internal: add 17.x.x publish automation

Author: yaacovCR

.github/CONTRIBUTING.md

@@ -86,28 +86,18 @@ Feel free to reach out via the [graphql-js channel](https://discord.com/channels
 
 ## Release on NPM
 
-_Only core contributors may release to NPM._
-
-To release a new version on NPM, first ensure all tests pass with `npm test`,
-then use `npm version patch|minor|major` in order to increment the version in
-package.json and tag and commit a release. Then `git push && git push --tags`
-to sync this change with source control. Then `npm publish npmDist` to actually
-publish the release to NPM.
-Once published, add [release notes](https://github.com/graphql/graphql-js/releases).
-Use [semver](https://semver.org/) to determine which version part to increment.
-
-Example for a patch release:
-
-```sh
-npm ci
-npm test
-npm version patch --ignore-scripts=false
-git push --follow-tags
-cd npmDist && npm publish
-npm run changelog
+Releases on `17.x.x` are managed by local scripts and GitHub Actions:
+
+```bash
+git switch 17.x.x
+git switch -c <my_release_branch>
+export GH_TOKEN=<token> # required to build changelog via GitHub API requests
+npm run release:prepare -- 17.x.x patch
 ```
 
-Then upload the changelog to [https://github.com/graphql/graphql-js/releases](https://github.com/graphql/graphql-js/releases).
+Push `<my_release_branch>`, open a PR from `<my_release_branch>` to `17.x.x`, wait for CI to pass, and merge.
+
+After merge, GitHub Actions runs the publish flow automatically. It is currently configured as a dry-run for testing.
 
 ## License
 

.github/workflows/release.yml

@@ -0,0 +1,120 @@
+name: Release
+on:
+  push:
+    branches:
+      - 17.x.x
+permissions: {}
+jobs:
+  check-publish:
+    name: Check for publish need and prepare artifacts
+    # Keep this guard on every job for defense-in-depth in case job dependencies are refactored.
+    if: ${{ !github.event.repository.fork && github.repository == 'graphql/graphql-js' && github.ref_name == '17.x.x' }}
+    runs-on: ubuntu-latest
+    outputs:
+      should_publish: ${{ steps.release_metadata.outputs.should_publish }}
+      tag: ${{ steps.release_metadata.outputs.tag }}
+      tarball_name: ${{ steps.release_metadata.outputs.tarball_name }}
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.ref_name }}
+      cancel-in-progress: true
+    permissions:
+      contents: read # for actions/checkout
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          cache: npm
+          node-version-file: '.node-version'
+
+      - name: Install Dependencies
+        run: npm ci --ignore-scripts
+
+      - name: Read release metadata
+        id: release_metadata
+        run: |
+          npm run --silent release:metadata >> "${GITHUB_OUTPUT}"
+
+      - name: Log publish decision
+        run: |
+          if [ "${{ steps.release_metadata.outputs.should_publish }}" = "true" ]; then
+            echo "${{ steps.release_metadata.outputs.package_spec }} is not published yet."
+          else
+            echo "${{ steps.release_metadata.outputs.package_spec }} is already published."
+          fi
+
+      - name: Build NPM package
+        if: steps.release_metadata.outputs.should_publish == 'true'
+        run: npm run build:npm
+
+      - name: Pack npmDist package
+        if: steps.release_metadata.outputs.should_publish == 'true'
+        run: npm pack ./npmDist --pack-destination . > /dev/null
+
+      - name: Upload npm package tarball
+        if: steps.release_metadata.outputs.should_publish == 'true'
+        uses: actions/upload-artifact@v4
+        with:
+          name: npmDist-tarball
+          path: ./${{ steps.release_metadata.outputs.tarball_name }}
+
+  publish-release:
+    name: Publish, tag, and create release
+    needs: check-publish
+    # Keep this guard on every job for defense-in-depth in case job dependencies are refactored.
+    if: ${{ !github.event.repository.fork && github.repository == 'graphql/graphql-js' && github.ref_name == '17.x.x' && needs.check-publish.outputs.should_publish == 'true' && needs.check-publish.result == 'success' }}
+    runs-on: ubuntu-latest
+    environment: release
+    permissions:
+      contents: write # for creating/pushing tag and creating GitHub release
+      id-token: write # for npm trusted publishing via OIDC
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version-file: '.node-version'
+
+      - name: Download npmDist package
+        uses: actions/download-artifact@v4
+        with:
+          name: npmDist-tarball
+          path: ./artifacts
+
+      - name: Verify package tarball is present
+        run: |
+          tarball="./artifacts/${{ needs.check-publish.outputs.tarball_name }}"
+          if [ ! -f "${tarball}" ]; then
+            echo "::error::Expected package tarball ${tarball} is missing."
+            exit 1
+          fi
+
+      - name: Create release if needed
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          release_notes_file="./artifacts/release-notes.md"
+          gh api "repos/${GITHUB_REPOSITORY}/commits/${GITHUB_SHA}" --jq '.commit.message' > "${release_notes_file}"
+          if [ ! -s "${release_notes_file}" ]; then
+            printf '## Release %s\n' "${{ needs.check-publish.outputs.tag }}" > "${release_notes_file}"
+          fi
+
+          if gh release view "${{ needs.check-publish.outputs.tag }}" > /dev/null 2>&1; then
+            echo "GitHub release ${{ needs.check-publish.outputs.tag }} already exists."
+          else
+            gh release create "${{ needs.check-publish.outputs.tag }}" \
+              --target "${GITHUB_SHA}" \
+              --title "${{ needs.check-publish.outputs.tag }}" \
+              --notes-file "${release_notes_file}"
+          fi
+
+      - name: Dry-run npm publish
+        run: npm publish --provenance --dry-run "./artifacts/${{ needs.check-publish.outputs.tarball_name }}"

package.json

@@ -33,6 +33,8 @@
     "version": "node --import ./resources/register-ts-node.js  resources/gen-version.ts && npm test && git add src/version.ts",
     "fuzzonly": "mocha --full-trace src/**/__tests__/**/*-fuzz.ts",
     "changelog": "node --import ./resources/register-ts-node.js  resources/gen-changelog.ts",
+    "release:prepare": "node --import ./resources/register-ts-node.js resources/release-prepare.ts",
+    "release:metadata": "node --import ./resources/register-ts-node.js resources/release-metadata.ts",
     "benchmark": "node --import ./resources/register-ts-node.js  resources/benchmark.ts",
     "test": "npm run lint && npm run check && npm run testonly:cover && npm run prettier:check && npm run check:spelling && npm run check:integrations",
     "lint": "eslint --cache --max-warnings 0 .",

resources/gen-changelog.ts

@@ -55,19 +55,36 @@ const { githubOrg, githubRepo } = repoURLMatch.groups;
 
 process.stdout.write(await genChangeLog());
 
+function parseFromRevArg(rawArgs: ReadonlyArray<string>): string | null {
+  if (rawArgs.length === 0) {
+    return null;
+  }
+
+  if (rawArgs.length === 1 && rawArgs[0].trim() !== '') {
+    return rawArgs[0];
+  }
+
+  throw new Error(
+    'Usage: npm run changelog [-- <fromRev>]\n' +
+      'Example: npm run changelog -- d41f59bbfdfc207712a2fc3778934694a3410ddf',
+  );
+}
+
 async function genChangeLog(): Promise<string> {
   const { version } = packageJSON;
   const releaseTag = `v${version}`;
-  let tag: string | null = null;
-  let commitsList: Array<string>;
-  try {
-    commitsList = git().revList('--reverse', `${releaseTag}..`);
-  } catch {
+  const releaseTagExists = git().tagExists(releaseTag);
+  const tag = releaseTagExists ? null : releaseTag;
+  let baseRef = parseFromRevArg(process.argv.slice(2));
+  if (releaseTagExists) {
+    baseRef ??= releaseTag;
+  } else if (baseRef == null) {
     const parentPackageJSON = git().catFile('blob', 'HEAD~1:package.json');
     const parentVersion = JSON.parse(parentPackageJSON).version;
-    commitsList = git().revList('--reverse', `v${parentVersion}..HEAD~1`);
-    tag = releaseTag;
+    baseRef = `v${parentVersion}`;
   }
+  const commitsRange = releaseTagExists ? `${baseRef}..` : `${baseRef}..HEAD~1`;
+  const commitsList = git().revList('--reverse', commitsRange);
 
   const allPRs = await getPRsInfo(commitsList);
   const date = git().log('-1', '--format=%cd', '--date=short');

resources/release-metadata.ts

@@ -0,0 +1,31 @@
+import { npm, readPackageJSON } from './utils.js';
+
+try {
+  const packageJSON = readPackageJSON();
+  const { version } = packageJSON;
+
+  if (typeof version !== 'string' || version === '') {
+    throw new Error('package.json is missing a valid "version" field.');
+  }
+
+  const tag = `v${version}`;
+  const packageSpec = `graphql@${version}`;
+  const tarballName = `graphql-${version}.tgz`;
+
+  const versionsJSON = npm().view('graphql', 'versions', '--json');
+  const parsedVersions = JSON.parse(versionsJSON) as unknown;
+  const versions = Array.isArray(parsedVersions)
+    ? parsedVersions
+    : [parsedVersions];
+  const shouldPublish = versions.includes(version) ? 'false' : 'true';
+
+  process.stdout.write(`version=${version}\n`);
+  process.stdout.write(`tag=${tag}\n`);
+  process.stdout.write(`package_spec=${packageSpec}\n`);
+  process.stdout.write(`tarball_name=${tarballName}\n`);
+  process.stdout.write(`should_publish=${shouldPublish}\n`);
+} catch (error) {
+  const message = error instanceof Error ? error.message : String(error);
+  process.stderr.write(message + '\n');
+  process.exit(1);
+}