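# Release workflow: on every push to master, build, lint and test the packages
# changed by the pushed commit, publish them to npm and push the resulting
# release commit and tags back to the default branch.
name: Release Packages

on:
  push:
    branches:
      - master

# Workflow-level default scope for GITHUB_TOKEN. A job that declares its own
# `permissions` block replaces these defaults for that job.
permissions:
  # Jobs requiring OIDC (e.g., npm publish) must request `id-token: write` at the job level.
  contents: read
  # NOTE(review): the `publish` job sets its own permissions and does not list
  # `pages`, so it does not inherit this grant. Confirm it is still needed.
  pages: write

jobs:
  publish:
    # let's ignore release commits, otherwise it'll try to run twice
    if: |
      !startsWith(github.event.head_commit.message , 'chore(release):') &&
      !startsWith(github.event.head_commit.message , 'chore(repo):')
    permissions:
      # Required for `versioner` to push release commits/tags and for npm OIDC publish.
      contents: write
      id-token: write
    runs-on: ubuntu-latest
    name: release
    # NOTE(review): every `uses:` below references a mutable tag (`@v3`, `@v4`).
    # This job holds a repository write token and npm publish credentials, so
    # pinning each action to a full commit SHA would narrow the supply-chain
    # exposure.
    steps:
      - name: Checkout Commit
        uses: actions/checkout@v4
        with:
          # Presumably two commits so the `[HEAD^]` filters below can resolve
          # the parent commit.
          fetch-depth: 2
          # actions/checkout keeps this token in the local git config for the
          # rest of the job unless `persist-credentials: false` is set, so the
          # install, build and test steps run with it on disk. The final push
          # presumably depends on it.
          token: ${{ secrets.GH_TOKEN }}

      - name: Update Master
        env:
          # Passed through the environment instead of being expanded into the
          # script text, so the value is never parsed as shell syntax.
          DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
        run: |
          set -euo pipefail
          # Avoid implicit merges; update the remote-tracking ref explicitly
          git fetch --no-tags --force origin "+refs/heads/${DEFAULT_BRANCH}:refs/remotes/origin/${DEFAULT_BRANCH}"
          git checkout "${DEFAULT_BRANCH}"
          git fetch --tags

      - name: Setup Node
        uses: actions/setup-node@v3
        with:
          node-version: 20
          registry-url: https://registry.npmjs.org/

      - name: Install PNPM
        uses: pnpm/action-setup@v4

      - name: ESLint Cache
        uses: actions/cache@v3
        with:
          path: ./.eslintcache
          # The key hashes the same file that `path` caches (note the leading dot).
          key: ${{ runner.os }}-eslintcache-${{ hashFiles('./.eslintcache') }}
          restore-keys: |
            ${{ runner.os }}-eslintcache-

      - name: Sanity Check
        run: |
          echo git `git version`;
          echo branch `git branch --show-current`;
          echo node `node -v`;
          echo pnpm `pnpm -v`
          echo `moon --version`

      # From this step on the npm token sits in the workspace `.npmrc`, readable by
      # anything the install, build, lint and test steps execute.
      # NOTE(review): if `pnpm install` does not need registry auth, consider moving
      # this step to just before the release step.
      - name: Initliaze .npmrc
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
        run: |
          # The token is read from the environment rather than spliced into the
          # script text by the workflow template.
          echo -e "//registry.npmjs.org/:_authToken=${NPM_TOKEN}\n$(cat .npmrc)" > .npmrc
          # Print the resulting file for diagnostics, leaving out the credential
          # line so the log does not depend on secret masking alone.
          grep -v '_authToken' .npmrc | cat -n

      - name: Set Git Config
        run: |
          git config pull.rebase false
          git config --global user.email "release-workflow@rollup.dev"
          git config --global user.name "Release Workflow"
          # GITHUB_REPOSITORY holds the same owner/name value as `github.repository`.
          git remote set-url origin "https://github.com/${GITHUB_REPOSITORY}"

      - name: pnpm install
        # --frozen-lockfile fails the install instead of rewriting the lockfile.
        run: pnpm install --frozen-lockfile

      - name: Build Packages
        run: pnpm --recursive build

      - name: Lint Monorepo
        run: pnpm lint

      - name: Run Tests
        # The filter is quoted so the shell cannot treat `[HEAD^]` as a glob pattern.
        run: pnpm --filter '[HEAD^]' test

      - name: OIDC Preflight
        shell: bash
        run: |
          if [ -z "${ACTIONS_ID_TOKEN_REQUEST_URL:-}" ] || [ -z "${ACTIONS_ID_TOKEN_REQUEST_TOKEN:-}" ]; then
            echo "Missing GitHub Actions OIDC env vars (ACTIONS_ID_TOKEN_REQUEST_URL/TOKEN)." >&2
            echo "Ensure the job requests permissions: id-token: write." >&2
            exit 1
          fi
          echo "OIDC env vars detected."

      - name: Release and Publish Packages
        run: pnpm --filter '[HEAD^]' --workspace-concurrency=1 release
        env:
          # NOTE(review): a long-lived npm token is supplied alongside the OIDC
          # setup checked above. If publishing is meant to authenticate via OIDC,
          # confirm whether this token is still required.
          NODE_AUTH_TOKEN: ${{secrets.NPM_TOKEN}}
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}

      - name: Push Release and Cleanup
        env:
          DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
        run: |
          set -euo pipefail
          pnpm lint:docs
          # Restore the tracked .npmrc first, so the token line written earlier
          # is not staged by `git add .` below.
          git checkout .npmrc
          git add . && git commit --amend --no-edit
          git pull origin "${DEFAULT_BRANCH}" --no-edit
          git rebase
          git push origin HEAD:"${DEFAULT_BRANCH}"
          git push origin HEAD:"${DEFAULT_BRANCH}" --tags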