Release #28
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Release | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| dry_run: | |
| description: 'Dry run only (no git push, no tags, no npm publish)' | |
| required: false | |
| default: true | |
| type: boolean | |
| permissions: | |
| contents: write | |
| id-token: write | |
| issues: write | |
| pull-requests: write | |
| # Allow GitHub Actions to bypass branch protection | |
| # This is required for semantic-release to push version updates | |
| jobs: | |
| release: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Verify admin permissions | |
| run: | | |
| # Use the repository's permission endpoint which works for both personal and org repos | |
| RESPONSE=$(curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \ | |
| -H "Accept: application/vnd.github.v3+json" \ | |
| "https://api.github.com/repos/${{ github.repository }}/collaborators/${{ github.actor }}/permission") | |
| # Extract permission using jq if available, otherwise use grep | |
| if command -v jq &> /dev/null; then | |
| PERMISSION=$(echo "$RESPONSE" | jq -r '.permission // empty') | |
| else | |
| PERMISSION=$(echo "$RESPONSE" | grep -o '"permission":"[^"]*"' | head -1 | cut -d'"' -f4) | |
| fi | |
| if [ -z "$PERMISSION" ]; then | |
| echo "Warning: Could not determine permission level. Response: $RESPONSE" | |
| echo "Note: workflow_dispatch requires write access, proceeding..." | |
| exit 0 | |
| fi | |
| if [ "$PERMISSION" != "admin" ]; then | |
| echo "Error: Only repository admins can trigger releases. Current permission: $PERMISSION" | |
| exit 1 | |
| fi | |
| echo "✓ Verified admin permission for ${{ github.actor }}" | |
| - uses: actions/checkout@v4 | |
| with: | |
| ref: main | |
| fetch-depth: 0 | |
| fetch-tags: true | |
| token: ${{ secrets.RELEASE_TOKEN }} | |
| - name: Setup git branch | |
| run: | | |
| git fetch --all --tags --force | |
| git fetch origin '+refs/notes/*:refs/notes/*' || true | |
| git checkout -B main | |
| git branch --set-upstream-to=origin/main main | |
| - name: Ensure master branch exists (for semantic-release validation) | |
| run: | | |
| # semantic-release requires at least one release branch that exists; repo uses main, we declare "master" | |
| if ! git ls-remote --heads origin master 2>/dev/null | grep -q .; then | |
| git checkout -b master | |
| git push origin master | |
| git checkout main | |
| fi | |
| - uses: actions/setup-node@v4 | |
| with: | |
| node-version: '20' | |
| registry-url: 'https://registry.npmjs.org' | |
| always-auth: true | |
| - run: npm ci | |
| - run: npm test --if-present | |
| - name: Configure git | |
| run: | | |
| git config user.name "github-actions[bot]" | |
| git config user.email "github-actions[bot]@users.noreply.github.com" | |
| - name: Add semantic-release note (dry run only) | |
| if: github.event.inputs.dry_run == 'true' | |
| run: | | |
| set -e | |
| if ! git rev-parse --verify v1.0.0-beta.1 >/dev/null 2>&1; then exit 0; fi | |
| git notes --ref semantic-release-v1.0.0-beta.1 add -f -m '{"channels":["beta"]}' v1.0.0-beta.1 | |
| echo "Added semantic-release note to v1.0.0-beta.1 (local only for dry run)." | |
| - name: Create initial tag if needed | |
| if: github.event.inputs.dry_run != 'true' | |
| run: | | |
| if ! git rev-parse --verify "v1.0.0-beta.1" >/dev/null 2>&1; then | |
| echo "Creating initial tag v1.0.0-beta.1" | |
| COMMIT=$(git rev-parse HEAD) | |
| git tag -a "v1.0.0-beta.1" "$COMMIT" -m "chore: initial beta release" | |
| git push origin "v1.0.0-beta.1" || echo "Tag push failed (may not have permission or tag exists)" | |
| # semantic-release treats a tag as "last release" for main (beta) only if it has this note | |
| git notes --ref semantic-release-v1.0.0-beta.1 add -f -m '{"channels":["beta"]}' v1.0.0-beta.1 | |
| git push origin refs/notes/semantic-release-v1.0.0-beta.1 | |
| else | |
| echo "Tag v1.0.0-beta.1 already exists" | |
| fi | |
| - name: Dry run mode notice | |
| if: github.event.inputs.dry_run == 'true' | |
| run: | | |
| echo "==============================================" | |
| echo " DRY RUN MODE - No commits, tags, or publish" | |
| echo "==============================================" | |
| echo "Semantic-release will show what WOULD happen." | |
| echo "To perform a real release, run again and uncheck 'Dry run only'." | |
| echo "" | |
| - name: Ensure v1.0.0-beta.1 exists locally (dry run only) | |
| if: github.event.inputs.dry_run == 'true' | |
| run: | | |
| if ! git rev-parse --verify "v1.0.0-beta.1" >/dev/null 2>&1; then | |
| # So semantic-release sees a "previous release" and suggests 1.0.0-beta.2 for new commits | |
| PARENT=$(git rev-parse HEAD~1 2>/dev/null || git rev-parse HEAD) | |
| git tag -a "v1.0.0-beta.1" "$PARENT" -m "chore: initial beta release (dry-run placeholder)" | |
| echo "Created local tag v1.0.0-beta.1 at $PARENT so semantic-release can compute next version (1.0.0-beta.2)." | |
| else | |
| echo "Tag v1.0.0-beta.1 already exists." | |
| fi | |
| - name: Get version before semantic-release | |
| id: version-before | |
| run: | | |
| VERSION_BEFORE=$(node -p "require('./package.json').version") | |
| echo "version=$VERSION_BEFORE" >> $GITHUB_OUTPUT | |
| echo "Current version: $VERSION_BEFORE" | |
| - name: Release with semantic-release | |
| id: release | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.RELEASE_TOKEN }} | |
| run: | | |
| set -e | |
| if [ "${{ github.event.inputs.dry_run }}" = "true" ]; then | |
| echo "Running semantic-release in DRY RUN mode..." | |
| npx semantic-release --dry-run 2>&1 | tee semantic-release.log || true | |
| grep -oE "The next release version is [^[:space:]]+" semantic-release.log 2>/dev/null | sed 's/The next release version is //' > next-version.txt || echo "" > next-version.txt | |
| else | |
| # Prepare v1.0.0-beta.1 so semantic-release sees it as last release (avoids "tag already exists"). | |
| # semantic-release uses "git tag --merged main" and git notes ref semantic-release-<tag>; tag must be in main and have {"channels":["beta"]}. | |
| if git rev-parse --verify v1.0.0-beta.1 >/dev/null 2>&1; then | |
| if ! git tag --merged main | grep -qx v1.0.0-beta.1; then | |
| RELEASE_COMMIT=$(git log main -1 --format=%H --grep="chore(release): 1.0.0-beta.1" 2>/dev/null || true) | |
| if [ -z "$RELEASE_COMMIT" ]; then | |
| RELEASE_COMMIT=$(git merge-base main origin/master 2>/dev/null || git rev-parse HEAD~1) | |
| fi | |
| git tag -d v1.0.0-beta.1 2>/dev/null || true | |
| git tag -a v1.0.0-beta.1 "$RELEASE_COMMIT" -m "chore: 1.0.0-beta.1" | |
| git push origin v1.0.0-beta.1 --force | |
| echo "Moved v1.0.0-beta.1 to $RELEASE_COMMIT (was not in main history)." | |
| fi | |
| git notes --ref semantic-release-v1.0.0-beta.1 add -f -m '{"channels":["beta"]}' v1.0.0-beta.1 | |
| git push origin refs/notes/semantic-release-v1.0.0-beta.1 | |
| git fetch origin '+refs/tags/*:refs/tags/*' '+refs/notes/*:refs/notes/*' | |
| echo "Prepared v1.0.0-beta.1; state before semantic-release:" | |
| echo " Tags merged into main: $(git tag --merged main | tr '\n' ' ')" | |
| git notes --ref semantic-release-v1.0.0-beta.1 show v1.0.0-beta.1 2>/dev/null && echo " Note OK" || echo " (no note for v1.0.0-beta.1)" | |
| fi | |
| npx semantic-release | |
| fi | |
| - name: Publish to npm using trusted publishing | |
| if: github.event.inputs.dry_run != 'true' | |
| run: | | |
| echo "=== Publishing to npm with trusted publishing (OIDC) ===" | |
| # Ensure .npmrc is available (setup-node should have created it) | |
| if [ -f "$NPM_CONFIG_USERCONFIG" ]; then | |
| cp "$NPM_CONFIG_USERCONFIG" ~/.npmrc | |
| echo "✓ Using .npmrc for authentication" | |
| fi | |
| # Get versions | |
| VERSION_BEFORE="${{ steps.version-before.outputs.version }}" | |
| VERSION_AFTER=$(node -p "require('./package.json').version") | |
| echo "Version before: $VERSION_BEFORE" | |
| echo "Version after: $VERSION_AFTER" | |
| # Only publish if semantic-release created a new version | |
| if [ "$VERSION_BEFORE" != "$VERSION_AFTER" ]; then | |
| echo "✓ New version detected: $VERSION_AFTER" | |
| echo "Publishing to npm..." | |
| # Publish using npm publish which supports OIDC/trusted publishing | |
| npm publish --provenance --access public | |
| echo "✓ Published $VERSION_AFTER to npm" | |
| else | |
| echo "No version change detected (version: $VERSION_AFTER)" | |
| echo "Skipping npm publish - no new release was created" | |
| fi | |
| - name: Dry run - skip npm publish | |
| if: github.event.inputs.dry_run == 'true' | |
| run: | | |
| echo "==============================================" | |
| echo " DRY RUN - Skipping npm publish" | |
| echo "==============================================" | |
| NEXT_VERSION=$(cat next-version.txt 2>/dev/null || echo "") | |
| if [ -n "$NEXT_VERSION" ]; then | |
| echo "Version that WOULD have been published: $NEXT_VERSION" | |
| else | |
| echo "Version that WOULD have been published: (check semantic-release output above; might be no new release)" | |
| echo "Current package.json: $(node -p "require('./package.json').version")" | |
| fi | |
| echo "" | |
| echo "To publish for real, run the workflow again with 'Dry run only' unchecked." |