Add workflow to publish npm packages
Add workflow to handle automatically publishing packages to the npm registry when the commit message matches the expected format: `Publish <version> of the @tektoncd/dashboard-* packages` For PRs it validates the PR is up-to-date with the base branch and that the PR title and commit message match. For both PRs and pushes it validates that the version in the commit message matches the version in the package.json files. Once all validation passes, it will publish the package (dry-run for PR). This simplifies the process of releasing new package versions as now it only requires running the `npm version --workspaces <version>` command and committing the result. The rest of the process, i.e. ensuring inter-workspace dependencies are updated to use the correct versions before publishing, is handled by the workflow. Also generate provenance statements for the packages. Skip all steps if commit message or PR title don't match expected format so the job passes and doesn't block unrelated PRs for dependency updates etc.
1 parent
0ca65ee
commit 3944f5d
Showing
7 changed files
with
147 additions
and
24 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,134 @@ | ||
name: Publish NPM packages | ||
|
||
permissions: | ||
contents: read | ||
|
||
on: | ||
pull_request: | ||
branches: ["main"] | ||
paths-ignore: | ||
- "**" | ||
- "!**/package.json" | ||
- "!**/package-lock.json" | ||
types: | ||
- opened | ||
- reopened | ||
- synchronize | ||
push: | ||
branches: ["main"] | ||
paths-ignore: | ||
- "**" | ||
- "!**/package.json" | ||
- "!**/package-lock.json" | ||
|
||
defaults: | ||
run: | ||
shell: bash | ||
|
||
jobs: | ||
publish: | ||
runs-on: ubuntu-24.04 | ||
permissions: | ||
contents: read | ||
# required for npm package provenance | ||
id-token: write | ||
steps: | ||
- name: Check for publish commit | ||
id: checkPublishCommit | ||
if: >- | ||
${{ | ||
( | ||
github.event_name == 'pull_request' && | ||
startsWith(github.event.pull_request.title, 'Publish v') && | ||
endsWith(github.event.pull_request.title, 'of the @tektoncd/dashboard-* packages') | ||
) || | ||
( | ||
github.event_name == 'push' && | ||
startsWith(github.event.head_commit.message, 'Publish v') && | ||
endsWith(github.event.head_commit.message, 'of the @tektoncd/dashboard-* packages') | ||
) | ||
}} | ||
run: | | ||
echo "Confirmed it's a publish commit" | ||
- name: Harden Runner | ||
if: ${{ steps.checkPublishCommit.outcome == 'success' }} | ||
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 | ||
with: | ||
egress-policy: audit | ||
- name: Checkout | ||
if: ${{ steps.checkPublishCommit.outcome == 'success' }} | ||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | ||
with: | ||
# for PRs checkout the head rather than the merge commit so we can get the original commit message | ||
ref: ${{ github.event.pull_request.head.sha || github.sha }} | ||
- name: Validate PR title and commit message match | ||
if: ${{ steps.checkPublishCommit.outcome == 'success' && github.event_name == 'pull_request' }} | ||
env: | ||
PR_TITLE: ${{ github.event.pull_request.title }} | ||
run: | | ||
COMMIT_MESSAGE="$(git log --pretty=%s -n 1)" | ||
if [ "$PR_TITLE" != "$COMMIT_MESSAGE" ]; then | ||
echo "::error::PR title and commit message mismatch" | ||
echo "Expected format: Publish <version> of the @tektoncd/dashboard-* packages" | ||
echo "PR_TITLE: $PR_TITLE" | ||
echo "COMMIT_MESSAGE: $COMMIT_MESSAGE" | ||
exit 1 | ||
else | ||
echo "PR title and commit message match, continuing…" | ||
fi | ||
- name: Get version | ||
id: get-version | ||
if: ${{ steps.checkPublishCommit.outcome == 'success' }} | ||
env: | ||
MESSAGE_WITH_VERSION: ${{ github.event.pull_request.title || github.event.head_commit.message }} | ||
run: | | ||
echo "Extracting version from commit message" | ||
VERSION=$(echo "$MESSAGE_WITH_VERSION" | grep -Po '(v\d+\.\d+\.\d+(\S)*)') | ||
echo "VERSION: $VERSION" | ||
echo "newPackageVersion=${VERSION}" >> $GITHUB_OUTPUT | ||
- name: Check version matches package.json | ||
if: ${{ steps.checkPublishCommit.outcome == 'success' }} | ||
run: | | ||
EXPECTED_VERSION="${{ steps.get-version.outputs.newPackageVersion }}" | ||
mismatch=false | ||
for packageJson in ./packages/*/package.json; do | ||
VERSION="v$(jq -r .version $packageJson)" | ||
PRIVATE="$(jq -r .private $packageJson)" | ||
if [ "$PRIVATE" == "false" ] && [ "$VERSION" != "$EXPECTED_VERSION" ]; then | ||
echo "::error::Version mismatch found in $packageJson: ${VERSION}" | ||
mismatch=true | ||
fi | ||
done | ||
if [ "$mismatch" == "true" ]; then | ||
exit 1 | ||
fi | ||
- name: Check PR is up-to-date | ||
if: ${{ steps.checkPublishCommit.outcome == 'success' && github.event_name == 'pull_request' }} | ||
env: | ||
GH_TOKEN: ${{ github.token }} | ||
run: | | ||
BASE_REF="${{github.event.pull_request.base.repo.owner.login}}:${{github.event.pull_request.base.ref}}" | ||
HEAD_REF="${{github.event.pull_request.head.repo.owner.login}}:${{github.event.pull_request.head.ref}}" | ||
STATUS=$(gh api \ | ||
-H "Accept: application/vnd.github+json" \ | ||
-H "X-GitHub-Api-Version: 2022-11-28" \ | ||
/repos/${{ github.repository }}/compare/${BASE_REF}...${HEAD_REF} | jq -r .status) | ||
if [ "$STATUS" != "ahead" ]; then | ||
echo "::error::Pull request not up-to-date with base branch, please rebase" | ||
exit 1 | ||
else | ||
echo "Pull request is up-to-date with base branch, continuing…" | ||
fi | ||
- name: Setup Node.js | ||
if: ${{ steps.checkPublishCommit.outcome == 'success' }} | ||
uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 | ||
with: | ||
node-version-file: .nvmrc | ||
- name: Publish dry run | ||
if: ${{ steps.checkPublishCommit.outcome == 'success' && github.event_name == 'pull_request' }} | ||
run: npm publish --workspaces --provenance --access public --dry-run | ||
- name: Publish | ||
if: ${{ steps.checkPublishCommit.outcome == 'success' && github.event_name == 'push' }} | ||
run: npm publish --workspaces --provenance --access public | ||
env: | ||
NODE_AUTH_TOKEN: ${{secrets.NPM_TOKEN}} |
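Review bot: The `Check PR is up-to-date` step expands `${{github.event.pull_request.head.ref}}` and the other ref/owner expressions straight into the `run:` script, so a branch name chosen by the PR author is pasted into the shell text before bash parses it; `EXPECTED_VERSION="${{ steps.get-version.outputs.newPackageVersion }}"` in `Check version matches package.json` has the same shape, and its value comes from the title or commit message through a pattern that ends in `(\S)*`. The title-handling steps already avoid this by passing the value through `env:`, so these two steps should follow the same pattern and reference quoted shell variables. This matters most on the push path, where the job holds `id-token: write` and a later step publishes the workspace with `NPM_TOKEN`. Anchoring the version pattern in `Get version` to a strict semver shape would further narrow what can reach later steps. The fence below shows only the changed lines.

```yaml
- name: Check version matches package.json
  env:
    EXPECTED_VERSION: ${{ steps.get-version.outputs.newPackageVersion }}
  # … unchanged: if condition and the script, minus the EXPECTED_VERSION= assignment …
- name: Check PR is up-to-date
  env:
    GH_TOKEN: ${{ github.token }}
    REPO: ${{ github.repository }}
    BASE_REF: "${{ github.event.pull_request.base.repo.owner.login }}:${{ github.event.pull_request.base.ref }}"
    HEAD_REF: "${{ github.event.pull_request.head.repo.owner.login }}:${{ github.event.pull_request.head.ref }}"
  run: |
    # … unchanged: gh api call and its -H headers; only the path argument changes …
      "/repos/${REPO}/compare/${BASE_REF}...${HEAD_REF}" | jq -r .status)
    # … unchanged: STATUS check …
```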