internal: add 17.x.x publish automation

Author: yaacovCR

.github/CONTRIBUTING.md

@@ -86,28 +86,18 @@ Feel free to reach out via the [graphql-js channel](https://discord.com/channels
 
 ## Release on NPM
 
-_Only core contributors may release to NPM._
-
-To release a new version on NPM, first ensure all tests pass with `npm test`,
-then use `npm version patch|minor|major` in order to increment the version in
-package.json and tag and commit a release. Then `git push && git push --tags`
-to sync this change with source control. Then `npm publish npmDist` to actually
-publish the release to NPM.
-Once published, add [release notes](https://github.com/graphql/graphql-js/releases).
-Use [semver](https://semver.org/) to determine which version part to increment.
-
-Example for a patch release:
-
-```sh
-npm ci
-npm test
-npm version patch --ignore-scripts=false
-git push --follow-tags
-cd npmDist && npm publish
-npm run changelog
+Releases on `17.x.x` are managed by local scripts and GitHub Actions:
+
+```bash
+git switch 17.x.x
+git switch -c <my_release_branch>
+export GH_TOKEN=<token> # required to build changelog via GitHub API requests
+npm run release:prepare -- 17.x.x patch
 ```
 
-Then upload the changelog to [https://github.com/graphql/graphql-js/releases](https://github.com/graphql/graphql-js/releases).
+Push `<my_release_branch>`, open a PR from `<my_release_branch>` to `17.x.x`, wait for CI to pass, and merge.
+
+After merge, GitHub Actions runs the publish flow automatically. It is currently configured as a dry-run for testing.
 
 ## License
 

.github/workflows/release.yml

@@ -0,0 +1,120 @@
+name: Release
+on:
+  push:
+    branches:
+      - 17.x.x
+permissions: {}
+jobs:
+  check-publish:
+    name: Check for publish need and prepare artifacts
+    # Keep this guard on every job for defense-in-depth in case job dependencies are refactored.
+    if: ${{ !github.event.repository.fork && github.repository == 'graphql/graphql-js' && github.ref_name == '17.x.x' }}
+    runs-on: ubuntu-latest
+    outputs:
+      should_publish: ${{ steps.release_metadata.outputs.should_publish }}
+      tag: ${{ steps.release_metadata.outputs.tag }}
+      tarball_name: ${{ steps.release_metadata.outputs.tarball_name }}
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.ref_name }}
+      cancel-in-progress: true
+    permissions:
+      contents: read # for actions/checkout
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          cache: npm
+          node-version-file: '.node-version'
+
+      - name: Install Dependencies
+        run: npm ci --ignore-scripts
+
+      - name: Read release metadata
+        id: release_metadata
+        run: |
+          npm run --silent release:metadata >> "${GITHUB_OUTPUT}"
+
+      - name: Log publish decision
+        run: |
+          if [ "${{ steps.release_metadata.outputs.should_publish }}" = "true" ]; then
+            echo "${{ steps.release_metadata.outputs.package_spec }} is not published yet."
+          else
+            echo "${{ steps.release_metadata.outputs.package_spec }} is already published."
+          fi
+
+      - name: Build NPM package
+        if: steps.release_metadata.outputs.should_publish == 'true'
+        run: npm run build:npm
+
+      - name: Pack npmDist package
+        if: steps.release_metadata.outputs.should_publish == 'true'
+        run: npm pack ./npmDist --pack-destination . > /dev/null
+
+      - name: Upload npm package tarball
+        if: steps.release_metadata.outputs.should_publish == 'true'
+        uses: actions/upload-artifact@v4
+        with:
+          name: npmDist-tarball
+          path: ./${{ steps.release_metadata.outputs.tarball_name }}
+
+  publish-release:
+    name: Publish, tag, and create release
+    needs: check-publish
+    # Keep this guard on every job for defense-in-depth in case job dependencies are refactored.
+    if: ${{ !github.event.repository.fork && github.repository == 'graphql/graphql-js' && github.ref_name == '17.x.x' && needs.check-publish.outputs.should_publish == 'true' && needs.check-publish.result == 'success' }}
+    runs-on: ubuntu-latest
+    environment: release
+    permissions:
+      contents: write # for creating/pushing tag and creating GitHub release
+      id-token: write # for npm trusted publishing via OIDC
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version-file: '.node-version'
+
+      - name: Download npmDist package
+        uses: actions/download-artifact@v4
+        with:
+          name: npmDist-tarball
+          path: ./artifacts
+
+      - name: Verify package tarball is present
+        run: |
+          tarball="./artifacts/${{ needs.check-publish.outputs.tarball_name }}"
+          if [ ! -f "${tarball}" ]; then
+            echo "::error::Expected package tarball ${tarball} is missing."
+            exit 1
+          fi
+
+      - name: Create release if needed
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          release_notes_file="./artifacts/release-notes.md"
+          gh api "repos/${GITHUB_REPOSITORY}/commits/${GITHUB_SHA}" --jq '.commit.message' > "${release_notes_file}"
+          if [ ! -s "${release_notes_file}" ]; then
+            printf '## Release %s\n' "${{ needs.check-publish.outputs.tag }}" > "${release_notes_file}"
+          fi
+
+          if gh release view "${{ needs.check-publish.outputs.tag }}" > /dev/null 2>&1; then
+            echo "GitHub release ${{ needs.check-publish.outputs.tag }} already exists."
+          else
+            gh release create "${{ needs.check-publish.outputs.tag }}" \
+              --target "${GITHUB_SHA}" \
+              --title "${{ needs.check-publish.outputs.tag }}" \
+              --notes-file "${release_notes_file}"
+          fi
+
+      - name: Dry-run npm publish
+        run: npm publish --provenance --dry-run "./artifacts/${{ needs.check-publish.outputs.tarball_name }}"

package.json

@@ -33,6 +33,8 @@
     "version": "node --import ./resources/register-ts-node.js  resources/gen-version.ts && npm test && git add src/version.ts",
     "fuzzonly": "mocha --full-trace src/**/__tests__/**/*-fuzz.ts",
     "changelog": "node --import ./resources/register-ts-node.js  resources/gen-changelog.ts",
+    "release:prepare": "node --import ./resources/register-ts-node.js resources/release-prepare.ts",
+    "release:metadata": "node --import ./resources/register-ts-node.js resources/release-metadata.ts",
     "benchmark": "node --import ./resources/register-ts-node.js  resources/benchmark.ts",
     "test": "npm run lint && npm run check && npm run testonly:cover && npm run prettier:check && npm run check:spelling && npm run check:integrations",
     "lint": "eslint --cache --max-warnings 0 .",

resources/release-metadata.ts

@@ -0,0 +1,31 @@
+import { npm, readPackageJSON } from './utils.js';
+
+try {
+  const packageJSON = readPackageJSON();
+  const { version } = packageJSON;
+
+  if (typeof version !== 'string' || version === '') {
+    throw new Error('package.json is missing a valid "version" field.');
+  }
+
+  const tag = `v${version}`;
+  const packageSpec = `graphql@${version}`;
+  const tarballName = `graphql-${version}.tgz`;
+
+  const versionsJSON = npm().view('graphql', 'versions', '--json');
+  const parsedVersions = JSON.parse(versionsJSON) as unknown;
+  const versions = Array.isArray(parsedVersions)
+    ? parsedVersions
+    : [parsedVersions];
+  const shouldPublish = versions.includes(version) ? 'false' : 'true';
+
+  process.stdout.write(`version=${version}\n`);
+  process.stdout.write(`tag=${tag}\n`);
+  process.stdout.write(`package_spec=${packageSpec}\n`);
+  process.stdout.write(`tarball_name=${tarballName}\n`);
+  process.stdout.write(`should_publish=${shouldPublish}\n`);
+} catch (error) {
+  const message = error instanceof Error ? error.message : String(error);
+  process.stderr.write(message + '\n');
+  process.exit(1);
+}

resources/release-prepare.ts

@@ -0,0 +1,146 @@
+import { git, npm, readPackageJSON } from './utils.js';
+
+let args: ParsedArgs;
+try {
+  args = parseArgs(process.argv.slice(2));
+  ensureGitHubToken();
+  validateBranchState(args.releaseBranch);
+} catch (error) {
+  console.error(error instanceof Error ? error.message : String(error));
+  process.exit(1);
+}
+
+console.log('Running npm version without creating a tag...');
+npm().version(...args.npmVersionArgs, '--no-git-tag-version');
+
+const { version } = readPackageJSON();
+console.log(`Generating changelog for v${version}...`);
+const releaseChangelog = npm().runOutput('--silent', 'changelog');
+
+console.log('Creating release commit...');
+git().add('package.json', 'package-lock.json', 'src/version.ts');
+git().commit('-m', releaseChangelog);
+
+const currentBranch = git({ quiet: true }).revParse('--abbrev-ref', 'HEAD');
+
+console.log('');
+console.log(`Release commit created for v${version}.`);
+console.log(
+  `Next steps: push "${currentBranch}", open a PR to "${args.releaseBranch}", wait for CI, then merge.`,
+);
+
+interface ParsedArgs {
+  releaseBranch: string;
+  npmVersionArgs: Array<string>;
+}
+
+function parseArgs(rawArgs: ReadonlyArray<string>): ParsedArgs {
+  const releaseBranch = rawArgs[0];
+  if (releaseBranch == null || releaseBranch.trim() === '') {
+    throwUsage('Missing required release branch as the first argument.');
+  }
+
+  const npmVersionArgs = rawArgs.slice(1);
+  if (npmVersionArgs.length === 0) {
+    throwUsage(
+      'Missing npm version arguments (e.g. patch, major, prerelease --preid alpha).',
+    );
+  }
+
+  return {
+    releaseBranch,
+    npmVersionArgs,
+  };
+}
+
+function validateBranchState(releaseBranch: string): void {
+  const checkedBranch = git({ quiet: true }).revParse('--abbrev-ref', 'HEAD');
+  if (checkedBranch === 'HEAD') {
+    throw new Error(
+      'Git is in detached HEAD state (not on a local branch). ' +
+        'Switch to a local branch based on the release branch first, for example:\n' +
+        `  git switch -c release-${releaseBranch.replace(/[^a-zA-Z0-9._-]/g, '-')} ${releaseBranch}`,
+    );
+  }
+  if (checkedBranch === releaseBranch) {
+    throw new Error(
+      `Release prepare must not run on "${releaseBranch}". Create a local release branch first.`,
+    );
+  }
+
+  const status = git().status('--porcelain').trim();
+  if (status !== '') {
+    throw new Error(
+      'Working directory must be clean before running release:prepare.',
+    );
+  }
+
+  let releaseBranchHead: string;
+  try {
+    releaseBranchHead = git({ quiet: true }).revParse(releaseBranch);
+  } catch {
+    throw new Error(
+      `Release branch "${releaseBranch}" does not exist locally.`,
+    );
+  }
+
+  let releaseBranchUpstream: string;
+  try {
+    releaseBranchUpstream = git({ quiet: true }).revParse(
+      '--abbrev-ref',
+      `${releaseBranch}@{upstream}`,
+    );
+  } catch {
+    throw new Error(
+      `Release branch "${releaseBranch}" does not track a remote branch. ` +
+        'Set one first (for example: git branch --set-upstream-to ' +
+        `<remote>/${releaseBranch} ${releaseBranch}).`,
+    );
+  }
+
+  const upstreamRemote = releaseBranchUpstream.split('/')[0];
+  try {
+    git().fetch('--quiet', upstreamRemote, releaseBranch);
+  } catch {
+    throw new Error(
+      `Failed to fetch "${releaseBranchUpstream}". ` +
+        'Verify network access and git remote configuration, then retry.',
+    );
+  }
+
+  const upstreamReleaseBranchHead = git({ quiet: true }).revParse(
+    `${releaseBranch}@{upstream}`,
+  );
+  if (releaseBranchHead !== upstreamReleaseBranchHead) {
+    throw new Error(
+      `Local "${releaseBranch}" is not up to date with "${releaseBranchUpstream}". ` +
+        `Update it first (for example: git switch ${releaseBranch} && git pull --ff-only).`,
+    );
+  }
+
+  const currentHead = git({ quiet: true }).revParse('HEAD');
+  if (currentHead !== releaseBranchHead) {
+    throw new Error(
+      `Current branch "${checkedBranch}" must match "${releaseBranch}" before preparing a release.`,
+    );
+  }
+}
+
+function ensureGitHubToken(): void {
+  if (process.env.GH_TOKEN == null || process.env.GH_TOKEN.trim() === '') {
+    throw new Error(
+      'Missing GH_TOKEN environment variable.\n' +
+        'Example: GH_TOKEN=<token> npm run release:prepare -- 17.x.x patch',
+    );
+  }
+}
+
+function throwUsage(message: string): never {
+  throw new Error(
+    `${message}\n` +
+      'Usage: npm run release:prepare -- <release-branch> <npm version args>\n' +
+      'Examples:\n' +
+      '  npm run release:prepare -- 17.x.x patch\n' +
+      '  npm run release:prepare -- 17.x.x prerelease --preid alpha',
+  );
+}