token: https://www.npmjs.com/settings/JSONbored/tokens" >&2 |
| 168 | + echo " 2. Add NPM_TOKEN secret to GitHub: Settings → Secrets and variables → Actions" >&2 |
| 169 | + echo " 3. Name the secret: NPM_TOKEN" >&2 |
| 170 | + exit 1 |
| 171 | + fi |
| 172 | + # Configure npm to use token |
| 173 | + echo "//registry.npmjs.org/:_authToken=$NODE_AUTH_TOKEN" > ~/.npmrc |
142 | 174 | npm publish --access public |
143 | | - echo "✅ Published @jsonbored/opennextjs-cli@${{ steps.version.outputs.VERSION }} to npm" |
| 175 | + echo "✅ Published @jsonbored/opennextjs-cli@${{ steps.version.outputs.VERSION }} to npm (via NPM_TOKEN)" |
| 176 | + echo "" >&2 |
| 177 | + echo "💡 After first release, set up OIDC trusted publishing for better security:" >&2 |
| 178 | + echo " 1. Go to: https://www.npmjs.com/settings/JSONbored/automation" >&2 |
| 179 | + echo " 2. Click 'Add GitHub Actions' or 'Configure' next to 'Trusted Publishers'" >&2 |
| 180 | + echo " 3. Select repository: JSONbored/opennextjs-cli" >&2 |
| 181 | + echo " 4. Select workflow: .github/workflows/release.yml" >&2 |
| 182 | + echo " 5. Save" >&2 |
| 183 | + echo " Then you can remove the NPM_TOKEN secret." >&2 |
144 | 184 |
|
145 | 185 | - name: Create GitHub Release |
146 | 186 | uses: softprops/action-gh-release@v2 |
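Review bot: The NPM_TOKEN fallback step is unreachable: the `npm publish ... && echo ... || echo ...` chain in the OIDC step always exits 0 because the trailing `echo` succeeds, so `steps.publish-oidc.outcome` is never `failure`, `continue-on-error: true` never has anything to mask, and a genuine OIDC auth failure falls straight through to "Create GitHub Release" with nothing published. Make the failure explicit with an if/else that exits non-zero (below) and keep `continue-on-error: true` so the fallback condition can actually fire. In the fallback, `> ~/.npmrc` overwrites any existing user config (including whatever an earlier `setup-node` `registry-url` step may have written — not visible in this hunk); npm already honours `NODE_AUTH_TOKEN` under that setup, so the explicit write is likely redundant and could be dropped. Since the automation-token path bypasses 2FA, the header comment should recommend a granular access token scoped to this one package with an expiry instead of an account-wide automation token, and should state that the job needs `permissions: id-token: write` for the OIDC attempt (the permissions block is outside this hunk, so I cannot confirm it is present).
```yaml
      - name: Publish to npm (try OIDC first)
        id: publish-oidc
        working-directory: packages/opennextjs-cli
        run: |
          # Fail loudly so steps.publish-oidc.outcome becomes 'failure' and the token fallback runs
          if npm publish --access public; then
            echo "✅ Published @jsonbored/opennextjs-cli@${{ steps.version.outputs.VERSION }} to npm (via OIDC)"
          else
            echo "⚠️ OIDC publish failed, will try NPM_TOKEN fallback" >&2
            exit 1
          fi
        continue-on-error: true
      # … unchanged: NPM_TOKEN fallback step …
```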
|