fix: remove provenance=true from .npmrc — breaks local publish #1
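name: Release

# Triggered by a semver tag pushed from main,
# e.g. git tag v0.2.0 && git push origin v0.2.0
# NOTE(review): the filter below matches any pushed tag of this shape; nothing
# in this workflow checks that the tagged commit is reachable from main. If
# that invariant matters, restrict who may create v* tags (tag protection /
# rulesets) rather than relying on convention.
on:
  push:
    tags:
      - "v[0-9]+.[0-9]+.[0-9]+"
      - "v[0-9]+.[0-9]+.[0-9]+-*"  # allow pre-release tags like v1.0.0-beta.1

# Workflow-wide default for GITHUB_TOKEN: read-only repository contents.
# A job that needs more must say so in its own `permissions:` block, so the
# broader repository/organisation default is never inherited silently.
permissions:
  contents: read

concurrency:
  group: release-${{ github.ref }}
  cancel-in-progress: false  # never cancel an in-flight release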
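jobs:
  # ─────────────────────────────────────────────────────────────────────────────
  # Guard: run the full CI suite before publishing anything
  # ─────────────────────────────────────────────────────────────────────────────
  ci:
    name: CI checks
    runs-on: ubuntu-latest
    # Least privilege: this job installs dependencies and runs project scripts,
    # so it gets a read-only token and no OIDC capability.
    permissions:
      contents: read
    steps:
      # NOTE(review): every `uses:` in this workflow references a mutable
      # major-version tag (@v4). Pinning each action to a full commit SHA would
      # keep a re-pointed tag from changing what runs in a release.
      - uses: actions/checkout@v4
        with:
          # Do not leave the GITHUB_TOKEN in .git/config for later steps
          # (install / build / test scripts) to read.
          persist-credentials: false

      - uses: pnpm/action-setup@v4
        with:
          version: "10.11.0"

      - uses: actions/setup-node@v4
        with:
          node-version: "22"
          cache: "pnpm"

      - name: Install dependencies
        run: pnpm install --frozen-lockfile

      - name: Lint (Biome)
        run: pnpm check

      - name: Type-check
        run: pnpm type-check

      - name: Build all packages
        run: pnpm build

      - name: Run tests
        run: pnpm test

      # Persist the build artifacts for the publish job so we don't rebuild
      - name: Upload build artifacts
        uses: actions/upload-artifact@v4
        with:
          name: build-artifacts
          # packages/*/dist — @cfxdevkit/* library dist outputs
          # devtools/devkit-ui/out — Next.js static export (needed by copy-ui.mjs)
          # devtools/devkit/dist — CLI bundle
          # devtools/devkit/ui — copied static UI assets (dist includes these via "files")
          path: |
            packages/*/dist
            devtools/devkit-ui/out
            devtools/devkit/dist
            devtools/devkit/ui
          retention-days: 1

  # ─────────────────────────────────────────────────────────────────────────────
  # Publish to npm via OIDC Trusted Publishing
  #
  # No NPM_TOKEN secret required. npm CLI automatically exchanges the GitHub
  # OIDC token for a short-lived npm credential during publish.
  #
  # Prerequisites (one-time setup):
  # Each package must have a Trusted Publisher configured on npmjs.com
  # pointing at this repository + "release.yml" workflow filename.
  # Use `npm trust add` for bulk configuration (npm CLI ≥11.10.0).
  # See: https://docs.npmjs.com/trusted-publishers
  #
  # NOTE(review): this is the only job that can mint an OIDC token, and it
  # publishes the artifacts built by `ci` without rebuilding them. Anything that
  # runs in this job (actions, install scripts) runs with publish capability, so
  # keep its step list as small as possible. A protected deployment environment
  # with required reviewers would add a manual gate — not configured here.
  # ─────────────────────────────────────────────────────────────────────────────
  publish:
    name: Publish to npm
    runs-on: ubuntu-latest
    needs: ci
    permissions:
      contents: read
      id-token: write  # required for OIDC token exchange with npm
    steps:
      - uses: actions/checkout@v4
        with:
          # Publishing uses --no-git-checks and never pushes, so the checkout
          # token does not need to stay on disk next to the install step.
          persist-credentials: false

      - uses: pnpm/action-setup@v4
        with:
          version: "10.11.0"

      # registry-url tells setup-node (and therefore pnpm) which npm registry
      # to target. Do NOT pass a token here — OIDC handles auth automatically.
      # Trusted publishing requires npm CLI ≥11.5.1 and Node ≥22.14.0.
      # NOTE(review): the Node 22.14 line is believed to bundle an npm 10.x CLI,
      # which would be below the ≥11.5.1 stated above, and no step here upgrades
      # npm. Confirm with `npm --version` in this job — TODO verify.
      - uses: actions/setup-node@v4
        with:
          node-version: "22.14"
          registry-url: "https://registry.npmjs.org"
          cache: "pnpm"

      - name: Install dependencies
        run: pnpm install --frozen-lockfile

      # Restore pre-built artifacts from the ci job (avoids a full rebuild)
      - name: Download build artifacts
        uses: actions/download-artifact@v4
        with:
          name: build-artifacts

      # ── 1. Publish all @cfxdevkit/* library packages ───────────────────────
      # pnpm handles topological publish order (respects workspace:* deps).
      # --no-git-checks skips the "working tree must be clean" check that
      # fails on tag checkouts.
      # Provenance attestation is generated automatically by npm when publishing
      # via OIDC trusted publishing — no --provenance flag needed.
      - name: Publish @cfxdevkit/* packages
        run: |
          pnpm publish \
            --filter './packages/*' \
            --recursive \
            --access public \
            --no-git-checks \
            --report-summary

      # ── 2. Publish the conflux-devkit CLI ──────────────────────────────────
      # Published separately (after the scoped packages) because its package.json
      # lists workspace:* deps that pnpm rewrites to real versions at publish time.
      # The CLI bundles all @cfxdevkit/* code via tsup noExternal so npm users
      # get a standalone binary — @cfxdevkit/* are in devDependencies, not deps.
      - name: Publish conflux-devkit CLI
        run: |
          pnpm publish \
            --filter conflux-devkit \
            --access public \
            --no-git-checks \
            --report-summary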