experience-sdk/.github/workflows/release.yml at 3e560154f0c21f3b3d630f2937176647d753e0c5 · prosdevlab/experience-sdk · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
name: Release

# This workflow runs after CI succeeds on the main branch.
# Uses OIDC Trusted Publishing (no NPM_TOKEN needed).
# See https://docs.npmjs.com/generating-provenance-statements

on:
  workflow_run:
    workflows: ["CI"]
    types:
      - completed
    branches:
      - main
  workflow_dispatch:
    inputs:
      force_publish:
        description: 'Force publish all packages'
        type: boolean
        default: false

concurrency: ${{ github.workflow }}-${{ github.ref }}

permissions:
  contents: write
  pull-requests: write
  id-token: write  # Required for OIDC trusted publishing

jobs:
  release:
    name: Release
    runs-on: ubuntu-latest
    # Only run if CI workflow succeeded
    if: ${{ github.event.workflow_run.conclusion == 'success' || github.event_name == 'workflow_dispatch' }}
    steps:
      - name: Checkout Repo
        uses: actions/checkout@v4
        with:
          # This makes Actions fetch all Git history so that Changesets can generate changelogs
          fetch-depth: 0

      - name: Setup pnpm
        uses: pnpm/action-setup@v4

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: 22
          cache: 'pnpm'
          registry-url: 'https://registry.npmjs.org'

      # Ensure npm 11.5.1+ for trusted publishing support
      - name: Update npm
        run: npm install -g npm@latest

      # Explicitly configure @prosdevlab scope to use npm registry
      - name: Configure npm registry
        run: |
          # Remove any project-level .npmrc that might route @prosdevlab to GitHub Packages
          rm -f .npmrc
          # Create .npmrc with explicit scoped registry for @prosdevlab
          echo "@prosdevlab:registry=https://registry.npmjs.org/" > .npmrc
          # Also configure pnpm to use npm registry for @prosdevlab scope
          pnpm config set @prosdevlab:registry https://registry.npmjs.org/

      - name: Install Dependencies
        run: pnpm install

      - name: Build Packages
        run: pnpm build

      - name: Create Release Pull Request or Publish to npm
        id: changesets
        uses: changesets/action@v1
        with:
          # This creates a "Version Packages" PR when changesets are added
          version: pnpm changeset version
          # This publishes to npm using OIDC trusted publishing (no NPM_TOKEN needed)
          publish: pnpm changeset publish
          # Commit message for version bumps
          commit: 'chore: release packages'
          # PR title for version bumps
          title: 'chore: release packages'
          # Create GitHub Releases with provenance
          createGithubReleases: true
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # No NPM_TOKEN needed - OIDC handles npm authentication!