Release #29
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Release | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| dry_run: | |
| description: 'Dry run only (no git push, no tags, no npm publish)' | |
| required: false | |
| default: true | |
| type: boolean | |
| permissions: | |
| contents: write | |
| id-token: write | |
| issues: write | |
| pull-requests: write | |
| # Allow GitHub Actions to bypass branch protection | |
| # This is required for semantic-release to push version updates | |
| jobs: | |
| release: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Verify admin permissions | |
| run: | | |
| # Use the repository's permission endpoint which works for both personal and org repos | |
| RESPONSE=$(curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \ | |
| -H "Accept: application/vnd.github.v3+json" \ | |
| "https://api.github.com/repos/${{ github.repository }}/collaborators/${{ github.actor }}/permission") | |
| # Extract permission using jq if available, otherwise use grep | |
| if command -v jq &> /dev/null; then | |
| PERMISSION=$(echo "$RESPONSE" | jq -r '.permission // empty') | |
| else | |
| PERMISSION=$(echo "$RESPONSE" | grep -o '"permission":"[^"]*"' | head -1 | cut -d'"' -f4) | |
| fi | |
| if [ -z "$PERMISSION" ]; then | |
| echo "Warning: Could not determine permission level. Response: $RESPONSE" | |
| echo "Note: workflow_dispatch requires write access, proceeding..." | |
| exit 0 | |
| fi | |
| if [ "$PERMISSION" != "admin" ]; then | |
| echo "Error: Only repository admins can trigger releases. Current permission: $PERMISSION" | |
| exit 1 | |
| fi | |
| echo "✓ Verified admin permission for ${{ github.actor }}" | |
| - uses: actions/checkout@v4 | |
| with: | |
| ref: main | |
| fetch-depth: 0 | |
| fetch-tags: true | |
| token: ${{ secrets.RELEASE_TOKEN }} | |
| - name: Setup git branch | |
| run: | | |
| git fetch --all --tags --force | |
| git fetch origin '+refs/notes/*:refs/notes/*' || true | |
| git checkout -B main | |
| git branch --set-upstream-to=origin/main main | |
| - name: Ensure master branch exists (for semantic-release validation) | |
| run: | | |
| # semantic-release requires at least one release branch that exists; repo uses main, we declare "master" | |
| if ! git ls-remote --heads origin master 2>/dev/null | grep -q .; then | |
| git checkout -b master | |
| git push origin master | |
| git checkout main | |
| fi | |
| - uses: actions/setup-node@v4 | |
| with: | |
| node-version: '20' | |
| registry-url: 'https://registry.npmjs.org' | |
| always-auth: true | |
| - run: npm ci | |
| - run: npm test --if-present | |
| - name: Configure git | |
| run: | | |
| git config user.name "github-actions[bot]" | |
| git config user.email "github-actions[bot]@users.noreply.github.com" | |
| - name: Add semantic-release note (dry run only) | |
| if: github.event.inputs.dry_run == 'true' | |
| run: | | |
| set -e | |
| if ! git rev-parse --verify v1.0.0-beta.1 >/dev/null 2>&1; then exit 0; fi | |
| git notes --ref semantic-release-v1.0.0-beta.1 add -f -m '{"channels":["beta"]}' v1.0.0-beta.1 | |
| echo "Added semantic-release note to v1.0.0-beta.1 (local only for dry run)." | |
| # One-time migration: v1.0.0-beta.1 existed before semantic-release was configured | |
| # with channel notes. Semantic-release prepares all other versions itself (tags + notes). | |
| # This step only fixes that one tag so semantic-release can see it as "last release". | |
| - name: Migrate v1.0.0-beta.1 tag for semantic-release (one-time) | |
| if: github.event.inputs.dry_run != 'true' | |
| run: | | |
| set -e | |
| echo "=== Migrating v1.0.0-beta.1 so semantic-release sees it as last release ===" | |
| # semantic-release treats a tag as "last release" only if: 1) tag is in "git tag --merged main", 2) tag has note {"channels":["beta"]} in ref semantic-release-<tag> | |
| if ! git rev-parse --verify "v1.0.0-beta.1" >/dev/null 2>&1; then | |
| echo "Tag v1.0.0-beta.1 does not exist; creating at HEAD." | |
| git tag -a "v1.0.0-beta.1" HEAD -m "chore: initial beta release" | |
| git push origin "v1.0.0-beta.1" | |
| git notes --ref semantic-release-v1.0.0-beta.1 add -f -m '{"channels":["beta"]}' v1.0.0-beta.1 | |
| git push origin refs/notes/semantic-release-v1.0.0-beta.1 | |
| echo "Created v1.0.0-beta.1 and note." | |
| else | |
| echo "Tag v1.0.0-beta.1 exists." | |
| if ! git tag --merged main | grep -qx v1.0.0-beta.1; then | |
| RELEASE_COMMIT=$(git log main -1 --format=%H --grep="chore(release): 1.0.0-beta.1" 2>/dev/null || true) | |
| [ -z "$RELEASE_COMMIT" ] && RELEASE_COMMIT=$(git merge-base main origin/master 2>/dev/null || git rev-parse HEAD~1) | |
| echo "Moving tag into main history (was not merged into main) to $RELEASE_COMMIT" | |
| git tag -d v1.0.0-beta.1 2>/dev/null || true | |
| git tag -a v1.0.0-beta.1 "$RELEASE_COMMIT" -m "chore: 1.0.0-beta.1" | |
| git push origin v1.0.0-beta.1 --force | |
| fi | |
| git notes --ref semantic-release-v1.0.0-beta.1 add -f -m '{"channels":["beta"]}' v1.0.0-beta.1 | |
| git push origin refs/notes/semantic-release-v1.0.0-beta.1 | |
| git fetch origin '+refs/tags/*:refs/tags/*' '+refs/notes/*:refs/notes/*' | |
| echo "Tags merged into main: $(git tag --merged main | tr '\n' ' ')" | |
| git notes --ref semantic-release-v1.0.0-beta.1 show v1.0.0-beta.1 2>/dev/null && echo "Note present for v1.0.0-beta.1" || echo "WARN: no note for v1.0.0-beta.1" | |
| fi | |
| echo "=== Done; semantic-release will see v1.0.0-beta.1 as last release ===" | |
| - name: Dry run mode notice | |
| if: github.event.inputs.dry_run == 'true' | |
| run: | | |
| echo "==============================================" | |
| echo " DRY RUN MODE - No commits, tags, or publish" | |
| echo "==============================================" | |
| echo "Semantic-release will show what WOULD happen." | |
| echo "To perform a real release, run again and uncheck 'Dry run only'." | |
| echo "" | |
| - name: Ensure v1.0.0-beta.1 exists locally (dry run only) | |
| if: github.event.inputs.dry_run == 'true' | |
| run: | | |
| if ! git rev-parse --verify "v1.0.0-beta.1" >/dev/null 2>&1; then | |
| # So semantic-release sees a "previous release" and suggests 1.0.0-beta.2 for new commits | |
| PARENT=$(git rev-parse HEAD~1 2>/dev/null || git rev-parse HEAD) | |
| git tag -a "v1.0.0-beta.1" "$PARENT" -m "chore: initial beta release (dry-run placeholder)" | |
| echo "Created local tag v1.0.0-beta.1 at $PARENT so semantic-release can compute next version (1.0.0-beta.2)." | |
| else | |
| echo "Tag v1.0.0-beta.1 already exists." | |
| fi | |
| - name: Get version before semantic-release | |
| id: version-before | |
| run: | | |
| VERSION_BEFORE=$(node -p "require('./package.json').version") | |
| echo "version=$VERSION_BEFORE" >> $GITHUB_OUTPUT | |
| echo "Current version: $VERSION_BEFORE" | |
| - name: Release with semantic-release | |
| id: release | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.RELEASE_TOKEN }} | |
| run: | | |
| set -e | |
| if [ "${{ github.event.inputs.dry_run }}" = "true" ]; then | |
| echo "Running semantic-release in DRY RUN mode..." | |
| npx semantic-release --dry-run 2>&1 | tee semantic-release.log || true | |
| grep -oE "The next release version is [^[:space:]]+" semantic-release.log 2>/dev/null | sed 's/The next release version is //' > next-version.txt || echo "" > next-version.txt | |
| else | |
| # Tag + note are prepared in "Prepare v1.0.0-beta.1 for semantic-release" step | |
| npx semantic-release | |
| fi | |
| - name: Publish to npm using trusted publishing | |
| if: github.event.inputs.dry_run != 'true' | |
| run: | | |
| echo "=== Publishing to npm with trusted publishing (OIDC) ===" | |
| # Ensure .npmrc is available (setup-node should have created it) | |
| if [ -f "$NPM_CONFIG_USERCONFIG" ]; then | |
| cp "$NPM_CONFIG_USERCONFIG" ~/.npmrc | |
| echo "✓ Using .npmrc for authentication" | |
| fi | |
| # Get versions | |
| VERSION_BEFORE="${{ steps.version-before.outputs.version }}" | |
| VERSION_AFTER=$(node -p "require('./package.json').version") | |
| echo "Version before: $VERSION_BEFORE" | |
| echo "Version after: $VERSION_AFTER" | |
| # Only publish if semantic-release created a new version | |
| if [ "$VERSION_BEFORE" != "$VERSION_AFTER" ]; then | |
| echo "✓ New version detected: $VERSION_AFTER" | |
| echo "Publishing to npm..." | |
| # Publish using npm publish which supports OIDC/trusted publishing | |
| npm publish --provenance --access public | |
| echo "✓ Published $VERSION_AFTER to npm" | |
| else | |
| echo "No version change detected (version: $VERSION_AFTER)" | |
| echo "Skipping npm publish - no new release was created" | |
| fi | |
| - name: Dry run - skip npm publish | |
| if: github.event.inputs.dry_run == 'true' | |
| run: | | |
| echo "==============================================" | |
| echo " DRY RUN - Skipping npm publish" | |
| echo "==============================================" | |
| NEXT_VERSION=$(cat next-version.txt 2>/dev/null || echo "") | |
| if [ -n "$NEXT_VERSION" ]; then | |
| echo "Version that WOULD have been published: $NEXT_VERSION" | |
| else | |
| echo "Version that WOULD have been published: (check semantic-release output above; might be no new release)" | |
| echo "Current package.json: $(node -p "require('./package.json').version")" | |
| fi | |
| echo "" | |
| echo "To publish for real, run the workflow again with 'Dry run only' unchecked." |