release.yml
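# Release workflow: on a pushed v* tag, check that the tag matches package.json,
# run the test file, then publish @authforgecc/sdk to npm with provenance.
#
# The tag push is the only gate visible in this file, so anyone who can push a
# matching tag can start a publish.
# NOTE(review): confirm that v* tags are protected in the repository settings and
# that the npm trusted-publisher entry is restricted to this workflow file.
name: Release

on:
  push:
    tags: ["v*"]

jobs:
  build-and-publish:
    runs-on: ubuntu-latest
    permissions:
      # Lets the job request an OIDC token. No registry token is configured in this
      # file, so publishing presumably relies on npm trusted publishing (confirm).
      id-token: write
      contents: read
    steps:
      # NOTE(review): version tags such as v4 are mutable. For a job that can publish,
      # consider pinning both actions to a full commit SHA.
      - uses: actions/checkout@v4
        with:
          # No later step needs git credentials, so do not leave the token in .git/config.
          persist-credentials: false

      - uses: actions/setup-node@v4
        with:
          node-version: "20.x"
          registry-url: "https://registry.npmjs.org"

      # Trusted publishing needs npm 11.5.1 or later. The range is bounded to that major
      # so a new npm major is not pulled into the publishing job unreviewed.
      - name: Install latest npm (required for OIDC)
        run: npm install -g "npm@^11.5.1"

      # Fails the run when the pushed tag (without its leading "v") differs from the
      # version in package.json, so a mistagged commit is never published.
      - name: Verify tag matches package version
        shell: bash
        run: |
          set -euo pipefail
          TAG="${GITHUB_REF#refs/tags/v}"
          TAG="${TAG//$'\r'/}"
          PKG=$(node -p "require('./package.json').version")
          if [ "$TAG" != "$PKG" ]; then
            echo "Tag v$TAG does not match package.json version $PKG"
            exit 1
          fi

      - name: Run tests
        run: node --test authforge.test.mjs

      # After a manual first publish, CI must not run `npm publish` again for the same
      # version (E403). `npm view` is unreliable here with setup-node's registry config,
      # so the step asks the registry API directly.
      #
      # A 200 ends the step successfully without publishing. A green run therefore does
      # not prove that the tarball on the registry was built from this tag or carries
      # provenance; check the registry entry when that matters.
      #
      # The curl timeouts keep a stalled registry connection from holding the job open.
      - name: Publish to npm
        shell: bash
        run: |
          set -euo pipefail
          VERSION=$(node -p "require('./package.json').version")
          URL="https://registry.npmjs.org/@authforgecc%2Fsdk/${VERSION}"
          CODE=$(curl -sS --connect-timeout 10 --max-time 30 -o /dev/null -w "%{http_code}" "$URL")
          if [ "$CODE" = "200" ]; then
            echo "@authforgecc/sdk@${VERSION} is already on the registry; skipping publish."
            exit 0
          fi
          if [ "$CODE" != "404" ]; then
            echo "Unexpected HTTP ${CODE} from ${URL} (expected 200 if published, 404 if not)"
            exit 1
          fi
          npm publish --provenance --access public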