11# This Manually Executable Workflow is for NPM Releases
2-
32name : Release [Manual]
43on : workflow_dispatch
4+
55permissions :
66 contents : write
7+ id-token : write # REQUIRED for trusted publishing
8+
79jobs :
810 Release :
911 runs-on : ubuntu-latest
12+ # Specify environment if you configured one in npm
13+ # environment: production # Uncomment if you set an environment name in npm trusted publisher settings
14+
1015 steps :
1116 - uses : actions/checkout@v3
1217 with :
1318 # fetch-depth is necessary to get all tags
1419 # otherwise lerna can't detect the changes and will end up bumping the versions for all packages
1520 fetch-depth : 0
1621 token : ${{ secrets.RELEASE_COMMIT_GH_PAT }}
22+
1723 - name : Setup Node
18- uses : actions/setup-node@v3
24+ uses : actions/setup-node@v4 # UPDATED to v4
1925 with :
20- node-version : ' 20.x'
26+ node-version : ' 22'
27+ registry-url : ' https://registry.npmjs.org'
28+ always-auth : false # important for trusted publishing
29+
2130 - name : Configure CI Git User
2231 run : |
2332 git config --global user.name $CONFIG_USERNAME
2433 git config --global user.email $CONFIG_EMAIL
25- git remote set-url origin https://$GITHUB_ACTOR:[email protected] /sourcefuse/loopback4-message-bus-connector 34+ git remote set-url origin https://$GITHUB_ACTOR:[email protected] /sourcefuse/loopback4-notifications 2635env :
2736 GITHUB_PAT : ${{ secrets.RELEASE_COMMIT_GH_PAT }}
2837 CONFIG_USERNAME : ${{ vars.RELEASE_COMMIT_USERNAME }}
2938 CONFIG_EMAIL : ${{ vars.RELEASE_COMMIT_EMAIL }}
30- - name : Authenticate with Registry
31- run : |
32- echo "@${NPM_USERNAME}:registry=https://registry.npmjs.org/" > .npmrc
33- echo "registry=https://registry.npmjs.org/" >> .npmrc
34- echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN" >> .npmrc
35- npm whoami
36- env :
37- NPM_TOKEN : ${{ secrets.NPM_TOKEN }}
38- NPM_USERNAME : ${{ vars.NPM_USERNAME }}
3939
4040 - name : Install 📌
41- run : |
42- npm install
41+ run : npm install
42+
4343 - name : Test 🔧
4444 run : npm run test
45+
46+ # ✅ CHANGED THIS SECTION
4547 - name : Semantic Publish to NPM 🚀
46- # "HUSKY=0" disables pre-commit-msg check (Needed in order to allow semantic-release perform the release commit)
47- run : HUSKY=0 npx semantic-release
48+ run : |
49+ npm config set provenance true
50+
51+ HUSKY=0 npx semantic-release
4852env :
4953 GH_TOKEN : ${{ secrets.RELEASE_COMMIT_GH_PAT }}
50- NPM_TOKEN : ${{ secrets.NPM_TOKEN }}
54+ # REMOVED: NPM_TOKEN is not needed with trusted publishing
55+ # The id-token: write permission above handles authentication
56+
5157 - name : Changelog 📝
52- run : cd src/release_notes && HUSKY=0 node release-notes.js
58+ run : cd src/release_notes && HUSKY=0 node release-notes.js
0 commit comments