10.2.22 #29
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Publish npm package via OIDC | |
| on: | |
| release: | |
| types: [published] | |
| jobs: | |
| publish: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| id-token: write # Required for npm OIDC provenance | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| - name: Wait for .tgz release asset uploaded by Jenkins | |
| run: | | |
| echo "Waiting for .tgz asset to appear in release..." | |
| for i in {1..30}; do | |
| assets=$(gh release view "${{ github.event.release.tag_name }}" --json assets --jq '.assets[].name' || true) | |
| echo "Assets found: $assets" | |
| if echo "$assets" | grep -E '\.tgz$' >/dev/null; then | |
| echo "Found .tgz asset." | |
| break | |
| fi | |
| echo "Attempt $i/30: not found yet, waiting 10s..." | |
| sleep 10 | |
| done | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Download release asset (.tgz) | |
| uses: robinraju/release-downloader@v1.11 | |
| with: | |
| repository: ${{ github.repository }} | |
| tag: ${{ github.event.release.tag_name }} | |
| fileName: "*.tgz" | |
| out-file-path: ./dist | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Determine package file name from tag | |
| id: pkg | |
| run: | | |
| VERSION="${GITHUB_REF_NAME#v}" # strip leading "v" if present | |
| FILE="./dist/wireapp-avs-${VERSION}.tgz" | |
| echo "Checking for package file: $FILE" | |
| if [ ! -f "$FILE" ]; then | |
| echo "ERROR: Expected file $FILE not found!" | |
| echo "Available files:" | |
| ls -lh ./dist | |
| exit 1 | |
| fi | |
| echo "Using package file: $FILE" | |
| echo "tgz_file=$FILE" >> $GITHUB_OUTPUT | |
| echo "version=$VERSION" >> $GITHUB_OUTPUT | |
| - name: Setup Node.js | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: 20 | |
| registry-url: "https://registry.npmjs.org/" | |
| - name: Update npm to the required OIDC version | |
| run: npm install -g npm@latest | |
| - name: Determine npm tag for publish | |
| id: tag | |
| run: | | |
| VERSION=${{ steps.pkg.outputs.version }} | |
| NAME="@wireapp/avs" | |
| echo "Checking current latest version on npm..." | |
| LATEST=$(npm view "$NAME" version || echo "0.0.0") | |
| echo "Latest published version: $LATEST" | |
| # compare versions | |
| if [ "$(printf '%s\n%s' "$VERSION" "$LATEST" | sort -V | tail -n1)" = "$VERSION" ]; then | |
| TAG="latest" | |
| else | |
| BASE_TAG=$(echo "$VERSION" | awk -F. '{print $1"."$2}') | |
| TAG="release-$BASE_TAG" | |
| fi | |
| echo "Using npm tag: $TAG" | |
| echo "npm_tag=$TAG" >> $GITHUB_OUTPUT | |
| - name: Publish with provenance (OIDC) | |
| run: | | |
| echo "Publishing ${{ steps.pkg.outputs.tgz_file }} to npm with tag ${{ steps.tag.outputs.npm_tag }}..." | |
| npm publish "${{ steps.pkg.outputs.tgz_file }}" --tag "${{ steps.tag.outputs.npm_tag }}" --provenance --access public |