FDC3/.github/workflows/release.yml at main · finos/FDC3 · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155

name: Publish To NPM

on:
  release:
    types: [published]

permissions:
  contents: read
  id-token: write     # required for npm provenance
  packages: write     # required for GitHub Packages publish

jobs:
  build_and_pack:
    name: Build and pack workspaces (once)
    runs-on: ubuntu-latest
    outputs:
      is_prerelease: ${{ steps.version.outputs.is_prerelease }}
      publish_tag: ${{ steps.version.outputs.publish_tag }}
    steps:
      - name: Checkout repo
        uses: actions/checkout@v4

      - name: Configure Node
        uses: actions/setup-node@v4
        with:
          node-version: 22

      - name: Install dependencies
        run: npm ci

      - name: Lint
        run: npm run lint

      - name: Run tests
        run: npm run test

      - name: Build
        run: npm run build

      - name: Verify version consistency across workspaces
        run: npm run version-check

      # Compute prerelease flag & desired dist-tag from top-level package.json version
      - name: Determine prerelease tag
        id: version
        run: |
          set -euo pipefail
          VERSION="$(node -p 'JSON.parse(require("fs").readFileSync("./package.json","utf8")).version')"
          echo "Detected version: $VERSION"

          # If version contains a hyphen, it's a prerelease (e.g., 1.2.3-alpha.1)
          if [[ "$VERSION" == *-* ]]; then
            echo "is_prerelease=true"  >> "$GITHUB_OUTPUT"
            echo "publish_tag=prerelease" >> "$GITHUB_OUTPUT"
            echo "This is a prerelease. Will use tag 'prerelease'."
          else
            echo "is_prerelease=false" >> "$GITHUB_OUTPUT"
            echo "publish_tag=latest"  >> "$GITHUB_OUTPUT"
            echo "This is a stable release. Will use tag 'latest'."
          fi

      # Create tarballs for each public workspace so we can publish the exact same artifacts twice
      - name: Pack workspaces (skip private)
        run: |
          set -euo pipefail
          for ws in $(node -e '
            const fs = require("fs");
            const read = (p) => JSON.parse(fs.readFileSync(p, "utf8"));
            const root = read("./package.json");
            for (const dir of root.workspaces || []) {
              const pkg = read("./" + dir + "/package.json");
              if (!pkg.private) console.log(dir);
            }
          '); do
            echo "Packing $ws ..."
            npm pack --workspace "$ws"
          done
          echo "Packed tarballs:"
          ls -1 *.tgz

      - name: Upload packed artifacts
        uses: actions/upload-artifact@v4
        with:
          name: npm-tarballs
          path: |
            ./*.tgz
          if-no-files-found: error
          retention-days: 7

  publish_npm:
    name: Publish to npmjs.org
    runs-on: ubuntu-latest
    needs: build_and_pack
    steps:
      - name: Checkout repo (required for npm provenance)
        uses: actions/checkout@v4

      - name: Download packed artifacts
        uses: actions/download-artifact@v4
        with:
          name: npm-tarballs
          path: ./dist-tarballs

      - name: Configure Node for npmjs.org
        uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org
          always-auth: true

      - name: Publish tarballs to npmjs.org (with provenance and dist-tag)
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}   # npm automation token
          PUBLISH_TAG: ${{ needs.build_and_pack.outputs.publish_tag }}
        run: |
          set -euo pipefail
          shopt -s nullglob
          for tgz in ./dist-tarballs/*.tgz; do
            echo "Publishing $tgz to npmjs.org with tag '${PUBLISH_TAG}' ..."
            # --access public needed for first publish of public packages
            npm publish "$tgz" --provenance --access public --tag "${PUBLISH_TAG}"
          done

  publish_github:
    name: Publish to GitHub Packages
    runs-on: ubuntu-latest
    needs: build_and_pack
    steps:
      - name: Download packed artifacts
        uses: actions/download-artifact@v4
        with:
          name: npm-tarballs
          path: ./dist-tarballs

      - name: Configure Node for GitHub Packages
        uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://npm.pkg.github.com
          scope: '@finos'
          always-auth: true

      - name: Publish tarballs to GitHub Packages (with dist-tag)
        env:
          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # has packages: write via permissions
          PUBLISH_TAG: ${{ needs.build_and_pack.outputs.publish_tag }}
        run: |
          set -euo pipefail
          shopt -s nullglob
          for tgz in ./dist-tarballs/*.tgz; do
            echo "Publishing $tgz to GitHub Packages with tag '${PUBLISH_TAG}' ..."
            # GitHub Packages does not support npm provenance; omit --provenance and --access
            npm publish "$tgz" --tag "${PUBLISH_TAG}"
          done