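name: Release
# Changesets-driven release flow:
# 1. Contributors include `.changeset/*.md` files in their PRs describing
#    the version bump (patch | minor | major) and the change.
# 2. When PRs land on main, this workflow runs and changesets/action
#    either:
#    a. Opens (or updates) a single "Version Packages" PR that bumps
#       package.json versions, regenerates CHANGELOG.md, and deletes
#       the consumed changeset files. Reviewers approve + merge it
#       when ready to ship.
#    b. If no pending changesets exist (i.e. the Version PR was just
#       merged), runs the `publish` command configured below
#       (`bunx changeset publish`) against the package built by the
#       earlier steps. That calls `npm publish` for every package
#       version not yet on the registry, then tags + GitHub releases each.
#
# No manual git tags, no manual package.json edits, no main-branch
# bypasses. Releases go through the normal PR + status-check + approval
# flow like any other change.
#
# Publish includes npm provenance (NPM_CONFIG_PROVENANCE=true). Provenance
# attestations require the source repo to be public on GitHub, which this
# repo is, and they prove the artifact was built from this commit by this
# workflow — no separate signing key needed.
#
# Supply-chain notes for reviewers of this file:
# - Every `uses:` below is pinned to a floating major tag. This job holds
#   `id-token: write`, i.e. it can mint a credential that publishes to npm,
#   so the stronger practice is to pin each action to a full commit SHA
#   (tag in a trailing comment) and let Dependabot bump the SHA.
# - changesets/action receives GITHUB_TOKEN with contents + pull-requests
#   write and runs the publish command; it is third-party code, so a SHA
#   pin matters most there.
on:
  push:
    branches: [main]
permissions:
  contents: write # pushing the version-PR branch + creating tags/releases
  pull-requests: write # opening/updating the version PR
  id-token: write # npm OIDC trusted publishing
concurrency:
  # One release run at a time per ref. Never cancel an in-flight run: a
  # cancelled `changeset publish` can leave some packages published and
  # others not, with no tag/release for either. `false` is the default;
  # it is spelled out so nobody "fixes" it to `true` for speed.
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: false
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          # Full history so changesets can see existing tags and work out
          # what is already published.
          fetch-depth: 0
      - name: Set up Bun
        uses: oven-sh/setup-bun@v2
        with:
          bun-version: "1.2.21"
      - name: Set up Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'
          # Writes an .npmrc pointing at the public registry. No
          # NODE_AUTH_TOKEN is set anywhere in this job on purpose: auth
          # comes from the OIDC token (id-token: write) via npm trusted
          # publishing, so there is no long-lived npm token to leak.
          registry-url: 'https://registry.npmjs.org'
      # OIDC trusted publishing requires npm >= 11.5.1; the version
      # bundled with Node 20 is older. Pin to the 11.x line rather than
      # `latest` so a future npm major cannot change publish behaviour on
      # the day of a release, and fail fast if the installed version is
      # still too old rather than failing (or silently falling back)
      # inside `npm publish`.
      - name: Ensure npm with trusted-publishing support
        run: |
          npm install -g npm@11
          installed="$(npm --version)"
          # The lowest of {installed, 11.5.1} must be 11.5.1, i.e. installed >= 11.5.1.
          if [ "$(printf '%s\n%s\n' "$installed" 11.5.1 | sort -V | head -n1)" != "11.5.1" ]; then
            echo "npm >= 11.5.1 is required for OIDC trusted publishing, got $installed" >&2
            exit 1
          fi
          echo "npm $installed"
      - name: Install dependencies
        run: bun install --frozen-lockfile
      - name: Build package
        run: bun run --filter '@onkernel/managed-auth-react' build
      # The package's `files: ["dist", "README.md", "LICENSE"]` references
      # a LICENSE that lives at the repo root, not in the package directory.
      - name: Copy LICENSE into package
        run: cp LICENSE packages/managed-auth-react/LICENSE
      - name: Create release PR or publish
        uses: changesets/action@v1
        with:
          # NOTE(review): bunx prefers a local node_modules/.bin binary, so
          # this should use the lockfile-pinned @changesets/cli installed
          # above. If it is not a dev dependency in the lockfile, bunx
          # would fetch it from the registry at release time — confirm.
          publish: bunx changeset publish
          title: "chore: version packages"
          commit: "chore: version packages"
        env:
          # NOTE(review): GitHub does not start workflow runs for events
          # caused by GITHUB_TOKEN, so the Version PR opened here may show
          # no status checks until it is re-triggered (close/reopen, empty
          # push) or opened with a GitHub App token — confirm against the
          # branch-protection rules before relying on those checks.
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # changeset publish shells out to `npm publish` per package; npm
          # picks up NPM_CONFIG_PROVENANCE from the env and adds a SLSA
          # build provenance attestation to each tarball. Combined with our
          # OIDC trusted publisher config on npm this gives us tokenless,
          # signed, attested releases. Kept as a quoted string: npm reads
          # it as an env var, not a YAML boolean.
          NPM_CONFIG_PROVENANCE: "true"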