fix(ci): match shadcn/ui changesets pattern, drop bun.binary workaround #8
| name: Release | |
| # Changesets-driven release flow: | |
| # 1. Contributors include `.changeset/*.md` files in their PRs describing | |
| # the version bump (patch | minor | major) and the change. | |
| # 2. When PRs land on main, this workflow runs and the changesets bot | |
| # either: | |
| # a. Opens (or updates) a single "Version Packages" PR that bumps | |
| # package.json versions, regenerates CHANGELOG.md, and deletes | |
| # the consumed changeset files. Reviewers approve + merge it | |
| # when ready to ship. | |
| # b. If no pending changesets exist (i.e. the Version PR was just | |
| # merged), runs `bun run release` which builds the package and | |
| # runs `changeset publish` — that calls `npm publish` for every | |
| # package version not yet on the registry, then tags + GitHub | |
| # releases each. | |
| # | |
| # No manual git tags, no manual package.json edits, no main-branch | |
| # bypasses. Releases go through the normal PR + status-check + approval | |
| # flow like any other change. | |
| # | |
| # `--provenance` is intentionally omitted from the publish: npm requires | |
| # a public source repository for provenance attestations and this repo | |
| # is `internal`-visibility. Re-add via .changeset/config.json once the | |
| # repo flips public. | |
| on: | |
| push: | |
| branches: [main] | |
| permissions: | |
| contents: write # opening/merging the version PR + tagging releases | |
| pull-requests: write # opening the version PR | |
| id-token: write # npm OIDC trusted publishing | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| jobs: | |
| release: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Set up Bun | |
| uses: oven-sh/setup-bun@v2 | |
| with: | |
| bun-version: "1.2.21" | |
| - name: Set up Node.js | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: '20' | |
| registry-url: 'https://registry.npmjs.org' | |
| # OIDC trusted publishing requires npm >= 11.5.1; the version | |
| # bundled with Node 20 is older. | |
| - name: Ensure latest npm | |
| run: npm install -g npm@latest | |
| - name: Install dependencies | |
| run: bun install --frozen-lockfile | |
| # Build outside the changesets/action so the action's `publish` | |
| # command stays a single npm call, matching the shadcn/ui pattern. | |
| - name: Build package | |
| run: bun run --filter '@onkernel/managed-auth-react' build | |
| # The package's `files: ["dist", "README.md", "LICENSE"]` references | |
| # a LICENSE that lives at the repo root, not in the package directory. | |
| - name: Copy LICENSE into package | |
| run: cp LICENSE packages/managed-auth-react/LICENSE | |
| - name: Create release PR or publish | |
| uses: changesets/action@v1 | |
| with: | |
| # Bun's script runner doesn't surface node_modules/.bin/changeset | |
| # on PATH consistently inside chained `&&` commands, so we use | |
| # `npx` here — same pattern shadcn/ui uses with pnpm. Works | |
| # because Node is already on the runner for the npm OIDC step. | |
| publish: npx changeset publish | |
| title: "chore: version packages" | |
| commit: "chore: version packages" | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |
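Review bot: The `Ensure latest npm` step runs `npm install -g npm@latest`, so the npm release that performs the publish is whatever is current at run time, inside a job that holds `id-token: write` and `contents: write`. The comment above that step only asks for npm >= 11.5.1, so pin an exact version that meets that floor (for example `npm install -g npm@11.5.1`) and bump it deliberately. The same concern applies to `actions/checkout@v4`, `oven-sh/setup-bun@v2`, `actions/setup-node@v4` and `changesets/action@v1`: tags can be moved, so pin each to a full commit SHA. Separately, the header comment still says step 2b runs `bun run release`, which builds the package and runs `changeset publish`, while the workflow now builds in its own `Build package` step and publishes with `publish: npx changeset publish`. Update the comment to match.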