chore: release v1.0.5 #6
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Release | |
| # Triggered by a semver tag pushed from main, e.g. git tag v0.2.0 && git push origin v0.2.0 | |
| on: | |
| push: | |
| tags: | |
| - "v[0-9]+.[0-9]+.[0-9]+" | |
| - "v[0-9]+.[0-9]+.[0-9]+-*" # allow pre-release tags like v1.0.0-beta.1 | |
| concurrency: | |
| group: release-${{ github.ref }} | |
| cancel-in-progress: false # never cancel an in-flight release | |
| jobs: | |
| # ───────────────────────────────────────────────────────────────────────────── | |
| # Guard: run the full CI suite before publishing anything | |
| # ───────────────────────────────────────────────────────────────────────────── | |
| ci: | |
| name: CI checks | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: pnpm/action-setup@v4 | |
| with: | |
| version: "10.11.0" | |
| - uses: actions/setup-node@v4 | |
| with: | |
| node-version: "22" | |
| cache: "pnpm" | |
| - name: Install dependencies | |
| run: pnpm install --frozen-lockfile | |
| - name: Lint (Biome) | |
| run: pnpm check | |
| - name: Type-check | |
| run: pnpm type-check | |
| - name: Build all packages | |
| run: pnpm build | |
| - name: Run tests | |
| run: pnpm test | |
| # Persist the build artifacts for the publish job so we don't rebuild | |
| - name: Upload build artifacts | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: build-artifacts | |
| # packages/*/dist — @cfxdevkit/* library dist outputs | |
| # devtools/devkit-ui/out — Next.js static export (needed by copy-ui.mjs) | |
| # devtools/devkit/dist — CLI bundle | |
| # devtools/devkit/ui — copied static UI assets (dist includes these via "files") | |
| path: | | |
| packages/*/dist | |
| devtools/devkit-ui/out | |
| devtools/devkit/dist | |
| devtools/devkit/ui | |
| retention-days: 1 | |
| # ───────────────────────────────────────────────────────────────────────────── | |
| # Publish to npm via OIDC Trusted Publishing | |
| # | |
| # No NPM_TOKEN secret required. npm CLI automatically exchanges the GitHub | |
| # OIDC token for a short-lived npm credential during publish. | |
| # | |
| # Prerequisites (one-time setup): | |
| # Each package must have a Trusted Publisher configured on npmjs.com | |
| # pointing at this repository + "release.yml" workflow filename. | |
| # Use `npm trust add` for bulk configuration (npm CLI ≥11.10.0). | |
| # See: https://docs.npmjs.com/trusted-publishers | |
| # ───────────────────────────────────────────────────────────────────────────── | |
| publish: | |
| name: Publish to npm | |
| runs-on: ubuntu-latest | |
| needs: ci | |
| permissions: | |
| contents: read | |
| id-token: write # required for OIDC token exchange with npm | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: pnpm/action-setup@v4 | |
| with: | |
| version: "10.11.0" | |
| # registry-url tells setup-node (and therefore pnpm) which npm registry | |
| # to target. Do NOT pass a token here — OIDC handles auth automatically. | |
| # Trusted publishing requires npm CLI ≥11.5.1 and Node ≥22.14.0. | |
| - uses: actions/setup-node@v4 | |
| with: | |
| node-version: "22.14" | |
| registry-url: "https://registry.npmjs.org" | |
| cache: "pnpm" | |
| - name: Install dependencies | |
| run: pnpm install --frozen-lockfile | |
| # Restore pre-built artifacts from the ci job (avoids a full rebuild) | |
| - name: Download build artifacts | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: build-artifacts | |
| # ── 0. Upgrade npm so OIDC trusted publishing works reliably ──────────── | |
| # actions/setup-node writes `_authToken=${NODE_AUTH_TOKEN}` to .npmrc. | |
| # When NODE_AUTH_TOKEN is unset, some npm versions treat the empty value | |
| # as an invalid token ("Access token expired") instead of falling through | |
| # to OIDC. Upgrading npm to latest (11.x) and clearing the stale auth | |
| # entry ensures the OIDC exchange is always used for publishing. | |
| - name: Upgrade npm and clear stale auth | |
| run: | | |
| npm install -g npm@latest | |
| npm --version | |
| # Remove the empty _authToken written by actions/setup-node so npm | |
| # finds no static credential and uses the OIDC token instead. | |
| npm config delete "//registry.npmjs.org/:_authToken" || true | |
| # ── 1. Publish all @cfxdevkit/* library packages ─────────────────────── | |
| # IMPORTANT: Use `npm publish` (not `pnpm publish`) so the npm CLI can | |
| # automatically exchange the GitHub OIDC token for a short-lived npm | |
| # credential. `pnpm publish` does NOT trigger the OIDC token exchange, | |
| # which causes "Access token expired" + E404 even when trusted publishing | |
| # is correctly configured on npmjs.com. | |
| - name: Publish @cfxdevkit/* packages | |
| run: | | |
| set -e | |
| failed='' | |
| for pkg_dir in packages/*/; do | |
| pkg_name=$(node -p "require('./${pkg_dir}package.json').name") | |
| echo "\n--- Publishing ${pkg_name} ---" | |
| if ! npm publish "${pkg_dir}" --access public; then | |
| echo "::error::Failed to publish ${pkg_name}" | |
| failed="${failed} ${pkg_name}" | |
| fi | |
| done | |
| if [ -n "$failed" ]; then | |
| echo "::error::The following packages failed to publish:${failed}" | |
| exit 1 | |
| fi | |
| # ── 2. Publish the conflux-devkit CLI ────────────────────────────────── | |
| # `pnpm pack` normalises workspace:* dependency versions in package.json | |
| # to real semver before creating the tarball so the published package.json | |
| # is clean. We then hand the tarball to `npm publish` so the OIDC token | |
| # exchange still happens via the npm CLI. | |
| - name: Pack + Publish conflux-devkit CLI | |
| run: | | |
| pnpm pack -C devtools/devkit --pack-destination . | |
| npm publish ./conflux-devkit-*.tgz --access public |