.github/workflows/release.yml

# ~~ Generated by projen. To modify, edit .projenrc.ts and run "npx projen".

name: release
on:
  push:
    branches:
      - main
    paths-ignore:
      - examples/**
      - .github/ISSUE_TEMPLATE/**
      - .github/CODEOWNERS
      - .github/dependabot.yml
      - .github/**/*.md
  workflow_dispatch: {}
concurrency:
  group: ${{ github.workflow }}
  cancel-in-progress: false
jobs:
  release:
    runs-on: ubuntu-latest
    permissions:
      contents: write
    outputs:
      latest_commit: ${{ steps.git_remote.outputs.latest_commit }}
      tag_exists: ${{ steps.check_tag_exists.outputs.exists }}
    env:
      CI: "true"
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
        with:
          fetch-depth: 0
      - name: Setup Terraform
        uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd
        with:
          terraform_wrapper: false
      - name: Set git identity
        run: |-
          git config user.name "github-actions"
          git config user.email "github-actions@github.com"
      - name: Install dependencies
        run: yarn install --check-files --frozen-lockfile
      - name: release
        run: npx projen release
      - name: Check if version has already been tagged
        id: check_tag_exists
        run: |-
          TAG=$(cat dist/releasetag.txt)
          ([ ! -z "$TAG" ] && git ls-remote -q --exit-code --tags origin $TAG && (echo "exists=true" >> $GITHUB_OUTPUT)) || (echo "exists=false" >> $GITHUB_OUTPUT)
          cat $GITHUB_OUTPUT
      - name: Check for new commits
        id: git_remote
        run: |-
          echo "latest_commit=$(git ls-remote origin -h ${{ github.ref }} | cut -f1)" >> $GITHUB_OUTPUT
          cat $GITHUB_OUTPUT
      - name: Backup artifact permissions
        if: ${{ steps.git_remote.outputs.latest_commit == github.sha }}
        run: cd dist && getfacl -R . > permissions-backup.acl
        continue-on-error: true
      - name: Upload artifact
        if: ${{ steps.git_remote.outputs.latest_commit == github.sha }}
        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b
        with:
          name: build-artifact
          path: dist
          overwrite: true
  release_github:
    name: Publish to GitHub Releases
    needs:
      - release
      - release_npm
    runs-on: ubuntu-latest
    permissions:
      contents: write
    if: needs.release.outputs.tag_exists != 'true' && needs.release.outputs.latest_commit == github.sha
    steps:
      - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af
        with:
          node-version: lts/*
      - name: Download build artifacts
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16
        with:
          name: build-artifact
          path: dist
      - name: Restore build artifact permissions
        run: cd dist && setfacl --restore=permissions-backup.acl
        continue-on-error: true
      - name: Release
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GITHUB_REPOSITORY: ${{ github.repository }}
          GITHUB_REF: ${{ github.sha }}
        run: errout=$(mktemp); gh release create $(cat dist/releasetag.txt) -R $GITHUB_REPOSITORY -F dist/changelog.md -t $(cat dist/releasetag.txt) --target $GITHUB_REF 2> $errout && true; exitcode=$?; if [ $exitcode -ne 0 ] && ! grep -q "Release.tag_name already exists" $errout; then cat $errout; exit $exitcode; fi
  release_npm:
    name: Publish to npm
    needs: release
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    if: needs.release.outputs.tag_exists != 'true' && needs.release.outputs.latest_commit == github.sha
    steps:
      - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af
        with:
          node-version: lts/*
      - name: Download build artifacts
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16
        with:
          name: build-artifact
          path: dist
      - name: Restore build artifact permissions
        run: cd dist && setfacl --restore=permissions-backup.acl
        continue-on-error: true
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
        with:
          path: .repo
      - name: Install Dependencies
        run: cd .repo && yarn install --check-files --frozen-lockfile
      - name: Extract build artifact
        run: tar --strip-components=1 -xzvf dist/js/*.tgz -C .repo
      - name: Move build artifact out of the way
        run: mv dist dist.old
      - name: Create js artifact
        run: cd .repo && npx projen package:js
      - name: Collect js artifact
        run: mv .repo/dist dist
      - name: Release
        env:
          NPM_DIST_TAG: latest
          NPM_REGISTRY: registry.npmjs.org
          NPM_CONFIG_PROVENANCE: "true"
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
        run: npx -p publib@latest publib-npm