charter/.github/workflows/release.yml at main · Stackbilt-dev/charter · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
name: Release

on:
  push:
    tags:
      - 'v*'
    branches-ignore:
      - '**'
  workflow_dispatch:
    inputs:
      tag:
        description: 'Existing tag to publish (for backfill), e.g. v0.4.2'
        required: true
        type: string

permissions:
  contents: write

jobs:
  publish-release:
    if: startsWith(github.ref, 'refs/tags/v') || github.event_name == 'workflow_dispatch'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0

      - name: Resolve tag
        id: tag
        shell: bash
        run: |
          if [[ "${GITHUB_EVENT_NAME}" == "workflow_dispatch" ]]; then
            TAG="${{ inputs.tag }}"
          else
            TAG="${GITHUB_REF_NAME}"
          fi

          if [[ -z "${TAG}" ]]; then
            echo "Tag could not be resolved." >&2
            exit 1
          fi

          echo "value=${TAG}" >> "$GITHUB_OUTPUT"

      - name: Verify tag
        shell: bash
        run: |
          TAG="${{ steps.tag.outputs.value }}"
          if [[ ! "${TAG}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
            echo "Invalid tag format: ${TAG}. Expected v<major>.<minor>.<patch>" >&2
            exit 1
          fi

          if [[ "${GITHUB_EVENT_NAME}" == "push" ]]; then
            PKG_VERSION="$(node -p "require('./packages/cli/package.json').version")"
            EXPECTED_TAG="v${PKG_VERSION}"

            if [[ "${TAG}" != "${EXPECTED_TAG}" ]]; then
              echo "Tag/version mismatch on push: got ${TAG}, expected ${EXPECTED_TAG}" >&2
              exit 1
            fi
          else
            if ! git rev-parse -q --verify "refs/tags/${TAG}" >/dev/null; then
              echo "Tag not found in repository: ${TAG}" >&2
              exit 1
            fi
          fi

      - name: Build release notes from CHANGELOG
        shell: bash
        run: |
          TAG="${{ steps.tag.outputs.value }}"
          VERSION="${TAG#v}"

          awk -v version="${VERSION}" '
            BEGIN { in_section=0 }
            $0 ~ "^## \\[" version "\\]" { in_section=1; print; next }
            in_section && $0 ~ "^## \\[" { exit }
            in_section { print }
          ' CHANGELOG.md > release_notes.md

          if [[ ! -s release_notes.md ]]; then
            echo "## ${TAG}" > release_notes.md
            echo >> release_notes.md
            echo "See CHANGELOG.md for release details." >> release_notes.md
          fi

      - name: Create or update GitHub Release
        uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3.0.0
        with:
          tag_name: ${{ steps.tag.outputs.value }}
          name: ${{ steps.tag.outputs.value }}
          body_path: release_notes.md
          generate_release_notes: true

  publish-npm:
    if: startsWith(github.ref, 'refs/tags/v') || github.event_name == 'workflow_dispatch'
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
          ref: ${{ inputs.tag || github.ref }}

      - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0

      # No registry-url: setup-node would otherwise write ~/.npmrc with a
      # _authToken line, which makes npm CLI prefer token auth over the
      # OIDC flow that trusted publishers require.
      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
          node-version: '20'
          cache: 'pnpm'

      # npm 11.5.1+ required for trusted-publisher OIDC auth on publish.
      # The version bundled with Node 20 on setup-node is ~10.x.
      - name: Upgrade npm for trusted-publisher support
        run: npm install -g npm@latest

      - name: Install dependencies
        run: pnpm install --frozen-lockfile

      - name: Build
        run: pnpm run build

      # Enforces unified workspace versioning — every packages/*/package.json must match the tag.
      - name: Verify workspace versions match tag
        shell: bash
        run: |
          TAG="${{ github.event.inputs.tag || github.ref_name }}"
          EXPECTED="${TAG#v}"
          FAIL=0
          for p in packages/*/package.json; do
            V=$(node -p "require('./$p').version")
            N=$(node -p "require('./$p').name")
            if [[ "$V" != "$EXPECTED" ]]; then
              echo "::error::$N version $V does not match tag $EXPECTED"
              FAIL=1
            fi
          done
          if [[ $FAIL -ne 0 ]]; then exit 1; fi

      # Auth is OIDC via npm trusted publishers — no NPM_TOKEN needed.
      # See: https://docs.npmjs.com/trusted-publishers
      - name: Publish to npm
        run: npm publish --workspaces --access public --provenance