chore(ci): Fixes for version checks upon release [backport to release/sdk/v0.4]

.github/workflows/reusable_deliver.yaml

@@ -0,0 +1,125 @@
+name: "Reusable worflow: Deliver Client to npm registry"
+
+on:
+  workflow_call:
+    secrets:
+      NPM_TOKEN:
+        required: true
+
+# Default empty permissions for all jobs
+permissions: {}
+
+jobs:
+  deliver-ghp:
+    permissions:
+      contents: write
+      packages: write
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: "Checkout repo"
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - name: "Setup node"
+        uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4.3.0
+        with:
+          node-version: "22"
+          registry-url: https://npm.pkg.github.com
+
+      - name: "Check version number is same between tag, library, and/or release"
+        id: check-version
+        run: |
+          scripts/check-version-is.sh "${GITHUB_REF}"
+
+      - name: "Output build metadata"
+        id: guess-build-metadata
+        run: |
+          FULL_VERSION=$(.github/workflows/gh-semver.sh)
+          DIST_TAG=$(.github/workflows/guess-dist-tag.sh)
+
+          echo "FULL_VERSION=$FULL_VERSION" >> "$GITHUB_OUTPUT"
+          echo "DIST_TAG=$DIST_TAG" >> "$GITHUB_OUTPUT"
+
+      - name: "Run: make doc"
+        run: |
+          make doc
+
+      - name: "Echo info"
+        env:
+          DIST_TAG: ${{ steps.guess-build-metadata.outputs.DIST_TAG }}
+          FULL_VERSION: ${{ steps.guess-build-metadata.outputs.FULL_VERSION }}
+        run: |
+          echo "::notice file=lib/package.json::Will be published to \
+          [GitHub Packages](https://github.com/opentdf/web-sdk/pkgs/npm/client) \
+          as $DIST_TAG \
+          with version=[$FULL_VERSION]"
+
+      - name: "Deliver to GitHub Packages"
+        env:
+          DIST_TAG: ${{ steps.guess-build-metadata.outputs.DIST_TAG }}
+          FULL_VERSION: ${{ steps.guess-build-metadata.outputs.FULL_VERSION }}
+          NODE_AUTH_TOKEN: ${{ github.token }}
+        run: |
+          bash scripts/deliver-to-npm-registry.sh "$FULL_VERSION" "$DIST_TAG"
+
+      - name: "Echo info to Run Summary"
+        run: |
+          {
+          echo "- [Client Library](https://github.com/opentdf/web-sdk/pkgs/npm/client)"
+          echo "- [Command Line Tool](https://github.com/opentdf/web-sdk/pkgs/npm/cli)"
+          } >>"$GITHUB_STEP_SUMMARY"
+
+      - name: "Publish documentation to gh-pages"
+        uses: JamesIves/github-pages-deploy-action@6c2d9db40f9296374acc17b90404b6e8864128c8 # v4.7.3
+        with:
+          branch: gh-pages
+          folder: lib/dist/docs
+
+  deliver-npmjs:
+    permissions:
+      contents: read
+    runs-on: ubuntu-latest
+    steps:
+      - name: "Checkout repo"
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - name: "Setup node"
+        uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4.3.0
+        with:
+          node-version: "22"
+          registry-url: "https://registry.npmjs.org"
+
+      - name: "Run: make all"
+        run: |
+          make all
+
+      - name: "Output build metadata"
+        id: guess-build-metadata
+        run: |
+          FULL_VERSION=$(.github/workflows/gh-semver.sh)
+          DIST_TAG=$(.github/workflows/guess-dist-tag.sh)
+
+          echo "FULL_VERSION=$FULL_VERSION" >> "$GITHUB_OUTPUT"
+          echo "DIST_TAG=$DIST_TAG" >> "$GITHUB_OUTPUT"
+
+      - name: "Deliver to npmjs"
+        env:
+          DIST_TAG: ${{ steps.guess-build-metadata.outputs.DIST_TAG }}
+          FULL_VERSION: ${{ steps.guess-build-metadata.outputs.FULL_VERSION }}
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+        run: |
+          bash scripts/deliver-to-npm-registry.sh "$FULL_VERSION" "$DIST_TAG"
+
+      - name: "Echo info to Run Summary"
+        env:
+          FULL_VERSION: ${{ steps.guess-build-metadata.outputs.FULL_VERSION }}
+        run: |
+          {
+          echo "- [Client Library](https://www.npmjs.com/package/@opentdf/sdk/v/$FULL_VERSION)"
+          echo "- [Command Line Tool](https://www.npmjs.com/package/@opentdf/ctl/v/$FULL_VERSION)"
+          echo "- [unpkg](https://unpkg.com/browse/@opentdf/sdk@$FULL_VERSION)"
+          } >>"$GITHUB_STEP_SUMMARY"

scripts/check-version-is.sh

@@ -1,15 +1,38 @@
 #!/usr/bin/env bash
 # Validate that version number is same across all expected files
+# If no parameter is found, validates that the lib/package.json is consistent throughout the repo.
+#
+# Expected usage:
+#   ./scripts/check-version-is.sh [expected_version, e.g. from branch or tag name]
+# Output:
+#   ::error file=Makefile,line=5::Incorrect version line, should be setting it to [1.0.0]
 
 set -euo pipefail
 
-lib_version="$(cd lib && node -p "require('./package.json').version")"
-
-expected_version="${1:-$lib_version}"
+# Parse github.ref context parameter if provided
+if [[ ${1:-} =~ refs/heads/release/sdk/v(.*) ]]; then
+  minor_version="${BASH_REMATCH[1]}"
+  lib_version="$(cd lib && node -p "require('./package.json').version")"
+  if [[ $lib_version != $minor_version* ]]; then
+    echo "::error file=lib/package.json::lib version [$lib_version] does not start with expected minor version [$minor_version]"
+    exit 1
+  fi
+  expected_version="$lib_version"
+elif [[ ${1:-} =~ refs/tags/sdk/v(.*) ]]; then
+  expected_version="${BASH_REMATCH[1]}"
+elif [[ ${1:-} =~ ^([0-9]+)\.([0-9]+)\.([0-9]+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$ ]]; then
+  expected_version="${1}"
+else
+  lib_version="$(cd lib && node -p "require('./package.json').version")"
+  if [[ -n ${1:-} ]]; then
+    echo "::error::Unrecognized ref '${1}'; ignored in favor of lib/package.json's version [${lib_version}]"
+  fi
+  expected_version="${lib_version}"
+fi
 
 if ! grep --fixed-strings --line-regexp --quiet "version=${expected_version}" "Makefile"; then
   if grep --quiet "^version=" "Makefile"; then
-    echo "::error file=Makefile,line=$(sed -n '/version/=' Makefile)::Incorrect version line, should be setting it to [${expected_version}]"
+    echo "::error file=Makefile,line=$(sed -n '/^version/=' Makefile)::Incorrect version line, should be setting it to [${expected_version}]"
   else
     echo "::error file=Makefile::Makefile missing version line [version=${expected_version}]"
   fi
@@ -18,7 +41,7 @@ fi
 
 if ! grep --fixed-strings --line-regexp --quiet "export const version = '${expected_version}'; // x-release-please-version" "lib/src/version.ts"; then
   if grep --quiet "^export const version" "lib/src/version.ts"; then
-    echo "::error file=lib/src/version.ts,line=$(sed -n '/export const version/=' lib/src/version.ts)::Incorrect version line, should be setting it to [${expected_version}]"
+    echo "::error file=lib/src/version.ts,line=$(sed -n '/^export const version/=' lib/src/version.ts)::Incorrect version line, should be setting it to [${expected_version}]"
   else
     echo "::error file=lib/src/version.ts::Missing version line [version=${expected_version}]"
   fi