improve github workflows

ItsOnlyBinary · ItsOnlyBinary · commit 8e9069ba759d · 2026-02-23T17:17:52.000Z
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -1,28 +1,153 @@
 name: Release
 
 on:
-  release:
-    types: [published]
+  workflow_dispatch:
+    inputs:
+      version:
+        description: "Version to publish"
+        required: true
+      dry_run:
+        description: "Perform a dry run without publishing"
+        type: boolean
+        required: false
+        default: true
+
+concurrency:
+  group: npm-publish-${{ github.repository }}
+  cancel-in-progress: false
 
 jobs:
   release:
     name: Release workflow
-
     runs-on: ubuntu-latest
 
+    permissions:
+      contents: read
+      id-token: write   # Required for OIDC trusted publishing
+
     steps:
-      - uses: actions/checkout@v4
+      - name: Validate GitHub release and tag exists
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          TAG="v${{ inputs.version }}"
+          echo "Looking for release with tag $TAG..."
+
+          RELEASE=$(gh release view "$TAG" --repo ${{ github.repository }} --json tagName,name 2>/dev/null)
+          if [ $? -ne 0 ]; then
+            echo "❌ No GitHub release found with tag $TAG"
+            exit 1
+          fi
+
+          RELEASE_NAME=$(echo "$RELEASE" | jq -r '.name')
+          if [ "$RELEASE_NAME" != "$TAG" ]; then
+            echo "❌ Release name '$RELEASE_NAME' does not match expected '$TAG'"
+            exit 1
+          fi
+
+          echo "✅ GitHub release '$RELEASE_NAME' confirmed"
+
+      - name: Checkout tag
+        uses: actions/checkout@v4
+        with:
+          ref: "v${{ inputs.version }}"
+          fetch-depth: 0
+
+      - name: Ensure tag commit is on master
+        run: |
+          if ! git branch -r --contains "$(git rev-parse HEAD)" | grep -q "origin/master"; then
+            echo "❌ Tag is not based on master branch"
+            exit 1
+          fi
+          echo "✅ Tag commit is on master"
 
       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:
-          node-version: '22.x'
-          registry-url: 'https://registry.npmjs.org/'
+          node-version: "lts/*"
+          registry-url: "https://registry.npmjs.org/"
 
-      - name: Install
-        run: yarn --frozen-lockfile --non-interactive
+      - name: Enable Corepack
+        run: corepack enable
+
+      - name: Detect Yarn version
+        id: yarn-version
+        run: |
+          # Resolve the Yarn major version from the packageManager field in
+          # package.json if present, otherwise fall back to the installed version.
+          YARN_VERSION=$(node -p "
+            try {
+              const pm = require('./package.json').packageManager ?? '';
+              const match = pm.match(/^yarn@(\d+)/);
+              match ? match[1] : '';
+            } catch { '' }
+          ")
+          if [ -z "$YARN_VERSION" ]; then
+            YARN_VERSION=$(yarn --version | cut -d. -f1)
+          fi
+          echo "major=$YARN_VERSION" >> "$GITHUB_OUTPUT"
+          echo "Detected Yarn major version: $YARN_VERSION"
+
+      - name: Validate version matches package.json
+        run: |
+          PKG_VERSION=$(node -p "require('./package.json').version")
+          INPUT_VERSION="${{ inputs.version }}"
+          if [ "$PKG_VERSION" != "$INPUT_VERSION" ]; then
+            echo "❌ Version mismatch: package.json has $PKG_VERSION but input was $INPUT_VERSION"
+            exit 1
+          fi
+          echo "✅ Version $PKG_VERSION confirmed"
+
+      - name: Install dependencies
+        run: |
+          if [ "${{ steps.yarn-version.outputs.major }}" = "1" ]; then
+            yarn install --frozen-lockfile --non-interactive
+          else
+            yarn install --immutable
+          fi
+
+      - name: Build package (if build script exists)
+        run: |
+          if node -e "process.exit(require('./package.json').scripts?.build ? 0 : 1)" 2>/dev/null; then
+            yarn build
+          else
+            echo "No build script found — skipping build step"
+          fi
+
+      - name: Publish (dry run)
+        if: ${{ inputs.dry_run }}
+        env:
+          # The npm CLI automatically detects the OIDC environment via
+          # ACTIONS_ID_TOKEN_REQUEST_URL / ACTIONS_ID_TOKEN_REQUEST_TOKEN and
+          # handles the token exchange itself. NODE_AUTH_TOKEN must still be set
+          # (even if empty) to satisfy the .npmrc written by actions/setup-node,
+          # otherwise npm errors before it reaches OIDC auth.
+          NODE_AUTH_TOKEN: ""
+        run: npm publish --provenance --access public --dry-run
 
       - name: Publish
-        run: yarn publish
+        if: ${{ !inputs.dry_run }}
         env:
-          NODE_AUTH_TOKEN: ${{ secrets.NODE_AUTH_TOKEN }}
+          NODE_AUTH_TOKEN: ""
+        run: npm publish --provenance --access public
+
+      - name: Verify published version
+        if: ${{ !inputs.dry_run }}
+        run: |
+          PACKAGE_NAME=$(node -p "require('./package.json').name")
+          EXPECTED_VERSION="${{ inputs.version }}"
+
+          echo "Waiting for npm propagation..."
+
+          for i in {1..10}; do
+            PUBLISHED_VERSION=$(npm view "$PACKAGE_NAME" version 2>/dev/null)
+            if [ "$PUBLISHED_VERSION" = "$EXPECTED_VERSION" ]; then
+              echo "✅ Version $PUBLISHED_VERSION confirmed on npm"
+              exit 0
+            fi
+            echo "Not visible yet (attempt $i)..."
+            sleep 15
+          done
+
+          echo "❌ Published version not visible after waiting"
+          exit 1
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
@@ -3,13 +3,136 @@ name: Tests
 on: [push, pull_request]
 
 jobs:
-  build:
+  resolve-node-versions:
+    runs-on: ubuntu-latest
+    outputs:
+      matrix: ${{ steps.set-matrix.outputs.matrix }}
+    steps:
+      - id: set-matrix
+        run: |
+          node <<'EOF' >> $GITHUB_OUTPUT
+          const https = require('https');
+          const fs = require('fs');
+
+          function compareSemver(a, b) {
+            const pa = a.split('.').map(Number);
+            const pb = b.split('.').map(Number);
+            for (let i = 0; i < 3; i++) {
+              if ((pa[i] ?? 0) !== (pb[i] ?? 0)) return (pb[i] ?? 0) - (pa[i] ?? 0);
+            }
+            return 0;
+          }
+
+          // Returns { major, minor, patch, minorSpecified, patchSpecified } or null
+          function parseEnginesVersion(enginesNode) {
+            if (!enginesNode) return null;
+            const match = enginesNode.match(/>=\s*(\d+)(?:\.(\d+)(?:\.(\d+))?)?/);
+            if (!match) return null;
+            return {
+              major: parseInt(match[1], 10),
+              minor: match[2] !== undefined ? parseInt(match[2], 10) : null,
+              patch: match[3] !== undefined ? parseInt(match[3], 10) : null,
+              minorSpecified: match[2] !== undefined,
+              patchSpecified: match[3] !== undefined,
+            };
+          }
+
+          // Build the version spec to pass to setup-node for the minimum version.
+          // We let setup-node resolve the latest patch when patch is omitted.
+          // e.g. ">= 18"       -> "18"
+          //      ">= 18.18"    -> "18.18"
+          //      ">= 18.18.2"  -> "18.18.2"
+          function minVersionSpec(minVersion) {
+            if (minVersion.patchSpecified) return `${minVersion.major}.${minVersion.minor}.${minVersion.patch}`;
+            if (minVersion.minorSpecified) return `${minVersion.major}.${minVersion.minor}`;
+            return `${minVersion.major}`;
+          }
+
+          let enginesNode = null;
+          try {
+            const pkg = JSON.parse(fs.readFileSync('package.json', 'utf8'));
+            enginesNode = pkg?.engines?.node ?? null;
+          } catch {}
+
+          const minVersion = parseEnginesVersion(enginesNode);
+
+          https.get('https://nodejs.org/dist/index.json', res => {
+            let data = '';
+            res.on('data', chunk => data += chunk);
+            res.on('end', () => {
+              const releases = JSON.parse(data);
+
+              const lts = releases
+                .filter(r => r.lts)
+                .map(r => r.version.replace(/^v/, ''));
+
+              // Group by major, pick highest semver per major
+              const byMajor = {};
+              for (const v of lts) {
+                const major = parseInt(v.split('.')[0], 10);
+                if (!byMajor[major]) byMajor[major] = [];
+                byMajor[major].push(v);
+              }
+
+              const latestPerMajor = Object.entries(byMajor)
+                .map(([major, versions]) => {
+                  versions.sort(compareSemver);
+                  return { major: parseInt(major, 10), version: versions[0] };
+                });
+
+              latestPerMajor.sort((a, b) => b.major - a.major);
+
+              // Take latest 4 LTS majors (these are exact resolved versions)
+              const top4 = latestPerMajor.slice(0, 4);
+              const top4Majors = new Set(top4.map(e => e.major));
+
+              const extra = [];
 
+              if (minVersion !== null) {
+                const spec = minVersionSpec(minVersion);
+
+                // Check if this spec is already fully covered:
+                // - If only major specified and that major is in top4, it's covered.
+                // - If minor or patch specified, we always add it — even if the major
+                //   is in top4, because the top4 entry is the *latest* of that major,
+                //   which may differ from the minimum spec.
+                const alreadyCovered =
+                  !minVersion.minorSpecified && top4Majors.has(minVersion.major);
+
+                if (!alreadyCovered) {
+                  // Check for exact duplicate against resolved top4 versions
+                  const alreadyExact = top4.some(e => e.version === spec);
+                  if (!alreadyExact) {
+                    extra.push({ major: minVersion.major, version: spec });
+                  }
+                }
+
+                // Also ensure the latest of the min major is in the list,
+                // in case it wasn't in top4 (e.g. engines requires an older major)
+                const latestOfMinMajor = latestPerMajor.find(e => e.major === minVersion.major);
+                if (latestOfMinMajor && !top4Majors.has(minVersion.major)) {
+                  extra.push(latestOfMinMajor);
+                }
+              }
+
+              // Merge, sort ascending by semver (oldest -> newest)
+              const all = [...top4, ...extra];
+              all.sort((a, b) => compareSemver(b.version, a.version));
+
+              const matrix = { "node-version": all.map(e => e.version) };
+              console.log(`matrix=${JSON.stringify(matrix)}`);
+            });
+          });
+          EOF
+
+  test:
+    needs: resolve-node-versions
     runs-on: ubuntu-latest
 
     strategy:
-      matrix:
-        node-version: [18.x, 20.x, 22.x, 24.x]
+      fail-fast: false
+      matrix: ${{ fromJson(needs.resolve-node-versions.outputs.matrix) }}
+    name: Node ${{ matrix.node-version }}
 
     steps:
       - uses: actions/checkout@v4
@@ -18,13 +141,36 @@ jobs:
         uses: actions/setup-node@v4
         with:
           node-version: ${{ matrix.node-version }}
-          cache: 'yarn'
 
-      - name: Install dependencies
-        run: yarn --frozen-lockfile --non-interactive --prefer-offline
+      - name: Enable Corepack
+        run: corepack enable
 
-      - name: Test
-        run: yarn test
+      - name: Detect Yarn version
+        id: yarn-version
+        run: |
+          YARN_VERSION=$(node -p "
+            try {
+              const pm = require('./package.json').packageManager ?? '';
+              const match = pm.match(/^yarn@(\d+)/);
+              match ? match[1] : '';
+            } catch { '' }
+          ")
+          if [ -z "$YARN_VERSION" ]; then
+            YARN_VERSION=$(yarn --version | cut -d. -f1)
+          fi
+          echo "major=$YARN_VERSION" >> "$GITHUB_OUTPUT"
+          echo "Detected Yarn major version: $YARN_VERSION"
+
+      - name: Install dependencies
+        run: |
+          if [ "${{ steps.yarn-version.outputs.major }}" = "1" ]; then
+            yarn install --frozen-lockfile --non-interactive --prefer-offline
+          else
+            yarn install --immutable
+          fi
 
       - name: Lint
         run: yarn lint
+
+      - name: Test
+        run: yarn test
