From c22d97bb91cb44aef8b47993da161792c9393c61 Mon Sep 17 00:00:00 2001
From: boronine-bot
Date: Sun, 14 Jun 2026 15:23:20 +0000
Subject: [PATCH] Add npm provenance release workflow

---
 .github/workflows/nodeci.yml | 54 ++-----------------------------
 .github/workflows/npm-publish.yml | 44 +++++++++++++++++++++++++
 README.md | 12 ++++---
 3 files changed, 54 insertions(+), 56 deletions(-)
 create mode 100644 .github/workflows/npm-publish.yml

diff --git a/.github/workflows/nodeci.yml b/.github/workflows/nodeci.yml
index e89f09f..7c7cdbc 100644
--- a/.github/workflows/nodeci.yml
+++ b/.github/workflows/nodeci.yml
@@ -18,61 +18,11 @@ jobs:
 # See supported Node.js release schedule at https://nodejs.org/en/about/releases/
 node-version: [ 18.x, 20.x, 22.x ]
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@v6
 - name: Use Node.js ${{ matrix.node-version }}
- uses: actions/setup-node@v4
+ uses: actions/setup-node@v6
 with:
 node-version: ${{ matrix.node-version }}
 cache: 'npm'
 - run: npm ci
 - run: npm run build
- - name: Store artifacts
- if: matrix.node-version == '20.x'
- uses: actions/upload-artifact@v4
- with:
- name: build-assets
- path: assets/
- release:
- runs-on: ubuntu-latest
- # Wait for build because we need the build artifacts here
- needs: [ build ]
- # Only run when pushing to main branch
- if: github.event_name != 'pull_request'
- steps:
- - uses: actions/checkout@v4
- # Download artifact instead of rebuilding
- - uses: actions/download-artifact@v4
- with:
- name: build-assets
- path: assets/
- - run: echo "HSLUV_VERSION=$(cat assets/VERSION)" >> ${{ github.env }}
- - uses: rickstaa/action-create-tag@v1
- id: create-tag
- # When tag already exists, do not fail the job
- continue-on-error: true
- with:
- tag: "v${{ env.HSLUV_VERSION }}"
- - uses: ncipollo/release-action@v1
- if: ${{ steps.create-tag.outcome == 'success' }}
- with:
- artifacts: assets/hsluv-${{ env.HSLUV_VERSION }}.min.js
- tag: v${{ env.HSLUV_VERSION }}
- draft: true
- omitBody: true
- prerelease: ${{ contains(env.HSLUV_VERSION, 'rc') }}
- bodyFile: "body.md"
- token: ${{ secrets.GITHUB_TOKEN }}
- # https://docs.github.com/en/actions/publishing-packages/publishing-nodejs-packages
- - uses: actions/setup-node@v4
- if: ${{ steps.create-tag.outcome == 'success' }}
- with:
- node-version: '22.x'
- registry-url: 'https://registry.npmjs.org'
- - run: npm publish ./assets/hsluv-${{ env.HSLUV_VERSION }}.tgz --tag rc
- if: ${{ steps.create-tag.outcome == 'success' && contains(env.HSLUV_VERSION, 'rc') }}
- env:
- NODE_AUTH_TOKEN: ${{ secrets.HSLUV_NPM_AUTOMATION_TOKEN }}
- - run: npm publish ./assets/hsluv-${{ env.HSLUV_VERSION }}.tgz
- if: ${{ steps.create-tag.outcome == 'success' && !contains(env.HSLUV_VERSION, 'rc') }}
- env:
- NODE_AUTH_TOKEN: ${{ secrets.HSLUV_NPM_AUTOMATION_TOKEN }}
diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml
new file mode 100644
index 0000000..c292f06
--- /dev/null
+++ b/.github/workflows/npm-publish.yml
@@ -0,0 +1,44 @@
+name: Publish to npm
+
+on:
+ release:
+ types: [published]
+ workflow_dispatch:
+
+permissions:
+ contents: read
+ id-token: write
+
+jobs:
+ publish:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v6
+ - name: Use Node.js
+ uses: actions/setup-node@v6
+ with:
+ node-version: 24.x
+ registry-url: "https://registry.npmjs.org"
+ - run: npm ci
+ - name: Check release tag matches package version
+ if: github.event_name == 'release'
+ run: |
+ package_version="$(node -p "require('./package.json').version")"
+ release_version="${GITHUB_REF_NAME#v}"
+ if [ "$package_version" != "$release_version" ]; then
+ echo "Release tag ${GITHUB_REF_NAME} does not match package.json version ${package_version}"
+ exit 1
+ fi
+ - run: npm run build
+ - name: Publish to npm
+ run: |
+ package_version="$(node -p "require('./package.json').version")"
+ tarball="./assets/hsluv-${package_version}.tgz"
+ if [[ "$package_version" =~ -([a-zA-Z]+) ]]; then
+ tag="${BASH_REMATCH[1]}"
+ echo "Publishing prerelease with dist-tag: $tag"
+ npm publish "$tarball" --provenance --access public --tag "$tag"
+ else
+ echo "Publishing stable release"
+ npm publish "$tarball" --provenance --access public
+ fi
diff --git a/README.md b/README.md
index a53ccc7..14070c8 100644
--- a/README.md
+++ b/README.md
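Review bot: The `Check release tag matches package version` step in npm-publish.yml is skipped on `workflow_dispatch` (`if: github.event_name == 'release'`), so a manual run publishes whatever `package.json` version is on the dispatched ref with no tag cross-check, and the README's "release tag must match" guarantee does not hold for that path. Dropping the `if: github.event_name == 'release'` line makes the check run on both triggers; a manual dispatch would then have to be started from the `vX.Y.Z` tag (where `GITHUB_REF_NAME` is the tag) and fails from a branch, which is the safer default for a job holding `id-token: write`. Separately, this workflow and the nodeci.yml hunk reference `actions/checkout@v6` and `actions/setup-node@v6` by mutable tag; for a publishing job, pinning to a full commit SHA with the tag kept in a trailing comment is the usual hardening. Note also that the dist-tag regex `-([a-zA-Z]+)` only recognises alphabetic prerelease identifiers, so a version such as `1.2.3-1` would fall through to the stable branch and be published as `latest`.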
@@ -78,10 +78,14 @@ Also available for [Stylus](http://stylus-lang.com/). See [here](https://github.
 ## Development
-Our [GitHub Actions workflow](https://github.com/hsluv/hsluv-javascript/blob/main/.github/workflows/nodeci.yml)
-will build and test every push and PR to the `main` branch. When a `main` branch receives a commit that
-updates the project version in `package.json`, the workflow will tag the commit, create a draft release
-on GitHub and publish the npm package. Mark your versions with the `-rc` suffix to create pre-releases.
+Our [Node.js CI workflow](https://github.com/hsluv/hsluv-javascript/blob/main/.github/workflows/nodeci.yml)
+will build and test every push and PR to the `main` branch.
+
+To publish a release, configure npm trusted publishing for the `hsluv/hsluv-javascript` repository and
+`npm-publish.yml` workflow, then create a GitHub Release. The release tag must match the version in
+`package.json`. The [Publish to npm workflow](https://github.com/hsluv/hsluv-javascript/blob/main/.github/workflows/npm-publish.yml)
+will build the package and publish it to npm with provenance. Prerelease versions (for example `1.2.3-rc.1`)
+are automatically published with the matching npm dist-tag.
 ## Changelog