From dcfdd2f36d580987d76b62563f289c36f78c8d2b Mon Sep 17 00:00:00 2001 From: Steve Konves Date: Sat, 15 Mar 2025 20:16:15 -0700 Subject: [PATCH] chore: support publishing with provenance --- .github/workflows/publish.yml | 57 +++++++++++++++++++++++++++++++++++ .github/workflows/version.yml | 56 ++++++++++++++++++++++++++++++++++ 2 files changed, 113 insertions(+) create mode 100644 .github/workflows/publish.yml create mode 100644 .github/workflows/version.yml diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml new file mode 100644 index 0000000..1075fa1 --- /dev/null +++ b/.github/workflows/publish.yml 
@@ -0,0 +1,57 @@ +name: Publish + +on: + pull_request: + types: + - closed + +jobs: + compare: + if: github.event.pull_request.merged == true + runs-on: ubuntu-latest + outputs: + base_version: ${{ steps.base.outputs.version }} + current_version: ${{ steps.current.outputs.version }} + steps: + - uses: actions/checkout@v3 + with: + ref: ${{ github.event.pull_request.base.sha }} + - id: base + run: echo "version=$(jq -r .version < package.json)" >> "$GITHUB_OUTPUT" + - uses: actions/checkout@v3 + - id: current + run: echo "version=$(jq -r .version < package.json)" >> "$GITHUB_OUTPUT" + publish: + needs: compare + if: needs.compare.outputs.base_version != needs.compare.outputs.current_version + runs-on: ubuntu-latest + permissions: + contents: write + discussions: write + id-token: write + pull-requests: write + steps: + - uses: actions/checkout@v3 + - uses: actions/setup-node@v3 + with: + node-version: 22 + registry-url: "https://registry.npmjs.org" + - name: Tag + run: | + git tag v$(jq -r .version < package.json) + git push origin v$(jq -r .version < package.json) + gh pr comment ${{ github.event.number }} --body "Created tag [v$(jq -r .version < package.json)](https://github.com/${{ github.repository }}/releases/tag/v$(jq -r .version < package.json))." + shell: bash + env: + GH_TOKEN: ${{ github.token }} + - name: Publish to NPM + run: | + npm ci + npm publish --provenance --tag $(if [[ $(jq .version < package.json) =~ [0-9]+\.[0-9]+\.[0-9]+\-([^\.]+) ]]; then echo ${BASH_REMATCH[1]}; else echo "latest"; fi) --access public + gh pr comment ${{ github.event.number }} --body "🎉 Successfully published version [$(jq -r .version < package.json)](https://www.npmjs.com/package/$(jq -r .name < package.json)/v/$(jq -r .version < package.json)) to NPM! 
+ + Install this version: \`npm i $(jq -r .name < package.json)@$(if [[ $(jq .version < package.json) =~ [0-9]+\.[0-9]+\.[0-9]+\-([^\.]+) ]]; then echo ${BASH_REMATCH[1]}; else echo "latest"; fi)\`" + shell: bash + env: + NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} + GH_TOKEN: ${{ github.token }} diff --git a/.github/workflows/version.yml b/.github/workflows/version.yml new file mode 100644 index 0000000..8e94537 --- /dev/null +++ b/.github/workflows/version.yml 
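Review bot: Both `actions/checkout@v3` steps on the publish path use the event's default ref, which for a `pull_request` event is the PR's test-merge commit rather than the commit that landed on the base branch, so the Tag step's `git tag`/`git push` and the source commit recorded by `npm publish --provenance` would, as far as I can tell, reference a commit that is not on the base branch (certainly for squash and rebase merges). Adding `ref: ${{ github.event.pull_request.merge_commit_sha }}` to the second checkout in `compare` and the checkout in `publish` makes the tag, the published tarball and the provenance statement agree on the merged commit. The dist-tag expression on the `npm publish` line also runs `jq .version` without `-r`, so for a prerelease without a dotted suffix such as `1.0.0-rc` the `[^\.]+` capture swallows the closing quote and the tag passed is `rc"`; use `jq -r .version` there and in the `Install this version` line. Since this job holds a long-lived `NPM_TOKEN` plus an OIDC token, it is also worth dropping the unused `discussions: write` permission and pinning `actions/checkout` and `actions/setup-node` to commit SHAs rather than mutable `@v3` tags.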
@@ -0,0 +1,56 @@ +name: Version + +on: + workflow_dispatch: + inputs: + newversion: + description: "npm version [ | major | minor | patch | premajor | preminor | prepatch | prerelease | from-git]" + required: true + preid: + description: 'The "prerelease identifier" to use as a prefix for the "prerelease" part of a semver.' + required: false + +jobs: + npm-version: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - name: Prepare git + run: | + git config user.name "${GITHUB_ACTOR}" + git config user.email "${GITHUB_ACTOR}@users.noreply.github.com" + shell: bash + - name: Bump version + run: | + npm version ${{ github.event.inputs.newversion }} --preid ${{ github.event.inputs.preid }} --git-tag-version false + if [[ -z $(git ls-remote origin $(jq -r .version < package.json)) ]]; then echo "Created new version $(jq -r .version < package.json)"; else echo "Tag $(jq -r .version < package.json) already exists!" && exit 1 ; fi + git checkout -b bump-version-$(jq -r .version < package.json) + shell: bash + - name: Commit + run: "git commit -am \"$(jq -r .version < package.json)\n\nCo-authored-by: github-actions[bot] \"" + shell: bash + - name: Push + run: git push origin $(git branch --show-current) + shell: bash + - name: Pull request + run: | + gh pr create --base ${{ github.ref_name }} --title "Bump version to $(jq -r .version < package.json)" --body "### If you merge this PR + + - The package version will be updated to \`$(jq -r .version < package.json)\` on branch \`${GITHUB_REF##*/}\`. + - The git tag \`v$(jq -r .version < package.json)\` will be created in this repository. + - \`$(jq -r .name < package.json)@$(jq -r .version < package.json)\` will be published to NPM. 
+ $(if [[ $(jq .version < package.json) =~ [0-9]+\.[0-9]+\.[0-9]+\-([^\.]+) ]]; then echo " - dist-tag \`${BASH_REMATCH[1]}\` will point to version \`$(jq -r .version < package.json)\` + - dist-tag \`latest\` will remain unchanged + - [Learn more about NPM dist-tags](https://docs.npmjs.com/cli/commands/npm-dist-tag)"; fi) + + #### ⚠️ NOTICE ⚠️ + + The published package will contain all changes on branch \`${GITHUB_REF##*/}\` at the time this PR is merged _even if they were merged after this PR was created_. + + ### If you close this PR + + - The version will not change and nothing will be published. + - Future attempts to create the same version will fail until this branch is deleted." --assignee "${GITHUB_ACTOR}" + shell: bash + env: + GH_TOKEN: ${{ github.token }}
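Review bot: The Bump version step splices `${{ github.event.inputs.newversion }}` and `${{ github.event.inputs.preid }}` straight into the shell command, so anyone able to dispatch the workflow can inject arbitrary shell into a job that pushes branches and opens pull requests with `github.token`; even though dispatch requires write access, inputs should be passed through `env:` and quoted, and a blank `preid` currently still emits a bare `--preid` flag with no value. The tag-existence check on the following line looks up `$(jq -r .version …)` while the companion publish workflow creates tags prefixed with `v`, so it never matches an existing `v1.2.3` tag and the "already exists" guard is ineffective. The rewrite below addresses both; the `git checkout -b` line and the rest of the job are unchanged.
```yaml
      - name: Bump version
        env:
          NEW_VERSION: ${{ github.event.inputs.newversion }}
          PREID: ${{ github.event.inputs.preid }}
        run: |
          npm version "$NEW_VERSION" ${PREID:+--preid "$PREID"} --git-tag-version false
          VERSION="$(jq -r .version < package.json)"
          if [[ -z "$(git ls-remote --tags origin "refs/tags/v$VERSION")" ]]; then echo "Created new version $VERSION"; else echo "Tag v$VERSION already exists!" && exit 1; fi
          # … unchanged: git checkout -b bump-version-… …
        shell: bash
```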