99
1010jobs :
1111 verify :
12-
12+ name : Lint & Test Node.js ${{ matrix.node-version }}
1313 runs-on : ubuntu-latest
1414
1515 strategy :
1616 matrix :
1717 node-version : [ '18.x', '20.x', '21.x', '22.x' ]
1818
19- name : Lint & Test Node.js ${{ matrix.node-version }}
2019
2120 steps :
2221 - uses : actions/checkout@v4
@@ -43,15 +42,13 @@ jobs:
4342 npm test
4443
4544 verify-minimum-version-check :
46-
45+ name : Verify Minimum Version Check (Node.js ${{ matrix.node-version }})
4746 runs-on : ubuntu-latest
4847
4948 strategy :
5049 matrix :
5150 node-version : [ '16.x' ]
5251
53- name : Verify Minimum Version Check (Node.js ${{ matrix.node-version }})
54-
5552 steps :
5653 - uses : actions/checkout@v4
5754 with :
7168 - name : integration test
7269 run : |
7370 npm run test:integration
71+
72+ publish-release :
73+ name : Publish Release
74+ runs-on : ubuntu-latest
75+
76+ # only release from the main branch
77+ # actually, semantic-release does this check on its own anyway, but by adding a github ref check the job does not
78+ # even get triggered, saving some GH action minutes.
79+ if : github.ref == 'refs/heads/main'
80+
81+ permissions :
82+ contents : write # for publishing GitHub releases
83+ issues : write # to be able to comment on released issues
84+ pull-requests : write # to be able to comment on released pull requests
85+ id-token : write # to enable use of OIDC for npm provenance
86+
87+ needs :
88+ - verify
89+ - verify-minimum-version-check
90+
91+ steps :
92+ - uses : actions/checkout@v4
93+ with :
94+ fetch-depth : 0
95+ - uses : actions/setup-node@v4
96+ with :
97+ node-version : " lts/*"
98+ cache : ' npm'
99+ - run : npm ci
100+ - name : Verify the integrity of provenance attestations and registry signatures for installed dependencies
101+ run : npm audit signatures
102+ - name : Release
103+ env :
104+ GITHUB_TOKEN : ${{ secrets.GITHUB_TOKEN }}
105+ NPM_TOKEN : ${{ secrets.NPM_TOKEN }}
106+ run : npx semantic-release --dry-run
107+
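Review bot: In the new `publish-release` job, `npm ci` runs the dependencies' install scripts before `npm audit signatures` has checked anything, and it does so in a job whose token carries `contents: write` and `id-token: write`. Installing with `- run: npm ci --ignore-scripts` would keep unverified package code from executing ahead of the signature check, provided the release build does not rely on install scripts. The two `uses:` lines reference the mutable tag `v4`; in a job that can publish, pinning them to a full commit SHA (`uses: actions/checkout@<full-commit-sha> # v4`) makes the executed action code reviewable. It is also worth confirming that `semantic-release` is a devDependency recorded in the lockfile, since otherwise `npx semantic-release` fetches whatever version is current at run time with `NPM_TOKEN` in its environment.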