fix: trusted publishing #143
| name: Build-Test-Release | |
| on: | |
| push: | |
| branches: | |
| - main | |
| jobs: | |
| build-test-release: | |
| runs-on: windows-latest | |
| permissions: | |
| contents: write | |
| pages: write | |
| id-token: write | |
| # Many steps are duplicated in buildAndTest.yml. Changes made here may need to be made in both | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Install Node | |
| uses: actions/setup-node@v4 | |
| with: | |
| # Keep in sync with the version specified for volta in the root package.json | |
| node-version: 22 | |
| registry-url: https://registry.npmjs.org/ | |
| - name: Install dependencies | |
| run: npm install | |
| - name: Upgrade npm for trusted publishing | |
| run: npm install -g npm@^11.5.1 | |
| - name: Install playwright browsers for e2e tests | |
| run: npx playwright install chromium --with-deps | |
| # Extract new messages, upload to Crowdin, download latest translations | |
| - name: Extract messages | |
| run: npm run l10n:extract | |
| - name: Upload source strings to Crowdin | |
| run: npm run l10n:upload | |
| env: | |
| ETHNOLIB_CROWDIN_TOKEN: ${{ secrets.ETHNOLIB_CROWDIN_TOKEN }} | |
| - name: Download translations from Crowdin | |
| run: npm run l10n:download | |
| env: | |
| ETHNOLIB_CROWDIN_TOKEN: ${{ secrets.ETHNOLIB_CROWDIN_TOKEN }} | |
| - name: Update locales list | |
| run: npm run l10n:update-locales | |
| - name: Compile messages | |
| run: npm run l10n:compile | |
| # We've configured nx to update version numbers in the primary package.json files (rather than in the dist builds to be published) | |
| # Therefore this step must be done before build so that the new version numbers are copied to dist/package.json | |
| - name: Update version numbers in the persistent package.json files | |
| run: npx nx release version | |
| - name: Build package | |
| run: npx nx build @ethnolib/language-chooser-react-mui | |
| # find-language is a dependency of language-chooser-react-mui so it will have been built in the build step | |
| - name: Run unit tests | |
| run: npx nx run-many --all --target=test | |
| - name: Run e2e tests | |
| run: npx nx run-many --all --target=e2e | |
| - name: Set name and email for git so we can commit and tag | |
| run: | | |
| git config user.name "Github Actions" | |
| git config user.email "no-reply@ethnolib-build.com" | |
| - name: Publish | |
| env: | |
| NPM_CONFIG_PROVENANCE: true | |
| shell: bash | |
| run: | | |
| set -euo pipefail | |
| echo "Node: $(node --version)" | |
| echo "npm: $(npm --version)" | |
| # Ensure we use npm Trusted Publisher (OIDC) rather than a static token. | |
| # If NODE_AUTH_TOKEN (or NPM_TOKEN) is set, npm may attempt token auth instead. | |
| if [[ -n "${NODE_AUTH_TOKEN:-}" ]]; then echo "NODE_AUTH_TOKEN is set (will unset)."; else echo "NODE_AUTH_TOKEN is not set."; fi | |
| if [[ -n "${NPM_TOKEN:-}" ]]; then echo "NPM_TOKEN is set (will unset)."; else echo "NPM_TOKEN is not set."; fi | |
| unset NODE_AUTH_TOKEN || true | |
| unset NPM_TOKEN || true | |
| # With npm Trusted Publishers (OIDC), avoid relying on a NODE_AUTH_TOKEN placeholder | |
| # that actions/setup-node can write into ~/.npmrc when registry-url is configured. | |
| npm config set registry "https://registry.npmjs.org/" | |
| npm config delete //registry.npmjs.org/:_authToken || true | |
| npm config set provenance true | |
| echo "npm registry: $(npm config get registry)" | |
| echo "npm userconfig: $(npm config get userconfig)" | |
| echo "npm provenance: $(npm config get provenance)" | |
| if [[ -n "${ACTIONS_ID_TOKEN_REQUEST_URL:-}" ]]; then echo "ACTIONS_ID_TOKEN_REQUEST_URL is set."; else echo "ACTIONS_ID_TOKEN_REQUEST_URL is NOT set."; fi | |
| if [[ -n "${ACTIONS_ID_TOKEN_REQUEST_TOKEN:-}" ]]; then echo "ACTIONS_ID_TOKEN_REQUEST_TOKEN is set."; else echo "ACTIONS_ID_TOKEN_REQUEST_TOKEN is NOT set."; fi | |
| npx nx release --yes 2>&1 | tee nx-release.log | |
| # Nx was failing without propagating a failing exit code. | |
| # Fail the step (and therefore the job) if the output indicates publish failed. | |
| if grep -Eqi "npm publish error:|Failed tasks:|nx-release-publish.*failed" nx-release.log; then | |
| echo "Detected publish failure in nx output." | |
| exit 1 | |
| fi | |
| - name: Push the release commit (with version number update and changelog) | |
| run: git push | |
| - name: Push the release tag | |
| run: git push --tags | |
| - name: Build storybook | |
| run: npx nx build-storybook @ethnolib/language-chooser-react-mui | |
| - name: Upload for deploy to github pages | |
| uses: actions/upload-pages-artifact@v3 | |
| with: | |
| path: components/language-chooser/react/language-chooser-react-mui/storybook-static | |
| - name: Deploy to GitHub Pages | |
| uses: actions/deploy-pages@v4 | |
| with: | |
| token: ${{ github.token }} |
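Review bot: The job-level `permissions` block (`contents: write`, `pages: write`, `id-token: write`) applies to every step of `build-test-release`, so `npm install`, `npx playwright install` and the unit/e2e test steps run under the same OIDC-capable identity as the Publish step; the Publish script itself confirms `ACTIONS_ID_TOKEN_REQUEST_URL`/`ACTIONS_ID_TOKEN_REQUEST_TOKEN` are present in the step environment. Any dependency lifecycle script or test code executed earlier in the job could therefore request an OIDC token for the trusted-publisher identity (and push with the write-capable checkout token). The usual mitigation is to publish from a separate job that only downloads the built artifact and is the only job granted `id-token: write`, with `permissions` on the build/test job reduced to `contents: read`; at minimum, replacing `run: npm install` with `run: npm ci --ignore-scripts` removes the lockfile drift and the unsolicited lifecycle scripts from a release workflow. Minor: `NPM_CONFIG_PROVENANCE: true` is a YAML boolean rather than a string; `NPM_CONFIG_PROVENANCE: "true"` makes the intended env value explicit for linters and other loaders.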