Release #19
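# Manually dispatched release workflow.
#   - refs/heads/develop -> beta release (changesets prerelease mode)
#   - refs/heads/main    -> stable release (changesets/action)
# Publishing authenticates to npm through GitHub OIDC (Trusted Publishers),
# so no long-lived npm token is stored in the repository.
name: Release

on:
  workflow_dispatch:

concurrency: ${{ github.workflow }}-${{ github.ref }}

jobs:
  release:
    runs-on: ubuntu-latest
    permissions:
      contents: write
      pull-requests: write
      # Required for npm Trusted Publishers via GitHub OIDC
      # See: https://docs.npmjs.com/trusted-publishers
      id-token: write
    steps:
      # NOTE(review): every `uses:` in this job references a movable tag
      # (@v1, @v4, @v6). The job holds an app token that bypasses branch
      # protection and can mint an OIDC token for npm publishing, so each
      # action should be pinned to a full commit SHA, for example
      # `uses: <owner>/<action>@<full-commit-sha>  # <tag>` (placeholders).
      - name: Generate Release Bot App Token
        id: generate-token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ secrets.RELEASE_BOT_APP_ID }}
          private-key: ${{ secrets.RELEASE_BOT_APP_PRIVATE_KEY }}

      - uses: actions/checkout@v6
        with:
          # Persist releasebot app credentials to ensure that the push
          # below can bypass branch protection rules
          #
          # NOTE(review): the persisted token stays readable by every later
          # step in this job, including dependency install scripts, the build
          # and the test suite. Consider running the checks in a separate job
          # without write permissions and keeping this job for version/publish
          # only.
          token: ${{ steps.generate-token.outputs.token }}
          persist-credentials: true
          fetch-depth: 0

      # Branch validation: Only allow develop (beta) or main (stable)
      - name: Validate branch
        # The ref is read from the GITHUB_REF environment variable rather
        # than expanded with ${{ github.ref }} into the script text, so a
        # ref name is always treated as data and never parsed as shell code.
        run: |
          case "$GITHUB_REF" in
            refs/heads/develop)
              echo "RELEASE_TYPE=beta" >> "$GITHUB_ENV"
              echo "Detected beta release from develop branch"
              ;;
            refs/heads/main)
              echo "RELEASE_TYPE=stable" >> "$GITHUB_ENV"
              echo "Detected stable release from main branch"
              ;;
            *)
              echo "Error: This workflow can only be run from 'develop' (beta) or 'main' (stable) branches"
              exit 1
              ;;
          esac

      - uses: pnpm/action-setup@v4

      - uses: actions/setup-node@v4
        with:
          node-version: "20"
          cache: "pnpm"
          # registry-url is required for npm Trusted Publishers
          registry-url: "https://registry.npmjs.org"

      # Upgrade to npm >=11.5.1 for Trusted Publishers support
      # (pnpm uses npm under the hood for publishing)
      #
      # NOTE(review): `latest` floats, so the npm CLI that performs the
      # publish changes without review. Consider pinning an exact version
      # that satisfies the >=11.5.1 requirement.
      - run: npm install -g npm@latest

      - run: pnpm install

      # Work around Turbo failing to allow cross-package task
      # dependencies - we need sdk-core built before sdk-react
      # can even typecheck successfully
      - run: pnpm --filter @hypercerts-org/sdk-core build

      # Run checks early to fail fast before any versioning/git operations.
      # Note: checks run again in `pnpm release` - this is intentional to also
      # guard local releases and catch any issues after version bumps.
      #
      # FIXME: We can't run pnpm check because it currently hangs
      # forever for unknown reasons.
      - run: pnpm build
      - run: pnpm format:check
      - run: pnpm lint
      - run: pnpm typecheck
      - run: pnpm test

      # Stable release: Verify prerelease mode has been exited
      # The exit intent should already be set on develop before merging to main
      - name: Verify prerelease mode exit
        if: env.RELEASE_TYPE == 'stable'
        # NOTE(review): this guard matches the literal text `"exit": true`.
        # Presumably `changeset pre exit` records the exit as a `mode` field
        # in pre.json - confirm the pattern against a real pre.json, otherwise
        # the check fails closed on every stable release.
        run: |
          if [ -f .changeset/pre.json ]; then
            # Check if prerelease mode has been exited (exit intent set)
            if ! grep -q '"exit": true' .changeset/pre.json 2>/dev/null; then
              echo "Error: Prerelease mode must be exited before merging to main."
              echo "Run 'pnpm changeset pre exit' on the develop branch and commit the change."
              exit 1
            fi
            echo "Prerelease mode exit intent confirmed - changeset version will handle the exit"
          else
            echo "No prerelease mode detected (pre.json not present)"
          fi

      # Beta-specific: Enter prerelease mode (if not already)
      - name: Enter prerelease mode (if not already)
        if: env.RELEASE_TYPE == 'beta'
        run: |
          if [ ! -f .changeset/pre.json ]; then
            pnpm changeset pre enter beta
            git config user.name "github-actions[bot]"
            git config user.email "github-actions[bot]@users.noreply.github.com"
            git add .changeset/pre.json
            git commit -m "chore: enter beta prerelease mode"
            git push
          fi

      # Beta-specific: Version packages manually
      - name: Version packages
        if: env.RELEASE_TYPE == 'beta'
        # GITHUB_TOKEN is required for @changesets/changelog-github to fetch PR/commit
        # information from GitHub API when generating changelog entries
        run: pnpm version-packages
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      # Beta-specific: Commit and push version changes (before publishing)
      - name: Commit and push version changes
        if: env.RELEASE_TYPE == 'beta'
        # NOTE(review): `git add -A` stages everything in the working tree,
        # including any file written by the install, build or test steps that
        # .gitignore does not cover, and the push below bypasses branch
        # protection. Staging only the paths the versioning step is expected
        # to touch would narrow what can reach the branch unreviewed.
        run: |
          VERSIONS=""
          for pkg in packages/*/package.json; do
            NAME=$(node -p "require('./$pkg').name")
            VERSION=$(node -p "require('./$pkg').version")
            VERSIONS="${VERSIONS}- ${NAME}: ${VERSION}\n"
          done
          echo "Versioning packages:"
          echo -e "$VERSIONS"
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git add -A
          git diff --staged --quiet || git commit -m "chore: version packages (beta)" -m "$(echo -e "$VERSIONS")"
          git push

      # No .npmrc creation needed - npm Trusted Publishers uses GitHub OIDC tokens
      # automatically via the id-token: write permission and registry-url configuration

      # Stable release: Use changesets/action which handles versioning and publishing
      - name: Create Release Pull Request or Publish
        if: env.RELEASE_TYPE == 'stable'
        id: changesets
        uses: changesets/action@v1
        with:
          publish: pnpm release
          version: pnpm version-packages
          title: "chore: release packages"
          commit: "chore: release packages"
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Quoted so the value is unambiguously the string "true".
          NPM_CONFIG_PROVENANCE: "true"

      # Beta-specific: Publish beta packages using changeset publish
      - name: Publish beta packages
        if: env.RELEASE_TYPE == 'beta'
        # changeset publish will automatically use the beta tag when in
        # prerelease mode and will create git tags for the release
        run: pnpm release
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          NPM_CONFIG_PROVENANCE: "true"

      # Push git tags created by changeset publish
      - name: Push git tags
        if: env.RELEASE_TYPE == 'beta'
        run: |
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git push origin --tags
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      # Log published packages
      - name: Log published packages
        if: |
          (env.RELEASE_TYPE == 'stable' && steps.changesets.outputs.published == 'true') ||
          env.RELEASE_TYPE == 'beta'
        # The step output is handed to the script through an environment
        # variable: the published-packages value carries its own quote
        # characters, and expanding it inline would splice them into the
        # shell source. RELEASE_TYPE is already exported via GITHUB_ENV.
        env:
          PUBLISHED_PACKAGES: ${{ steps.changesets.outputs.publishedPackages }}
        run: |
          if [ "$RELEASE_TYPE" == "stable" ]; then
            echo "Published - $PUBLISHED_PACKAGES"
          else
            echo "Published beta release:"
            for pkg in packages/*/package.json; do
              NAME=$(node -p "require('./$pkg').name")
              VERSION=$(node -p "require('./$pkg').version")
              echo " - ${NAME}: ${VERSION}"
            done
          fi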