-
Notifications
You must be signed in to change notification settings - Fork 2
123 lines (112 loc) · 3.63 KB
/
nx-release.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
name: release
on:
push:
branches:
- 'main'
jobs:
security:
permissions:
contents: read
checks: read
statuses: read
security-events: write
uses: affinidi/pipeline-security/.github/workflows/security-scanners.yml@feat/check-inherit
with:
config-path: .github/labeler.yml
secrets: inherit
release:
concurrency: release
runs-on: ubuntu-latest
environment: main
permissions:
# IMPORTANT: this permission is mandatory for trusted publishing
id-token: write
contents: read
needs: ['security']
steps:
- name: Generate token from app token #https://github.com/tibdex/github-app-token
id: generate_token
uses: tibdex/github-app-token@v2
with:
app_id: ${{ secrets.RELEASE_BOT_APP_ID }}
private_key: ${{ secrets.RELEASE_BOT_PKEY }}
- uses: actions/checkout@v4
with:
fetch-depth: 0
token: ${{ steps.generate_token.outputs.token }}
- name: configure git
run: |
git config user.name "${GITHUB_ACTOR}"
git config user.email "${GITHUB_ACTOR}@users.noreply.github.com"
# Setup cache, npm
- uses: actions/setup-node@v4
with:
node-version: 18
cache: 'npm'
registry-url: 'https://registry.npmjs.org'
scope: '@affinidi-tdk'
- run: npm ci
# Generate tag/changelog with semantic release
# setting parallel higher than one might cause problems with locking git repo
- run: npx nx run-many -t semantic-release --parallel=false
name: semantic release
env:
GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
publish:
concurrency: publish
runs-on: ubuntu-latest
environment: main
permissions:
# IMPORTANT: this permission is mandatory for trusted publishing
id-token: write
contents: read
needs: ['release']
steps:
- name: Generate token from app token #https://github.com/tibdex/github-app-token
id: generate_token
uses: tibdex/github-app-token@v2
with:
app_id: ${{ secrets.RELEASE_BOT_APP_ID }}
private_key: ${{ secrets.RELEASE_BOT_PKEY }}
- uses: actions/checkout@v4
with:
fetch-depth: 0
ref: ${{ github.ref }}
- uses: actions/setup-node@v4
with:
node-version: 18
cache: 'npm'
registry-url: 'https://registry.npmjs.org'
scope: '@affinidi-tdk'
- run: npm ci
- name: Set up Python
uses: actions/setup-python@v3
with:
python-version: '3.x'
- name: install python tools
run: |
pip install twine
pip install poetry
- name: Mint pypi token
id: mint
uses: tschm/token-mint-action@v1.0.3
- name: Set version for non-js client packages
run: npx nx run-many -t set-version
- name: build
run: |
npx nx run-many -t build --parallel=false
- name: package
run: |
npx nx run-many -t package
# Publish to npm,pypi with new nx release publish functionality
- run: |
npx nx release publish --verbose
name: publish
env:
TWINE_USERNAME: '__token__'
TWINE_PASSWORD: ${{ steps.mint.outputs.api-token }}
POETRY_PYPI_TOKEN_PYPI: ${{ steps.mint.outputs.api-token }}
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
NPM_TOKEN: ${{ secrets.NPM_TOKEN }} #publib-npm expects this
GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}