From 4c78d5a6074dd92b8211ed60b788a77b468e0641 Mon Sep 17 00:00:00 2001
From: gnbm
Date: Mon, 17 Nov 2025 12:43:58 +0000
Subject: [PATCH 1/5] Move and renamed publish-npm workflow
---
.github/workflows/publish-npm.yml | 58 +++++++++++++++++++++++++++++
.github/workflows/release-ionic.yml | 16 ++++----
2 files changed, 66 insertions(+), 8 deletions(-)
create mode 100644 .github/workflows/publish-npm.yml
diff --git a/.github/workflows/publish-npm.yml b/.github/workflows/publish-npm.yml
new file mode 100644
index 00000000000..b4c174ba886
--- /dev/null
+++ b/.github/workflows/publish-npm.yml
@@ -0,0 +1,58 @@ +name: 'Release' +description: 'Releases a package' +inputs: + scope: + description: 'The package to release. Must match a package specified in lerna.json.' + version: + description: 'The type of version to release.' + tag: + description: 'The tag to publish to on NPM.' + preid: + description: "Prerelease identifier such as 'alpha', 'beta', 'rc', or 'next'. Leave blank to skip prerelease tagging." + working-directory: + description: 'The directory of the package.' + folder: + default: './' + description: 'A folder containing a package.json file.' + node-version: + description: 'Node.js version to use when publishing.' + required: false + default: '24.x' +runs: + using: 'composite' + steps: + - name: 🟒 Configure Node for Publish + uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0 + with: + node-version: ${{ inputs.node-version }} + registry-url: 'https://registry.npmjs.org' + # Provenance requires npm 9.5.0+ + - name: πŸ“¦ Install latest npm + run: npm install -g npm@latest + shell: bash + # This ensures the local version of Lerna is installed + # and that we do not use the global Lerna version + - name: πŸ•ΈοΈ Install root dependencies + run: npm ci + shell: bash + - name: πŸ“¦ Install Dependencies + run: npx lerna@5 bootstrap --include-dependencies --scope ${{ inputs.scope }} --ignore-scripts -- --legacy-peer-deps + shell: bash + working-directory: ${{ inputs.working-directory }} + - name: 🏷️ Set Version + run: | + if [ -z "${{ inputs.preid }}" ]; then + npx lerna@5 version ${{ inputs.version }} --yes --exact --no-changelog --no-push --no-git-tag-version + else + npx lerna@5 version ${{ inputs.version }} --yes --exact --no-changelog --no-push --no-git-tag-version --preid=${{ inputs.preid }} + fi + shell: bash + working-directory: ${{ inputs.working-directory }} + - name: πŸ—οΈ Run Build + run: npm run build + shell: bash + working-directory: ${{ inputs.working-directory }} + - name: πŸš€ Publish to NPM + run: npm 
publish ${{ inputs.folder }} --tag ${{ inputs.tag }} --provenance + shell: bash + working-directory: ${{ inputs.working-directory }} diff --git a/.github/workflows/release-ionic.yml b/.github/workflows/release-ionic.yml index dfac8f6f166..82d365b0a9c 100644 --- a/.github/workflows/release-ionic.yml +++ b/.github/workflows/release-ionic.yml @@ -24,7 +24,7 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - - uses: ./.github/workflows/actions/publish-npm + - uses: ./.github/workflows/publish-npm.yml with: scope: '@ionic/core' tag: ${{ inputs.tag }} @@ -55,7 +55,7 @@ jobs: name: ionic-docs path: ./packages/docs filename: DocsBuild.zip - - uses: ./.github/workflows/actions/publish-npm + - uses: ./.github/workflows/publish-npm.yml with: scope: '@ionic/docs' tag: ${{ inputs.tag }} @@ -74,7 +74,7 @@ jobs: name: ionic-core path: ./core filename: CoreBuild.zip - - uses: ./.github/workflows/actions/publish-npm + - uses: ./.github/workflows/publish-npm.yml with: scope: '@ionic/angular' tag: ${{ inputs.tag }} @@ -100,7 +100,7 @@ jobs: name: ionic-core path: ./core filename: CoreBuild.zip - - uses: ./.github/workflows/actions/publish-npm + - uses: ./.github/workflows/publish-npm.yml with: scope: '@ionic/react' tag: ${{ inputs.tag }} @@ -125,7 +125,7 @@ jobs: name: ionic-core path: ./core filename: CoreBuild.zip - - uses: ./.github/workflows/actions/publish-npm + - uses: ./.github/workflows/publish-npm.yml with: scope: '@ionic/vue' tag: ${{ inputs.tag }} @@ -150,7 +150,7 @@ jobs: name: ionic-core path: ./core filename: CoreBuild.zip - - uses: ./.github/workflows/actions/publish-npm + - uses: ./.github/workflows/publish-npm.yml with: scope: '@ionic/angular-server' tag: ${{ inputs.tag }} 
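Review bot: In publish-npm.yml the dependency-bootstrap, set-version and publish steps paste `${{ inputs.scope }}`, `${{ inputs.version }}`, `${{ inputs.preid }}`, `${{ inputs.folder }}` and `${{ inputs.tag }}` straight into the bash script text, so the runner expands them before the shell parses the line and any shell metacharacter in an input becomes part of the command, in a pipeline whose jobs are granted `id-token: write` elsewhere on this page. Passing each input through `env:` and using it as a quoted shell variable keeps the value as data; the sketch below shows that for the version and publish steps, and the bootstrap step's `--scope` would get the same treatment. Separately, `npm install -g npm@latest` and `npx lerna@5` float at publish time, so pinning both to reviewed versions would make the release toolchain reproducible.

```yaml
    # set-version step: inputs arrive as environment variables, not as script text
      env:
        VERSION: ${{ inputs.version }}
        PREID: ${{ inputs.preid }}
      run: |
        if [ -z "$PREID" ]; then
          npx lerna@5 version "$VERSION" --yes --exact --no-changelog --no-push --no-git-tag-version
        else
          npx lerna@5 version "$VERSION" --yes --exact --no-changelog --no-push --no-git-tag-version --preid="$PREID"
        fi
    # … unchanged: shell, working-directory, build step …
    # publish step
      env:
        FOLDER: ${{ inputs.folder }}
        TAG: ${{ inputs.tag }}
      run: npm publish "$FOLDER" --tag "$TAG" --provenance
```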
@@ -176,7 +176,7 @@ jobs: name: ionic-react path: ./packages/react filename: ReactBuild.zip - - uses: ./.github/workflows/actions/publish-npm + - uses: ./.github/workflows/publish-npm.yml with: scope: '@ionic/react-router' tag: ${{ inputs.tag }} @@ -201,7 +201,7 @@ jobs: name: ionic-vue path: ./packages/vue filename: VueBuild.zip - - uses: ./.github/workflows/actions/publish-npm + - uses: ./.github/workflows/publish-npm.yml with: scope: '@ionic/vue-router' tag: ${{ inputs.tag }} From 57921bd9c0f8c4a9b812771c2f937e86b6ea480a Mon Sep 17 00:00:00 2001 From: gnbm Date: Mon, 17 Nov 2025 16:48:48 +0000 Subject: [PATCH 2/5] Apply orchestrator method for npm trusted publishers --- .../workflows/actions/publish-npm/action.yml | 58 --------------- .github/workflows/dev-build.yml | 5 ++ .github/workflows/nightly.yml | 5 ++ .github/workflows/publish-npm.yml | 1 + .github/workflows/release-orchestrator.yml | 73 +++++++++++++++++++ .github/workflows/release.yml | 38 ++++++++++ 6 files changed, 122 insertions(+), 58 deletions(-) delete mode 100644 .github/workflows/actions/publish-npm/action.yml create mode 100644 .github/workflows/release-orchestrator.yml diff --git a/.github/workflows/actions/publish-npm/action.yml b/.github/workflows/actions/publish-npm/action.yml deleted file mode 100644 index b4c174ba886..00000000000 --- a/.github/workflows/actions/publish-npm/action.yml +++ /dev/null 
@@ -1,58 +0,0 @@ -name: 'Release' -description: 'Releases a package' -inputs: - scope: - description: 'The package to release. Must match a package specified in lerna.json.' - version: - description: 'The type of version to release.' - tag: - description: 'The tag to publish to on NPM.' - preid: - description: "Prerelease identifier such as 'alpha', 'beta', 'rc', or 'next'. Leave blank to skip prerelease tagging." - working-directory: - description: 'The directory of the package.' - folder: - default: './' - description: 'A folder containing a package.json file.' - node-version: - description: 'Node.js version to use when publishing.' - required: false - default: '24.x' -runs: - using: 'composite' - steps: - - name: 🟒 Configure Node for Publish - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0 - with: - node-version: ${{ inputs.node-version }} - registry-url: 'https://registry.npmjs.org' - # Provenance requires npm 9.5.0+ - - name: πŸ“¦ Install latest npm - run: npm install -g npm@latest - shell: bash - # This ensures the local version of Lerna is installed - # and that we do not use the global Lerna version - - name: πŸ•ΈοΈ Install root dependencies - run: npm ci - shell: bash - - name: πŸ“¦ Install Dependencies - run: npx lerna@5 bootstrap --include-dependencies --scope ${{ inputs.scope }} --ignore-scripts -- --legacy-peer-deps - shell: bash - working-directory: ${{ inputs.working-directory }} - - name: 🏷️ Set Version - run: | - if [ -z "${{ inputs.preid }}" ]; then - npx lerna@5 version ${{ inputs.version }} --yes --exact --no-changelog --no-push --no-git-tag-version - else - npx lerna@5 version ${{ inputs.version }} --yes --exact --no-changelog --no-push --no-git-tag-version --preid=${{ inputs.preid }} - fi - shell: bash - working-directory: ${{ inputs.working-directory }} - - name: πŸ—οΈ Run Build - run: npm run build - shell: bash - working-directory: ${{ inputs.working-directory }} - - name: πŸš€ Publish to NPM - run: npm 
publish ${{ inputs.folder }} --tag ${{ inputs.tag }} --provenance - shell: bash - working-directory: ${{ inputs.working-directory }} diff --git a/.github/workflows/dev-build.yml b/.github/workflows/dev-build.yml index 0f554f4d273..0231e43f663 100644 --- a/.github/workflows/dev-build.yml +++ b/.github/workflows/dev-build.yml @@ -2,6 +2,11 @@ name: 'Ionic Dev Build' on: workflow_dispatch: + workflow_call: + +permissions: + contents: read + id-token: write jobs: create-dev-hash: diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml index 504a1b14aa5..e2f5d57c78c 100644 --- a/.github/workflows/nightly.yml +++ b/.github/workflows/nightly.yml @@ -5,6 +5,11 @@ on: # Run every Monday-Friday # at 6:00 UTC (6:00 am UTC) - cron: '00 06 * * 1-5' + workflow_call: + +permissions: + contents: read + id-token: write jobs: create-nightly-hash: diff --git a/.github/workflows/publish-npm.yml b/.github/workflows/publish-npm.yml index b4c174ba886..9730f0e43eb 100644 --- a/.github/workflows/publish-npm.yml +++ b/.github/workflows/publish-npm.yml @@ -26,6 +26,7 @@ runs: with: node-version: ${{ inputs.node-version }} registry-url: 'https://registry.npmjs.org' + scope: '@ionic' # Provenance requires npm 9.5.0+ - name: πŸ“¦ Install latest npm run: npm install -g npm@latest diff --git a/.github/workflows/release-orchestrator.yml b/.github/workflows/release-orchestrator.yml new file mode 100644 index 00000000000..f14706363ad --- /dev/null +++ b/.github/workflows/release-orchestrator.yml 
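Review bot: The workflow-level `permissions:` block added to dev-build.yml grants `id-token: write` to every job in the file, including `create-dev-hash`, whose body is outside the hunk but which does not appear to publish anything. Later hunks on this page show that `release-ionic` already declares its own job-level `id-token: write`, so the workflow default could be just `contents: read`, leaving the OIDC token available only to the job that publishes. The same applies to the identical block added to nightly.yml and its `create-nightly-hash` job.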
@@ -0,0 +1,73 @@
+name: 'Ionic Release'
+
+on:
+ schedule:
+ # Run every Monday-Friday
+ # at 6:00 UTC (6:00 am UTC)
+ - cron: '00 06 * * 1-5'
+ workflow_dispatch:
+ inputs:
+ release-type:
+ description: 'Which Ionic release workflow should run?'
+ required: true
+ type: choice
+ default: nightly
+ options:
+ - dev
+ - nightly
+ - production
+ version:
+ description: 'Which version should be published? (Only for production releases)'
+ required: false
+ type: choice
+ options:
+ - patch
+ - minor
+ - major
+ - prepatch
+ - preminor
+ - premajor
+ - prerelease
+ tag:
+ description: 'Which npm tag should this be published to? (Only for production releases)'
+ required: false
+ type: choice
+ default: latest
+ options:
+ - latest
+ - next
+ preid:
+ description: 'Which prerelease identifier should be used? (Only for production releases)'
+ required: false
+ type: choice
+ default: ''
+ options:
+ - ''
+ - alpha
+ - beta
+ - rc
+ - next
+
+permissions:
+ contents: read
+ id-token: write
+
+jobs:
+ run-nightly:
+ if: ${{ github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && inputs.release-type == 'nightly') }}
+ uses: ./.github/workflows/nightly.yml
+ secrets: inherit
+
+ run-dev:
+ if: ${{ github.event_name == 'workflow_dispatch' && inputs.release-type == 'dev' }}
+ uses: ./.github/workflows/dev-build.yml
+ secrets: inherit
+
+ run-production:
+ if: ${{ github.event_name == 'workflow_dispatch' && inputs.release-type == 'production' }}
+ uses: ./.github/workflows/release.yml
+ secrets: inherit
+ with:
+ version: ${{ inputs.version }}
+ tag: ${{ inputs.tag }}
+ preid: ${{ inputs.preid }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 93938b8bf9f..6b20b89689e 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
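Review bot: All three jobs in release-orchestrator.yml call their reusable workflow with `secrets: inherit`, which exposes every secret the repository can see to the callee and everything it runs, although the series appears to be moving publishing to OIDC (`id-token: write`, `--provenance`). If the called workflows need no secrets the line can be dropped; otherwise pass them by name, for example `secrets:` with `EXAMPLE_TOKEN: ${{ secrets.EXAMPLE_TOKEN }}` (placeholder name). Nothing visible here ties `run-production` to a protected ref either, so a condition on `github.ref` or a protected environment on the publishing job in release.yml would be worth adding. A short header comment stating that this file is the single entry point for dev, nightly and production releases would also help, since the later patches on this page strip the triggers from the three called workflows.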
@@ -32,9 +32,47 @@ on: - beta - rc - next + workflow_call: + inputs: + version: + description: 'Which version should be published?' + required: true + type: string + tag: + description: 'Which npm tag should this be published to?' + required: true + type: string + preid: + description: 'Which prerelease identifier should be used? This is only needed when version is "prepatch", "preminor", "premajor", or "prerelease".' + required: false + type: string + +permissions: + contents: read + id-token: write jobs: + validate_version: + name: βœ… Validate Version Input + runs-on: ubuntu-latest + steps: + - name: πŸ”Ž Ensure version is allowed + env: + VERSION: ${{ inputs.version }} + run: | + case "$VERSION" in + patch|minor|major|prepatch|preminor|premajor|prerelease) + exit 0 + ;; + *) + echo "::error::Invalid version input: '$VERSION'. Allowed values: patch, minor, major, prepatch, preminor, premajor, prerelease." + exit 1 + ;; + esac + shell: bash + release-ionic: + needs: [validate_version] permissions: contents: read id-token: write From 9a22077e4073309b65daa6708d8bdd367da2e2b6 Mon Sep 17 00:00:00 2001 From: gnbm Date: Mon, 17 Nov 2025 18:44:57 +0000 Subject: [PATCH 3/5] Fix permissions and adapt workflow triggers --- .github/workflows/dev-build.yml | 2 +- .github/workflows/nightly.yml | 5 +---- .github/workflows/release.yml | 31 ------------------------------- 3 files changed, 2 insertions(+), 36 deletions(-) diff --git a/.github/workflows/dev-build.yml b/.github/workflows/dev-build.yml index 0231e43f663..154f1556175 100644 --- a/.github/workflows/dev-build.yml +++ b/.github/workflows/dev-build.yml @@ -1,7 +1,6 @@ name: 'Ionic Dev Build' on: - workflow_dispatch: workflow_call: permissions: @@ -30,6 +29,7 @@ jobs: release-ionic: needs: [create-dev-hash] permissions: + contents: read id-token: write uses: ./.github/workflows/release-ionic.yml with: diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml index e2f5d57c78c..af5f64370ea 100644 
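Review bot: The new `validate_version` job in release.yml checks only `version`, while the `workflow_call` inputs `tag` and `preid` are now free-form `type: string` values that end up in the `npm publish --tag` and `lerna version --preid=` command lines of the publish action. Validating them in the same step against the lists the dispatch form offers (`latest`/`next`, and empty/`alpha`/`beta`/`rc`/`next`) closes that gap; the `exit 0` in the existing `case` has to become a plain `;;` so the later checks still run. The job also inherits the workflow-level `id-token: write` it does not need, which `permissions: {}` on `validate_version` would remove. Only `release-ionic` is shown gaining `needs: [validate_version]`; any other publishing job outside the hunk would need it too.

```yaml
      - name: Ensure inputs are allowed
        env:
          VERSION: ${{ inputs.version }}
          TAG: ${{ inputs.tag }}
          PREID: ${{ inputs.preid }}
        run: |
          case "$VERSION" in
            patch|minor|major|prepatch|preminor|premajor|prerelease) ;;
            # … unchanged: error branch for VERSION …
          esac
          case "$TAG" in
            latest|next) ;;
            *)
              echo "::error::Invalid tag input: '$TAG'. Allowed values: latest, next."
              exit 1
              ;;
          esac
          case "$PREID" in
            ''|alpha|beta|rc|next) ;;
            *)
              echo "::error::Invalid preid input: '$PREID'. Allowed values: alpha, beta, rc, next, or empty."
              exit 1
              ;;
          esac
```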
--- a/.github/workflows/nightly.yml +++ b/.github/workflows/nightly.yml @@ -1,10 +1,6 @@ name: 'Ionic Nightly Build' on: - schedule: - # Run every Monday-Friday - # at 6:00 UTC (6:00 am UTC) - - cron: '00 06 * * 1-5' workflow_call: permissions: @@ -35,6 +31,7 @@ jobs: release-ionic: needs: [create-nightly-hash] permissions: + contents: read id-token: write uses: ./.github/workflows/release-ionic.yml with: diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 6b20b89689e..02bcb16b4ac 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -1,37 +1,6 @@ name: 'Ionic Production Release' on: - workflow_dispatch: - inputs: - version: - required: true - type: choice - description: Which version should be published? - options: - - patch - - minor - - major - - prepatch - - preminor - - premajor - - prerelease - tag: - required: true - type: choice - description: Which npm tag should this be published to? - options: - - latest - - next - preid: - type: choice - description: Which prerelease identifier should be used? This is only needed when version is "prepatch", "preminor", "premajor", or "prerelease". - default: '' - options: - - '' - - alpha - - beta - - rc - - next workflow_call: inputs: version: From 07e337151af742aec4640deb68afbd4084d71c17 Mon Sep 17 00:00:00 2001 From: gnbm Date: Mon, 17 Nov 2025 18:50:36 +0000 Subject: [PATCH 4/5] Update release-orchestrator.yml --- .github/workflows/release-orchestrator.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release-orchestrator.yml b/.github/workflows/release-orchestrator.yml index f14706363ad..cbbed32290f 100644 --- a/.github/workflows/release-orchestrator.yml +++ b/.github/workflows/release-orchestrator.yml @@ -1,4 +1,4 @@ -name: 'Ionic Release' +name: 'Release - Ionic Framework' on: schedule: From a4bac8c0773c40824834c5797b67226ef0e53dfc Mon Sep 17 00:00:00 2001 
From: gnbm Date: Mon, 17 Nov 2025 19:03:02 +0000 Subject: [PATCH 5/5] Fix issue running workflow Fixed the issue. Composite actions must be in .github/actions/, not .github/workflows/. --- .../publish-npm/action.yml} | 1 + .github/workflows/release-ionic.yml | 16 ++++++++-------- 2 files changed, 9 insertions(+), 8 deletions(-) rename .github/{workflows/publish-npm.yml => actions/publish-npm/action.yml} (99%) diff --git a/.github/workflows/publish-npm.yml b/.github/actions/publish-npm/action.yml similarity index 99% rename from .github/workflows/publish-npm.yml rename to .github/actions/publish-npm/action.yml index 9730f0e43eb..3e58ba9bcc6 100644 --- a/.github/workflows/publish-npm.yml +++ b/.github/actions/publish-npm/action.yml @@ -57,3 +57,4 @@ runs: run: npm publish ${{ inputs.folder }} --tag ${{ inputs.tag }} --provenance shell: bash working-directory: ${{ inputs.working-directory }} + diff --git a/.github/workflows/release-ionic.yml b/.github/workflows/release-ionic.yml index 82d365b0a9c..7e37e93be15 100644 --- a/.github/workflows/release-ionic.yml +++ b/.github/workflows/release-ionic.yml @@ -24,7 +24,7 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - - uses: ./.github/workflows/publish-npm.yml + - uses: ./.github/actions/publish-npm with: scope: '@ionic/core' tag: ${{ inputs.tag }} @@ -55,7 +55,7 @@ jobs: name: ionic-docs path: ./packages/docs filename: DocsBuild.zip - - uses: ./.github/workflows/publish-npm.yml + - uses: ./.github/actions/publish-npm with: scope: '@ionic/docs' tag: ${{ inputs.tag }} @@ -74,7 +74,7 @@ jobs: name: ionic-core path: ./core filename: CoreBuild.zip - - uses: ./.github/workflows/publish-npm.yml + - uses: ./.github/actions/publish-npm with: scope: '@ionic/angular' tag: ${{ inputs.tag }} 
@@ -100,7 +100,7 @@ jobs: name: ionic-core path: ./core filename: CoreBuild.zip - - uses: ./.github/workflows/publish-npm.yml + - uses: ./.github/actions/publish-npm with: scope: '@ionic/react' tag: ${{ inputs.tag }} @@ -125,7 +125,7 @@ jobs: name: ionic-core path: ./core filename: CoreBuild.zip - - uses: ./.github/workflows/publish-npm.yml + - uses: ./.github/actions/publish-npm with: scope: '@ionic/vue' tag: ${{ inputs.tag }} @@ -150,7 +150,7 @@ jobs: name: ionic-core path: ./core filename: CoreBuild.zip - - uses: ./.github/workflows/publish-npm.yml + - uses: ./.github/actions/publish-npm with: scope: '@ionic/angular-server' tag: ${{ inputs.tag }} @@ -176,7 +176,7 @@ jobs: name: ionic-react path: ./packages/react filename: ReactBuild.zip - - uses: ./.github/workflows/publish-npm.yml + - uses: ./.github/actions/publish-npm with: scope: '@ionic/react-router' tag: ${{ inputs.tag }} @@ -201,7 +201,7 @@ jobs: name: ionic-vue path: ./packages/vue filename: VueBuild.zip - - uses: ./.github/workflows/publish-npm.yml + - uses: ./.github/actions/publish-npm with: scope: '@ionic/vue-router' tag: ${{ inputs.tag }}