id-token global #82
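---
# AutoRelease: runs on semver-like tag pushes. The first job builds the
# Gradle/Maven artefacts and publishes the npm package; the second job bumps
# the npm package version on main and commits it.
on:  # yamllint disable-line rule:truthy
  push:
    tags:
      # GitHub tag filter glob: digits.digits.digits followed by any suffix.
      # Note that the trailing `*` only constrains the prefix of the tag name.
      - '[0-9]+.[0-9]+.[0-9]+*'
name: AutoRelease

# Workflow-level default token permissions. Both jobs below declare their own
# `permissions` block, which replaces this one for that job.
permissions:
  id-token: write
  contents: read

jobs:
  release_maven:
    permissions:
      id-token: write  # required for npm trusted publishing (OIDC) via setup-node
      contents: read
    name: Build and release to Maven
    runs-on: ubuntu-latest
    steps:
      # Actions are referenced by major/minor tag; pinning to a full commit
      # SHA would make the supply chain immutable — consider doing so.
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup Java
        uses: actions/setup-java@v4
        with:
          distribution: 'temurin'
          java-version: '11'
      # NOTE(review): every signing/publishing secret is exposed to this one
      # script; confirm the script actually needs all five and drop any it
      # does not use.
      - run: scripts/setup-signing-key.sh
        env:
          DECRYPTER: ${{ secrets.DECRYPTER }}
          SIGNING_KEY: ${{ secrets.SIGNING_KEY }}
          PASSPHRASE: ${{ secrets.PASSPHRASE }}
          GRADLE_PUBLISH_KEY: ${{ secrets.GRADLE_PUBLISH_KEY }}
          GRADLE_PUBLISH_SECRET: ${{ secrets.GRADLE_PUBLISH_SECRET }}
      - name: Build and Release
        # The tag name is handed to the shell through an environment variable
        # instead of being interpolated into the command line, so shell
        # metacharacters in a tag name cannot alter the command (the tag
        # filter above does not exclude them). The Sonatype publish tasks are
        # currently commented out, so this step only builds and checks.
        run: ./gradlew -Pversion="$RELEASE_VERSION" clean check # publishMavenPublicationToSonatype closeAndReleaseSonatypeStagingRepository
        env:
          RELEASE_VERSION: ${{ github.ref_name }}
          SONATYPE_USERNAME: ${{ secrets.SONATYPE_USERNAME }}
          SONATYPE_PASSWORD: ${{ secrets.SONATYPE_PASSWORD }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      # Configure npm for OIDC authentication with trusted publishing
      # This must be done after CI setup to ensure npm is properly configured
      # setup-node@v4 with registry-url automatically configures OIDC when id-token: write is set
      - name: Setup Node.js for npm publishing
        uses: actions/setup-node@v4
        with:
          node-version: "24"
          registry-url: "https://registry.npmjs.org"
      - name: Build NPM package
        # Same pattern as above: the tag name goes through an env var, never
        # straight into the shell line.
        run: |
          ./gradlew -Pversion="$RELEASE_VERSION" tools:cli-application:shadowJar
          cp rmf-codegen.jar node/rmf-codegen/bin
        env:
          RELEASE_VERSION: ${{ github.ref_name }}
      - name: Verify npm OIDC configuration
        run: |
          # Verify registry is set correctly
          echo "Registry: $(npm config get registry)"
          # Ensure no token-based auth is configured (OIDC should be used automatically)
          npm config delete //registry.npmjs.org/:_authToken || true
          # Verify npm can access the registry (this will use OIDC if configured)
          echo "npm OIDC authentication configured via setup-node action"
      # - name: Creating .npmrc
      #   run: |
      #     cat << EOF > "$HOME/.npmrc"
      #     email=npmjs@commercetools.com
      #     //registry.npmjs.org/:_authToken=$NPM_TOKEN
      #     EOF
      #   env:
      #     NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
      # NOTE(review): npm trusted publishing is implemented in the npm CLI's
      # `npm publish`; confirm that yarn classic's `publish` obtains the OIDC
      # credential rather than failing for lack of a token. `--minor` bumps
      # the package version locally before publishing; the bump_version job
      # repeats that bump on main so the two stay in step.
      - name: Publish npm package
        working-directory: node/rmf-codegen
        run: yarn publish --no-git-tag-version --minor

  bump_version:
    name: Bump NPM version
    needs: [release_maven]
    runs-on: ubuntu-latest
    permissions:
      contents: write  # push the version-bump commit to main
      # NOTE(review): the reason for `actions: write` is not visible in this
      # workflow — confirm it is still required, otherwise drop it.
      actions: write
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          ref: main
      - name: Setup Node
        uses: actions/setup-node@v4
        with:
          # Aligned with the release job; only `yarn version` runs here.
          node-version: "24"
      - name: Publish npm package
        working-directory: node/rmf-codegen
        run: yarn version --no-git-tag-version --minor
      - uses: stefanzweifel/git-auto-commit-action@v4.6.0
        with:
          file_pattern: "node/rmf-codegen/package.json"
          commit_message: "Bump codegen version"
          commit_user_name: Auto Mation
          commit_user_email: automation@commercetools.com
          commit_author: Auto Mation <automation@commercetools.com>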