From 9c11103090a22068634cf8d5597a2385a45a9728 Mon Sep 17 00:00:00 2001
From: Bohdan Struk
Date: Tue, 9 Jun 2026 12:17:53 -0700
Subject: [PATCH 1/3] ci: npm trusted publishing
---
 .github/workflows/prerelease.yml | 1 -
 .github/workflows/publish.yml | 2 +-
 .github/workflows/release.yml | 1 -
 .releaserc.cjs | 2 +-
 4 files changed, 2 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/prerelease.yml b/.github/workflows/prerelease.yml
index a84ad8e69..3be6ba072 100644
--- a/.github/workflows/prerelease.yml
+++ b/.github/workflows/prerelease.yml
@@ -24,6 +24,5 @@ jobs:
 - name: Release
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
 BRANCH_NAME: ${{ github.head_ref || github.ref_name }}
 run: yarn run semantic-release
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index dcbf13d46..124bf30ec 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -23,4 +23,4 @@ jobs:
 - run: npm ci
 - run: npm run build --if-present
 - run: npm test
- - run: npm publish # Or: npm stage publish
+ - run: npm publish --provenance
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 93ad803da..14e0a7f13 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -24,7 +24,6 @@ jobs:
 - name: Release
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
 BRANCH_NAME: ${{ github.head_ref || github.ref_name }}
 run: yarn run semantic-release
 - name: Rebase master
diff --git a/.releaserc.cjs b/.releaserc.cjs
index 62a1036d8..c57aecf03 100644
--- a/.releaserc.cjs
+++ b/.releaserc.cjs
@@ -46,7 +46,7 @@ const gitSetting = [
 const npmRelease = [
 '@semantic-release/npm',
 {
- npmPublish: true,
+ npmPublish: false,
 },
 ];
From 6bac702b85a7db6a40e32ab66053d38039ec39ab Mon Sep 17 00:00:00 2001
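Review bot: `npmPublish: false` in the `.releaserc.cjs` hunk carries no comment saying why it is off, and a maintainer who flips it back to `true` would make semantic-release attempt a publish with the `NPM_TOKEN` that this same patch removes from the workflows. A one-line comment above the option would record the intent, for example `// Publishing is done by .github/workflows/publish.yml via npm trusted publishing (OIDC); semantic-release only versions and tags.`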
From: Bohdan Struk
Date: Tue, 9 Jun 2026 12:56:05 -0700
Subject: [PATCH 2/3] ci: npm trusted publishing
---
 .github/workflows/prerelease.yml | 28 ------------------
 .github/workflows/publish.yml | 50 +++++++++++++++++++++++++-------
 .github/workflows/release.yml | 33 ---------------------
 3 files changed, 39 insertions(+), 72 deletions(-)
 delete mode 100644 .github/workflows/prerelease.yml
 delete mode 100644 .github/workflows/release.yml
diff --git a/.github/workflows/prerelease.yml b/.github/workflows/prerelease.yml
deleted file mode 100644
index 3be6ba072..000000000
--- a/.github/workflows/prerelease.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-name: Prerelease
-on:
- push:
- branches:
- - master
-jobs:
- release:
- name: Prerelease
- runs-on: ubuntu-latest
- steps:
- - name: Checkout
- uses: actions/checkout@v4
- with:
- fetch-depth: 0
- - name: Setup Node.js
- uses: actions/setup-node@v4
- with:
- node-version: 22.x
- cache: yarn
- - name: Install dependencies
- run: yarn install --frozen-lockfile
- - name: Build library
- run: yarn build:prod
- - name: Release
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- BRANCH_NAME: ${{ github.head_ref || github.ref_name }}
- run: yarn run semantic-release
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 124bf30ec..52904cb61 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -1,26 +1,54 @@
-name: Publish Package
+name: Release
 on:
 push:
+ branches:
+ - master
+ - release
 tags:
 - 'v*'
 permissions:
- id-token: write # Required for OIDC
- contents: read
+ id-token: write # Required for OIDC publishing
+ contents: write # Required for semantic-release to push tags/commits
 jobs:
- publish:
+ release:
+ name: Release
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6
+ - name: Checkout
+ uses: actions/checkout@v6
+ with:
+ fetch-depth: 0
- - uses: actions/setup-node@v6
+ - name: Setup Node.js
+ uses: actions/setup-node@v6
 with:
 node-version: '24'
 registry-url: 'https://registry.npmjs.org'
- package-manager-cache: false # never use caching in release builds
- - run: npm ci
- - run: npm run build --if-present
- - run: npm test
- - run: npm publish --provenance
+ cache: yarn
+
+ - name: Install dependencies
+ run: yarn install --frozen-lockfile
+
+ - name: Build
+ run: yarn build:prod
+
+ - name: Version & Tag
+ if: github.ref_type == 'branch'
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ BRANCH_NAME: ${{ github.ref_name }}
+ run: yarn run semantic-release
+
+ - name: Publish
+ if: github.ref_type == 'tag'
+ run: npm publish --provenance
+
+ - name: Rebase master
+ if: github.ref_name == 'release' && github.ref_type == 'branch'
+ run: |
+ git checkout master &&
+ git rebase release &&
+ git push origin master
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
deleted file mode 100644
index 14e0a7f13..000000000
--- a/.github/workflows/release.yml
+++ /dev/null
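Review bot: `cache: yarn` replaces `package-manager-cache: false # never use caching in release builds` in the one job that holds `id-token: write` and `contents: write`, so the published artifact is now built with a dependency cache restored from earlier runs instead of a clean fetch. I would keep release builds cache-free by dropping `cache: yarn` and keeping `package-manager-cache: false`. Both permissions are also granted at workflow level, so `yarn install --frozen-lockfile` and `yarn build:prod` run with them on every branch push; moving the tag-triggered publish into its own job that alone has `id-token: write` would keep the OIDC permission away from branch builds. Separately, a tag pushed by the `Version & Tag` step with `secrets.GITHUB_TOKEN` does not start a new workflow run, so the `Publish` step (`if: github.ref_type == 'tag'`) may never fire unless tags are pushed by another identity; worth confirming.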
@@ -1,33 +0,0 @@
-name: Release
-on:
- push:
- branches:
- - release
-jobs:
- release:
- name: Release
- runs-on: ubuntu-latest
- steps:
- - name: Checkout
- uses: actions/checkout@v4
- with:
- fetch-depth: 0
- - name: Setup Node.js
- uses: actions/setup-node@v4
- with:
- node-version: 22.x
- cache: yarn
- - name: Install dependencies
- run: yarn install --frozen-lockfile
- - name: Build library
- run: yarn build:prod
- - name: Release
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- BRANCH_NAME: ${{ github.head_ref || github.ref_name }}
- run: yarn run semantic-release
- - name: Rebase master
- run: |
- git checkout master &&
- git rebase release &&
- git push origin master
From 6886f84c976ed19f72f6d371c41c286f80895b81 Mon Sep 17 00:00:00 2001
From: Bohdan Struk
Date: Wed, 10 Jun 2026 09:24:25 -0700
Subject: [PATCH 3/3] fix: review comment
---
 .github/workflows/publish.yml | 14 +++++++++++---
 .releaserc.cjs | 1 +
 2 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 52904cb61..4efe893f0 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -18,12 +18,12 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
 with:
 fetch-depth: 0
 - name: Setup Node.js
- uses: actions/setup-node@v6
+ uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
 with:
 node-version: '24'
 registry-url: 'https://registry.npmjs.org'
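Review bot: The pin comments on both `uses:` lines record only the moving major tag (`# v6`), so nobody can later tell which release each SHA was taken from or check it against the action's tag list. Recording the exact release, as in `uses: actions/checkout@<sha> # vX.Y.Z` (placeholder; substitute the release the SHA belongs to), lets update tooling and reviewers verify the pin. A commit hash under `owner/repo@` can also resolve to a commit that exists only in a fork of the action repository, so it is worth confirming each hash sits on the upstream release tag before merging.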
@@ -44,7 +44,15 @@ jobs:
 - name: Publish
 if: github.ref_type == 'tag'
- run: npm publish --provenance
+ run: |
+ VERSION="${GITHUB_REF_NAME#v}"
+ npm version "$VERSION" --no-git-tag-version
+ if [[ "$VERSION" == *"-"* ]]; then
+ DIST_TAG=$(echo "$VERSION" | grep -oP '(?<=-)[a-zA-Z]+')
+ npm publish --provenance --tag "$DIST_TAG"
+ else
+ npm publish --provenance --tag latest
+ fi
 - name: Rebase master
 if: github.ref_name == 'release' && github.ref_type == 'branch'
diff --git a/.releaserc.cjs b/.releaserc.cjs
index c57aecf03..f4bf28077 100644
--- a/.releaserc.cjs
+++ b/.releaserc.cjs
@@ -72,6 +72,7 @@ if (process.env && process.env.BRANCH_NAME === 'release') {
 changelogGen,
 releaseNotesGen,
 npmRelease,
+ gitSetting,
 ];
 }
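Review bot: The dist-tag derivation in the `Publish` step, `grep -oP '(?<=-)[a-zA-Z]+'`, prints every letter run that follows a hyphen, so a version whose prerelease part contains a second hyphen yields a multi-line `DIST_TAG`, and a version with only hyphenated build metadata (a constructed example: `1.2.0+build-a`) is published under a dist-tag instead of `latest`. Stripping build metadata first and taking only the leading letters of the prerelease part with parameter expansion, failing when that is empty, keeps the tag predictable. Separately, `npm version "$VERSION"` exits with an error when package.json already holds that version, which looks likely on `release` now that `gitSetting` is in the plugin list (its assets are not visible in this patch), so `--allow-same-version` is probably needed.

```yaml
        run: |
          # … unchanged: VERSION="${GITHUB_REF_NAME#v}" …
          npm version "$VERSION" --no-git-tag-version --allow-same-version
          CORE="${VERSION%%+*}"   # ignore build metadata
          if [[ "$CORE" == *-* ]]; then
            PRERELEASE="${CORE#*-}"
            DIST_TAG="${PRERELEASE%%[^a-zA-Z]*}"   # leading letters of the prerelease part only
            if [[ -z "$DIST_TAG" ]]; then
              echo "Cannot derive a dist-tag from version '$VERSION'" >&2
              exit 1
            fi
            # … unchanged: publish with --tag "$DIST_TAG", else branch with --tag latest …
```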