ci: Uses OIDC for NPM publish authentication. #18
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ####################################################################################################################### | |
| # | |
| # Node CI - Production | |
| # | |
| # The workflow ensures quality for the build, builds the project and publishes it to the configured destinations. | |
| # There are the following destinations: | |
| # | |
| # [Github Release] | |
| # The destination is only triggered if the secret 'RELEASE_TO_GITHUB' is set to a non-empty value. | |
| # | |
| # [NPM] | |
| # The destination is only triggered if the secret 'NPM_TOKEN' is provided. | |
| # | |
| # [Docker Hub] | |
| # The destination is only triggered if the secrets 'DOCKER_USERNAME' and 'DOCKER_PASSWORD' are | |
| # provided. | |
| # | |
| ####################################################################################################################### | |
| name: Prod Node CI | |
| env: | |
| node-version: 16 | |
| node-package-manager: yarn | |
| on: | |
| push: | |
| branches: | |
| - "master" | |
| - "main" | |
| permissions: | |
| id-token: 'write' # Used for NPM publish | |
| jobs: | |
| cache-dependencies: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Access repository | |
| uses: actions/checkout@v4 | |
| - uses: ./.github/actions/cache | |
| - name: Install dependencies | |
| run: yarn install --frozen-lockfile | |
| prebuild: | |
| runs-on: ubuntu-latest | |
| needs: cache-dependencies | |
| steps: | |
| - name: Access repository | |
| uses: actions/checkout@v4 | |
| - uses: ./.github/actions/cache | |
| - name: Install dependencies | |
| run: yarn install --frozen-lockfile | |
| - name: Build | |
| run: yarn build | |
| test: | |
| runs-on: ubuntu-latest | |
| needs: cache-dependencies | |
| steps: | |
| - name: Access repository | |
| uses: actions/checkout@v4 | |
| - uses: ./.github/actions/test | |
| validate-dependencies: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Access repository | |
| uses: actions/checkout@v4 | |
| - uses: ./.github/actions/validate-dependencies | |
| bump-version: | |
| runs-on: ubuntu-latest | |
| needs: | |
| - prebuild | |
| - test | |
| - validate-dependencies | |
| outputs: | |
| tag_version: ${{ steps.tag_version.outputs.new_tag || steps.tag_version.outputs.previous_tag }} | |
| version: ${{ steps.tag_version.outputs.new_version || steps.tag_version.outputs.previous_version }} | |
| changelog: ${{ steps.tag_version.outputs.changelog }} | |
| bumped: ${{ steps.tag_version.outputs.new_tag != '' }} | |
| steps: | |
| - name: Access repository | |
| uses: actions/checkout@v4 | |
| - name: Configure committer | |
| run: | | |
| git config user.name "${{ github.event.pusher.name }}" | |
| git config user.email "${{ github.event.pusher.email }}" | |
| - name: Bump version and push tag | |
| id: tag_version | |
| uses: mathieudutour/github-tag-action@v6.2 | |
| with: | |
| github_token: ${{ secrets.GITHUB_TOKEN }} | |
| default_bump: false | |
| - name: Update package.json | |
| if: steps.tag_version.outputs.new_tag != '' | |
| uses: jossef/action-set-json-field@v2.1 | |
| with: | |
| file: package.json | |
| field: version | |
| value: ${{ steps.tag_version.outputs.new_version }} | |
| - name: Update CHANGELOG.md | |
| env: | |
| changes: ${{ steps.tag_version.outputs.changelog }} | |
| run: | | |
| echo "$changes" > /tmp/tmp-changelog.md | |
| [ -f CHANGELOG.md ] && cat CHANGELOG.md >> /tmp/tmp-changelog.md | |
| mv /tmp/tmp-changelog.md CHANGELOG.md | |
| - name: Commit and push changes to package.json and CHANGELOG.md | |
| if: steps.tag_version.outputs.new_tag != '' | |
| uses: EndBug/add-and-commit@v9 | |
| with: | |
| add: "['package.json', 'CHANGELOG.md']" | |
| create-pull-request-develop: | |
| runs-on: ubuntu-latest | |
| if: needs.bump-version.outputs.bumped == 'true' | |
| needs: | |
| - bump-version | |
| steps: | |
| - name: Access repository | |
| uses: actions/checkout@v4 | |
| - name: Pull request to develop | |
| id: develop | |
| continue-on-error: true | |
| uses: repo-sync/pull-request@v2 | |
| with: | |
| destination_branch: "develop" | |
| github_token: ${{ secrets.GITHUB_TOKEN }} | |
| pr_label: "release, automated-pr" | |
| pr_title: "Release ${{ needs.bump-version.outputs.version }} -> develop" | |
| - name: Report status | |
| env: | |
| report: ${{ toJSON(steps.develop.outcome) }} - ${{ toJSON(steps.develop.conclusion) }} | |
| run: echo $report | |
| build: | |
| runs-on: ubuntu-latest | |
| needs: | |
| - bump-version | |
| steps: | |
| - name: Access repository | |
| uses: actions/checkout@v4 | |
| - name: Ensure commits from bump-version | |
| run: git pull | |
| - uses: ./.github/actions/cache | |
| - name: Install dependencies | |
| run: yarn install --frozen-lockfile | |
| - name: Build | |
| run: yarn build | |
| - name: Upload build artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: ${{ github.event.repository.name }} | |
| path: dist | |
| publish-npm-package: | |
| runs-on: ubuntu-latest | |
| if: needs.check-npm-token.outputs.defined == 'true' | |
| needs: | |
| - bump-version | |
| steps: | |
| - name: Access repository | |
| uses: actions/checkout@v4 | |
| - name: Configure publisher | |
| run: | | |
| git config user.name "${{ github.event.pusher.name }}" | |
| git config user.email "${{ github.event.pusher.email }}" | |
| - name: Download artifact | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: ${{ github.event.repository.name }} | |
| path: dist | |
| - uses: actions/setup-node@v4 | |
| with: | |
| node-version: "16.x" | |
| registry-url: "https://registry.npmjs.org" | |
| - name: Ensure that Yarn V3 dependencies are installed | |
| run: yarn install | |
| shell: bash | |
| - name: Set package.json version | |
| run: yarn version "${{ needs.bump-version.outputs.version }}" | |
| - name: Publish package | |
| run: yarn npm publish --access=public --tag latest | |
| env: | |
| NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} |