From 7482255951ca91826de7150248e491b537ad1d5e Mon Sep 17 00:00:00 2001 From: Robin Drexler Date: Tue, 28 Apr 2026 14:08:07 -0400 Subject: [PATCH] more prep for oidc --- .github/workflows/deploy.yml | 84 ++++++++++++++++++++++++-- .github/workflows/preview-versions.yml | 39 ------------ .github/workflows/snapit.yml | 27 --------- .nvmrc | 2 +- 4 files changed, 81 insertions(+), 71 deletions(-) delete mode 100644 .github/workflows/preview-versions.yml delete mode 100644 .github/workflows/snapit.yml diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 139ec852..d65d4838 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -2,19 +2,26 @@ name: Deploy on: push: - branches: [main] + branches: + - main + - changeset-release/main + workflow_dispatch: + # Snapit trigger - runs when /snapit comment is made on a PR + issue_comment: + types: + - created -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true +concurrency: ${{ github.workflow }}-${{ github.ref }} jobs: checks: name: Checks 📝 + if: ${{ github.event_name == 'push' && github.ref_name == 'main' }} uses: ./.github/workflows/checks.yml deploy: name: Deploy 🚀 + if: ${{ github.event_name == 'push' && github.ref_name == 'main' }} needs: [checks] runs-on: ubuntu-latest timeout-minutes: 5 @@ -24,8 +31,77 @@ jobs: steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - uses: ./.github/workflows/actions/prepare + - name: Update npm to 11.7 + run: npm install -g npm@11.7 - run: pnpm run type-check - run: pnpm run build - run: pnpm run deploy env: NPM_TOKEN: '' # Empty string forces OIDC + NPM_CONFIG_PROVENANCE: true + + preview: + name: Preview 🔮 + if: ${{ github.event_name == 'workflow_dispatch' || (github.event_name == 'push' && github.ref_name == 'changeset-release/main') }} + runs-on: ubuntu-latest + timeout-minutes: 5 + permissions: + contents: read + id-token: write # Required for OIDC authentication + steps: + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: ./.github/workflows/actions/prepare + - name: Update npm to 11.7 + run: npm install -g npm@11.7 + + # Changeset entries are consumed on this branch. We need to reset the + # changeset files so that the snapshot command knows the correct packages, + # and does not accidentally publish the new, non-preview version numbers + # prematurely. + - name: Reset changeset entries + run: | + git fetch origin main + git checkout origin/main -- .changeset + + - run: pnpm run type-check + - run: pnpm run build + + - name: Deploy preview versions to NPM + run: | + pnpm changeset version --snapshot preview + pnpm changeset publish --tag preview --no-git-tag + env: + GITHUB_TOKEN: ${{ secrets.SHOPIFY_GH_ACCESS_TOKEN }} + NPM_TOKEN: '' # Empty string forces OIDC + NPM_CONFIG_PROVENANCE: true + + # Snapit job - runs when /snapit comment is made on a PR + snapit: + name: Snapit + if: ${{ github.event_name == 'issue_comment' && github.event.issue.pull_request && github.event.comment.body == '/snapit' }} + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + id-token: write # Required for OIDC authentication + steps: + # WARNING: DO NOT RUN ANY CUSTOM LOCAL SCRIPT BEFORE RUNNING THE SNAPIT ACTION + # This action can be executed by 3rd party users and it should not be able to run arbitrary code from a PR. + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + token: ${{ secrets.SHOPIFY_GH_ACCESS_TOKEN }} + + - uses: ./.github/workflows/actions/prepare + + - name: Update npm to 11.7 + run: npm install -g npm@11.7 + + - name: Create snapshot + uses: Shopify/snapit@v0.1.0 + env: + GITHUB_TOKEN: ${{ secrets.SHOPIFY_GH_ACCESS_TOKEN }} + NPM_TOKEN: '' # Empty string forces OIDC + NPM_CONFIG_PROVENANCE: true + with: + build_script: pnpm build:snapit + comment_command: /snapit diff --git a/.github/workflows/preview-versions.yml b/.github/workflows/preview-versions.yml deleted file mode 100644 index 1c1d6bdc..00000000 --- a/.github/workflows/preview-versions.yml +++ /dev/null @@ -1,39 +0,0 @@ -name: Preview versions - -on: - workflow_dispatch: - push: - branches: - - changeset-release/main - -jobs: - preview: - name: Preview 🔮 - runs-on: ubuntu-latest - timeout-minutes: 5 - permissions: - contents: read - id-token: write # Required for OIDC authentication - steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - uses: ./.github/workflows/actions/prepare - - # Changeset entries are consumed on this branch. We need to reset the - # changeset files so that the snapshot command knows the correct packages, - # and does not accidentally publish the new, non-preview version numbers - # prematurely. - - name: Reset changeset entries - run: | - git fetch origin main - git checkout origin/main -- .changeset - - - run: pnpm run type-check - - run: pnpm run build - - - name: Deploy preview versions to NPM - run: | - pnpm changeset version --snapshot preview - pnpm changeset publish --tag preview --no-git-tag - env: - GITHUB_TOKEN: ${{ secrets.SHOPIFY_GH_ACCESS_TOKEN }} - NPM_TOKEN: '' # Empty string forces OIDC diff --git a/.github/workflows/snapit.yml b/.github/workflows/snapit.yml deleted file mode 100644 index dc7d95b7..00000000 --- a/.github/workflows/snapit.yml +++ /dev/null @@ -1,27 +0,0 @@ -name: Snapit - -on: - issue_comment: - types: - - created - -jobs: - snapit: - name: Snapit - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - with: - token: ${{ secrets.SHOPIFY_GH_ACCESS_TOKEN }} - - - uses: ./.github/workflows/actions/prepare - - - name: Create snapshot - uses: Shopify/snapit@v0.0.14 - env: - GITHUB_TOKEN: ${{ secrets.SHOPIFY_GH_ACCESS_TOKEN }} - NPM_TOKEN: ${{ secrets.NPM_TOKEN }} - NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} - with: - build_script: pnpm build:snapit - comment_command: /snapit diff --git a/.nvmrc b/.nvmrc index 7ea6a59d..953490f5 100644 --- a/.nvmrc +++ b/.nvmrc @@ -1 +1 @@ -v20.11.0 +v20.20.0