|
1 | | -name: Publish |
| 1 | +# taken from https://github.com/alcuadrado/trusted-publishing-example/ |
| 2 | + |
| 3 | +name: Publish Package |
2 | 4 |
|
3 | 5 | on: |
4 | | - workflow_dispatch: |
5 | | - release: |
6 | | - types: [published] |
| 6 | + push: |
| 7 | + tags: |
| 8 | + - "v*" |
| 9 | + |
| 10 | +permissions: {} |
| 11 | + |
| 12 | +concurrency: |
| 13 | + group: publish-${{ github.ref }} |
| 14 | + cancel-in-progress: true |
| 15 | + |
| 16 | +env: |
| 17 | + NPM_TAG: latest |
7 | 18 |
|
8 | 19 | jobs: |
9 | | - publish: |
| 20 | + prepare: |
10 | 21 | runs-on: ubuntu-latest |
11 | 22 | permissions: |
12 | | - contents: read |
13 | | - id-token: write |
14 | | - |
| 23 | + contents: read # To clone the repository |
| 24 | + actions: write # To upload the package tarball to the artifacts |
| 25 | + outputs: |
| 26 | + packageName: ${{ steps.packageName.outputs.packageName }} |
| 27 | + filename: ${{ steps.pack.outputs.filename }} |
15 | 28 | steps: |
16 | | - - uses: actions/checkout@v4 |
17 | | - |
18 | | - - uses: pnpm/action-setup@v4 |
19 | | - |
20 | | - - uses: actions/setup-node@v4 |
| 29 | + - uses: actions/checkout@v5 |
| 30 | + - name: Install pnpm |
| 31 | + uses: pnpm/action-setup@v4 |
| 32 | + - uses: actions/setup-node@v5 |
21 | 33 | with: |
22 | | - node-version: 20 |
23 | | - registry-url: "https://registry.npmjs.org" |
| 34 | + node-version: "22" |
24 | 35 | cache: "pnpm" |
| 36 | + - name: Store package name |
| 37 | + id: packageName |
| 38 | + run: | |
| 39 | + PACKAGE_NAME=$(cat package.json | jq -r .name) |
| 40 | + echo "PACKAGE_NAME=$PACKAGE_NAME" |
| 41 | + echo "packageName=$PACKAGE_NAME" >> $GITHUB_OUTPUT |
| 42 | + - name: Install dependencies |
| 43 | + # No `--prefer-offline` flag here to allow pnpm to validate its cache |
| 44 | + # integrity. |
| 45 | + run: pnpm install --frozen-lockfile |
| 46 | + - name: List all dependencies for future reference |
| 47 | + run: pnpm list --depth=10000 |
| 48 | + - name: Build the project |
| 49 | + run: echo "This project doesn't have a build step" |
| 50 | + - name: Publish dry run for a light check of the package contents |
| 51 | + # Using --no-git-checks because we are releasing from a tag, |
| 52 | + # not a branch. Highly recommended to use the git-checks though. |
| 53 | + run: pnpm publish --dry-run --no-git-checks --tag ${{ env.NPM_TAG }} |
| 54 | + - name: Pack |
| 55 | + id: pack |
| 56 | + run: | |
| 57 | + FILENAME=$(pnpm pack --json | jq -r .filename) |
| 58 | + echo "FILENAME=$FILENAME" |
| 59 | + echo "filename=$FILENAME" >> $GITHUB_OUTPUT |
| 60 | + - name: Upload packed tarball |
| 61 | + uses: actions/upload-artifact@v4 |
| 62 | + with: |
| 63 | + name: ${{ steps.pack.outputs.filename }} |
| 64 | + path: ${{ steps.pack.outputs.filename }} |
| 65 | + retention-days: 2 |
| 66 | + overwrite: true |
| 67 | + if-no-files-found: error |
25 | 68 |
|
26 | | - - run: pnpm install --frozen-lockfile |
27 | | - |
28 | | - - run: pnpm lint |
29 | | - |
30 | | - - run: pnpm test |
| 69 | + review: |
| 70 | + needs: prepare |
| 71 | + runs-on: ubuntu-latest |
| 72 | + permissions: |
| 73 | + actions: read # To download the tarball to review |
| 74 | + steps: |
| 75 | + - name: Download packed tarball |
| 76 | + uses: actions/download-artifact@v4 |
| 77 | + with: |
| 78 | + name: ${{ needs.prepare.outputs.filename }} |
| 79 | + path: . |
| 80 | + - name: Download previous "@${{ env.NPM_TAG }}" version tarball |
| 81 | + run: | |
| 82 | + TARBALL_URL=$(npm view "${{ needs.prepare.outputs.packageName }}@${{ env.NPM_TAG }}" dist.tarball) |
| 83 | + curl -L "$TARBALL_URL" -o ${{ env.NPM_TAG }}.tgz |
| 84 | + TARBALL_NAME=$(basename "$TARBALL_URL") |
| 85 | + echo "Downloaded $TARBALL_NAME as ${{ env.NPM_TAG }}.tgz" |
| 86 | + - name: Prepare tarballs for comparisons |
| 87 | + run: | |
| 88 | + mkdir ${{ env.NPM_TAG }} |
| 89 | + tar -xzf ${{ env.NPM_TAG }}.tgz -C ${{ env.NPM_TAG }} |
| 90 | + mkdir proposed-version |
| 91 | + tar -xzf ${{ needs.prepare.outputs.filename }} -C proposed-version |
| 92 | + - name: List new, changed and deleted files |
| 93 | + run: | |
| 94 | + git diff --color=always --no-index --name-status ${{ env.NPM_TAG }} proposed-version || true |
| 95 | + - name: Compare package.json files |
| 96 | + run: | |
| 97 | + git diff --color=always --no-index ${{ env.NPM_TAG }}/package/package.json proposed-version/package/package.json || true |
31 | 98 |
|
32 | | - - name: Publish to npm |
| 99 | + publish: |
| 100 | + needs: [prepare, review] |
| 101 | + runs-on: ubuntu-latest |
| 102 | + environment: npm-publish |
| 103 | + permissions: |
| 104 | + actions: read # To download the tarball to publish |
| 105 | + id-token: write ## Needed for npm Trusted Publishing (OIDC) |
| 106 | + steps: |
| 107 | + - name: Download packed tarball |
| 108 | + uses: actions/download-artifact@v4 |
| 109 | + with: |
| 110 | + name: ${{ needs.prepare.outputs.filename }} |
| 111 | + path: . |
| 112 | + - name: Setup node to be able to update npm |
| 113 | + uses: actions/setup-node@v5 |
| 114 | + with: |
| 115 | + node-version: lts/* |
| 116 | + - name: Update npm to make sure it supports Trusted Publishing |
| 117 | + run: npm install -g npm@latest |
| 118 | + - name: Publish |
33 | 119 | run: | |
34 | | - VERSION=$(node -p "require('./package.json').version") |
35 | | - case $VERSION in |
36 | | - *-alpha.*) TAG="alpha" ;; |
37 | | - *-beta.*) TAG="beta" ;; |
38 | | - *-rc.*) TAG="next" ;; |
39 | | - *) TAG="latest" ;; |
40 | | - esac |
41 | | - pnpm publish --access public --no-git-checks --tag $TAG |
42 | | - env: |
43 | | - NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} |
44 | | - NPM_CONFIG_PROVENANCE: true |
| 120 | + echo "Publishing ${{ needs.prepare.outputs.filename }}" |
| 121 | + npm publish "${{ needs.prepare.outputs.filename }}" --tag ${{ env.NPM_TAG }} |
0 commit comments