ts-old-deploy.yml
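---
name: Deploy TypeScript SDK (Legacy) to npm via OIDC Trusted Publishing

# Triggers on tags like ts-old/v1.0.0, ts-old/v2.1.3, etc.
# Uses npm Trusted Publishing (OIDC) - no long-lived tokens required!
# Requires npm CLI >= 11.5.1 and one-time trusted publisher config on npmjs.com
#
# Security notes for maintainers:
# - The tag name and the workflow_dispatch `version` input are caller-supplied
#   text. They are handed to shell steps through `env:` only and are checked
#   against a semantic-version pattern before anything else consumes them.
#   Do not splice workflow expressions directly into a `run:` script.
# - NOTE(review): the actions below are referenced by mutable tags (@v4, @v1).
#   For a job that can publish a package, pinning each action to a full commit
#   SHA is the usual hardening step.
on:
  push:
    tags:
      - 'ts-old/v*.*.*'
  # Allows manual workflow dispatch
  workflow_dispatch:
    inputs:
      version:
        description: 'Version to publish (e.g., 1.2.3)'
        required: true
        type: string

# NOTE(review): all three write scopes are held by the single job below, so
# every step (install, code generation, tests, build) runs with them. Splitting
# the PR creation into its own job would let the publishing job drop
# contents/pull-requests write.
permissions:
  contents: write  # For committing version changes back to repository
  id-token: write  # CRITICAL: Required for OIDC authentication with npm
  pull-requests: write  # For creating PR after successful deployment

jobs:
  npm-deploy:
    runs-on: ubuntu-latest  # Must use GitHub-hosted runner (self-hosted not supported for OIDC)
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'
          registry-url: 'https://registry.npmjs.org'  # Required for OIDC authentication

      # NOTE(review): `npm@latest` is resolved at run time, so the CLI that
      # performs the publish is not fixed by this file. Consider pinning a
      # known-good version that satisfies the >= 11.5.1 requirement.
      - name: Upgrade npm to support OIDC
        run: |
          echo "Current npm version: $(npm --version)"
          npm install -g npm@latest
          echo "Updated npm version: $(npm --version)"
          echo "Note: OIDC requires npm >= 11.5.1"

      - name: Enable Corepack
        run: corepack enable

      # NOTE(review): restored cache contents (including node_modules) become
      # an input to the published build. Confirm that sharing this cache with
      # other workflows is acceptable for a release job, or drop it here.
      - name: Cache dependencies
        uses: actions/cache@v4
        with:
          path: |
            node_modules
            .yarn/cache
            ts-old/node_modules
          key: ${{ runner.os }}-ts-old-deps-${{ hashFiles('yarn.lock', 'ts-old/yarn.lock') }}
          restore-keys: |
            ${{ runner.os }}-ts-old-deps-

      - name: Install dependencies
        run: yarn install --frozen-lockfile

      - name: Setup buf CLI (required for protobuf generation)
        uses: bufbuild/buf-setup-action@v1
        with:
          github_token: ${{ github.token }}

      - name: Generate TypeScript code from protobuf
        run: ./dev/tool.sh generate --targets=ts-old

      - name: Run TypeScript tests (early validation)
        working-directory: ./ts-old
        run: |
          echo "🧪 Running TypeScript tests..."
          yarn test

      - name: Run TypeScript linting (early validation)
        working-directory: ./ts-old
        run: |
          echo "🔍 Linting TypeScript code..."
          yarn lint

      # The event name, ref name and dispatch input are passed as environment
      # variables so the shell receives them as data, not as script text.
      - name: Extract version from tag or input
        id: version
        env:
          EVENT_NAME: ${{ github.event_name }}
          REF_NAME: ${{ github.ref_name }}
          DISPATCH_VERSION: ${{ inputs.version }}
        run: |
          if [[ "$EVENT_NAME" == "push" ]]; then
            # Extract version from ts-old/v*.*.* tag (e.g., ts-old/v1.2.3 -> 1.2.3)
            VERSION="${REF_NAME#ts-old/v}"
            ORIGIN_MSG="Extracted version from tag"
          else
            # Use version from manual workflow dispatch input
            VERSION="$DISPATCH_VERSION"
            ORIGIN_MSG="Using manual version input"
          fi

          # Accept only MAJOR.MINOR.PATCH with optional -prerelease / +build.
          # Everything downstream (package.json, branch name, PR text) relies
          # on this check, so fail the job before any of it runs.
          SEMVER_RE='^[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$'
          if [[ ! "$VERSION" =~ $SEMVER_RE ]]; then
            # The rejected value is deliberately not echoed into the log.
            echo "::error::Refusing to publish: version is not MAJOR.MINOR.PATCH[-prerelease][+build]"
            exit 1
          fi

          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
          echo "$ORIGIN_MSG: $VERSION"

      - name: Update package.json version
        working-directory: ./ts-old
        env:
          VERSION: ${{ steps.version.outputs.version }}
        run: |
          echo "Setting TypeScript package version to: $VERSION"
          # Use yarn version - the native and safe way to update package.json
          yarn version --new-version "$VERSION" --no-git-tag-version
          echo "Updated package.json version:"
          grep '"version":' package.json

      - name: Build TypeScript SDK
        working-directory: ./ts-old
        run: |
          echo "🏗️ Building TypeScript SDK (Legacy)..."
          yarn build

      - name: Verify build artifacts
        working-directory: ./ts-old
        run: |
          echo "✅ Verifying build artifacts..."
          ls -la dist/ | head -10

      - name: Publish to npm via OIDC Trusted Publishing
        working-directory: ./ts-old
        run: |
          echo "🚀 Publishing to npm via OIDC Trusted Publishing..."
          echo "npm version: $(npm --version)"
          # OIDC handles authentication automatically - no tokens needed!
          # Provenance attestations are automatically generated with trusted publishing
          npm publish --access public

      - name: Success notification
        env:
          VERSION: ${{ steps.version.outputs.version }}
        run: |
          echo ""
          echo "############################################################"
          echo "# #"
          echo "# 🎉 TypeScript SDK (Legacy) v$VERSION published! 🔐 #"
          echo "# #"
          echo "# Package: @meshtrade/api-old@$VERSION #"
          echo "# Registry: https://www.npmjs.com/package/@meshtrade/api-old #"
          echo "# Provenance: ✅ Automatically generated #"
          echo "# Authentication: OIDC (no long-lived tokens!) #"
          echo "# #"
          echo "############################################################"

      - name: Create PR with version update
        if: success()
        env:
          GH_TOKEN: ${{ github.token }}
          VERSION: ${{ steps.version.outputs.version }}
        run: |
          BRANCH_NAME="chore/npm-ts-old-version-update-$VERSION"
          echo "📝 Creating PR to commit version $VERSION back to repository..."
          # Configure git
          git config --global user.name "github-actions[bot]"
          git config --global user.email "github-actions[bot]@users.noreply.github.com"
          # Create and checkout new branch
          git checkout -b "$BRANCH_NAME"
          # Add only the version change
          git add ts-old/package.json
          # Commit the version change
          COMMIT_MSG="chore: update TypeScript SDK (Legacy) version to $VERSION
          After successful deployment to npm registry via OIDC.
          Tag: ts-old/v$VERSION
          🤖 Generated with [Claude Code](https://claude.ai/code)
          Co-Authored-By: Claude <noreply@anthropic.com>"
          git commit -m "$COMMIT_MSG"
          # Push the branch
          git push origin "$BRANCH_NAME"
          # Create PR using GitHub CLI
          PR_BODY="## Summary
          Updates TypeScript SDK (Legacy) version to $VERSION after successful npm deployment via OIDC.
          ## Details
          - Package successfully published to npm registry using OIDC Trusted Publishing
          - Provenance attestations automatically generated
          - No long-lived tokens used (secure OIDC authentication)
          - Version updated in \`ts-old/package.json\`
          - Triggered by tag: \`ts-old/v$VERSION\`
          ## Security
          - ✅ Published via OIDC (no npm tokens)
          - ✅ Provenance attestations included
          - ✅ Short-lived, workflow-specific credentials
          ## Checklist
          - [x] Version updated to match published package
          - [x] Package successfully deployed to npm
          - [x] OIDC authentication successful
          - [ ] Merged to main branch
          🤖 Generated with [Claude Code](https://claude.ai/code)"
          gh pr create \
            --title "chore: update TypeScript SDK (Legacy) version to $VERSION" \
            --body "$PR_BODY" \
            --base master \
            --head "$BRANCH_NAME"
          echo "✅ PR created successfully!"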