update deploy workflow to use oidc and classic hybrid approach (#3686) #472
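# Deploy workflow: publishes packages through changesets, authenticating to
# npm with OIDC (trusted publishing) for `publish`, and falling back to a
# classic NPM_TOKEN only for `npm dist-tag`, which does not support OIDC yet.
name: Deploy

on:
  workflow_dispatch: # temporary for manual deployment
  push:
    branches:
      # Stable version branches
      - '2023-04'
      - '2023-07'
      - '2023-10'
      - '2024-01'
      - '2024-04'
      - '2024-07'
      - '2024-10'
      - '20[0-9][0-9]-[01][1470]'
      # RC version branches
      - '20[0-9][0-9]-[01][1470]-rc'

# Serialise runs per workflow + ref so two deploys of the same branch cannot
# race each other on the registry.
concurrency: ${{ github.workflow }}-${{ github.ref }}

jobs:
  changesets:
    name: Deploy
    runs-on: ubuntu-latest
    # Least privilege: the job only needs to read the repo and mint an OIDC
    # id-token. Writes to the repo go through the PAT passed to checkout and
    # changesets below, not through GITHUB_TOKEN.
    permissions:
      contents: read
      id-token: write # Required for OIDC
    steps:
      # TODO(review): pin to a full commit SHA (as changesets/action is below)
      # so a moved tag cannot swap the checkout code under a job that holds a
      # PAT and can mint an id-token.
      - uses: actions/checkout@v3
        with:
          # A PAT rather than GITHUB_TOKEN — presumably so pushes/PRs made by
          # changesets trigger other workflows; verify. Note checkout persists
          # this credential in the repo's git config for the rest of the job.
          token: ${{ secrets.SHOPIFY_GH_ACCESS_TOKEN }}
      - uses: ./.github/workflows/actions/prepare
      - name: Update npm to latest
        # TODO(review): `npm@latest` is unpinned, so the npm client changes
        # under this job on every run; pin to the minimum version that supports
        # OIDC publishing once known.
        run: npm install -g npm@latest
      - id: changesets
        name: Create release Pull Request or publish to NPM
        uses: changesets/action@e0145edc7d9d8679003495b11f87bd8ef63c0cba # v1.5.3
        with:
          title: Version Packages (${{ github.ref_name }})
          # Stable branches publish with `--tag <branch>`; RC branches get no tag.
          publish: yarn run deploy ${{ !endsWith(github.ref_name, '-rc') && format('--tag {0}', github.ref_name) || '' }} # no tag for RC branches.
          createGithubReleases: false
        env:
          NPM_TOKEN: '' # Forces OIDC authentication
          GITHUB_TOKEN: ${{ secrets.SHOPIFY_GH_ACCESS_TOKEN }}
      - name: Temporary manual sync 'latest' tag # will be removed after sync
        if: github.event_name == 'workflow_dispatch' && github.ref_name == vars.LATEST_STABLE_VERSION
        # Explicit `shell: bash` runs with `-eo pipefail`, so a failing stage
        # inside a pipeline aborts the step instead of being masked.
        shell: bash
        env:
          # TODO(review): use a granular token scoped to dist-tag on the
          # affected packages only; it is the one long-lived secret left here.
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
        run: |
          # dist-tag does not support OIDC yet, so fallback to classic token.
          # Overwrite the user .npmrc so no OIDC session from the publish step
          # conflicts with the token-based one.
          # Fail loudly if the prepare action did not export the .npmrc path;
          # `> ""` would otherwise error obscurely.
          : "${NPM_CONFIG_USERCONFIG:?NPM_CONFIG_USERCONFIG must be set (expected from the prepare action)}"
          echo "---Overwriting $NPM_CONFIG_USERCONFIG ---"
          {
            echo "@shopify:registry=https://registry.npmjs.org/"
            echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}"
          } > "$NPM_CONFIG_USERCONFIG"
          # The file now holds a live token; keep it owner-readable only.
          chmod 600 "$NPM_CONFIG_USERCONFIG"
          # Debug info (the token itself is never written to the log)
          echo "--- npm identity check ---"
          npm whoami --registry=https://registry.npmjs.org/
          # Run with info logging.
          # TODO(review): the version is hard-coded for the one-off sync;
          # a workflow_dispatch input would avoid editing the workflow to re-run it.
          npm dist-tag add @shopify/ui-extensions@2025.10.11 latest --loglevel=info
      - name: Set 'latest' NPM dist tag
        if: steps.changesets.outputs.published == 'true' && github.ref_name == vars.LATEST_STABLE_VERSION
        # Explicit `shell: bash` runs with `-eo pipefail`, so a failing jq or
        # a failing `npm dist-tag` aborts the step instead of being masked.
        shell: bash
        env:
          PUBLISHED_PACKAGES: ${{ steps.changesets.outputs.publishedPackages }}
          # TODO(review): scope this token to dist-tag only (see note above).
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
        run: |
          # dist-tag does not support OIDC yet, so fallback to classic token.
          # Overwrite the user .npmrc so no OIDC session from the publish step
          # conflicts with the token-based one.
          : "${NPM_CONFIG_USERCONFIG:?NPM_CONFIG_USERCONFIG must be set (expected from the prepare action)}"
          {
            echo "@shopify:registry=https://registry.npmjs.org/"
            echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}"
          } > "$NPM_CONFIG_USERCONFIG"
          chmod 600 "$NPM_CONFIG_USERCONFIG"
          # publishedPackages is a JSON array of objects with .name and .version.
          # Let jq emit one "name@version" spec per line instead of round-tripping
          # each element through base64, and read them back line by line with
          # quoting intact; an empty array simply tags nothing.
          jq -r '.[] | "\(.name)@\(.version)"' <<< "$PUBLISHED_PACKAGES" |
            while IFS= read -r spec; do
              [ -n "$spec" ] || continue
              npm dist-tag add "$spec" latest
            done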