Skip to content

Commit 279363c

Browse files
fatbattkfatbattk
committed
update deploy to handle deploy-rc with OIDC.
1 parent c667bb1 commit 279363c

File tree

3 files changed

+18
-43
lines changed

3 files changed

+18
-43
lines changed

.github/workflows/actions/prepare/action.yml

Lines changed: 0 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -7,7 +7,6 @@ runs:
77
with:
88
cache: yarn
99
node-version-file: '.nvmrc'
10-
registry-url: 'https://registry.npmjs.org'
1110

1211
- name: Yarn install
1312
run: yarn install --frozen-lockfile

.github/workflows/deploy-rc.yml

Lines changed: 0 additions & 35 deletions
This file was deleted.

.github/workflows/deploy.yml

Lines changed: 18 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -3,6 +3,7 @@ name: Deploy
33
on:
44
push:
55
branches:
6+
# Stable version branches
67
- 2023-04
78
- 2023-07
89
- 2023-10
@@ -11,40 +12,50 @@ on:
1112
- 2024-07
1213
- 2024-10
1314
- 20[0-9][0-9]-[01][1470]
15+
# RC version branches
16+
- 20[0-9][0-9]-[01][1470]-rc
1417

1518
concurrency: ${{ github.workflow }}-${{ github.ref }}
1619

1720
jobs:
1821
changesets:
1922
name: Deploy
2023
runs-on: ubuntu-latest
24+
permissions:
25+
contents: read
26+
id-token: write # Required for OIDC
2127
steps:
2228
- uses: actions/checkout@v3
2329
with:
2430
token: ${{ secrets.SHOPIFY_GH_ACCESS_TOKEN }}
2531

2632
- uses: ./.github/workflows/actions/prepare
2733

34+
- uses: actions/setup-node@v4
35+
with:
36+
node-version: '20' # Must be 20+ to support npm 11.5.1+
37+
registry-url: 'https://registry.npmjs.org' # Required for OIDC
38+
cache: yarn
39+
40+
- name: Update npm to latest
41+
run: npm install -g npm@latest
42+
2843
- id: changesets
2944
name: Create release Pull Request or publish to NPM
30-
uses: changesets/action@06245a4e0a36c064a573d4150030f5ec548e4fcc # v1.4.10
45+
uses: changesets/action@v1 # Must use latest version for OIDC
3146
with:
3247
title: Version Packages (${{ github.ref_name }})
33-
publish: yarn run deploy --tag ${{ github.ref_name }}
48+
publish: yarn run deploy --tag ${{ endsWith(github.ref_name, '-rc') && 'rc' || github.ref_name }}
3449
createGithubReleases: false
3550
env:
36-
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
51+
NPM_TOKEN: '' # Forces OIDC authentication
3752
GITHUB_TOKEN: ${{ secrets.SHOPIFY_GH_ACCESS_TOKEN }}
3853

3954
- name: Set 'latest' NPM dist tag
4055
if: steps.changesets.outputs.published == 'true' && github.ref_name == vars.LATEST_STABLE_VERSION
4156
env:
42-
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
4357
PUBLISHED_PACKAGES: ${{ steps.changesets.outputs.publishedPackages }}
4458
run: |
45-
cat << EOF > "$HOME/.npmrc"
46-
//registry.npmjs.org/:_authToken=$NPM_TOKEN
47-
EOF
4859
for pkg in $(echo "$PUBLISHED_PACKAGES" | jq -r '.[] | @base64'); do
4960
_jq() {
5061
echo ${pkg} | base64 --decode | jq -r ${1}

0 commit comments

Comments
 (0)