# https://help.github.com/en/categories/automating-your-workflow-with-github-actions
# See: https://github.com/JulianCataldo/gh-actions
# For matrix setup:
# https://github.com/withastro/astro/blob/main/.github/workflows/ci.yml
# https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/running-variations-of-jobs-in-a-workflow
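name: CI / Release

on:
  workflow_dispatch:
  push:
    paths-ignore:
      - '.github/**'
      - '!.github/workflows/release.yaml'
      - '**/*.md'
    branches:
      # Maintenance branches such as `1.x` / `1.2.x` (semantic-release style glob).
      - '([0-9])?(.{+([0-9]),x}).x'
      - main
      - next
      - next-major
      - alpha
      - beta
      - 'feat/*'
      - 'fix/*'
      # - to-integrate
      # - to-integrate-next

# Workflow-wide default: a read-only GITHUB_TOKEN. Write scopes are granted
# per job below, never globally.
permissions:
  contents: read # for checkout

jobs:
  release:
    name: CI / Release
    # NOTE(review): job-level permissions cannot be conditional, so these write
    # scopes are in effect for every push on the branches listed above (including
    # `feat/*` / `fix/*`), not only for `main` / `next`. The publish steps
    # themselves are gated on `github.ref` further down.
    permissions:
      contents: write # to push the release commit/tags and publish a GitHub release
      issues: write # to be able to comment on released issues
      pull-requests: write # to be able to comment on released pull requests
      id-token: write # to enable use of OIDC for npm provenance (see NOTE on the publish steps)
    runs-on: ubuntu-latest
    # TODO:
    # runs-on: ${{ matrix.os }}
    # timeout-minutes: 25
    # # needs: build
    # strategy:
    #   matrix:
    #     OS: [ubuntu-latest]
    #     NODE_VERSION: [18, 20]
    #     include:
    #       - os: macos-14
    #         NODE_VERSION: 18
    #       - os: windows-latest
    #         NODE_VERSION: 18
    #   fail-fast: false
    # env:
    #   NODE_VERSION: ${{ matrix.NODE_VERSION }}
    steps:
      # MARK: Setup GH Action
      - name: Harden Runner
        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
        with:
          # `audit` only records egress; it blocks nothing. Once the observed
          # endpoints are known, switch to `egress-policy: block` with an explicit
          # `allowed-endpoints` list so a compromised dependency or build script
          # cannot exfiltrate NPM_TOKEN / GITHUB_TOKEN from this job.
          egress-policy: audit

      - name: Git checkout
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.2
        with:
          # Full history: lerna's conventional-commit versioning needs the tags and
          # commit log, not a shallow clone.
          fetch-depth: 0
          # The default `persist-credentials: true` is deliberately kept here:
          # `lerna publish` below commits the version bump (`--message`) and
          # presumably pushes it and the tags through git with the persisted token.
          # Do not set `persist-credentials: false` without giving lerna another
          # way to push.

      # MARK: Setup Node env.
      - name: Setup PNPM
        uses: pnpm/action-setup@a3252b78c470c02df07e9d59298aecedc3ccdd6d # v3.0.0
        with:
          run_install: false

      - name: Use Node.js 22.2.0
        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
        with:
          node-version: '22.2.0'
          cache: pnpm
          # Registry auth is configured by setup-node: it writes an `.npmrc` under
          # $RUNNER_TEMP (exported as NPM_CONFIG_USERCONFIG) whose auth line reads
          # the token from NODE_AUTH_TOKEN at publish time. This replaces echoing
          # NPM_TOKEN into a `.npmrc` inside the checked-out tree, which would
          # overwrite any project `.npmrc` pnpm relies on and leave a live secret
          # in the working tree that later git operations or caches could pick up.
          registry-url: 'https://registry.npmjs.org'

      - name: Install packages
        shell: bash
        # `--frozen-lockfile` refuses to resolve anything not already pinned in the
        # lockfile, so a release cannot silently pull a different dependency graph.
        run: pnpm install --frozen-lockfile

      # TODO: More tests
      # - name: Syncpack Lint
      #   shell: bash
      #   run: node --run syncpack:lint

      # NOTE: Audit is for prod only because a lot of root packages (like lerna etc.)
      # are old packages with intricate dependency trees, and they are never shipped
      # to the user. That is not 100% optimal, as devDeps can still compromise the
      # build itself (they run on this runner with the secrets below), but it is a
      # middle ground that avoids regularly blocked releases for obscure mono-repo
      # tooling deps.
      - name: 'Verify the integrity of provenance attestations and registry signatures for installed [prod] dependencies'
        run: node --run audit

      # MARK: Lint/Checks pre-build
      - name: Lint last commit — Commitlint
        shell: bash
        run: node --run lint:commit
      # - name: Lint CSS — Stylelint
      #   shell: bash
      #   run: node --run lint:css
      - name: Check all formatting — Prettier
        shell: bash
        run: node --run format

      # MARK: Build packages
      - name: Setup Turbo cache
        uses: dtinth/setup-github-actions-caching-for-turbo@a0e976d970c2a94366a26984efcef3030e2c0115 # v1.2.0
      - name: Build all packages
        shell: bash
        run: node --run build

      # MARK: Lint/Checks post-build
      - name: Lint JS/TS — ESLint
        shell: bash
        run: node --run lint:es

      # MARK: Tests
      - name: Tests — Units
        shell: bash
        run: node --run test:unit
      - name: Tests — Integration
        shell: bash
        run: node --run test:integration

      # MARK: Publish packages
      # NPM_TOKEN is never written to disk by this workflow: the publish steps
      # receive it as NODE_AUTH_TOKEN, which the `.npmrc` created by setup-node
      # references. Only the steps that actually publish get the secret.
      - name: Git user configuration
        env:
          # Passed through the environment instead of being interpolated into the
          # script with `${{ }}`, so the value is never re-parsed by the shell.
          ACTOR: ${{ github.actor }}
        run: |
          git config --global user.name "$ACTOR"
          git config --global user.email "$ACTOR@users.noreply.github.com"

      # MARK: [MAIN]
      - name: 'Lerna publish [main]'
        # if: github.ref == 'refs/heads/to-integrate'
        if: github.ref == 'refs/heads/main'
        # https://github.com/lerna/lerna/issues/2532
        id: graduateRelease
        # A failure of this step is expected in the lerna#2532 case and is handled
        # by the fallback step below, so it must not fail the job on its own.
        continue-on-error: true
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
          # NOTE(review): `id-token: write` is granted to this job, but npm
          # provenance is not enabled anywhere in this workflow. To actually publish
          # provenance, set `NPM_CONFIG_PROVENANCE: 'true'` on this and the other
          # publish steps (the packages' `repository` metadata must match this
          # repo); otherwise drop `id-token: write` to keep the token minimal.
        # `[skip ci]` keeps the release commit from re-triggering this workflow.
        run: |
          pnpm lerna publish --message 'chore: publish [main] release [skip ci]' --create-release=github --conventional-graduate --yes

      - name: Bump Prod Version Fallback
        if: ${{ always() && steps.graduateRelease.outcome == 'failure' }}
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
        # `git stash` discards the tracked changes the failed graduate attempt
        # presumably left behind so the retry starts from a clean tree.
        run: |
          echo Falling back to non-graduate release due to https://github.com/lerna/lerna/issues/2532
          git stash
          pnpm lerna publish --message 'chore: publish [main] release [skip ci]' --create-release=github --yes

      # # TRY: https://www.jessesquires.com/blog/2021/10/17/github-actions-workflows-for-automatic-rebasing-and-merging/
      # - name: Merge (rebase) back main into next
      #   env:
      #     GH_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
      #   run: |
      #     git checkout next
      #     git rebase main
      #     git push

      # MARK: [NEXT]
      - name: 'Lerna publish [next]'
        if: github.ref == 'refs/heads/next'
        # if: github.ref == 'refs/heads/to-integrate-next'
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
        # --canary next
        # https://github.com/lerna/lerna/issues/1433
        # pnpm lerna publish --conventional-prerelease --dist-tag=next --preid=next --no-changelog --yes
        # pnpm lerna publish --conventional-prerelease --pre-dist-tag=next --preid=next --yes
        # pnpm lerna publish --force-publish='*' --canary --pre-dist-tag=next --preid=next --yes
        run: |
          pnpm lerna publish --message 'chore: publish [next] pre-release' --conventional-prerelease --pre-dist-tag=next --preid=next --yes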