feat: support npm trusted publisher (#15)

fengmk2 · web-flow · commit 98d5749ddb5d · 2025-08-06T22:19:37.000+08:00
close #14  ## Summary by CodeRabbit * **New Features** * Introduced an automated npm release workflow using GitHub Actions, supporting dry runs, testing, and configurable install commands. * Added a script to handle semantic-release automation, including changelog updates, npm publishing, and GitHub release creation. * Provided a dedicated package for release automation with all required dependencies. * **Documentation** * Updated release workflow documentation to reflect the new npm release process and streamlined token configuration instructions.
diff --git a/.github/workflows/npm-release.yml b/.github/workflows/npm-release.yml
@@ -0,0 +1,97 @@
+name: NPM Trusted Publisher
+
+on:
+  workflow_call:
+
+    inputs:
+      checkTest:
+        type: boolean
+        description: whether run test before release
+        default: false
+
+      dryRun:
+        type: boolean
+        description: pass dry-run to semantic-release
+        default: false
+
+      install:
+        type: string
+        description: 'Install dependencies script'
+        default: 'npm i --no-package-lock --no-fund --force && rm -rf package-lock.json'
+
+      action_ref:
+        type: string
+        description: 'Branch name for node-modules/github-actions, for test purpose'
+        default: master
+
+jobs:
+  Release:
+    permissions:
+      contents: write
+      id-token: write # Required for OIDC
+      deployments: write
+      issues: write
+      pull-requests: write
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: main_repo
+
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.ref }}
+      cancel-in-progress: true
+
+    steps:
+      # Checkout action repository
+      - name: Checkout action repository
+        uses: actions/checkout@v4
+        with:
+          repository: node-modules/github-actions
+          path: action_repo
+          ref: ${{ inputs.action_ref }}
+
+      # Checkout project repository
+      - name: Checkout project repository
+        uses: actions/checkout@v4
+        with:
+          path: main_repo
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      # Setup Node.js environment
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: lts/*
+
+      # Ensure npm 11.5.1 or later is installed
+      - name: Update npm
+        run: npm install -g npm@latest
+
+      # Install action dependencies
+      - name: Install action dependencies
+        run: npm i --no-package-lock --no-fund --force --omit=dev
+        working-directory: action_repo/scripts/npm-release
+
+      # Install dependencies
+      - name: Install project dependencies
+        run: ${{ inputs.install }}
+
+      # Run Test Only
+      - name: Run Test
+        run: npm test
+        if: inputs.checkTest
+
+      - name: Semantic Release
+        id: release
+        run: node ../action_repo/scripts/npm-release/index.js
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          DRYRUN: ${{ inputs.dryRun }}
+
+      - name: Publish ${{ steps.release.outputs.name }}@${{ steps.release.outputs.release_version }}
+        if: steps.release.outputs.release_version && !inputs.dryRun
+        run: |
+          echo ${{ steps.release.outputs.name }}
+          echo ${{ steps.release.outputs.release_version }}
+          echo ${{ steps.release.outputs.registry }}
+          echo ${{ steps.release.outputs.cnpm_sync_url }}
diff --git a/README.md b/README.md
@@ -145,18 +145,6 @@ BREAKING CHANGE: Drop Node.js < 18 support
 
 ### 配置方式
 
-- 创建 NPM Token
-  - NPM Registry 需创建 Automation Token，参见[文档](https://docs.npmjs.com/creating-and-viewing-access-tokens)
-  - GitHub Package 无需创建，默认支持
-
-- 创建 GitHub Token
-  - 因为生成的 CHANGELOG.md 和 package.json 需回写 GitHub，而默认的 `GITHUB_TOKEN` 没有该权限
-  - 因此需要创建一个新的 Token，参见[文档](https://docs.github.com/en/github/authenticating-to-github/creating-a-personal-access-token)
-
-- 配置 Token
-  - 在项目或组织维度配置 2 个 `secrets`：`NPM_TOKEN` 和 `GIT_TOKEN`
-  - 参见[文档](https://docs.github.com/en/codespaces/managing-codespaces-for-your-organization/managing-encrypted-secrets-for-your-repository-and-organization-for-github-codespaces)
-
 - 创建 `.github/workflows/release.yml`：
 
 ```yaml
@@ -171,24 +159,14 @@ on:
 jobs:
   release:
     name: Node.js
-    uses: node-modules/github-actions/.github/workflows/node-release.yml@master
-    secrets:
-      NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
-      GIT_TOKEN: ${{ secrets.GIT_TOKEN }}
+    uses: node-modules/github-actions/.github/workflows/npm-release.yml@master
     # with:
       # checkTest: false
       # dryRun: true
 ```
 
 ### 发布到 GitHub Package
 
-修改 `release.yml` 的 secrets：
-
-```yaml
-secrets:
-  NPM_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-```
-
 修改 `package.json`：
 
 ```json
diff --git a/scripts/npm-release/index.js b/scripts/npm-release/index.js
@@ -0,0 +1,68 @@
+const path = require('path');
+const fs = require('fs');
+const core = require('@actions/core');
+const semanticRelease = require('semantic-release').default;
+const { request } = require('undici');
+
+async function run() {
+  const mainRepoPath = process.cwd();
+  const pkgInfo = require(`${mainRepoPath}/package.json`);
+  const registry = pkgInfo.publishConfig?.registry || 'https://registry.npmjs.org';
+  core.setOutput('name', pkgInfo.name);
+  core.setOutput('registry', registry);
+
+  try {
+    const configFiles = [
+      path.join(__dirname, 'release.config.js'),
+      path.join(mainRepoPath, 'release.config.js'),
+    ].filter(file => fs.existsSync(file));
+
+    core.info(`Using config files: ${configFiles.join(', ')}`);
+
+    const result = await semanticRelease({
+      dryRun: process.env.DRYRUN === 'true',
+      extends: configFiles,
+    });
+
+    const { nextRelease, lastRelease } = result;
+
+    if (!nextRelease) {
+      core.notice('No release need to be published.');
+      core.summary.addRaw('No release need to be published.');
+      await core.summary.write();
+    } else {
+      core.info(`Published release: ${nextRelease.version}`);
+      core.setOutput('release_version', nextRelease.version);
+
+      // cnpm sync
+      try {
+        const res = await request(`https://registry-direct.npmmirror.com/-/package/${pkgInfo.name}/syncs`, {
+          method: 'PUT',
+          timeout: 30000,
+        });
+        const { id } = await res.body.json();
+        const logUrl = `https://registry.npmmirror.com/-/package/${pkgInfo.name}/syncs/${id}/log`;
+        core.setOutput('cnpm_sync_url', logUrl);
+        core.info(`cnpm sync log url: ${logUrl}`);
+
+        // write summary
+        core.summary.addRaw(`## [${pkgInfo.name}](https://github.com/${process.env.GITHUB_REPOSITORY})\n`);
+        core.summary.addRaw(`- Release: ${lastRelease?.version ?? ''} -> ${nextRelease.version}\n`);
+        core.summary.addRaw(`- Registry: ${registry}\n`);
+        core.summary.addRaw(`- CNPM Sync: ${logUrl}\n`);
+        core.summary.addRaw(`- DryRun: ${process.env.DRYRUN}\n`);
+      } catch (err) {
+        core.info(`cnpm sync ${pkgInfo.name} fail, ${err.message}`);
+        core.summary.addRaw(`- CNPM Sync ${pkgInfo.name} error: ${err.message}\n`);
+      }
+      core.summary.addRaw(nextRelease.notes);
+      await core.summary.write();
+    }
+    console.log('Result:', result);
+  } catch (error) {
+    console.error(error);
+    core.setFailed(error);
+  }
+}
+
+run();
diff --git a/scripts/npm-release/package.json b/scripts/npm-release/package.json
@@ -0,0 +1,21 @@
+{
+  "name": "ci-release",
+  "dependencies": {
+    "@actions/core": "^1.10.0",
+    "@actions/exec": "^1.1.1",
+    "@semantic-release/npm": "13.0.0-alpha.5",
+    "@semantic-release/changelog": "^6.0.3",
+    "@semantic-release/exec": "^7.1.0",
+    "@semantic-release/git": "^10.0.1",
+    "@semantic-release/commit-analyzer": "^13.0.1",
+    "@semantic-release/release-notes-generator": "^14.0.3",
+    "@semantic-release/github": "^11.0.3",
+    "conventional-changelog-conventionalcommits": "^5.0.0",
+    "semantic-release": "25.0.0-alpha.4",
+    "undici": "^5.14.0"
+  },
+  "devDependencies": {
+    "@types/node": "24",
+    "@types/semantic-release": "21"
+  }
+}
diff --git a/scripts/npm-release/release.config.js b/scripts/npm-release/release.config.js
@@ -0,0 +1,20 @@
+module.exports = {
+  plugins: [
+    [ '@semantic-release/commit-analyzer', { preset: 'conventionalcommits' } ],
+    [ '@semantic-release/release-notes-generator', { preset: 'conventionalcommits' } ],
+    [ '@semantic-release/changelog', { changelogTitle: '# Changelog' } ],
+    [ '@semantic-release/npm', {} ],
+
+    [ '@semantic-release/git',
+      {
+        message: 'Release <%= nextRelease.version %>\n\n[skip ci]\n\n<%= nextRelease.notes %>',
+      },
+    ],
+
+    [ '@semantic-release/github',
+      {
+        addReleases: 'bottom',
+      },
+    ],
+  ],
+};
