fix: use npm OIDC trusted publishing (no NPM_TOKEN needed) #4
Workflow file for this run
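name: Release

on:
  push:
    tags:
      - 'v*'

# Least privilege: the workflow-wide token is read-only and each job below
# requests exactly the scopes it needs. Previously contents/packages/id-token
# write were granted to every job, so the build job and the AUR job ran with
# release-publishing and OIDC-minting rights they never use.
permissions:
  contents: read

env:
  REGISTRY: ghcr.io
  IMAGE_NAME: ${{ github.repository }}

# NOTE(security): every third-party action below is pinned by a mutable major
# tag (@v4, @v2, @v1, ...). Pin each `uses:` to a full commit SHA (keep the tag
# in a trailing comment) so a retargeted upstream tag cannot change what runs
# with release credentials.

jobs:
  build:
    name: Build all binaries (Zig cross-compile)
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
        with:
          # Nothing in this job pushes to the repo; do not leave the token in .git/config
          persist-credentials: false
      - name: Install Zig
        uses: mlugg/setup-zig@v2
        with:
          version: 0.15.2
      - name: Build all platforms
        run: |
          set -euo pipefail
          # Zig cross-compiles for any platform from any platform, so one runner
          # builds every target; no job matrix is needed.
          TARGETS=(
            "x86_64-linux-gnu:linux-x64-gnu"
            "x86_64-linux-musl:linux-x64-musl"
            "aarch64-linux-gnu:linux-arm64-gnu"
            "aarch64-linux-musl:linux-arm64-musl"
            "arm-linux-gnueabihf:linux-arm-gnu"
            "arm-linux-musleabihf:linux-arm-musl"
            "x86_64-macos:darwin-x64"
            "aarch64-macos:darwin-arm64"
            # Windows - DISABLED: POSIX API usage needs fixing
            # "x86_64-windows:win32-x64"
            # i386 - DISABLED: Low priority, test after v1.0.0
            # "i386-linux-musl:linux-i386-musl"
          )
          for entry in "${TARGETS[@]}"; do
            IFS=':' read -r target platform <<< "$entry"
            echo "=== Building $platform (zig target: $target) ==="
            zig build -Dtarget="$target" -Doptimize=ReleaseSafe
            mkdir -p "release/$platform"
            if [[ "$platform" == win32* ]]; then
              cp -- zig-out/bin/ansilust.exe "release/$platform/"
            else
              cp -- zig-out/bin/ansilust "release/$platform/"
            fi
            # Clean so the next target starts from an empty output tree
            rm -rf -- zig-out zig-cache
          done
          echo "=== All builds complete ==="
          find release -type f
      - name: Upload artifacts
        uses: actions/upload-artifact@v4
        with:
          name: binaries-all
          path: release/
          retention-days: 1

  assemble-npm:
    name: Assemble npm packages
    needs: build
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'
      - name: Download binaries artifact
        uses: actions/download-artifact@v4
        with:
          name: binaries-all
          path: artifacts/
      - name: Show artifact structure
        run: |
          echo "=== Artifact structure ==="
          find artifacts -type f
      - name: Install dependencies
        # TODO(security): switch to `npm ci` once a package-lock.json is
        # committed, so the assembly script's dependencies come from the lockfile
        # instead of being re-resolved at release time.
        run: npm install
      - name: Extract version from tag
        id: version
        run: |
          set -euo pipefail
          VERSION="${GITHUB_REF#refs/tags/v}"
          # The tag name is chosen by whoever pushes it; only accept a
          # semver-shaped value before it reaches the assembly script.
          # (npm rejects non-semver versions at publish time anyway.)
          if [[ ! "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+([-+][0-9A-Za-z.+-]+)?$ ]]; then
            echo "Tag '$GITHUB_REF' is not a semver release tag" >&2
            exit 1
          fi
          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
      - name: Run assembly script
        # Pass the version through env instead of interpolating ${{ }} into the
        # command line, so the tag text is never expanded as shell syntax.
        env:
          PACKAGE_VERSION: ${{ steps.version.outputs.version }}
        run: node scripts/assemble-npm-packages.js
      - name: Upload npm packages
        uses: actions/upload-artifact@v4
        with:
          name: npm-packages
          path: packages/ansilust*/
          retention-days: 1

  publish-npm:
    name: Publish to npm (OIDC)
    needs: assemble-npm
    runs-on: ubuntu-latest
    # TODO(security): bind this job to a protected GitHub environment
    # (`environment: npm`) and register that environment in the npm trusted
    # publisher configuration, so only this workflow + environment can obtain
    # a publish token.
    permissions:
      contents: read
      id-token: write  # Required for npm OIDC trusted publishing
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'
          registry-url: 'https://registry.npmjs.org'
      - name: Upgrade npm for OIDC support
        # TODO(security): pin an exact npm version instead of @latest; this is
        # an unpinned download executed on the publishing host. Trusted
        # publishing needs a recent npm 11 — confirm the minimum in the npm docs.
        run: npm install -g npm@latest
      - name: Download npm packages
        uses: actions/download-artifact@v4
        with:
          name: npm-packages
          path: packages/
      - name: Publish packages (platform packages first, then the meta package)
        run: |
          set -euo pipefail

          # Publish one package directory. Only the genuine "this exact version
          # is already on the registry" case is skipped (re-run of the
          # workflow); every other failure (auth, provenance, network, script
          # error) must fail the job. The previous `|| echo "Failed..."`
          # swallowed all of them, so a tag could be released with packages
          # missing and nobody would notice.
          publish_pkg() {
            local dir=$1 name version
            name=$(cd "$dir" && node -p "require('./package.json').name")
            version=$(cd "$dir" && node -p "require('./package.json').version")
            # `npm view` prints the version when it exists and nothing (or a
            # 404 error for an unknown package) otherwise.
            if [[ -n "$(npm view "${name}@${version}" version 2>/dev/null || true)" ]]; then
              echo "Skipping ${name}@${version}: already on the registry"
              return 0
            fi
            echo "Publishing ${name}@${version} from $dir..."
            (cd "$dir" && npm publish --provenance --access public)
          }

          # Glob order keeps the original sequence: platform packages, then meta.
          for dir in packages/ansilust-*/ packages/ansilust/; do
            [[ -f "$dir/package.json" ]] || continue
            publish_pkg "$dir"
          done

  create-release:
    name: Create GitHub release
    needs: build
    runs-on: ubuntu-latest
    permissions:
      contents: write  # create the release and upload its assets
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Download binaries artifact
        uses: actions/download-artifact@v4
        with:
          name: binaries-all
          path: artifacts/
      - name: Prepare release artifacts
        run: |
          set -euo pipefail
          mkdir -p release-artifacts
          # One archive per platform directory produced by the build job
          for platform_dir in artifacts/*/; do
            platform=$(basename "$platform_dir")
            stage="ansilust-$platform"
            binary="$platform_dir/ansilust"
            binary_exe="$platform_dir/ansilust.exe"
            if [[ -f "$binary_exe" ]]; then
              # Windows: create zip
              mkdir -p "temp/$stage"
              cp -- "$binary_exe" "temp/$stage/"
              (cd temp && zip -r "../release-artifacts/$stage.zip" "$stage/")
            elif [[ -f "$binary" ]]; then
              # Unix: create tar.gz. Fixed owner/group and sorted entries make
              # the archive (and so its checksum) independent of the runner's
              # uid and directory order, which helps anyone reproducing it.
              mkdir -p "temp/$stage"
              cp -- "$binary" "temp/$stage/"
              chmod +x "temp/$stage/ansilust"
              (cd temp && tar --sort=name --owner=0 --group=0 --numeric-owner \
                -czf "../release-artifacts/$stage.tar.gz" "$stage/")
            else
              echo "No binary found under $platform_dir, skipping" >&2
              continue
            fi
            rm -rf -- temp
          done
          echo "=== Release artifacts ==="
          ls -la release-artifacts/
      - name: Generate checksums
        # TODO(security): the SHA256SUMS file is unsigned; consider signing it
        # or attaching a build-provenance attestation so downstream consumers
        # (the AUR step below, users verifying downloads) can authenticate it.
        run: bash scripts/generate-checksums.sh release-artifacts/
      - name: Create release
        uses: softprops/action-gh-release@v1
        with:
          files: release-artifacts/*
          generate_release_notes: true
          draft: false
          prerelease: false

  update-aur:
    name: Update AUR package
    needs: create-release
    runs-on: ubuntu-latest
    permissions:
      contents: read
    # Gated on the AUR_PUBLISH_ENABLED repository variable, not on the secret:
    # `if:` cannot test secrets. The AUR_SSH_KEY secret must be set as well
    # (checked explicitly in the SSH setup step).
    if: ${{ vars.AUR_PUBLISH_ENABLED == 'true' }}
    steps:
      - name: Extract version
        id: version
        run: |
          set -euo pipefail
          VERSION="${GITHUB_REF#refs/tags/v}"
          # Same semver gate as the npm job: the value ends up in a download
          # URL and a commit message.
          if [[ ! "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+([-+][0-9A-Za-z.+-]+)?$ ]]; then
            echo "Tag '$GITHUB_REF' is not a semver release tag" >&2
            exit 1
          fi
          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
      - name: Checkout main repo
        uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Setup SSH for AUR
        # The key is passed via env and written with printf: interpolating
        # ${{ secrets.* }} into the script body would embed the key in the
        # generated shell text.
        env:
          AUR_SSH_KEY: ${{ secrets.AUR_SSH_KEY }}
        run: |
          set -euo pipefail
          : "${AUR_SSH_KEY:?AUR_SSH_KEY secret is not configured}"
          mkdir -p ~/.ssh
          chmod 700 ~/.ssh
          (umask 077; printf '%s\n' "$AUR_SSH_KEY" > ~/.ssh/id_rsa)
          # TODO(security): this is trust-on-first-use — replace the keyscan
          # with the published aur.archlinux.org host key committed next to this
          # workflow. A failed scan now fails the job instead of being ignored
          # (the old `|| true` just deferred the error to the clone step).
          ssh-keyscan -H aur.archlinux.org >> ~/.ssh/known_hosts
      - name: Clone AUR repository
        run: git clone ssh://aur@aur.archlinux.org/ansilust.git aur-ansilust
      - name: Update PKGBUILD
        env:
          VERSION: ${{ steps.version.outputs.version }}
          REPO: ${{ github.repository }}
        run: |
          set -euo pipefail
          # Fetch the checksums of *this* tag's release. `releases/latest` can
          # resolve to a different release (a newer tag, or an older tag pushed
          # later) and would pin the PKGBUILD to the wrong artifacts.
          # Download outside the AUR clone so the `git add -A` in the push step
          # cannot commit the scratch file to the AUR repository.
          curl -fsSL "https://github.com/${REPO}/releases/download/v${VERSION}/SHA256SUMS" -o SHA256SUMS.new
          # TODO: generate PKGBUILD and .SRCINFO in aur-ansilust from
          # SHA256SUMS.new; placeholder until then.
          echo "PKGBUILD update would be implemented here"
      - name: Push to AUR
        env:
          VERSION: ${{ steps.version.outputs.version }}
        run: |
          set -euo pipefail
          cd aur-ansilust
          git config user.name "GitHub Actions"
          # NOTE(review): the committer address was obfuscated in the rendered
          # copy of this file ([email protected]); restore the intended address.
          git config user.email "[email protected]"
          git add -A
          if git diff --cached --quiet; then
            echo "No PKGBUILD changes to push"
            exit 0
          fi
          git commit -m "chore: update to v${VERSION}"
          git push
      - name: Clean up SSH
        if: always()
        run: rm -rf ~/.ssh/id_rsa

  build-containers:
    name: Build and push container image
    needs: build
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write  # push to ghcr.io
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Download binaries artifact
        uses: actions/download-artifact@v4
        with:
          name: binaries-all
          path: artifacts/
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Log in to Container Registry
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Extract metadata
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          # NOTE(review): `type=raw,value=latest` moves `latest` on every tag
          # push, including pre-release or back-ported patch tags — confirm
          # that is intended.
          tags: |
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=raw,value=latest
      - name: Build and push
        uses: docker/build-push-action@v5
        with:
          context: .
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          platforms: linux/amd64,linux/arm64,linux/arm/v7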