0.5.0 #4
Workflow file for this run
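name: Publish to npm

# Auto-publishes @codeceptjs/reflection to npm on every GitHub release.
# Uses npm provenance (sigstore transparency log) so the published package
# is cryptographically linked to this repo (codeceptjs/reflection) and the
# exact workflow run that built it.
#
# Tag the release with a plain SemVer tag like `0.4.0` or `0.5.0-beta.1`
# (no `v` prefix).
#   - Stable tags (no prerelease suffix) publish under the default `latest` dist-tag.
#   - Prereleases (alpha/beta/rc) publish under the `beta` dist-tag.

on:
  release:
    types: [published]

# Required for npm provenance: id-token grants OIDC to the workflow so npm
# can verify the build came from this repository's Actions runner.
# Everything else is limited to read-only repository contents.
permissions:
  contents: read
  id-token: write

# NOTE(review): both actions below are referenced by a mutable major-version
# tag. This job can mint an OIDC token that npm accepts for publishing, so
# consider pinning each action to a full commit SHA, e.g.
# `actions/checkout@<full-commit-sha>  # v4` (placeholder, not a real SHA).

jobs:
  publish:
    name: Publish @codeceptjs/reflection (provenance)
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): target_commitish is normally the branch the release was
      # cut from, so this checks out the branch tip at run time. If the branch
      # moved after the tag was created, the published tarball will not match
      # the tagged commit. Confirm whether checking out the release tag
      # itself is what is intended here.
      - name: Checkout codeceptjs/reflection at release ref
        uses: actions/checkout@v4
        with:
          ref: ${{ github.event.release.target_commitish }}
          # No later step pushes or fetches with git, so do not leave the
          # workflow token in .git/config where install/test scripts can read it.
          persist-credentials: false

      # IMPORTANT: do NOT pass `registry-url` to setup-node here.
      # When registry-url is set, setup-node writes a .npmrc with
      #   //registry.npmjs.org/:_authToken=${NODE_AUTH_TOKEN}
      # and with no NODE_AUTH_TOKEN in env, npm sends an empty Bearer
      # header which short-circuits the trusted-publishing OIDC flow
      # (sigstore still works, but the final PUT gets rejected as 404).
      # Omitting registry-url lets npm use its default registry and
      # attempt OIDC automatically for packages with a configured
      # trusted publisher.
      - name: Setup Node 22
        uses: actions/setup-node@v4
        with:
          node-version: '22'

      # NOTE(review): `npm install` may resolve dependency versions that were
      # never tested; if a package-lock.json is committed, `npm ci` gives a
      # reproducible install. Dependency lifecycle scripts also run inside
      # this job, which holds `id-token: write`. Splitting install/test into
      # a job without that permission would narrow the exposure.
      - name: Install dependencies
        run: npm install

      # NOTE: we intentionally do NOT run `npm install -g npm@latest` here.
      # Under Node 22.22+ that step hits a known arborist regression
      # (`Cannot find module 'promise-retry'`) that breaks the publish.
      # Node 22 already ships with npm >= 10.9, and npm has supported
      # --provenance since 9.5, so the upgrade was cosmetic.

      - name: Typecheck
        run: npm run typecheck

      - name: Run tests before publishing
        run: npm test

      # Release metadata is handed to the shell through `env`, never by
      # `${{ }}` interpolation inside `run`: an interpolated value becomes
      # part of the script text before bash parses it, so a tag name holding
      # shell metacharacters would be executed rather than treated as data.
      - name: Set package version from release tag
        env:
          VERSION: ${{ github.event.release.tag_name }}
        run: |
          echo "Publishing @codeceptjs/reflection version $VERSION"
          npm version "$VERSION" --no-git-tag-version

      # Emits `tag=beta` for prereleases (release flag set, or the tag name
      # contains alpha/beta/rc) and `tag=latest` otherwise.
      - name: Determine dist-tag
        id: disttag
        env:
          IS_PRERELEASE: ${{ github.event.release.prerelease }}
          RELEASE_TAG: ${{ github.event.release.tag_name }}
        run: |
          if [[ "$IS_PRERELEASE" == "true" ]] \
            || [[ "$RELEASE_TAG" == *alpha* ]] \
            || [[ "$RELEASE_TAG" == *beta* ]] \
            || [[ "$RELEASE_TAG" == *rc* ]]; then
            echo "tag=beta" >> "$GITHUB_OUTPUT"
          else
            echo "tag=latest" >> "$GITHUB_OUTPUT"
          fi

      # `--provenance` requires npm >= 9.5.0; Node 22's bundled npm is 10.9+.
      # Auth uses npm trusted publishing via OIDC (id-token: write above) —
      # no NPM_TOKEN secret needed. The published package gets a provenance
      # statement linking it to this workflow run at github.com/codeceptjs/reflection.
      - name: Publish to npm with provenance
        env:
          DIST_TAG: ${{ steps.disttag.outputs.tag }}
        run: npm publish --provenance --access public --tag "$DIST_TAG"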