b3a7f98e5a
CI / E2E Cloudflare (4/8) (push) Failing after 0s
CI / E2E Cloudflare (8/8) (push) Failing after 1s
CI / Lint (push) Failing after 1s
Auto Extract / Extract (push) Failing after 4s
CI / Version Check (push) Failing after 9s
CI / Integration Tests (push) Failing after 1s
CI / E2E tests (1/8) (push) Failing after 1s
CI / E2E tests (2/8) (push) Failing after 2s
CI / E2E tests (3/8) (push) Failing after 2s
CI / Browser Tests (push) Failing after 1s
CI / E2E tests (5/8) (push) Failing after 1s
CI / E2E Cloudflare (2/8) (push) Failing after 2s
CI / Typecheck (push) Failing after 1s
CI / Changeset Validation (push) Failing after 2s
CI / E2E Cloudflare (5/8) (push) Failing after 1s
CI / E2E Cloudflare (6/8) (push) Failing after 1s
CI / E2E Cloudflare (7/8) (push) Failing after 1s
CodeQL / Analyze (javascript-typescript) (push) Failing after 1s
Format / Format (push) Failing after 0s
CodeQL / Analyze (actions) (push) Failing after 4s
CI / E2E tests (4/8) (push) Failing after 1s
CI / E2E tests (6/8) (push) Failing after 1s
CI / E2E tests (7/8) (push) Failing after 2s
CI / E2E tests (8/8) (push) Failing after 1s
CI / E2E Cloudflare (1/8) (push) Failing after 1s
CI / E2E Cloudflare (3/8) (push) Failing after 2s
Preview Releases / Publish Preview (push) Failing after 0s
zizmor / Run zizmor (push) Failing after 1s
Release / Release (push) Failing after 2s
CI / Smoke Tests (push) Failing after 5m36s
CI / Tests (push) Failing after 6m36s
Release / Sync Templates (push) Has been skipped
CI / E2E Tests (push) Has been cancelled
118 lines
4.1 KiB
YAML
118 lines
4.1 KiB
YAML
name: Release
|
|
|
|
on:
|
|
push:
|
|
branches:
|
|
- main
|
|
workflow_dispatch:
|
|
inputs:
|
|
publish-only:
|
|
description: "Skip versioning, just publish current versions"
|
|
type: boolean
|
|
default: false
|
|
|
|
concurrency: ${{ github.workflow }}-${{ github.ref }}
|
|
|
|
# Default-deny at the workflow level. Each job scopes its own permissions:
|
|
# - `release` declares contents/id-token/pull-requests below.
|
|
# - `sync-templates` calls a reusable workflow whose own job-level
|
|
# permissions block (contents: read) takes precedence over the caller's
|
|
# inherited permissions.
|
|
permissions: {}
|
|
|
|
jobs:
|
|
release:
|
|
name: Release
|
|
runs-on: ubuntu-latest
|
|
outputs:
|
|
published: ${{ steps.changesets.outputs.published }}
|
|
permissions:
|
|
contents: write
|
|
id-token: write
|
|
pull-requests: write
|
|
steps:
|
|
- name: Generate token
|
|
id: app-token
|
|
uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
|
|
with:
|
|
app-id: ${{ secrets.APP_ID }}
|
|
private-key: ${{ secrets.APP_PRIVATE_KEY }}
|
|
# changesets/action pushes release commits/tags and opens the
|
|
# release PR (contents + pull-requests). npm publish auth is the
|
|
# separate NODE_AUTH_TOKEN; OIDC provenance is the job's id-token.
|
|
permission-contents: write
|
|
permission-pull-requests: write
|
|
|
|
- name: Checkout
|
|
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
|
with:
|
|
fetch-depth: 0
|
|
token: ${{ steps.app-token.outputs.token }}
|
|
# Intentional: changesets/action pushes the release PR / tags
|
|
# using this credential.
|
|
persist-credentials: true
|
|
|
|
- name: Setup pnpm
|
|
uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
|
|
|
|
- name: Setup Node
|
|
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
|
|
with:
|
|
node-version: 24
|
|
cache: pnpm
|
|
registry-url: https://registry.npmjs.org
|
|
|
|
- name: Install dependencies
|
|
run: pnpm install --frozen-lockfile
|
|
|
|
- name: Build packages
|
|
run: pnpm build
|
|
|
|
- name: Block 1.x releases (we are in 0.x)
|
|
run: node .github/scripts/check-no-major.mjs
|
|
|
|
- name: Create Release Pull Request or Publish
|
|
if: ${{ !inputs.publish-only }}
|
|
id: changesets
|
|
uses: changesets/action@a45c4d594aa4e2c509dc14a9f2b3b67ba3780d0d # v1.9.0
|
|
with:
|
|
version: node .github/scripts/release.mjs version
|
|
publish: node .github/scripts/release.mjs publish
|
|
commit: "ci: release"
|
|
title: "ci: release"
|
|
env:
|
|
GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
|
|
|
|
# Attach sandboxed-plugin tarballs to the releases changesets just
|
|
# created, so the decentralized registry has a stable public URL to
|
|
# point each release record at. See the script header for details.
|
|
# Only the changesets path is covered: the publish-only recovery path
|
|
# below neither runs changesets/action nor creates GitHub releases, so
|
|
# assets for that path must be backfilled manually.
|
|
- name: Attach plugin tarballs to releases
|
|
if: ${{ steps.changesets.outputs.published == 'true' }}
|
|
run: node .github/scripts/attach-plugin-tarballs.mjs
|
|
env:
|
|
GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
|
|
GITHUB_REPOSITORY: ${{ github.repository }}
|
|
PUBLISHED_PACKAGES: ${{ steps.changesets.outputs.publishedPackages }}
|
|
|
|
- name: Publish (manual)
|
|
if: ${{ inputs.publish-only }}
|
|
run: node .github/scripts/release.mjs publish
|
|
|
|
sync-templates:
|
|
name: Sync Templates
|
|
needs: release
|
|
if: >-
|
|
needs.release.outputs.published == 'true' ||
|
|
inputs.publish-only
|
|
permissions:
|
|
contents: read
|
|
uses: ./.github/workflows/sync-templates.yml
|
|
# Pass only the secrets sync-templates actually uses, not the full set
|
|
# available to this release workflow.
|
|
secrets:
|
|
APP_ID: ${{ secrets.APP_ID }}
|
|
APP_PRIVATE_KEY: ${{ secrets.APP_PRIVATE_KEY }}
|