ci(release): re-enable npm provenance now that the repo is public #10
```yaml
name: Release

# Changesets-driven release flow:
#   1. Contributors include `.changeset/*.md` files in their PRs describing
#      the version bump (patch | minor | major) and the change.
#   2. When PRs land on main, this workflow runs and the changesets bot
#      either:
#        a. Opens (or updates) a single "Version Packages" PR that bumps
#           package.json versions, regenerates CHANGELOG.md, and deletes
#           the consumed changeset files. Reviewers approve + merge it
#           when ready to ship.
#        b. If no pending changesets exist (i.e. the Version PR was just
#           merged), runs the build step below and then `changeset publish`,
#           which calls `npm publish` for every package version not yet on
#           the registry, then tags + GitHub-releases each.
#
# No manual git tags, no manual package.json edits, no main-branch
# bypasses. Releases go through the normal PR + status-check + approval
# flow like any other change.
#
# Publish includes npm provenance (NPM_CONFIG_PROVENANCE=true). Provenance
# attestations require the source repo to be public on GitHub, which this
# repo is, and they prove the artifact was built from this commit by this
# workflow — no separate signing key needed.

on:
  push:
    branches: [main]

permissions:
  contents: write      # opening/merging the version PR + tagging releases
  pull-requests: write # opening the version PR
  id-token: write      # npm OIDC trusted publishing

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Set up Bun
        uses: oven-sh/setup-bun@v2
        with:
          bun-version: "1.2.21"

      - name: Set up Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'
          registry-url: 'https://registry.npmjs.org'

      # OIDC trusted publishing requires npm >= 11.5.1; the version
      # bundled with Node 20 is older.
      - name: Ensure latest npm
        run: npm install -g npm@latest

      - name: Install dependencies
        run: bun install --frozen-lockfile

      # `bun install` skips the standard node_modules/.bin/changeset shim
      # that npm/pnpm/yarn create, so neither npx nor PATH-based lookups
      # find the binary. Installing @changesets/cli globally via npm gives
      # us a clean `changeset` on PATH for the action below. We keep using
      # bun for the workspace install so the project lockfile stays in use.
      - name: Install changesets CLI (global, for binary on PATH)
        run: npm install -g @changesets/cli

      - name: Build package
        run: bun run --filter '@onkernel/managed-auth-react' build

      # The package's `files: ["dist", "README.md", "LICENSE"]` references
      # a LICENSE that lives at the repo root, not in the package directory.
      - name: Copy LICENSE into package
        run: cp LICENSE packages/managed-auth-react/LICENSE

      - name: Create release PR or publish
        uses: changesets/action@v1
        with:
          publish: changeset publish
          title: "chore: version packages"
          commit: "chore: version packages"
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # changeset publish shells out to `npm publish` per package; npm
          # picks up NPM_CONFIG_PROVENANCE from the env and adds a SLSA
          # build provenance attestation to each tarball. Combined with our
          # OIDC trusted publisher config on npm this gives us tokenless,
          # signed, attested releases.
          NPM_CONFIG_PROVENANCE: "true"
```
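The comments above spell out the properties that make this publish tokenless and attested: the job holds `id-token: write`, npm is told to attach provenance, no static npm token is wired in, and the trigger is a push to `main`. The following pre-flight lint is an added example, not part of the repository's workflow or of changesets; it checks those properties (plus action pinning and the absence of a `pull_request_target` trigger, which would run the publish with the repository's OIDC identity on fork-controlled code) against a workflow file. The function name `preflight_release_workflow` and the two inline fixtures are constructed for this example.

```shell
#!/bin/sh
# Added example (not the project's own code): lint a release workflow for
# the settings that OIDC trusted publishing + npm provenance depend on.

# Returns 0 when every check passes, 1 otherwise; prints each failure.
preflight_release_workflow() {
  f="$1"
  rc=0
  # 1. Provenance needs an OIDC token for the job.
  grep -Eq '^[[:space:]]*id-token:[[:space:]]*write' "$f" \
    || { echo "FAIL: permissions.id-token must be write"; rc=1; }
  # 2. npm must be told to attach a provenance attestation.
  grep -Eq '^[[:space:]]*NPM_CONFIG_PROVENANCE:[[:space:]]*"?true"?' "$f" \
    || { echo "FAIL: NPM_CONFIG_PROVENANCE is not set to true"; rc=1; }
  # 3. Tokenless publishing: a long-lived npm token in env defeats the point.
  if grep -Eq 'NODE_AUTH_TOKEN|NPM_TOKEN' "$f"; then
    echo "FAIL: workflow still references a static npm token"; rc=1
  fi
  # 4. A publishing job must not run on pull_request_target, which executes
  #    with the base repository's permissions on code a fork controls.
  if grep -Eq '^[[:space:]]*pull_request_target:' "$f"; then
    echo "FAIL: pull_request_target trigger on a publishing workflow"; rc=1
  fi
  # 5. Every action reference must carry a tag or SHA ("owner/repo@ref").
  if grep -E '^[[:space:]]*-?[[:space:]]*uses:' "$f" | grep -vq '@'; then
    echo "FAIL: unpinned action reference (no @ref)"; rc=1
  fi
  return $rc
}

# Constructed fixtures: $1 = output path, $2 = "good" or "bad".
write_fixture() {
  if [ "$2" = good ]; then
    cat > "$1" <<'EOF'
on:
  push:
    branches: [main]
permissions:
  contents: write
  id-token: write
jobs:
  release:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
      - uses: changesets/action@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          NPM_CONFIG_PROVENANCE: "true"
EOF
  else
    cat > "$1" <<'EOF'
on:
  pull_request_target:
permissions:
  contents: write
jobs:
  release:
    steps:
      - uses: actions/checkout
      - uses: changesets/action@v1
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
EOF
  fi
}

# Stand-alone run: the good fixture passes, the bad one is rejected.
tmp=$(mktemp -d)
write_fixture "$tmp/good.yml" good
write_fixture "$tmp/bad.yml" bad
preflight_release_workflow "$tmp/good.yml" && echo "good.yml: OK"
preflight_release_workflow "$tmp/bad.yml" || echo "bad.yml: rejected as expected"
```

Run it against `.github/workflows/release.yml` before merging changes to the publish job; the checks are line-oriented greps, so they are a guard rail rather than a YAML parser, and a failure is a prompt to read the file, not a verdict.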