fix: add write permissions and pin action SHAs #2
| name: Release | ||
| on: | ||
| push: | ||
| branches: | ||
| - main | ||
| workflow_dispatch: | ||
| inputs: | ||
| publish: | ||
| description: 'Force publish packages to NPM' | ||
| type: boolean | ||
| default: false | ||
| concurrency: | ||
| group: ${{ github.workflow }}-${{ github.ref }} | ||
| cancel-in-progress: false | ||
| permissions: | ||
| contents: write # for version bump commits and tags | ||
| pull-requests: write # for creating Version Packages PR | ||
| id-token: write # to enable use of OIDC for npm provenance | ||
| jobs: | ||
| release: | ||
| name: Release | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: write | ||
| pull-requests: write | ||
| id-token: write # to enable use of OIDC for npm provenance | ||
| outputs: | ||
| published: ${{ steps.changesets.outputs.published }} | ||
| publishedPackages: ${{ steps.changesets.outputs.publishedPackages }} | ||
| hasChangesets: ${{ steps.changesets.outputs.hasChangesets }} | ||
| env: | ||
| TURBO_TOKEN: ${{ secrets.TURBO_TOKEN }} | ||
| TURBO_TEAM: ${{ vars.TURBO_TEAM }} | ||
| steps: | ||
| - name: Generate GitHub App Token | ||
| id: generate_token | ||
| uses: actions/create-github-app-token@v2 | ||
| with: | ||
| app-id: ${{ secrets.ECOSPARK_APP_ID }} | ||
| private-key: ${{ secrets.ECOSPARK_APP_PRIVATE_KEY }} | ||
| - name: Checkout | ||
| uses: actions/checkout@v6 | ||
| with: | ||
| fetch-depth: 0 | ||
| token: ${{ steps.generate_token.outputs.token }} | ||
| persist-credentials: false | ||
| - name: Get app token user id | ||
| id: get-user-id | ||
| run: echo "user-id=$(gh api "/users/${{ steps.generate_token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT" | ||
| env: | ||
| GH_TOKEN: ${{ steps.generate_token.outputs.token }} | ||
| - name: Setup git user | ||
| run: | | ||
| git config --global user.name '${{ steps.generate_token.outputs.app-slug }}[bot]' | ||
| git config --global user.email '${{ steps.get-user-id.outputs.user-id }}+${{ steps.generate_token.outputs.app-slug }}[bot]@users.noreply.github.com' | ||
| - name: Setup Environment | ||
| uses: ./.github/actions/setup | ||
| with: | ||
| node-version: 20 | ||
| - name: Update npm to use trusted publishing (OIDC) | ||
| run: npm install -g npm@latest | ||
| - name: Authenticate with private npm | ||
| if: ${{ secrets.NPM_PUBLISH_TOKEN != '' }} | ||
| run: echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_PUBLISH_TOKEN }}" > ~/.npmrc | ||
| - run: pnpm install | ||
| - name: Remove npm auth | ||
| if: ${{ secrets.NPM_PUBLISH_TOKEN != '' }} | ||
| run: rm -f ~/.npmrc | ||
| - name: Create Release Pull Request or Publish | ||
| id: changesets | ||
| uses: changesets/action@c48e67d110a68bc90ccf1098e9646092baacaa87 # v1.6.0 | ||
| with: | ||
| version: pnpm version-packages | ||
| publish: pnpm release | ||
| title: 'chore: version packages' | ||
| commit: 'chore: version packages' | ||
| createGithubReleases: true | ||
| setupGitUser: false | ||
| env: | ||
| GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }} | ||
| NPM_CONFIG_PROVENANCE: ${{ github.event.repository.visibility == 'public' && 'true' || 'false' }} | ||
| - name: Force Publish | ||
| if: ${{ github.event.inputs.publish == 'true' && steps.changesets.outputs.hasChangesets == 'false' }} | ||
| run: pnpm release | ||
| env: | ||
| NPM_CONFIG_PROVENANCE: ${{ github.event.repository.visibility == 'public' && 'true' || 'false' }} | ||
| - name: Summary | ||
| if: ${{ steps.changesets.outputs.published == 'true' || github.event.inputs.publish == 'true' }} | ||
| run: | | ||
| echo "## Published Packages 🚀" >> $GITHUB_STEP_SUMMARY | ||
| echo "" >> $GITHUB_STEP_SUMMARY | ||
| echo "Published packages:" >> $GITHUB_STEP_SUMMARY | ||
| echo '```json' >> $GITHUB_STEP_SUMMARY | ||
| echo '${{ steps.changesets.outputs.publishedPackages }}' >> $GITHUB_STEP_SUMMARY | ||
| echo '```' >> $GITHUB_STEP_SUMMARY | ||
| post-release: | ||
| runs-on: ubuntu-latest | ||
| needs: release | ||
| if: ${{ needs.release.outputs.published == 'true' }} | ||
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@v6 | ||
| - name: Mark SDK issues as done | ||
| uses: sanity-io/mark-issues-done-action@88e6a3e6bc5a9c86d45873c4dba3302a4cafcb65 # main | ||
| with: | ||
| linear_api_key: ${{ secrets.LINEAR_API_KEY }} | ||
| repository_name: ${{ github.event.repository.name }} | ||
| initial_state_id: 'c56956cd-c281-4ca5-889f-6189ce231a6d' | ||
| done_state_id: '5a35b7bf-6d37-4cc2-854a-2f18d160e2e5' | ||
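Review bot: The "Generate GitHub App Token" step (actions/create-github-app-token@v2) and both "Checkout" steps (actions/checkout@v6, in release and post-release) are still referenced by mutable tags even though the commit's stated purpose is pinning action SHAs; only the changesets and mark-issues-done steps received a commit hash. Pin the remaining three the same way, e.g. `uses: actions/checkout@<full-commit-sha> # v6`, so a moved tag cannot change the code that runs with the app token and the OIDC id-token in scope. Separately, the workflow-level `permissions:` block grants contents, pull-requests and id-token write to every job, so `post-release` (which only checks out and calls the Linear action) inherits write scopes it never uses; since `release` already declares its own block, the top-level one can shrink to `permissions:` / `  contents: read`. The `# main` comment beside the mark-issues-done hash would also be more useful as the tag or date that hash corresponds to, since `main` does not identify a release.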