-
Notifications
You must be signed in to change notification settings - Fork 4
352 lines (340 loc) · 14.6 KB
/
release.yml
File metadata and controls
352 lines (340 loc) · 14.6 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
name: Release
on:
push:
tags:
- "v*"
permissions:
actions: read
contents: read
jobs:
verify:
name: Verify release candidate
runs-on: ubuntu-latest
timeout-minutes: 25
permissions:
actions: read
contents: read
steps:
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
with:
fetch-depth: 0
- uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
with:
node-version: "22.x"
cache: npm
- name: Pin npm version from packageManager
run: |
set -euo pipefail
PKG_MANAGER="$(node -p "JSON.parse(require('node:fs').readFileSync('package.json','utf8')).packageManager")"
case "${PKG_MANAGER}" in
npm@*) NPM_VERSION="${PKG_MANAGER#npm@}" ;;
*) echo "Unsupported packageManager: ${PKG_MANAGER}" >&2; exit 1 ;;
esac
corepack enable || true
corepack prepare "npm@${NPM_VERSION}" --activate || true
if [ "$(npm --version)" != "${NPM_VERSION}" ]; then
echo "npm version mismatch after corepack, falling back to npm install -g"
npm install -g "npm@${NPM_VERSION}"
fi
test "$(npm --version)" = "${NPM_VERSION}"
- name: Ensure tagged commit matches default branch tip
env:
DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
run: |
set -euo pipefail
BRANCH="${DEFAULT_BRANCH:-main}"
git fetch --no-tags origin "${BRANCH}"
TAGGED_SHA="$(git rev-parse "${GITHUB_SHA}")"
BRANCH_HEAD_SHA="$(git rev-parse "origin/${BRANCH}")"
test "${TAGGED_SHA}" = "${BRANCH_HEAD_SHA}"
- name: Ensure required CI checks succeeded for tagged commit
env:
GH_TOKEN: ${{ github.token }}
REQUIRED_CI_WORKFLOW: ci.yml
REQUIRED_CI_JOBS_JSON: '["Verify (Node.js 22.x)","Package Smoke Test","Windows Compatibility Smoke","Security Audit"]'
run: |
set -euo pipefail
RUNS_JSON="$(gh run list \
--repo "${GITHUB_REPOSITORY}" \
--workflow "${REQUIRED_CI_WORKFLOW}" \
--commit "${GITHUB_SHA}" \
--event push \
--limit 20 \
--json databaseId,status,conclusion,headSha,createdAt,url)"
export RUNS_JSON
RUN_ID="$(node <<'NODE'
const runs = JSON.parse(process.env.RUNS_JSON || "[]")
const sha = process.env.GITHUB_SHA
const matching = Array.isArray(runs)
? runs.filter((run) => run && run.headSha === sha)
: []
matching.sort((left, right) => String(right.createdAt).localeCompare(String(left.createdAt)))
const latest = matching[0]?.databaseId
if (!latest) {
console.error(`No ci.yml push run found for ${sha}.`)
process.exit(1)
}
process.stdout.write(String(latest))
NODE
)"
DETAILS_JSON=""
STATUS=""
CONCLUSION=""
for attempt in $(seq 1 120); do
DETAILS_JSON="$(gh run view "${RUN_ID}" --repo "${GITHUB_REPOSITORY}" --json status,conclusion,jobs,url)"
STATUS="$(node -e 'const details = JSON.parse(process.argv[1] || "{}"); process.stdout.write(String(details.status ?? ""))' "${DETAILS_JSON}")"
CONCLUSION="$(node -e 'const details = JSON.parse(process.argv[1] || "{}"); process.stdout.write(String(details.conclusion ?? ""))' "${DETAILS_JSON}")"
if [ "${STATUS}" = "completed" ]; then
break
fi
sleep 10
done
if [ "${STATUS}" != "completed" ]; then
echo "Timed out waiting for ci.yml run ${RUN_ID} to complete."
exit 1
fi
export DETAILS_JSON
node <<'NODE'
const details = JSON.parse(process.env.DETAILS_JSON || "{}")
if (details.status !== "completed" || details.conclusion !== "success") {
throw new Error(
`Latest ci.yml push run is not green: status=${details.status ?? "unknown"}, conclusion=${details.conclusion ?? "unknown"} ${details.url ?? ""}`.trim()
)
}
const requiredJobs = JSON.parse(process.env.REQUIRED_CI_JOBS_JSON || "[]")
const jobs = Array.isArray(details.jobs) ? details.jobs : []
for (const requiredJob of requiredJobs) {
const match = jobs.find((job) => job && job.name === requiredJob)
if (!match) {
throw new Error(`Required CI job missing in ci.yml run: ${requiredJob}`)
}
if (match.conclusion !== "success") {
throw new Error(`Required CI job is not successful (${requiredJob}): ${match.conclusion ?? "unknown"}`)
}
}
NODE
- name: Ensure tag matches package version
run: |
set -euo pipefail
TAG_VERSION="${GITHUB_REF_NAME#v}"
PACKAGE_VERSION="$(node -p "JSON.parse(require('node:fs').readFileSync('package.json','utf8')).version")"
test "${TAG_VERSION}" = "${PACKAGE_VERSION}"
- name: Install dependencies
run: npm ci
- name: Verify npm version
run: npm --version
- name: Run verify
run: npm run verify
- name: Pack release tarball
run: |
set -euo pipefail
TARBALL="$(npm pack --silent)"
test -f "${TARBALL}"
mkdir -p release-artifact
mv "${TARBALL}" release-artifact/
- name: Upload release artifact
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
with:
name: npm-release-tarball
path: release-artifact/*.tgz
npm-publish:
name: Publish to npm
needs: verify
runs-on: ubuntu-latest
timeout-minutes: 15
environment: npm-release
permissions:
contents: read
id-token: write
steps:
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
with:
fetch-depth: 1
- uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
with:
node-version: "22.x"
registry-url: "https://registry.npmjs.org"
cache: npm
- name: Ensure OIDC publish runtime
run: |
set -euo pipefail
node - <<'NODE'
const [major, minor] = process.versions.node.split(".").map((value) => Number(value))
const isSupported = major > 22 || (major === 22 && minor >= 14)
if (!isSupported) {
console.error(`Node.js ${process.versions.node} is too old for OIDC trusted publishing (need >=22.14.0).`)
process.exit(1)
}
NODE
if ! node - "$(npm --version)" <<'NODE'
const input = String(process.argv[2] ?? "")
const [major, minor, patch] = input.split(".").map((value) => Number(value))
const isValid = Number.isFinite(major) && Number.isFinite(minor) && Number.isFinite(patch)
const isSupported = isValid && (major > 11 || (major === 11 && (minor > 5 || (minor === 5 && patch >= 1))))
if (!isSupported) process.exit(1)
NODE
then
echo "Upgrading npm to 11.5.1 for OIDC trusted publishing compatibility..."
npm install -g npm@11.5.1
fi
echo "Using Node $(node --version)"
echo "Using npm $(npm --version)"
- name: OIDC trusted publishing preflight
env:
EXPECTED_REPO: "iam-brain/opencode-codex-auth"
EXPECTED_WORKFLOW_FILE: ".github/workflows/release.yml"
EXPECTED_ENVIRONMENT: "npm-release"
run: |
set -euo pipefail
if [ "${GITHUB_REPOSITORY}" != "${EXPECTED_REPO}" ]; then
echo "Unexpected repository for trusted publishing: ${GITHUB_REPOSITORY}" >&2
echo "Expected repository: ${EXPECTED_REPO}" >&2
exit 1
fi
if [ -n "${GITHUB_WORKFLOW_REF:-}" ] && [[ "${GITHUB_WORKFLOW_REF}" != "${EXPECTED_REPO}/${EXPECTED_WORKFLOW_FILE}@"* ]]; then
echo "Unexpected workflow ref for trusted publishing: ${GITHUB_WORKFLOW_REF}" >&2
echo "Expected workflow file: ${EXPECTED_WORKFLOW_FILE}" >&2
exit 1
fi
if [ -z "${ACTIONS_ID_TOKEN_REQUEST_URL:-}" ] || [ -z "${ACTIONS_ID_TOKEN_REQUEST_TOKEN:-}" ]; then
echo "Missing GitHub OIDC request metadata in job environment." >&2
echo "Expected ACTIONS_ID_TOKEN_REQUEST_URL and ACTIONS_ID_TOKEN_REQUEST_TOKEN." >&2
echo "Verify workflow permissions include id-token: write and environment ${EXPECTED_ENVIRONMENT} is correctly configured." >&2
exit 1
fi
if [[ "${ACTIONS_ID_TOKEN_REQUEST_URL}" == *"?"* ]]; then
OIDC_URL="${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=npmjs"
else
OIDC_URL="${ACTIONS_ID_TOKEN_REQUEST_URL}?audience=npmjs"
fi
OIDC_RESPONSE="$(curl --fail --silent --show-error --location \
-H "Authorization: bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" \
"${OIDC_URL}")"
OIDC_TOKEN="$(OIDC_RESPONSE="${OIDC_RESPONSE}" node - <<'NODE'
const raw = process.env.OIDC_RESPONSE || ""
let parsed = {}
try {
parsed = JSON.parse(raw || "{}")
} catch {
console.error("GitHub OIDC token response is not valid JSON.")
process.exit(1)
}
const tokenCandidates = [parsed.value, parsed.token, parsed.id_token]
const token = tokenCandidates.find(
(candidate) => typeof candidate === "string" && candidate.trim().length > 0
)
if (!token) {
const keys =
parsed && typeof parsed === "object" && !Array.isArray(parsed)
? Object.keys(parsed).join(",")
: ""
console.error(
`GitHub OIDC token response missing expected token key (keys: ${keys || "<none>"}).`
)
process.exit(1)
}
process.stdout.write(token)
NODE
)"
if [ -z "${OIDC_TOKEN}" ]; then
echo "GitHub OIDC token response did not include a token value." >&2
exit 1
fi
EXPECTED_REPO="${EXPECTED_REPO}" \
EXPECTED_WORKFLOW_FILE="${EXPECTED_WORKFLOW_FILE}" \
EXPECTED_ENVIRONMENT="${EXPECTED_ENVIRONMENT}" \
OIDC_TOKEN="${OIDC_TOKEN}" \
node - <<'NODE'
const expectedRepo = process.env.EXPECTED_REPO || ""
const expectedWorkflowFile = process.env.EXPECTED_WORKFLOW_FILE || ""
const expectedEnvironment = process.env.EXPECTED_ENVIRONMENT || ""
const token = process.env.OIDC_TOKEN || ""
const segment = token.split(".")[1]
if (!segment) {
console.error("Unable to parse GitHub OIDC token payload.")
process.exit(1)
}
const padLength = (4 - (segment.length % 4)) % 4
const normalized = `${segment.replace(/-/g, "+").replace(/_/g, "/")}${"=".repeat(padLength)}`
const payload = JSON.parse(Buffer.from(normalized, "base64").toString("utf8"))
const repository = String(payload.repository || "")
const workflowRef = String(payload.job_workflow_ref || payload.workflow_ref || "")
const environment = String(payload.environment || "")
const errors = []
if (repository !== expectedRepo) {
errors.push(`OIDC claim repository mismatch: ${repository || "<missing>"} (expected ${expectedRepo})`)
}
const workflowPrefix = `${expectedRepo}/${expectedWorkflowFile}@`
if (!workflowRef.startsWith(workflowPrefix)) {
errors.push(
`OIDC claim workflow mismatch: ${workflowRef || "<missing>"} (expected prefix ${workflowPrefix})`
)
}
if (environment !== expectedEnvironment) {
errors.push(
`OIDC claim environment mismatch: ${environment || "<missing>"} (expected ${expectedEnvironment})`
)
}
if (errors.length > 0) {
for (const error of errors) {
console.error(error)
}
process.exit(1)
}
NODE
echo "OIDC preflight passed for ${EXPECTED_REPO} (${EXPECTED_WORKFLOW_FILE}, environment ${EXPECTED_ENVIRONMENT})."
- name: Download release artifact
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4
with:
name: npm-release-tarball
path: release-artifact
- name: Publish to npm (Trusted Publishing, idempotent)
run: |
set -euo pipefail
PKG_NAME="$(node -p "JSON.parse(require('node:fs').readFileSync('package.json','utf8')).name")"
PKG_VERSION="$(node -p "JSON.parse(require('node:fs').readFileSync('package.json','utf8')).version")"
if npm view "${PKG_NAME}@${PKG_VERSION}" version >/dev/null 2>&1; then
echo "Package already published: ${PKG_NAME}@${PKG_VERSION}. Skipping npm publish."
exit 0
fi
TARBALL="$(ls -1 ./release-artifact/*.tgz | head -n 1)"
test -f "${TARBALL}"
PUBLISH_LOG="$(mktemp)"
set +e
npm publish "${TARBALL}" --access public --provenance >"${PUBLISH_LOG}" 2>&1
PUBLISH_STATUS=$?
set -e
cat "${PUBLISH_LOG}"
if [ ${PUBLISH_STATUS} -ne 0 ] && grep -Eiq "ENEEDAUTH|need auth" "${PUBLISH_LOG}"; then
echo "OIDC trusted publish returned ENEEDAUTH." >&2
echo "Verify npm Trusted Publisher mapping repo=iam-brain/opencode-codex-auth workflow=.github/workflows/release.yml environment=npm-release." >&2
fi
rm -f "${PUBLISH_LOG}"
exit ${PUBLISH_STATUS}
release:
name: Create GitHub Release
needs: npm-publish
runs-on: ubuntu-latest
timeout-minutes: 10
permissions:
contents: write
steps:
- name: Checkout
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
with:
fetch-depth: 0
- name: Create release (idempotent)
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
set -euo pipefail
TAG="${GITHUB_REF_NAME}"
echo "Tag: ${TAG}"
if gh release view "${TAG}" --repo "${GITHUB_REPOSITORY}" >/dev/null 2>&1; then
echo "Release already exists for ${TAG}; skipping."
exit 0
fi
gh release create "${TAG}" \
--repo "${GITHUB_REPOSITORY}" \
--verify-tag \
--generate-notes