Release #30
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Release | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| dry_run: | |
| description: 'Dry run only (no git push, no tags, no npm publish)' | |
| required: false | |
| default: true | |
| type: boolean | |
| permissions: | |
| contents: write | |
| id-token: write | |
| issues: write | |
| pull-requests: write | |
| # Allow GitHub Actions to bypass branch protection | |
| # This is required for semantic-release to push version updates | |
| jobs: | |
| release: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Verify admin permissions | |
| run: | | |
| # Use the repository's permission endpoint which works for both personal and org repos | |
| RESPONSE=$(curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \ | |
| -H "Accept: application/vnd.github.v3+json" \ | |
| "https://api.github.com/repos/${{ github.repository }}/collaborators/${{ github.actor }}/permission") | |
| # Extract permission using jq if available, otherwise use grep | |
| if command -v jq &> /dev/null; then | |
| PERMISSION=$(echo "$RESPONSE" | jq -r '.permission // empty') | |
| else | |
| PERMISSION=$(echo "$RESPONSE" | grep -o '"permission":"[^"]*"' | head -1 | cut -d'"' -f4) | |
| fi | |
| if [ -z "$PERMISSION" ]; then | |
| echo "Warning: Could not determine permission level. Response: $RESPONSE" | |
| echo "Note: workflow_dispatch requires write access, proceeding..." | |
| exit 0 | |
| fi | |
| if [ "$PERMISSION" != "admin" ]; then | |
| echo "Error: Only repository admins can trigger releases. Current permission: $PERMISSION" | |
| exit 1 | |
| fi | |
| echo "✓ Verified admin permission for ${{ github.actor }}" | |
| - uses: actions/checkout@v4 | |
| with: | |
| ref: main | |
| fetch-depth: 0 | |
| fetch-tags: true | |
| token: ${{ secrets.RELEASE_TOKEN }} | |
| - name: Setup git branch | |
| run: | | |
| git fetch --all --tags --force | |
| git fetch origin '+refs/notes/*:refs/notes/*' || true | |
| git checkout -B main | |
| git branch --set-upstream-to=origin/main main | |
| - name: Ensure master branch exists (for semantic-release validation) | |
| run: | | |
| # semantic-release requires at least one release branch that exists; repo uses main, we declare "master" | |
| if ! git ls-remote --heads origin master 2>/dev/null | grep -q .; then | |
| git checkout -b master | |
| git push origin master | |
| git checkout main | |
| fi | |
| - uses: actions/setup-node@v4 | |
| with: | |
| node-version: '20' | |
| registry-url: 'https://registry.npmjs.org' | |
| always-auth: true | |
| - run: npm ci | |
| - run: npm test --if-present | |
| - name: Configure git | |
| run: | | |
| git config user.name "github-actions[bot]" | |
| git config user.email "github-actions[bot]@users.noreply.github.com" | |
| - name: Add semantic-release note (dry run only) | |
| if: github.event.inputs.dry_run == 'true' | |
| run: | | |
| set -e | |
| if ! git rev-parse --verify v1.0.0-beta.1 >/dev/null 2>&1; then exit 0; fi | |
| git notes --ref semantic-release-v1.0.0-beta.1 add -f -m '{"channels":["beta"]}' v1.0.0-beta.1 | |
| echo "Added semantic-release note to v1.0.0-beta.1 (local only for dry run)." | |
| # One-time fix: v1.0.0-beta.1 existed before semantic-release (manual publish). | |
| # It has no channel note, so semantic-release ignores it and tries to create the tag again → "tag already exists". | |
| # Fix: delete the broken tag so semantic-release can create it properly (with note). After this run, remove this step. | |
| - name: Remove broken v1.0.0-beta.1 tag so semantic-release can create it (one-time) | |
| if: github.event.inputs.dry_run != 'true' | |
| run: | | |
| set -e | |
| if git rev-parse --verify "v1.0.0-beta.1" >/dev/null 2>&1; then | |
| echo "Removing existing v1.0.0-beta.1 (no channel note); semantic-release will recreate it with note." | |
| git tag -d v1.0.0-beta.1 2>/dev/null || true | |
| git push origin ":refs/tags/v1.0.0-beta.1" || true | |
| git push origin ":refs/notes/semantic-release-v1.0.0-beta.1" 2>/dev/null || true | |
| echo "Done. semantic-release will create v1.0.0-beta.1 from scratch." | |
| else | |
| echo "Tag v1.0.0-beta.1 does not exist; semantic-release will create it." | |
| fi | |
| - name: Dry run mode notice | |
| if: github.event.inputs.dry_run == 'true' | |
| run: | | |
| echo "==============================================" | |
| echo " DRY RUN MODE - No commits, tags, or publish" | |
| echo "==============================================" | |
| echo "Semantic-release will show what WOULD happen." | |
| echo "To perform a real release, run again and uncheck 'Dry run only'." | |
| echo "" | |
| - name: Ensure v1.0.0-beta.1 exists locally (dry run only) | |
| if: github.event.inputs.dry_run == 'true' | |
| run: | | |
| if ! git rev-parse --verify "v1.0.0-beta.1" >/dev/null 2>&1; then | |
| # So semantic-release sees a "previous release" and suggests 1.0.0-beta.2 for new commits | |
| PARENT=$(git rev-parse HEAD~1 2>/dev/null || git rev-parse HEAD) | |
| git tag -a "v1.0.0-beta.1" "$PARENT" -m "chore: initial beta release (dry-run placeholder)" | |
| echo "Created local tag v1.0.0-beta.1 at $PARENT so semantic-release can compute next version (1.0.0-beta.2)." | |
| else | |
| echo "Tag v1.0.0-beta.1 already exists." | |
| fi | |
| - name: Get version before semantic-release | |
| id: version-before | |
| run: | | |
| VERSION_BEFORE=$(node -p "require('./package.json').version") | |
| echo "version=$VERSION_BEFORE" >> $GITHUB_OUTPUT | |
| echo "Current version: $VERSION_BEFORE" | |
| - name: Release with semantic-release | |
| id: release | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.RELEASE_TOKEN }} | |
| run: | | |
| set -e | |
| if [ "${{ github.event.inputs.dry_run }}" = "true" ]; then | |
| echo "Running semantic-release in DRY RUN mode..." | |
| npx semantic-release --dry-run 2>&1 | tee semantic-release.log || true | |
| grep -oE "The next release version is [^[:space:]]+" semantic-release.log 2>/dev/null | sed 's/The next release version is //' > next-version.txt || echo "" > next-version.txt | |
| else | |
| # Tag + note are prepared in "Prepare v1.0.0-beta.1 for semantic-release" step | |
| npx semantic-release | |
| fi | |
| - name: Publish to npm using trusted publishing | |
| if: github.event.inputs.dry_run != 'true' | |
| run: | | |
| echo "=== Publishing to npm with trusted publishing (OIDC) ===" | |
| # Ensure .npmrc is available (setup-node should have created it) | |
| if [ -f "$NPM_CONFIG_USERCONFIG" ]; then | |
| cp "$NPM_CONFIG_USERCONFIG" ~/.npmrc | |
| echo "✓ Using .npmrc for authentication" | |
| fi | |
| # Get versions | |
| VERSION_BEFORE="${{ steps.version-before.outputs.version }}" | |
| VERSION_AFTER=$(node -p "require('./package.json').version") | |
| echo "Version before: $VERSION_BEFORE" | |
| echo "Version after: $VERSION_AFTER" | |
| # Only publish if semantic-release created a new version | |
| if [ "$VERSION_BEFORE" != "$VERSION_AFTER" ]; then | |
| echo "✓ New version detected: $VERSION_AFTER" | |
| echo "Publishing to npm..." | |
| # Publish using npm publish which supports OIDC/trusted publishing | |
| npm publish --provenance --access public | |
| echo "✓ Published $VERSION_AFTER to npm" | |
| else | |
| echo "No version change detected (version: $VERSION_AFTER)" | |
| echo "Skipping npm publish - no new release was created" | |
| fi | |
| - name: Dry run - skip npm publish | |
| if: github.event.inputs.dry_run == 'true' | |
| run: | | |
| echo "==============================================" | |
| echo " DRY RUN - Skipping npm publish" | |
| echo "==============================================" | |
| NEXT_VERSION=$(cat next-version.txt 2>/dev/null || echo "") | |
| if [ -n "$NEXT_VERSION" ]; then | |
| echo "Version that WOULD have been published: $NEXT_VERSION" | |
| else | |
| echo "Version that WOULD have been published: (check semantic-release output above; might be no new release)" | |
| echo "Current package.json: $(node -p "require('./package.json').version")" | |
| fi | |
| echo "" | |
| echo "To publish for real, run the workflow again with 'Dry run only' unchecked." |