internal: backport new release flow from 17.x.x (#4608)

Author: yaacovCR

.github/CONTRIBUTING.md

@@ -76,25 +76,19 @@ ensure your pull request matches the style guides, run `npm run prettier`.
 
 ## Release on NPM
 
-_Only core contributors may release to NPM._
-
-To release a new version on NPM, first ensure all tests pass with `npm test`,
-then use `npm version patch|minor|major` in order to increment the version in
-package.json and tag and commit a release. Then `git push && git push --tags`
-to sync this change with source control. Then `npm publish npmDist` to actually
-publish the release to NPM.
-Once published, add [release notes](https://github.com/graphql/graphql-js/tags).
-Use [semver](https://semver.org/) to determine which version part to increment.
-
-Example for a patch release:
-
-```sh
-npm test
-npm version patch --ignore-scripts=false
-git push --follow-tags
-cd npmDist && npm publish
+Releases on `16.x.x` are managed by local scripts and GitHub Actions:
+
+```bash
+git switch 16.x.x
+git switch -c <my_release_branch>
+export GH_TOKEN=<token> # required to build changelog via GitHub API requests
+npm run release:prepare -- 16.x.x patch
 ```
 
+Push `<my_release_branch>`, open a PR from `<my_release_branch>` to `16.x.x`,
+wait for CI to pass, merge the PR, and then approve the GitHub Actions release
+workflow.
+
 ## License
 
 By contributing to graphql-js, you agree that your contributions will be

.github/workflows/release.yml

@@ -0,0 +1,166 @@
+name: Release
+on:
+  push:
+    branches:
+      - 16.x.x
+permissions: {}
+jobs:
+  check-publish:
+    name: Check for publish need and prepare artifacts
+    # Keep this guard on every job for defense-in-depth in case job dependencies are refactored.
+    if: ${{ !github.event.repository.fork && github.repository == 'graphql/graphql-js' && github.ref_name == '16.x.x' }}
+    runs-on: ubuntu-latest
+    outputs:
+      should_publish: ${{ steps.release_metadata.outputs.should_publish }}
+      tag: ${{ steps.release_metadata.outputs.tag }}
+      dist_tag: ${{ steps.release_metadata.outputs.dist_tag }}
+      prerelease: ${{ steps.release_metadata.outputs.prerelease }}
+      tarball_name: ${{ steps.release_metadata.outputs.tarball_name }}
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.ref_name }}
+      cancel-in-progress: true
+    permissions:
+      contents: read # for actions/checkout
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v4
+        with:
+          # Keep checkout fast: we should only need to scroll back a few
+          # commits for release notes. If the release commit is older than
+          # this depth, release:metadata will emit empty release notes.
+          fetch-depth: 10
+          persist-credentials: false
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          cache: npm
+          node-version-file: '.node-version'
+
+      - name: Install Dependencies
+        run: npm ci --ignore-scripts
+
+      - name: Read release metadata
+        id: release_metadata
+        run: |
+          release_metadata_json="$(npm run --silent release:metadata)"
+          jq -r '
+            "version=\(.version)",
+            "tag=\(.tag)",
+            "dist_tag=\(.distTag)",
+            "prerelease=\(.prerelease)",
+            "package_spec=\(.packageSpec)",
+            "tarball_name=\(.tarballName)",
+            "should_publish=\(.shouldPublish)"
+          ' <<< "${release_metadata_json}" >> "${GITHUB_OUTPUT}"
+          jq -r '.releaseNotes' <<< "${release_metadata_json}" > ./release-notes.md
+
+      - name: Log publish decision
+        run: |
+          if [ "${{ steps.release_metadata.outputs.should_publish }}" = "true" ]; then
+            echo "${{ steps.release_metadata.outputs.package_spec }} is not published yet."
+          else
+            echo "${{ steps.release_metadata.outputs.package_spec }} is already published."
+          fi
+
+      - name: Build NPM package
+        if: steps.release_metadata.outputs.should_publish == 'true'
+        run: npm run build:npm
+
+      - name: Pack npmDist package
+        if: steps.release_metadata.outputs.should_publish == 'true'
+        run: npm pack ./npmDist --pack-destination . > /dev/null
+
+      - name: Upload npm package tarball
+        if: steps.release_metadata.outputs.should_publish == 'true'
+        uses: actions/upload-artifact@v4
+        with:
+          name: npmDist-tarball
+          path: ./${{ steps.release_metadata.outputs.tarball_name }}
+
+      - name: Upload release notes
+        if: steps.release_metadata.outputs.should_publish == 'true'
+        uses: actions/upload-artifact@v4
+        with:
+          name: release-notes
+          path: ./release-notes.md
+
+  publish-npm:
+    name: Publish npm package
+    needs: check-publish
+    # Keep this guard on every job for defense-in-depth in case job dependencies are refactored.
+    if: ${{ !github.event.repository.fork && github.repository == 'graphql/graphql-js' && github.ref_name == '16.x.x' && needs.check-publish.outputs.should_publish == 'true' && needs.check-publish.result == 'success' }}
+    runs-on: ubuntu-latest
+    environment: release
+    permissions:
+      contents: read # for actions/checkout
+      id-token: write # for npm trusted publishing via OIDC
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version-file: '.node-version'
+
+      - name: Download npmDist package
+        uses: actions/download-artifact@v4
+        with:
+          name: npmDist-tarball
+          path: ./artifacts
+
+      - name: Publish npm package
+        run: |
+          if [ -n "${{ needs.check-publish.outputs.dist_tag }}" ]; then
+            npm publish --provenance --tag "${{ needs.check-publish.outputs.dist_tag }}" "./artifacts/${{ needs.check-publish.outputs.tarball_name }}"
+          else
+            npm publish --provenance "./artifacts/${{ needs.check-publish.outputs.tarball_name }}"
+          fi
+
+  create-release:
+    name: Create release
+    needs: check-publish
+    # Keep this guard on every job for defense-in-depth in case job dependencies are refactored.
+    if: ${{ !github.event.repository.fork && github.repository == 'graphql/graphql-js' && github.ref_name == '16.x.x' && needs.check-publish.outputs.should_publish == 'true' && needs.check-publish.result == 'success' }}
+    runs-on: ubuntu-latest
+    environment: release
+    permissions:
+      contents: write # for creating GitHub release
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Download release notes
+        uses: actions/download-artifact@v4
+        with:
+          name: release-notes
+          path: ./artifacts
+
+      - name: Create release
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          if gh release view "${{ needs.check-publish.outputs.tag }}" > /dev/null 2>&1; then
+            echo "GitHub release ${{ needs.check-publish.outputs.tag }} already exists. Skipping release creation."
+            exit 0
+          fi
+
+          release_notes_file="./artifacts/release-notes.md"
+
+          if [ "${{ needs.check-publish.outputs.prerelease }}" = "true" ]; then
+            gh release create "${{ needs.check-publish.outputs.tag }}" \
+              --target "${GITHUB_SHA}" \
+              --title "${{ needs.check-publish.outputs.tag }}" \
+              --notes-file "${release_notes_file}" \
+              --prerelease
+          else
+            gh release create "${{ needs.check-publish.outputs.tag }}" \
+              --target "${GITHUB_SHA}" \
+              --title "${{ needs.check-publish.outputs.tag }}" \
+              --notes-file "${release_notes_file}"
+          fi

cspell.yml

@@ -70,6 +70,7 @@ words:
   # TODO: contribute upstream
   - deno
   - codecov
+  - preid
 
   # Website tech
   - Nextra

package.json

@@ -30,10 +30,10 @@
     "node": "^12.22.0 || ^14.16.0 || ^16.0.0 || >=17.0.0"
   },
   "scripts": {
-    "preversion": "bash -c '. ./resources/checkgit.sh && npm ci --ignore-scripts'",
-    "version": "node resources/gen-version.js && npm test && git add src/version.ts",
     "fuzzonly": "mocha --full-trace src/**/__tests__/**/*-fuzz.ts",
     "changelog": "node resources/gen-changelog.js",
+    "release:prepare": "node resources/release-prepare.js",
+    "release:metadata": "node resources/release-metadata.js",
     "benchmark": "node benchmark/benchmark.js",
     "test": "npm run lint && npm run check && npm run testonly && npm run prettier:check && npm run check:spelling && npm run check:integrations",
     "lint": "eslint --cache --max-warnings 0 .",
@@ -45,9 +45,7 @@
     "check:spelling": "cspell --cache --no-progress '**/*'",
     "check:integrations": "npm run build:npm && npm run build:deno && mocha --full-trace integrationTests/*-test.js",
     "build:npm": "node resources/build-npm.js",
-    "build:deno": "node resources/build-deno.js",
-    "gitpublish:npm": "bash ./resources/gitpublish.sh npm npmDist",
-    "gitpublish:deno": "bash ./resources/gitpublish.sh deno denoDist"
+    "build:deno": "node resources/build-deno.js"
   },
   "devDependencies": {
     "@babel/core": "7.17.9",