rmf-codegen/.github/workflows/release.yml at main · commercetools/rmf-codegen · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
on:
  workflow_dispatch:
  push:
    tags:
      - '[0-9]+.[0-9]+.[0-9]+*'

name: AutoRelease

permissions: {}

jobs:
  release_maven:
    permissions:
      contents: write
      actions: write
      id-token: write

    name: Build and release

    runs-on: ubuntu-latest

    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Setup Java
        uses: actions/setup-java@v4
        with:
          distribution: 'temurin'
          java-version: '11'

      - name: Setup Node
        uses: actions/setup-node@v4
        with:
          node-version: "18"

      - run: scripts/setup-signing-key.sh
        env:
          DECRYPTER: ${{ secrets.DECRYPTER }}
          SIGNING_KEY: ${{ secrets.SIGNING_KEY }}
          PASSPHRASE: ${{ secrets.PASSPHRASE }}
          GRADLE_PUBLISH_KEY: ${{ secrets.GRADLE_PUBLISH_KEY }}
          GRADLE_PUBLISH_SECRET: ${{ secrets.GRADLE_PUBLISH_SECRET }}
      - name: Build and Release
        run: export VERSION="1.0.0-`date '+%Y%m%d%H%M%S'`"; ./gradlew -Pversion=$VERSION clean check publishMavenPublicationToSonatype closeAndReleaseSonatypeStagingRepository writeVersionToReadme
        env:
          SONATYPE_USERNAME: ${{ secrets.SONATYPE_USERNAME }}
          SONATYPE_PASSWORD: ${{ secrets.SONATYPE_PASSWORD }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - uses: stefanzweifel/git-auto-commit-action@v4.6.0
        with:
          file_pattern: "scripts/install.sh"
          commit_message: "TASK: Updating version in README"
          commit_user_name: Auto Mation
          commit_user_email: automation@commercetools.com
          commit_author: Auto Mation <automation@commercetools.com>

  release_tag:
    permissions:
      id-token: write
      contents: read

    name: Build and release to Maven
    if: startsWith( github.ref, 'refs/tags/')

    runs-on: ubuntu-latest
    needs: [release_maven]
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Setup Java
        uses: actions/setup-java@v4
        with:
          distribution: 'temurin'
          java-version: '11'

      - run: scripts/setup-signing-key.sh
        env:
          DECRYPTER: ${{ secrets.DECRYPTER }}
          SIGNING_KEY: ${{ secrets.SIGNING_KEY }}
          PASSPHRASE: ${{ secrets.PASSPHRASE }}
          GRADLE_PUBLISH_KEY: ${{ secrets.GRADLE_PUBLISH_KEY }}
          GRADLE_PUBLISH_SECRET: ${{ secrets.GRADLE_PUBLISH_SECRET }}

      - name: Build and Release
        run: ./gradlew -Pversion=${{ github.ref_name }} clean check publishMavenPublicationToSonatype closeAndReleaseSonatypeStagingRepository
        env:
          SONATYPE_USERNAME: ${{ secrets.SONATYPE_USERNAME }}
          SONATYPE_PASSWORD: ${{ secrets.SONATYPE_PASSWORD }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      # Configure npm for OIDC authentication with trusted publishing
      # This must be done after CI setup to ensure npm is properly configured

      # setup-node@v4 with registry-url automatically configures OIDC when id-token: write is set
      - name: Setup Node.js for npm publishing
        uses: actions/setup-node@v4
        with:
          node-version: "24"
          registry-url: "https://registry.npmjs.org"

      - name: Build NPM package
        run: |
          ./gradlew -Pversion=${{ github.ref_name }} tools:cli-application:shadowJar
          cp rmf-codegen.jar node/rmf-codegen/bin

      - name: Verify npm OIDC configuration
        run: |
          # Verify registry is set correctly
          echo "Registry: $(npm config get registry)"
          # Ensure no token-based auth is configured (OIDC should be used automatically)
          npm config delete //registry.npmjs.org/:_authToken || true
          # Verify npm can access the registry (this will use OIDC if configured)
          echo "npm OIDC authentication configured via setup-node action"

      - name: Publish npm package
        working-directory: node/rmf-codegen
        run: npm version minor && npm publish --no-git-tag-version

  bump_version:
    if: startsWith( github.ref, 'refs/tags/')
    name: Bump NPM version

    needs: [release_tag]
    runs-on: ubuntu-latest

    permissions:
      contents: write
      actions: write

    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          ref: main

      - name: Setup Node
        uses: actions/setup-node@v4
        with:
          node-version: "18"

      - name: Publish npm package
        working-directory: node/rmf-codegen
        run: yarn version --no-git-tag-version --minor

      - uses: stefanzweifel/git-auto-commit-action@v4.6.0
        with:
          file_pattern: "node/rmf-codegen/package.json"
          commit_message: "Bump codegen version"
          commit_user_name: Auto Mation
          commit_user_email: automation@commercetools.com
          commit_author: Auto Mation <automation@commercetools.com>