publish.yml
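# Publishes the workspace packages to npm.
#
# Flow (as implemented by the steps below):
#   - the workflow only does anything when the PR title (pull_request) or the
#     head commit message (push to main) has the form
#     "Publish v<version> of the @tektoncd/dashboard-* packages";
#   - on pull_request it validates the PR and runs `npm publish --dry-run`;
#   - on push to main it runs the real `npm publish` with provenance.
#
# The PR title and commit message are user-controlled, so every value derived
# from them is handed to the shell through `env:` rather than interpolated
# into `run:` scripts with `${{ }}`.
name: Publish NPM packages

permissions:
  contents: read

on:
  pull_request:
    branches: ["main"]
    # negated ignore list: only run when a package.json / package-lock.json changes
    paths-ignore:
      - "**"
      - "!**/package.json"
      - "!**/package-lock.json"
    types:
      - opened
      - reopened
      - synchronize
  push:
    branches: ["main"]
    paths-ignore:
      - "**"
      - "!**/package.json"
      - "!**/package-lock.json"

defaults:
  run:
    shell: bash

jobs:
  publish:
    runs-on: ubuntu-24.04
    permissions:
      contents: read
      # required for npm package provenance
      id-token: write
    steps:
      # Every later step is gated on this step's outcome: when its `if` is
      # false the step is skipped, its outcome is not 'success', and the rest
      # of the job is skipped too.
      - name: Check for publish commit
        id: checkPublishCommit
        if: >-
          ${{
            (
              github.event_name == 'pull_request' &&
              startsWith(github.event.pull_request.title, 'Publish v') &&
              endsWith(github.event.pull_request.title, 'of the @tektoncd/dashboard-* packages')
            ) ||
            (
              github.event_name == 'push' &&
              startsWith(github.event.head_commit.message, 'Publish v') &&
              endsWith(github.event.head_commit.message, 'of the @tektoncd/dashboard-* packages')
            )
          }}
        run: |
          echo "Confirmed it's a publish commit"

      - name: Harden Runner
        if: ${{ steps.checkPublishCommit.outcome == 'success' }}
        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
        with:
          egress-policy: audit

      - name: Checkout
        if: ${{ steps.checkPublishCommit.outcome == 'success' }}
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          # for PRs checkout the head rather than the merge commit so we can get the original commit message
          ref: ${{ github.event.pull_request.head.sha || github.sha }}

      - name: Validate PR title and commit message match
        if: ${{ steps.checkPublishCommit.outcome == 'success' && github.event_name == 'pull_request' }}
        env:
          # user-controlled: passed via env so it is data, not script
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          COMMIT_MESSAGE="$(git log --pretty=%s -n 1)"
          if [ "$PR_TITLE" != "$COMMIT_MESSAGE" ]; then
            echo "::error::PR title and commit message mismatch"
            echo "Expected format: Publish <version> of the @tektoncd/dashboard-* packages"
            echo "PR_TITLE: $PR_TITLE"
            echo "COMMIT_MESSAGE: $COMMIT_MESSAGE"
            exit 1
          else
            echo "PR title and commit message match, continuing…"
          fi

      - name: Get version
        id: get-version
        if: ${{ steps.checkPublishCommit.outcome == 'success' }}
        env:
          # user-controlled: passed via env so it is data, not script
          MESSAGE_WITH_VERSION: ${{ github.event.pull_request.title || github.event.head_commit.message }}
        run: |
          echo "Extracting version from commit message"
          # with `-e -o pipefail` (GitHub's defaults for `shell: bash`) a non-matching
          # grep fails the step instead of producing an empty version
          VERSION=$(echo "$MESSAGE_WITH_VERSION" | grep -Po '(v\d+\.\d+\.\d+(\S)*)')
          echo "VERSION: $VERSION"
          echo "newPackageVersion=${VERSION}" >> "$GITHUB_OUTPUT"

      - name: Check version matches package.json
        if: ${{ steps.checkPublishCommit.outcome == 'success' }}
        env:
          # derived from the user-controlled title / commit message by the step above:
          # passed via env rather than interpolated into the script to avoid script
          # injection, same as the PR title / commit message handling
          EXPECTED_VERSION: ${{ steps.get-version.outputs.newPackageVersion }}
        run: |
          mismatch=false
          for packageJson in ./packages/*/package.json; do
            VERSION="v$(jq -r .version "$packageJson")"
            PRIVATE="$(jq -r .private "$packageJson")"
            # npm publishes every workspace that is not explicitly `private: true`;
            # jq prints `null` when the field is absent, so check against "true"
            # rather than "false" to cover packages without the field
            if [ "$PRIVATE" != "true" ] && [ "$VERSION" != "$EXPECTED_VERSION" ]; then
              echo "::error::Version mismatch found in $packageJson: ${VERSION}"
              mismatch=true
            fi
          done
          if [ "$mismatch" == "true" ]; then
            exit 1
          fi

      - name: Check PR is up-to-date
        if: ${{ steps.checkPublishCommit.outcome == 'success' && github.event_name == 'pull_request' }}
        env:
          # user controls the head ref, use env var to avoid script injection similar to PR title / commit message handling above
          PR_HEAD_REF: ${{github.event.pull_request.head.ref}}
          # the remaining refs are constrained by GitHub (owner login syntax, base
          # branch filtered to main) but are kept out of the script for the same reason
          BASE_OWNER: ${{ github.event.pull_request.base.repo.owner.login }}
          BASE_BRANCH: ${{ github.event.pull_request.base.ref }}
          HEAD_OWNER: ${{ github.event.pull_request.head.repo.owner.login }}
          GH_TOKEN: ${{ github.token }}
        run: |
          BASE_REF="${BASE_OWNER}:${BASE_BRANCH}"
          HEAD_REF="${HEAD_OWNER}:${PR_HEAD_REF}"
          STATUS=$(gh api \
            -H "Accept: application/vnd.github+json" \
            -H "X-GitHub-Api-Version: 2022-11-28" \
            "/repos/${GITHUB_REPOSITORY}/compare/${BASE_REF}...${HEAD_REF}" | jq -r .status)
          if [ "$STATUS" != "ahead" ]; then
            echo "::error::Pull request not up-to-date with base branch, please rebase"
            exit 1
          else
            echo "Pull request is up-to-date with base branch, continuing…"
          fi

      - name: Setup Node.js
        if: ${{ steps.checkPublishCommit.outcome == 'success' }}
        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
        with:
          node-version-file: .nvmrc
          registry-url: 'https://registry.npmjs.org/'

      # PRs only get a dry run; nothing is published before the commit lands on main
      - name: Publish dry run
        if: ${{ steps.checkPublishCommit.outcome == 'success' && github.event_name == 'pull_request' }}
        run: npm publish --workspaces --provenance --access public --dry-run

      - name: Publish
        if: ${{ steps.checkPublishCommit.outcome == 'success' && github.event_name == 'push' }}
        run: npm publish --workspaces --provenance --access public
        env:
          NODE_AUTH_TOKEN: ${{secrets.NPM_TOKEN}}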