From 38fc680309dba0eff30082a07a9d492e25b3eb9c Mon Sep 17 00:00:00 2001 From: Subin Lee Date: Thu, 16 Apr 2026 16:32:32 +0900 Subject: [PATCH] feat(ci): unify release workflows for npm Trusted Publishers OIDC Merge release-please.yml and release-please-beta.yml into a single release.yml to enable npm Trusted Publishers, which requires exactly one workflow filename per package. This must exist on the default branch (master) for npm OIDC validation. Co-Authored-By: Claude Opus 4.6 (1M context) --- .github/workflows/release-please.yml | 246 ------------------ .../{release-please-beta.yml => release.yml} | 57 ++-- 2 files changed, 32 insertions(+), 271 deletions(-) delete mode 100644 .github/workflows/release-please.yml rename .github/workflows/{release-please-beta.yml => release.yml} (83%) diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml deleted file mode 100644 index 4d0795b3..00000000 --- a/.github/workflows/release-please.yml +++ /dev/null 
@@ -1,246 +0,0 @@ -name: Release - -on: - push: - branches: [master] - workflow_dispatch: - -permissions: {} - -concurrency: - group: release-please-master - cancel-in-progress: false - -env: - FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true - -jobs: - wait-for-ci: - name: Wait for CI - if: ${{ github.event_name == 'push' }} - runs-on: ubuntu-latest - permissions: - actions: read - contents: read - steps: - - name: Checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - with: - persist-credentials: false - - - name: Wait for CI workflow to succeed - env: - BRANCH: ${{ github.ref_name }} - COMMIT_SHA: ${{ github.sha }} - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: bash .github/scripts/wait-for-workflow.sh ci.yml "$BRANCH" "$COMMIT_SHA" - - release-please: - name: Release Please - needs: wait-for-ci - if: ${{ always() && github.ref_name == 'master' && (github.event_name != 'push' || needs.wait-for-ci.result == 'success') }} - runs-on: ubuntu-latest - permissions: - contents: write - pull-requests: write - issues: write - outputs: - release_created: ${{ steps.release.outputs.release_created }} - tag_name: ${{ steps.release.outputs.tag_name }} - pr_head_sha: ${{ steps.pr-sha.outputs.sha }} - steps: - - name: Release Please - id: release - uses: googleapis/release-please-action@5c625bfb5d1ff62eadeeb3772007f7f66fdcf071 # v4 - with: - token: ${{ secrets.GITHUB_TOKEN }} - - - name: Update release title with date - if: ${{ steps.release.outputs.release_created }} - env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - TAG: ${{ steps.release.outputs.tag_name }} - REPO: ${{ github.repository }} - run: | - DATE=$(date -u +"%Y/%m/%d") - gh release edit "$TAG" --repo "$REPO" --title "$TAG ($DATE)" - - - name: Get PR head SHA - id: pr-sha - if: ${{ steps.release.outputs.release_created != 'true' }} - env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - REPO: ${{ github.repository }} - run: | - SHA=$(gh pr list --repo "$REPO" --head 
release-please--branches--master--components--solapi --state open --json headRefOid --jq '.[0].headRefOid // empty') - echo "sha=${SHA:-}" >> "$GITHUB_OUTPUT" - - test-release-pr: - name: Test (Release PR) - needs: release-please - if: ${{ needs.release-please.result == 'success' && needs.release-please.outputs.release_created != 'true' && needs.release-please.outputs.pr_head_sha != '' }} - runs-on: ubuntu-latest - permissions: - contents: read - statuses: write - steps: - - name: Set pending status - continue-on-error: true - env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - SHA: ${{ needs.release-please.outputs.pr_head_sha }} - REPO: ${{ github.repository }} - run: | - gh api "repos/$REPO/statuses/$SHA" \ - -f state=pending -f context="Test" -f description="Running tests..." - - - name: Checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - with: - ref: ${{ needs.release-please.outputs.pr_head_sha }} - persist-credentials: false - - - name: Setup pnpm - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5 - with: - run_install: false - - - name: Setup Node.js - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 - with: - node-version: 18 - - - name: Install dependencies - run: pnpm install --frozen-lockfile - - - name: Test (unit only) - run: pnpm test:ci - - - name: Build - run: pnpm tsup - - - name: Report success - if: success() - env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - SHA: ${{ needs.release-please.outputs.pr_head_sha }} - REPO: ${{ github.repository }} - run: | - gh api "repos/$REPO/statuses/$SHA" \ - -f state=success -f context="Test" -f description="Tests passed" - - - name: Report failure - if: failure() - env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - SHA: ${{ needs.release-please.outputs.pr_head_sha }} - REPO: ${{ github.repository }} - run: | - gh api "repos/$REPO/statuses/$SHA" \ - -f state=failure -f context="Test" -f description="Tests failed" - - lint-release-pr: - name: Lint 
(Release PR) - needs: release-please - if: ${{ needs.release-please.result == 'success' && needs.release-please.outputs.release_created != 'true' && needs.release-please.outputs.pr_head_sha != '' }} - runs-on: ubuntu-latest - permissions: - contents: read - statuses: write - steps: - - name: Set pending status - continue-on-error: true - env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - SHA: ${{ needs.release-please.outputs.pr_head_sha }} - REPO: ${{ github.repository }} - run: | - gh api "repos/$REPO/statuses/$SHA" \ - -f state=pending -f context="Lint" -f description="Running lint..." - - - name: Checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - with: - ref: ${{ needs.release-please.outputs.pr_head_sha }} - persist-credentials: false - - - name: Setup pnpm - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5 - with: - run_install: false - - - name: Setup Node.js - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 - with: - node-version: 18 - - - name: Install dependencies - run: pnpm install --frozen-lockfile - - - name: Lint - run: pnpm lint:ci - - - name: Report success - if: success() - env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - SHA: ${{ needs.release-please.outputs.pr_head_sha }} - REPO: ${{ github.repository }} - run: | - gh api "repos/$REPO/statuses/$SHA" \ - -f state=success -f context="Lint" -f description="Lint passed" - - - name: Report failure - if: failure() - env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - SHA: ${{ needs.release-please.outputs.pr_head_sha }} - REPO: ${{ github.repository }} - run: | - gh api "repos/$REPO/statuses/$SHA" \ - -f state=failure -f context="Lint" -f description="Lint failed" - - publish: - name: Publish to npm - needs: release-please - if: ${{ needs.release-please.result == 'success' && needs.release-please.outputs.release_created == 'true' }} - runs-on: ubuntu-latest - environment: release - env: - HAS_NPM_TOKEN: ${{ secrets.NPM_TOKEN != '' }} - 
permissions: - contents: read - id-token: write - steps: - - name: Checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - with: - ref: ${{ needs.release-please.outputs.tag_name }} - persist-credentials: false - - - name: Setup pnpm - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5 - with: - run_install: false - - - name: Setup Node.js - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 - with: - node-version: 18 - registry-url: https://registry.npmjs.org - - - name: Install dependencies - run: pnpm install --frozen-lockfile - - - name: Build - run: pnpm tsup - - - name: Publish with trusted publishing - if: ${{ env.HAS_NPM_TOKEN != 'true' }} - run: npm publish --provenance --access public - - - name: Publish with provenance token fallback - if: ${{ env.HAS_NPM_TOKEN == 'true' }} - run: npm publish --provenance --access public - env: - NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} diff --git a/.github/workflows/release-please-beta.yml b/.github/workflows/release.yml similarity index 83% rename from .github/workflows/release-please-beta.yml rename to .github/workflows/release.yml index c5fd4c20..10104e1c 100644 --- a/.github/workflows/release-please-beta.yml +++ b/.github/workflows/release.yml @@ -1,14 +1,14 @@ -name: Beta Release +name: Release on: push: - branches: [beta] + branches: [master, beta] workflow_dispatch: permissions: {} concurrency: - group: release-please-beta + group: release-${{ github.ref_name }} cancel-in-progress: false env: 
@@ -36,9 +36,12 @@ jobs: run: bash .github/scripts/wait-for-workflow.sh ci.yml "$BRANCH" "$COMMIT_SHA" release-please: - name: Release Please (Beta) + name: Release Please needs: wait-for-ci - if: ${{ always() && github.ref_name == 'beta' && (github.event_name != 'push' || needs.wait-for-ci.result == 'success') }} + if: >- + always() + && (github.ref_name == 'master' || github.ref_name == 'beta') + && (github.event_name != 'push' || needs.wait-for-ci.result == 'success') runs-on: ubuntu-latest permissions: contents: write @@ -54,9 +57,9 @@ jobs: uses: googleapis/release-please-action@5c625bfb5d1ff62eadeeb3772007f7f66fdcf071 # v4 with: token: ${{ secrets.GITHUB_TOKEN }} - target-branch: beta - config-file: release-please-config-beta.json - manifest-file: .release-please-manifest-beta.json + target-branch: ${{ github.ref_name }} + config-file: ${{ github.ref_name == 'beta' && 'release-please-config-beta.json' || 'release-please-config.json' }} + manifest-file: ${{ github.ref_name == 'beta' && '.release-please-manifest-beta.json' || '.release-please-manifest.json' }} - name: Update release title with date if: ${{ steps.release.outputs.release_created }} 
@@ -74,20 +77,25 @@ jobs: env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} REPO: ${{ github.repository }} + BRANCH: ${{ github.ref_name }} run: | - SHA=$(gh pr list --repo "$REPO" --head release-please--branches--beta --state open --json headRefOid --jq '.[0].headRefOid // empty') + SHA=$(gh pr list --repo "$REPO" --head "release-please--branches--${BRANCH}--components--solapi" --state open --json headRefOid --jq '.[0].headRefOid // empty') echo "sha=${SHA:-}" >> "$GITHUB_OUTPUT" test-release-pr: - name: Test (Beta Release PR) + name: Test (Release PR) needs: release-please - if: ${{ needs.release-please.result == 'success' && needs.release-please.outputs.release_created != 'true' && needs.release-please.outputs.pr_head_sha != '' }} + if: >- + needs.release-please.result == 'success' + && needs.release-please.outputs.release_created != 'true' + && needs.release-please.outputs.pr_head_sha != '' runs-on: ubuntu-latest permissions: contents: read statuses: write steps: - name: Set pending status + continue-on-error: true env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} SHA: ${{ needs.release-please.outputs.pr_head_sha }} @@ -147,15 +155,19 @@ jobs: || echo "::warning::Failed to report failure status on $SHA" lint-release-pr: - name: Lint (Beta Release PR) + name: Lint (Release PR) needs: release-please - if: ${{ needs.release-please.result == 'success' && needs.release-please.outputs.release_created != 'true' && needs.release-please.outputs.pr_head_sha != '' }} + if: >- + needs.release-please.result == 'success' + && needs.release-please.outputs.release_created != 'true' + && needs.release-please.outputs.pr_head_sha != '' runs-on: ubuntu-latest permissions: contents: read statuses: write steps: - name: Set pending status + continue-on-error: true env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} SHA: ${{ needs.release-please.outputs.pr_head_sha }} 
@@ -212,13 +224,13 @@ jobs: || echo "::warning::Failed to report failure status on $SHA" publish: - name: Publish to npm (Beta) + name: Publish to npm needs: release-please - if: ${{ needs.release-please.result == 'success' && needs.release-please.outputs.release_created == 'true' }} + if: >- + needs.release-please.result == 'success' + && needs.release-please.outputs.release_created == 'true' runs-on: ubuntu-latest environment: release - env: - HAS_NPM_TOKEN: ${{ secrets.NPM_TOKEN != '' }} permissions: contents: read id-token: write @@ -246,15 +258,10 @@ jobs: - name: Build run: pnpm tsup - - name: Publish beta with trusted publishing - if: ${{ env.HAS_NPM_TOKEN != 'true' }} - run: npm publish --provenance --access public --tag beta - - - name: Publish with provenance token fallback (beta) - if: ${{ env.HAS_NPM_TOKEN == 'true' }} - run: npm publish --provenance --access public --tag beta + - name: Publish env: - NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} + NPM_TAG: ${{ github.ref_name == 'beta' && 'beta' || 'latest' }} + run: npm publish --tag "$NPM_TAG" - name: Report publish failure if: failure()
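Review bot: The new `Publish` step drops both `--provenance` and `--access public` that every removed publish line carried, and relies on npm attaching provenance implicitly through the OIDC exchange (`id-token: write` stays on the job); that implicit behaviour only exists in npm CLI versions that support trusted publishing, and the `Setup Node.js` step sits outside this hunk while the deleted `release-please.yml` pinned `node-version: 18`, whose bundled npm predates OIDC publishing — confirm the renamed file no longer pins 18, or the first master run will fail the token exchange. Keeping the flag explicit makes a publish without an attestation fail loudly instead of silently regressing the supply-chain guarantee the commit message is after: `run: npm publish --provenance --access public --tag "$NPM_TAG"` (`--access public` is a no-op for an unscoped package, which the `components--solapi` branch name suggests this is, but it protects against a future scope change). Since the `NODE_AUTH_TOKEN` fallback is gone, also verify in a dry run that the `.npmrc` entry `setup-node` writes for `registry-url` does not leave an empty token that npm prefers over the OIDC credential, and that the `release` environment referenced just above this hunk has a deployment-branch rule limiting it to `master`/`beta`, because the npm trusted-publisher trust is now keyed on this single filename and environment.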