From 540f14f49c914acbd3d67f0a2beeaac20b797d72 Mon Sep 17 00:00:00 2001 From: SushilMallRC Date: Thu, 9 Apr 2026 15:52:44 +0530 Subject: [PATCH 1/3] Simulation --- .github/workflows/oidc-publish-dry-run.yml | 114 +++++++++++++++++++++ .github/workflows/test.yml | 2 +- 2 files changed, 115 insertions(+), 1 deletion(-) create mode 100644 .github/workflows/oidc-publish-dry-run.yml diff --git a/.github/workflows/oidc-publish-dry-run.yml b/.github/workflows/oidc-publish-dry-run.yml new file mode 100644 index 0000000..5c48b2b --- /dev/null +++ b/.github/workflows/oidc-publish-dry-run.yml 
@@ -0,0 +1,114 @@ +name: OIDC Publish Dry Run + +on: + push: + branches: + - "**" + tags-ignore: + - "**" + pull_request: + workflow_dispatch: + +permissions: + id-token: write # required for npm trusted publishing (OIDC) + contents: read + +concurrency: + group: oidc-publish-dry-run-${{ github.ref }} + cancel-in-progress: true + +jobs: + dry-run: + runs-on: ubuntu-latest + # Avoid running in forks where npm Trusted Publisher won't match. + if: ${{ github.repository == 'ringcentral/ringcentral-js' }} + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Use Node.js + uses: actions/setup-node@v4 + with: + node-version: "22.14.0" + registry-url: "https://registry.npmjs.org" + + - run: node --version + + - name: Enable Yarn (Corepack) + run: | + corepack enable + corepack prepare yarn@1.22.22 --activate + yarn --version + + - name: Upgrade npm for trusted publishing compatibility + run: | + npm i -g npm@^11.5.1 + npm --version + + - run: yarn install + - run: npm run build + + - name: Dry-run publish packages to npm (OIDC) + env: + NODE_AUTH_TOKEN: "" + NPM_CONFIG_PROVENANCE: "true" + run: | + set -euo pipefail + + VERSION="0.0.0-dryrun.${GITHUB_SHA:0:7}" + export VERSION + echo "Dry-run publishing version: ${VERSION}" + + unset NODE_AUTH_TOKEN + + # Informational only; may fail locally but helps debug in CI. 
+ npm whoami --registry=https://registry.npmjs.org || true + + node - <<'NODE' + const fs = require('fs'); + const path = require('path'); + const { spawnSync } = require('child_process'); + + const version = process.env.VERSION; + if (!version || version.trim() === '') { + console.error('Missing VERSION'); + process.exit(1); + } + + const rootPkg = JSON.parse(fs.readFileSync('package.json', 'utf8')); + const workspaces = rootPkg.workspaces || []; + + function run(cmd, args, cwd) { + const res = spawnSync(cmd, args, { cwd, stdio: 'inherit' }); + if (res.status) process.exit(res.status); + } + + const publishTargets = []; + for (const ws of workspaces) { + const pkgJsonPath = path.join(ws, 'package.json'); + if (!fs.existsSync(pkgJsonPath)) continue; + const pkg = JSON.parse(fs.readFileSync(pkgJsonPath, 'utf8')); + if (pkg.private) continue; + if (!pkg.name) continue; + publishTargets.push({ dir: ws, name: pkg.name }); + } + + if (publishTargets.length === 0) { + console.log('No public workspaces found to dry-run publish.'); + process.exit(0); + } + + console.log('Dry-run publish targets:'); + for (const t of publishTargets) console.log(`- ${t.name} (${t.dir})`); + + // Set versions consistently (no git tags/commits in CI). + for (const t of publishTargets) { + run('npm', ['version', version, '--no-git-tag-version'], t.dir); + } + + // Dry-run publish each package using npm OIDC trusted publishing. + for (const t of publishTargets) { + run('npm', ['publish', '--dry-run', '--provenance', '--access', 'public'], t.dir); + } + NODE + diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 29ac49f..452ed2f 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -1,6 +1,6 @@ name: Test Code -on: [push, pull_request] +on: [ pull_request] jobs: Test: From e668391bf2dafc321009b630a595a925921bf608 Mon Sep 17 00:00:00 2001 
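Review bot: The `run` helper in the embedded Node script treats a child that never started, or was killed by a signal, as a success: `spawnSync` reports `status: null` in those cases and `if (res.status)` only catches a non-zero number. I would check both fields, `if (res.error || res.status !== 0) process.exit(res.status || 1);`, so a failed `npm version` cannot be followed by a publish attempt. The same helper is copied into the publish step that patch 3/3 adds to release-with-tag.yml, where a silent pass would let the later Release step run. Separately, `id-token: write` is granted at workflow level for every branch push and pull request, in the same job that runs `yarn install` and `npm run build`. Splitting build and publish into separate jobs, with `id-token: write` only on the publishing job, would keep dependency install scripts away from the OIDC grant.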
From: SushilMallRC Date: Thu, 9 Apr 2026 16:07:08 +0530 Subject: [PATCH 2/3] Test --- .github/workflows/oidc-publish-dry-run.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/oidc-publish-dry-run.yml b/.github/workflows/oidc-publish-dry-run.yml index 5c48b2b..4aab1a9 100644 --- a/.github/workflows/oidc-publish-dry-run.yml +++ b/.github/workflows/oidc-publish-dry-run.yml @@ -62,7 +62,7 @@ jobs: unset NODE_AUTH_TOKEN # Informational only; may fail locally but helps debug in CI. - npm whoami --registry=https://registry.npmjs.org || true + npm whoami --registry=https://registry.npmjs.org || echo "npm whoami failed (expected in OIDC/no-token dry-run); continuing" node - <<'NODE' const fs = require('fs'); @@ -108,7 +108,7 @@ jobs: // Dry-run publish each package using npm OIDC trusted publishing. for (const t of publishTargets) { - run('npm', ['publish', '--dry-run', '--provenance', '--access', 'public'], t.dir); + run('npm', ['publish', '--dry-run', '--provenance', '--access', 'public', '--tag', 'dry-run'], t.dir); } NODE From 8a80563853388f5e40226714df18fdf70481ba69 Mon Sep 17 00:00:00 2001 From: SushilMallRC Date: Thu, 9 Apr 2026 16:22:16 +0530 Subject: [PATCH 3/3] Fix: Github action to handshake npm with oidc --- .github/workflows/oidc-publish-dry-run.yml | 114 --------------------- .github/workflows/release-with-tag.yml | 78 +++++++++++++- .github/workflows/test.yml | 2 +- 3 files changed, 75 insertions(+), 119 deletions(-) delete mode 100644 .github/workflows/oidc-publish-dry-run.yml diff --git a/.github/workflows/oidc-publish-dry-run.yml b/.github/workflows/oidc-publish-dry-run.yml deleted file mode 100644 index 4aab1a9..0000000 --- a/.github/workflows/oidc-publish-dry-run.yml +++ /dev/null 
@@ -1,114 +0,0 @@ -name: OIDC Publish Dry Run - -on: - push: - branches: - - "**" - tags-ignore: - - "**" - pull_request: - workflow_dispatch: - -permissions: - id-token: write # required for npm trusted publishing (OIDC) - contents: read - -concurrency: - group: oidc-publish-dry-run-${{ github.ref }} - cancel-in-progress: true - -jobs: - dry-run: - runs-on: ubuntu-latest - # Avoid running in forks where npm Trusted Publisher won't match. - if: ${{ github.repository == 'ringcentral/ringcentral-js' }} - steps: - - name: Checkout - uses: actions/checkout@v4 - - - name: Use Node.js - uses: actions/setup-node@v4 - with: - node-version: "22.14.0" - registry-url: "https://registry.npmjs.org" - - - run: node --version - - - name: Enable Yarn (Corepack) - run: | - corepack enable - corepack prepare yarn@1.22.22 --activate - yarn --version - - - name: Upgrade npm for trusted publishing compatibility - run: | - npm i -g npm@^11.5.1 - npm --version - - - run: yarn install - - run: npm run build - - - name: Dry-run publish packages to npm (OIDC) - env: - NODE_AUTH_TOKEN: "" - NPM_CONFIG_PROVENANCE: "true" - run: | - set -euo pipefail - - VERSION="0.0.0-dryrun.${GITHUB_SHA:0:7}" - export VERSION - echo "Dry-run publishing version: ${VERSION}" - - unset NODE_AUTH_TOKEN - - # Informational only; may fail locally but helps debug in CI. 
- npm whoami --registry=https://registry.npmjs.org || echo "npm whoami failed (expected in OIDC/no-token dry-run); continuing" - - node - <<'NODE' - const fs = require('fs'); - const path = require('path'); - const { spawnSync } = require('child_process'); - - const version = process.env.VERSION; - if (!version || version.trim() === '') { - console.error('Missing VERSION'); - process.exit(1); - } - - const rootPkg = JSON.parse(fs.readFileSync('package.json', 'utf8')); - const workspaces = rootPkg.workspaces || []; - - function run(cmd, args, cwd) { - const res = spawnSync(cmd, args, { cwd, stdio: 'inherit' }); - if (res.status) process.exit(res.status); - } - - const publishTargets = []; - for (const ws of workspaces) { - const pkgJsonPath = path.join(ws, 'package.json'); - if (!fs.existsSync(pkgJsonPath)) continue; - const pkg = JSON.parse(fs.readFileSync(pkgJsonPath, 'utf8')); - if (pkg.private) continue; - if (!pkg.name) continue; - publishTargets.push({ dir: ws, name: pkg.name }); - } - - if (publishTargets.length === 0) { - console.log('No public workspaces found to dry-run publish.'); - process.exit(0); - } - - console.log('Dry-run publish targets:'); - for (const t of publishTargets) console.log(`- ${t.name} (${t.dir})`); - - // Set versions consistently (no git tags/commits in CI). - for (const t of publishTargets) { - run('npm', ['version', version, '--no-git-tag-version'], t.dir); - } - - // Dry-run publish each package using npm OIDC trusted publishing. - for (const t of publishTargets) { - run('npm', ['publish', '--dry-run', '--provenance', '--access', 'public', '--tag', 'dry-run'], t.dir); - } - NODE - diff --git a/.github/workflows/release-with-tag.yml b/.github/workflows/release-with-tag.yml index 3e71462..6fec15f 100644 --- a/.github/workflows/release-with-tag.yml +++ b/.github/workflows/release-with-tag.yml 
@@ -19,13 +19,16 @@ jobs: node-version: ${{ matrix.node-version }} registry-url: "https://registry.npmjs.org" - run: node --version + - name: Enable Yarn (Corepack) + run: | + corepack enable + corepack prepare yarn@1.22.22 --activate + yarn --version - name: Upgrade npm for trusted publishing compatibility run: | npm i -g npm@^11.5.1 npm --version - run: yarn install - - run: node --version - - run: npm --version - run: DEBUG=eslint:cli-engine npm run lint:all - run: npm run build - run: npm run test:browser 
@@ -47,16 +50,83 @@ jobs: with: node-version: ${{ matrix.node-version }} registry-url: "https://registry.npmjs.org" + - run: node --version + - name: Enable Yarn (Corepack) + run: | + corepack enable + corepack prepare yarn@1.22.22 --activate + yarn --version - name: Upgrade npm for trusted publishing compatibility run: | npm i -g npm@^11.5.1 npm --version - run: yarn install - run: npm run build - - run: git status && git stash - run: echo "TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV - - run: npm run publish:release -- $TAG --yes + - name: Publish packages to npm (OIDC) if: ${{ env.TAG != '' && !contains(env.TAG, '/') && github.repository == 'ringcentral/ringcentral-js' }} + env: + # Prevent any repo/org secret from forcing token-based publishing. + NODE_AUTH_TOKEN: "" + NPM_CONFIG_PROVENANCE: "true" + run: | + set -euo pipefail + + VERSION="${TAG#v}" + export VERSION + echo "Publishing version: ${VERSION}" + + unset NODE_AUTH_TOKEN + + node - <<'NODE' + const fs = require('fs'); + const path = require('path'); + const { spawnSync } = require('child_process'); + + const version = process.env.VERSION; + if (!version || version.trim() === '') { + console.error('Missing VERSION'); + process.exit(1); + } + const publishTag = version.includes('-') ? 
'next' : 'latest'; + console.log(`npm dist-tag: ${publishTag}`); + + const rootPkg = JSON.parse(fs.readFileSync('package.json', 'utf8')); + const workspaces = rootPkg.workspaces || []; + + function run(cmd, args, cwd) { + const res = spawnSync(cmd, args, { cwd, stdio: 'inherit' }); + if (res.status) process.exit(res.status); + } + + const publishTargets = []; + for (const ws of workspaces) { + const pkgJsonPath = path.join(ws, 'package.json'); + if (!fs.existsSync(pkgJsonPath)) continue; + const pkg = JSON.parse(fs.readFileSync(pkgJsonPath, 'utf8')); + if (pkg.private) continue; + if (!pkg.name) continue; + publishTargets.push({ dir: ws, name: pkg.name }); + } + + if (publishTargets.length === 0) { + console.log('No public workspaces found to publish.'); + process.exit(0); + } + + console.log('Publish targets:'); + for (const t of publishTargets) console.log(`- ${t.name} (${t.dir})`); + + // Ensure versions are set consistently before publishing. + for (const t of publishTargets) { + run('npm', ['version', version, '--no-git-tag-version'], t.dir); + } + + // Publish each package using npm OIDC trusted publishing. + for (const t of publishTargets) { + run('npm', ['publish', '--provenance', '--access', 'public', '--tag', publishTag], t.dir); + } + NODE - name: Release if: ${{ env.TAG != '' && !contains(env.TAG, '/') && github.repository == 'ringcentral/ringcentral-js' }} uses: softprops/action-gh-release@v1 diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 452ed2f..29ac49f 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -1,6 +1,6 @@ name: Test Code -on: [ pull_request] +on: [push, pull_request] jobs: Test:
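Review bot: The publish step exits 0 when `publishTargets` is empty, so the `Release` step that follows in this hunk would still create a GitHub release with nothing pushed to npm. That path is reachable if a `workspaces` entry is a glob such as `packages/*` (constructed example), because `path.join(ws, 'package.json')` is tested literally with `fs.existsSync` and a miss is skipped without a message; the root package.json is not visible here, so whether this applies needs confirming. In the release workflow I would fail instead: `console.error('No public workspaces found to publish.'); process.exit(1);`. The packages are also published one at a time, so a failure partway leaves some at the new version and others not; logging each completed target would make recovery easier. The job header and its `permissions` are outside the hunk.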