From 3594a8016bd6d93ba2c8d328c2188d1ec84d9e7c Mon Sep 17 00:00:00 2001 From: Atharva0506 Date: Mon, 13 Jul 2026 17:31:28 +0530 Subject: [PATCH] chore(ci): add npm publish job to version-release workflow Aligned with the AOSSIE npm package standard (IndexedDB-Import-Export): - Added maintainer verification step (checks write access) - Added auto-create fallback when no draft release exists - Added 'publish' job that runs after successful release: - Installs deps, builds, tests, verifies package contents - Syncs version from VERSION file to package.json - Publishes to npm with --provenance for supply-chain attestation - Requires NPMJS_TOKEN secret and 'npm' environment - Updated actions/checkout to v4, actions/github-script to v7 --- .github/workflows/version-release.yml | 138 ++++++++++++++++++++------ 1 file changed, 110 insertions(+), 28 deletions(-) diff --git a/.github/workflows/version-release.yml b/.github/workflows/version-release.yml index c58a429..6c6fab2 100644 --- a/.github/workflows/version-release.yml +++ b/.github/workflows/version-release.yml @@ -6,6 +6,11 @@ on: - main paths: - 'VERSION' + workflow_dispatch: + +concurrency: + group: version-release + cancel-in-progress: false permissions: contents: write @@ -14,12 +19,36 @@ jobs: release: if: ${{ github.repository_owner == 'AOSSIE-Org' }} runs-on: ubuntu-latest - + permissions: + contents: write + + outputs: + version: ${{ steps.get_version.outputs.version }} + released: ${{ steps.publish_release.outputs.released }} + steps: - name: Checkout code - uses: actions/checkout@v7 + uses: actions/checkout@v4 with: fetch-depth: 0 + persist-credentials: true + + - name: Verify actor is a maintainer + uses: actions/github-script@v7 + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + script: | + const { data: permission } = await github.rest.repos.getCollaboratorPermissionLevel({ + owner: context.repo.owner, + repo: context.repo.repo, + username: context.actor, + }).catch(() => ({ data: { permission: 'none' } })); + + if (permission.permission !== 'admin' && permission.permission !== 'write') { + core.setFailed(`Actor '${context.actor}' does not have write access to this repository. Aborting release.`); + } else { + console.log(`✓ Actor '${context.actor}' is a verified repository maintainer.`); + } - name: Read VERSION file id: get_version @@ -54,27 +83,31 @@ jobs: git tag -a "v$VERSION" -m "Release version $VERSION" git push origin "v$VERSION" echo "✓ Created and pushed tag v$VERSION" + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Find and Publish Draft Release id: publish_release - uses: actions/github-script@v9 + uses: actions/github-script@v7 + env: + VERSION: v${{ steps.get_version.outputs.version }} with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const version = 'v${{ steps.get_version.outputs.version }}'; - + const version = process.env.VERSION; + // Get all releases const { data: releases } = await github.rest.repos.listReleases({ owner: context.repo.owner, repo: context.repo.repo, }); - + // Find the draft release const draftRelease = releases.find(release => release.draft === true); - + if (draftRelease) { console.log(`Found draft release: ${draftRelease.name}`); - + // Update and publish the draft release await github.rest.repos.updateRelease({ owner: context.repo.owner, @@ -84,24 +117,24 @@ jobs: name: version, draft: false, }); - + console.log(`✓ Published draft release as ${version}`); core.setOutput('released', 'true'); } else { - console.log('⚠️ No draft release found. Please ensure release-drafter has created a draft release first.'); - core.setOutput('released', 'false'); - core.setFailed('No draft release found to publish'); - - //Uncomment below to auto-create release if no draft exists but also check release-drafter config first(why not working) - // await github.rest.repos.createRelease({ - // owner: context.repo.owner, - // repo: context.repo.repo, - // tag_name: version, - // name: version, - // body: `## Release ${version}\n\nThis release was automatically created when the VERSION file was updated.`, - // draft: false, - // prerelease: false, - // }); + console.log('⚠️ No draft release found. Creating release automatically.'); + + await github.rest.repos.createRelease({ + owner: context.repo.owner, + repo: context.repo.repo, + tag_name: version, + name: version, + body: `## Release ${version}\n\nThis release was automatically created when the VERSION file was updated.`, + draft: false, + prerelease: false, + }); + + console.log(`✓ Created and published release ${version}`); + core.setOutput('released', 'true'); } - name: Release Summary @@ -115,9 +148,58 @@ jobs: else echo "- **GitHub Release:** ✗ (no draft found)" >> $GITHUB_STEP_SUMMARY fi + + publish: + needs: release + if: ${{ github.repository_owner == 'AOSSIE-Org' && needs.release.outputs.released == 'true' }} + runs-on: ubuntu-latest + + permissions: + contents: read + id-token: write + + steps: + - name: Checkout code + uses: actions/checkout@v4 + with: + persist-credentials: false + + - name: Setup Node.js + uses: actions/setup-node@v4 + with: + node-version: '20' + registry-url: 'https://registry.npmjs.org' + + - name: Install dependencies + run: npm ci + + - name: Build + run: npm run build + + - name: Run tests + run: npm test + + - name: Verify package contents + run: npm pack --dry-run + + - name: Sync version from VERSION file + env: + VERSION: ${{ needs.release.outputs.version }} + run: | + echo "Syncing package.json version to $VERSION" + npm version "$VERSION" --no-git-tag-version --allow-same-version + echo "✓ package.json version set to $VERSION" + + - name: Publish to npm + run: npm publish --provenance --access public + env: + NODE_AUTH_TOKEN: ${{ secrets.NPMJS_TOKEN }} + + - name: Publish Summary + run: | + echo "### npm Publish Summary" >> $GITHUB_STEP_SUMMARY echo "" >> $GITHUB_STEP_SUMMARY - if [ "${{ steps.publish_release.outputs.released }}" = "true" ]; then - echo "Release completed successfully!" >> $GITHUB_STEP_SUMMARY - else - echo "Release failed - no draft release was found to publish" >> $GITHUB_STEP_SUMMARY - fi + echo "- **Package:** @aossie/thrubox-client" >> $GITHUB_STEP_SUMMARY + echo "- **Version:** ${{ needs.release.outputs.version }}" >> $GITHUB_STEP_SUMMARY + echo "- **Registry:** https://www.npmjs.com/package/@aossie/thrubox-client" >> $GITHUB_STEP_SUMMARY + echo "- **Provenance:** ✓ (supply-chain attestation enabled)" >> $GITHUB_STEP_SUMMARY