Automated Release

fix: resolve npm OIDC trusted publishing 404 error [patch] #16

Sign in to view logs

Workflow file for this run

.github/workflows/release.yml at 5d558d2

	name: Automated Release

	on:
	push:
	branches:
	- main

	jobs:
	release:
	if: contains(github.event.head_commit.message, '[patch]') \|\| contains(github.event.head_commit.message, '[minor]') \|\| contains(github.event.head_commit.message, '[major]')
	runs-on: ubuntu-latest

	# Required permissions for npm trusted publishing with provenance
	permissions:
	contents: write # For creating tags and releases
	id-token: write # Required for OIDC authentication (npm trusted publishers)

	steps:
	- name: Checkout code
	uses: actions/checkout@v4
	with:
	fetch-depth: 0
	token: ${{ secrets.GITHUB_TOKEN }}

	# Setup Bun for installing dependencies and building
	- name: Setup Bun
	uses: oven-sh/setup-bun@v2
	with:
	bun-version: latest

	# Setup Node.js for npm publish with trusted publishers
	# Node 24 is required for OIDC trusted publishing to work properly
	- name: Setup Node.js
	uses: actions/setup-node@v4
	with:
	node-version: '24'
	registry-url: 'https://registry.npmjs.org'

	# Upgrade npm to 11.5.1+ (required for trusted publishers)
	- name: Upgrade npm for trusted publishing
	run: npm install -g npm@latest

	- name: Install dependencies with Bun
	run: bun install

	- name: Determine version bump type
	id: bump-type
	run: \|
	if [[ "${{ github.event.head_commit.message }}" == "[major]" ]]; then
	echo "type=major" >> $GITHUB_OUTPUT
	elif [[ "${{ github.event.head_commit.message }}" == "[minor]" ]]; then
	echo "type=minor" >> $GITHUB_OUTPUT
	else
	echo "type=patch" >> $GITHUB_OUTPUT
	fi

	- name: Get current version
	id: current-version
	run: \|
	CURRENT_VERSION=$(node -p "require('./package.json').version")
	echo "version=$CURRENT_VERSION" >> $GITHUB_OUTPUT

	- name: Calculate new version
	id: new-version
	run: \|
	CURRENT="${{ steps.current-version.outputs.version }}"
	TYPE="${{ steps.bump-type.outputs.type }}"

	# Parse version numbers
	IFS='.' read -ra VERSION_PARTS <<< "$CURRENT"
	MAJOR=${VERSION_PARTS[0]}
	MINOR=${VERSION_PARTS[1]}
	PATCH=${VERSION_PARTS[2]}

	case $TYPE in
	major)
	NEW_VERSION="$((MAJOR + 1)).0.0"
	;;
	minor)
	NEW_VERSION="$MAJOR.$((MINOR + 1)).0"
	;;
	patch)
	NEW_VERSION="$MAJOR.$MINOR.$((PATCH + 1))"
	;;
	esac

	echo "version=$NEW_VERSION" >> $GITHUB_OUTPUT

	- name: Update package.json version
	run: \|
	npm version ${{ steps.new-version.outputs.version }} --no-git-tag-version

	- name: Build package with Bun
	run: bun run package

	# Use npm for publishing with trusted publishers (OIDC - no token needed)
	# Provenance is automatically generated with trusted publishing
	# NPM_CONFIG_PROVENANCE=true is required to fix OIDC 404 bug (npm/cli#8730)
	- name: Publish to npm with provenance
	run: npm publish --provenance --access public
	env:
	NPM_CONFIG_PROVENANCE: true

	- name: Create git tag
	run: \|
	git config --local user.email "[email protected]"
	git config --local user.name "GitHub Action"
	git tag "v${{ steps.new-version.outputs.version }}"
	git push origin "v${{ steps.new-version.outputs.version }}"

	- name: Create GitHub release
	uses: actions/create-release@v1
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	with:
	tag_name: v${{ steps.new-version.outputs.version }}
	release_name: Release v${{ steps.new-version.outputs.version }}
	body: \|
	Automated release v${{ steps.new-version.outputs.version }}

	✅ Published with npm provenance
	🚀 Built with Bun

	Changes in this release:
	- ${{ github.event.head_commit.message }}