
update deploy workflow to use oidc and classic hybrid approach (#3686) #472

update deploy workflow to use oidc and classic hybrid approach (#3686)



name: Deploy
# `on` looks like a YAML 1.1 boolean to generic parsers; GitHub's loader reads
# it as the literal key, so a yamllint `truthy` warning on this line is expected.
on:
  workflow_dispatch: # temporary for manual deployment
  push:
    branches:
      # Stable version branches (exact names first, then the version-pattern glob).
      # Quoted so the bracket globs are never read as YAML flow sequences.
      - "2023-04"
      - "2023-07"
      - "2023-10"
      - "2024-01"
      - "2024-04"
      - "2024-07"
      - "2024-10"
      - "20[0-9][0-9]-[01][1470]"
      # RC version branches
      - "20[0-9][0-9]-[01][1470]-rc"
# Concurrency group per branch: only one Deploy run for a given ref is active at a time.
concurrency: ${{ github.workflow }}-${{ github.ref }}
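jobs:
  changesets:
    name: Deploy
    runs-on: ubuntu-latest
    # Least-privilege job token: repository writes below (checkout, release PR)
    # go through the SHOPIFY_GH_ACCESS_TOKEN PAT rather than GITHUB_TOKEN, so
    # `contents: read` is sufficient; `id-token: write` lets npm publish via OIDC.
    permissions:
      contents: read
      id-token: write # Required for OIDC
    steps:
      # NOTE(review): changesets/action below is pinned to a full commit SHA while
      # checkout is pinned to a mutable tag; consider pinning both the same way so
      # the supply-chain posture of the workflow is consistent.
      - uses: actions/checkout@v3
        with:
          token: ${{ secrets.SHOPIFY_GH_ACCESS_TOKEN }}
      # Repo-local composite action; presumably sets up Node/npm and
      # NPM_CONFIG_USERCONFIG, which the dist-tag steps below overwrite — confirm.
      - uses: ./.github/workflows/actions/prepare
      - name: Update npm to latest
        run: npm install -g npm@latest
      - id: changesets
        name: Create release Pull Request or publish to NPM
        uses: changesets/action@e0145edc7d9d8679003495b11f87bd8ef63c0cba # v1.5.3
        with:
          title: Version Packages (${{ github.ref_name }})
          # RC branches publish without --tag so they never move a stable dist-tag.
          publish: yarn run deploy ${{ !endsWith(github.ref_name, '-rc') && format('--tag {0}', github.ref_name) || '' }} # no tag for RC branches.
          createGithubReleases: false
        env:
          NPM_TOKEN: '' # Forces OIDC authentication
          GITHUB_TOKEN: ${{ secrets.SHOPIFY_GH_ACCESS_TOKEN }}
      # NOTE(review): hard-coded to a single package/version and marked temporary;
      # the classic NPM_TOKEN is only exposed to this step and the one below.
      - name: Temporary manual sync 'latest' tag # will be removed after sync
        if: github.event_name == 'workflow_dispatch' && github.ref_name == vars.LATEST_STABLE_VERSION
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
        shell: bash # explicit bash gives -eo pipefail: any failing command fails the step
        run: |
          # dist-tag does not support OIDC yet, so fallback to classic token
          # overwrite the .npmrc to ensure no OIDC session conflicts
          echo "---Overwriting $NPM_CONFIG_USERCONFIG ---"
          echo "@shopify:registry=https://registry.npmjs.org/" > "$NPM_CONFIG_USERCONFIG"
          echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" >> "$NPM_CONFIG_USERCONFIG"
          # Debug info (prints the authenticated npm user, never the token)
          echo "--- npm identity check ---"
          npm whoami --registry=https://registry.npmjs.org/
          # Run with info logging
          npm dist-tag add @shopify/ui-extensions@2025.10.11 latest --loglevel=info
      - name: Set 'latest' NPM dist tag
        if: steps.changesets.outputs.published == 'true' && github.ref_name == vars.LATEST_STABLE_VERSION
        env:
          # JSON array of {name, version} objects emitted by changesets/action.
          PUBLISHED_PACKAGES: ${{ steps.changesets.outputs.publishedPackages }}
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
        shell: bash # explicit bash gives -eo pipefail: a failing jq or dist-tag fails the step
        run: |
          # dist-tag does not support OIDC yet, so fallback to classic token
          # overwrite the .npmrc to ensure no OIDC session conflicts
          echo "@shopify:registry=https://registry.npmjs.org/" > "$NPM_CONFIG_USERCONFIG"
          echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" >> "$NPM_CONFIG_USERCONFIG"
          # Emit one "name@version" per line straight from jq (no base64 round-trip),
          # and keep every expansion quoted so each spec reaches npm as one argument.
          jq -r '.[] | "\(.name)@\(.version)"' <<< "$PUBLISHED_PACKAGES" |
            while IFS= read -r spec; do
              npm dist-tag add "$spec" latest
            done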