release.yml
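# Manually triggered release pipeline: gate on the caller's repository
# permission, run the tests, then publish with semantic-release.
name: Release

# NOTE(review): workflow_dispatch runs the copy of this file on whichever ref
# the caller selects, so the admin gate in the first step is only as strong as
# the protection on this file. Enforce the same rule outside the workflow as
# well (for example a protected environment with required reviewers that holds
# the publishing credentials).
on:
  workflow_dispatch:

# Token scopes for the whole run. Only one job exists, so these apply to it.
permissions:
  # Needed to push tags (see "Create initial tag if needed").
  contents: write
  # Lets the job request an OIDC token; presumably for npm provenance or
  # trusted publishing -- TODO confirm, and drop if unused.
  id-token: write
  # Presumably for semantic-release's issue/PR comments -- TODO confirm.
  issues: write
  pull-requests: write

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - name: Verify admin permissions
        # Values are passed through env instead of being expanded into the
        # script text, so they are always treated as data by the shell.
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          REPO: ${{ github.repository }}
          # triggering_actor is the user who started this run; on a re-run it
          # can differ from github.actor, which stays the original initiator.
          ACTOR: ${{ github.triggering_actor }}
        run: |
          # Use the repository's permission endpoint which works for both personal and org repos
          RESPONSE=$(curl -sS -H "Authorization: token ${GH_TOKEN}" \
            -H "Accept: application/vnd.github.v3+json" \
            "https://api.github.com/repos/${REPO}/collaborators/${ACTOR}/permission") || RESPONSE=""
          # Extract permission using jq if available, otherwise use grep
          if command -v jq &> /dev/null; then
            PERMISSION=$(echo "$RESPONSE" | jq -r '.permission // empty') || PERMISSION=""
          else
            # Tolerate whitespace around the colon (pretty-printed JSON).
            PERMISSION=$(echo "$RESPONSE" | grep -o '"permission"[[:space:]]*:[[:space:]]*"[^"]*"' | head -1 | cut -d'"' -f4)
          fi
          # Fail closed: an unreadable or unexpected response must not be
          # treated as authorization to publish.
          if [ -z "$PERMISSION" ]; then
            echo "Error: Could not determine permission level. Response: $RESPONSE"
            exit 1
          fi
          if [ "$PERMISSION" != "admin" ]; then
            echo "Error: Only repository admins can trigger releases. Current permission: $PERMISSION"
            exit 1
          fi
          echo "✓ Verified admin permission for ${ACTOR}"

      # NOTE(review): this job holds a write token and publishing credentials;
      # pin third-party actions to a full commit SHA rather than a movable tag.
      - uses: actions/checkout@v4
        with:
          # Always release from main, regardless of the ref the run was
          # dispatched on.
          ref: main
          # Full history and tags are fetched for version calculation.
          fetch-depth: 0

      - name: Setup git branch
        run: |
          git fetch --all --tags
          git checkout -B main
          git branch --set-upstream-to=origin/main main

      - name: Debug branch info
        run: |
          echo "Current branch: $(git branch --show-current)"
          echo "All branches: $(git branch -a)"
          echo "Git remote: $(git remote -v)"
          echo "Git status: $(git status)"

      - uses: actions/setup-node@v4
        with:
          node-version: '20'
          registry-url: 'https://registry.npmjs.org'
          always-auth: true

      - run: npm ci
      - run: npm test --if-present

      - name: Configure git
        run: |
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"

      - name: Create initial tag if needed
        run: |
          # Check the tag namespace explicitly so a branch of the same name
          # cannot satisfy the lookup.
          if ! git rev-parse --verify "refs/tags/v1.0.0-beta.1" >/dev/null 2>&1; then
            echo "Creating initial tag v1.0.0-beta.1"
            git tag -a "v1.0.0-beta.1" -m "chore: initial beta release"
            # Best effort: a failed push is reported but does not stop the run.
            git push origin "v1.0.0-beta.1" || echo "Tag push failed (may not have permission or tag exists)"
          else
            echo "Tag v1.0.0-beta.1 already exists"
          fi

      - name: Debug semantic-release config
        run: |
          echo "=== .releaserc.json ==="
          cat .releaserc.json
          echo ""
          echo "=== Git branches ==="
          git branch -a
          echo ""
          echo "=== Current branch ==="
          git branch --show-current
          echo ""
          echo "=== Git tags ==="
          git tag

      - name: Configure npm authentication for semantic-release
        run: |
          # actions/setup-node creates .npmrc in a temp location via NPM_CONFIG_USERCONFIG
          # We need to ensure semantic-release can find it
          if [ -f "$NPM_CONFIG_USERCONFIG" ]; then
            echo "Found npmrc at $NPM_CONFIG_USERCONFIG"
            # Copy to home directory for semantic-release to read
            mkdir -p ~/.npm
            cp "$NPM_CONFIG_USERCONFIG" ~/.npmrc
            # The copy carries registry credentials; keep it owner-only.
            chmod 600 ~/.npmrc
            echo "Copied .npmrc to ~/.npmrc"
            # Also extract token for NPM_TOKEN env var (semantic-release npm plugin requires it)
            # We mask the token value in logs for security
            # NOTE(review): no step here sets NODE_AUTH_TOKEN, and setup-node
            # appears to write a variable reference rather than a literal
            # token into .npmrc -- confirm what this grep actually yields.
            # head keeps the value to one line so it cannot add extra
            # entries to GITHUB_ENV.
            TOKEN=$(grep -oP '(?<=//registry\.npmjs\.org/:_authToken=).*' ~/.npmrc 2>/dev/null | head -n 1 || true)
            if [ -n "$TOKEN" ]; then
              # Register the mask before the value is written anywhere.
              echo "::add-mask::$TOKEN"
              # GITHUB_ENV exposes the value to every later step in this job.
              echo "NPM_TOKEN=$TOKEN" >> "$GITHUB_ENV"
              echo "NPM_TOKEN configured (masked in logs)"
            else
              echo "Warning: Could not extract token from .npmrc"
            fi
          else
            echo "Warning: NPM_CONFIG_USERCONFIG not found at $NPM_CONFIG_USERCONFIG"
          fi
          # Test npm auth (without exposing token)
          # Diagnostic only: a failed check is logged and the job continues.
          echo "Testing npm authentication..."
          npm whoami --registry=https://registry.npmjs.org >/dev/null 2>&1 && echo "✓ npm authentication successful" || echo "✗ npm authentication failed"

      - name: Release
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        # NOTE(review): npx uses the project-local semantic-release when the
        # lockfile installs one and otherwise downloads it at run time; make
        # sure it is a locked devDependency so the publisher is reproducible.
        run: npx semantic-release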