-
Notifications
You must be signed in to change notification settings - Fork 119
91 lines (86 loc) · 4.05 KB
/
Copy pathpublish.yml
File metadata and controls
91 lines (86 loc) · 4.05 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
# Release workflow for intercom-client.
#
# Publishing model: OIDC trusted publishing + npm staged publishing. CI authenticates to
# npm with a short-lived OIDC token (no stored npm token) and stages the release; a
# maintainer then promotes it from the npm staging area with 2FA. Replaces token-based publishing.
#
# Listed in .fernignore so it is not overwritten by code generation.
name: Publish (staged)
on:
release:
types: [published] # cutting a Release creates the tag AND fires this
permissions:
contents: read # workflow default (least privilege); only stage-publish also needs id-token, granted on that job
concurrency:
group: publish-${{ github.workflow }} # serialize publishes; no dist-tag races
cancel-in-progress: false # queue, don't kill an in-flight publish
jobs:
verify:
runs-on: ubuntu-latest
timeout-minutes: 5 # backstop a hung step (checkout/guards only; no install/build)
outputs:
sha: ${{ steps.resolve.outputs.sha }} # ancestry-checked commit, pinned for downstream
steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
fetch-depth: 0 # full history for the ancestry check below
- uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
with:
node-version: '22' # staged publishing needs Node >= 22.14.0 (npm >= 11.15.0); repo has no .nvmrc
package-manager-cache: false # release-triggered: disable auto-cache (zizmor cache-poisoning)
- name: Assert Release tag matches package.json version
env:
RELEASE_TAG: ${{ github.event.release.tag_name }}
run: |
PKG="$(node -p "require('./package.json').version")"
[ "${RELEASE_TAG#v}" = "$PKG" ] || { echo "tag $RELEASE_TAG != package.json v$PKG"; exit 1; }
- name: Refuse releases not on the default branch
id: resolve
env:
RELEASE_TAG: ${{ github.event.release.tag_name }}
DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
run: |
git merge-base --is-ancestor "$GITHUB_SHA" "origin/$DEFAULT_BRANCH" \
|| { echo "release $RELEASE_TAG not reachable from $DEFAULT_BRANCH — refusing"; exit 1; }
echo "sha=$GITHUB_SHA" >> "$GITHUB_OUTPUT" # downstream checks out this exact SHA, not the mutable tag
stage-publish:
needs: verify
runs-on: ubuntu-latest
timeout-minutes: 15 # cap a hung publish
permissions:
contents: read
id-token: write # OIDC trusted publishing: only this job mints the token
steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
ref: ${{ needs.verify.outputs.sha }} # the ancestry-checked SHA, immune to tag re-pointing (TOCTOU)
- uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
with:
node-version: '22'
registry-url: 'https://registry.npmjs.org'
package-manager-cache: false
- run: corepack enable
- run: pnpm install --frozen-lockfile
- run: pnpm run build # mandatory: dist/ is gitignored, so the published artifact is built here
- run: npm install -g npm@11.15.0 # npm CLI: staged publishing needs npm >= 11.15.0
- name: Resolve dist-tag (a prerelease must never go to `latest`)
id: disttag
env:
ALPHA_TAG: alpha
BETA_TAG: beta
PRERELEASE_TAG: next
run: |
VERSION="$(node -p "require('./package.json').version")"
case "$VERSION" in
*-alpha.*) TAG="$ALPHA_TAG" ;;
*-beta.*) TAG="$BETA_TAG" ;;
*-*) TAG="$PRERELEASE_TAG" ;;
*) TAG="latest" ;;
esac
echo "tag=$TAG" >> "$GITHUB_OUTPUT"
- name: Stage publish
env:
DIST_TAG: ${{ steps.disttag.outputs.tag }}
run: npm stage publish --tag "$DIST_TAG"