|
9 | 9 | release: |
10 | 10 | name: Release to npm and GitHub |
11 | 11 | runs-on: ubuntu-latest |
| 12 | + # Permissions needed for semantic-release to commit/tag/release |
12 | 13 | permissions: |
13 | | - contents: write # Needed to push commits/tags back to the repo |
14 | | - issues: write # Needed to comment on issues/PRs |
15 | | - pull-requests: write # Needed to comment on issues/PRs |
| 14 | + contents: write |
| 15 | + issues: write |
| 16 | + pull-requests: write |
16 | 17 | # id-token: write # Needed for OIDC trusted publishing (if not using NPM_TOKEN) |
| 18 | + outputs: |
| 19 | + # Output whether a new release was published |
| 20 | + new_release_published: ${{ steps.semantic.outputs.new_release_published }} |
| 21 | + new_release_version: ${{ steps.semantic.outputs.new_release_version }} |
17 | 22 | steps: |
18 | 23 | - name: Checkout code |
19 | 24 | # Need fetch-depth: 0 for semantic-release to analyze all relevant commits |
| 25 | + # and commit package.json/CHANGELOG.md changes |
20 | 26 | uses: actions/checkout@v4 |
21 | 27 | with: |
22 | 28 | fetch-depth: 0 |
|
35 | 41 | run: npm run build |
36 | 42 |
|
37 | 43 | - name: Run semantic-release |
| 44 | + id: semantic # Give step an ID to reference its outputs |
38 | 45 | run: npx semantic-release |
39 | 46 | env: |
40 | | - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Provided by Actions automatically |
41 | | - NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} # Use a secret stored in GitHub repository settings |
| 47 | + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |
| 48 | + NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} |
| 49 | + |
| 50 | + docker_publish: |
| 51 | + name: Build and Push Docker Image to GHCR |
| 52 | + # Run only after the release job completes successfully |
| 53 | + needs: release |
| 54 | + # Run only if semantic-release actually published a new version |
| 55 | + if: needs.release.outputs.new_release_published == 'true' |
| 56 | + runs-on: ubuntu-latest |
| 57 | + permissions: |
| 58 | + contents: read # Needed to check out the code |
| 59 | + packages: write # Needed to push Docker image to GHCR |
| 60 | + attestations: write # Needed for build attestations |
| 61 | + id-token: write # Needed for OIDC (good practice) |
| 62 | + |
| 63 | + steps: |
| 64 | + - name: Checkout code |
| 65 | + # Checkout the specific commit tagged by semantic-release |
| 66 | + uses: actions/checkout@v4 |
| 67 | + with: |
| 68 | + # Use the tag name determined by the release job |
| 69 | + ref: ${{ needs.release.outputs.new_release_version }} |
| 70 | + |
| 71 | + - name: Set up Docker Buildx |
| 72 | + uses: docker/setup-buildx-action@v3 |
| 73 | + |
| 74 | + - name: Log in to GitHub Container Registry |
| 75 | + uses: docker/login-action@v3 |
| 76 | + with: |
| 77 | + registry: ghcr.io |
| 78 | + username: ${{ github.actor }} |
| 79 | + password: ${{ secrets.GITHUB_TOKEN }} |
| 80 | + |
| 81 | + - name: Extract Docker metadata |
| 82 | + id: meta |
| 83 | + uses: docker/metadata-action@v5 |
| 84 | + with: |
| 85 | + images: ghcr.io/${{ github.repository }} |
| 86 | + # Use the version from the semantic-release output |
| 87 | + tags: | |
| 88 | + type=raw,value=${{ needs.release.outputs.new_release_version }} # e.g., v1.4.1 |
| 89 | + type=semver,pattern={{version}},value=${{ needs.release.outputs.new_release_version }} # e.g., 1.4.1 |
| 90 | + type=semver,pattern=v{{major}}.{{minor}},value=${{ needs.release.outputs.new_release_version }} # e.g., v1.4 |
| 91 | + type=semver,pattern=v{{major}},value=${{ needs.release.outputs.new_release_version }} # e.g., v1 |
| 92 | + type=raw,value=latest,enable=true # Always tag latest on main branch release |
| 93 | +
|
| 94 | + - name: Build and push Docker image |
| 95 | + id: push |
| 96 | + uses: docker/build-push-action@v6 |
| 97 | + with: |
| 98 | + context: . |
| 99 | + push: true |
| 100 | + tags: ${{ steps.meta.outputs.tags }} |
| 101 | + labels: ${{ steps.meta.outputs.labels }} |
| 102 | + cache-from: type=gha |
| 103 | + cache-to: type=gha,mode=max |
| 104 | + |
| 105 | + - name: Generate artifact attestation |
| 106 | + uses: actions/attest-build-provenance@v1 |
| 107 | + with: |
| 108 | + subject-name: ghcr.io/${{ github.repository }} |
| 109 | + subject-digest: ${{ steps.push.outputs.digest }} |
| 110 | + push-to-registry: true |
0 commit comments