ci: publish with provenance (#1007) #501
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Release | |
on: | |
push: | |
branches: | |
- master | |
- release/* | |
jobs: | |
release_please: | |
runs-on: ubuntu-latest | |
permissions: | |
id-token: write | |
contents: write | |
pull-requests: write | |
steps: | |
- uses: google-github-actions/release-please-action@v4 | |
id: release | |
with: | |
release-type: go | |
target-branch: ${{ github.ref_name }} | |
- uses: actions/checkout@v4 | |
if: ${{ steps.release.outputs.release_created == 'true' || steps.release.outputs.prs_created == 'true' }} | |
with: | |
fetch-depth: 0 | |
- if: ${{ steps.release.outputs }} | |
id: versions | |
run: | | |
set -ex | |
RELEASE_CANDIDATE=true | |
NOT_RELEASE_CANDIDATE='${{ steps.release.outputs.release_created }}' | |
if [ "$NOT_RELEASE_CANDIDATE" == "true" ] | |
then | |
RELEASE_CANDIDATE=false | |
fi | |
MAIN_RELEASE_VERSION=x | |
RELEASE_VERSION=y | |
if [ "$RELEASE_CANDIDATE" == "true" ] | |
then | |
# Release please doesn't tell you the candidate version when it | |
# creates the PR, so we have to take it from the title. | |
MAIN_RELEASE_VERSION=$(node -e "console.log('${{ steps.release.outputs.pr && fromJSON(steps.release.outputs.pr).title }}'.split(' ').reverse().find(x => x.match(/[0-9]+[.][0-9]+[.][0-9]+/)))") | |
# Use git describe tags to identify the number of commits the branch | |
# is ahead of the most recent non-release-candidate tag, which is | |
# part of the rc.<commits> value. | |
RELEASE_VERSION=$MAIN_RELEASE_VERSION-rc.$(node -e "console.log('$(git describe --tags --exclude rc*)'.split('-')[1])") | |
# release-please only ignores releases that have a form like [A-Z0-9]<version>, so prefixing with rc<version> | |
RELEASE_NAME="rc$RELEASE_VERSION" | |
else | |
MAIN_RELEASE_VERSION=${{ steps.release.outputs.major }}.${{ steps.release.outputs.minor }}.${{ steps.release.outputs.patch }} | |
RELEASE_VERSION="$MAIN_RELEASE_VERSION" | |
RELEASE_NAME="v$RELEASE_VERSION" | |
fi | |
echo "MAIN_RELEASE_VERSION=${MAIN_RELEASE_VERSION}" >> "${GITHUB_ENV}" | |
echo "RELEASE_VERSION=${RELEASE_VERSION}" >> "${GITHUB_ENV}" | |
echo "RELEASE_CANDIDATE=${RELEASE_CANDIDATE}" >> "${GITHUB_ENV}" | |
echo "RELEASE_NAME=${RELEASE_NAME}" >> "${GITHUB_ENV}" | |
echo "MAIN_RELEASE_VERSION=${MAIN_RELEASE_VERSION}" >> "${GITHUB_OUTPUT}" | |
echo "RELEASE_VERSION=${RELEASE_VERSION}" >> "${GITHUB_OUTPUT}" | |
echo "RELEASE_CANDIDATE=${RELEASE_CANDIDATE}" >> "${GITHUB_OUTPUT}" | |
echo "RELEASE_NAME=${RELEASE_NAME}" >> "${GITHUB_OUTPUT}" | |
- uses: actions/setup-node@v4 | |
if: ${{ steps.release.outputs.release_created == 'true' || steps.release.outputs.prs_created == 'true' }} | |
with: | |
node-version: 20 | |
- name: Build release artifacts | |
if: ${{ steps.release.outputs.release_created == 'true' || steps.release.outputs.prs_created == 'true' }} | |
run: | | |
set -ex | |
echo "export const version = '$RELEASE_VERSION'" > src/lib/version.ts | |
npm ci | |
npm run build | |
for f in package.json package-lock.json | |
do | |
sed -i 's|"version": "0.0.0",|"version": "'"$RELEASE_VERSION"'",|g' "$f" | |
done | |
echo '//registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }}' > ~/.npmrc | |
DIST_TAG=patched | |
if [ "$RELEASE_CANDIDATE" == "true" ] | |
then | |
DIST_TAG=rc | |
elif [ "$GITHUB_REF" == "refs/heads/main" ] || [ "$GITHUB_REF" == "refs/heads/master" ] | |
then | |
# This is the main branch and it's not a prerelease, so the dist-tag should be `latest`. | |
DIST_TAG=latest | |
fi | |
echo "Publishing auth-js now..." | |
npm publish --provenance --tag "$DIST_TAG" | |
echo "Publishing gotrue-js now..." | |
for f in package.json package-lock.json | |
do | |
# only replace name not repository, homepage, etc. | |
sed -i 's|\("name":[[:space:]]*"@supabase/\)auth-js|\1gotrue-js|g' "$f" | |
done | |
npm publish --provenance --tag "$DIST_TAG" | |
- name: Create GitHub release and branches | |
if: ${{ steps.release.outputs.release_created == 'true' || steps.release.outputs.prs_created == 'true' }} | |
run: | | |
set -ex | |
if [ "$RELEASE_CANDIDATE" == "true" ] | |
then | |
PR_NUMBER='${{ steps.release.outputs.pr && fromJSON(steps.release.outputs.pr).number }}' | |
GH_TOKEN='${{ github.token }}' gh release \ | |
create $RELEASE_NAME \ | |
--title "v$RELEASE_VERSION" \ | |
--prerelease \ | |
-n "This is a release candidate. See release-please PR #$PR_NUMBER for context." | |
GH_TOKEN='${{ github.token }}' gh pr comment "$PR_NUMBER" \ | |
-b "Release candidate [v$RELEASE_VERSION](https://github.com/supabase/gotrue-js/releases/tag/$RELEASE_NAME) published." | |
else | |
if [ "$GITHUB_REF" == "refs/heads/main" ] || [ "$GITHUB_REF" == "refs/heads/master" ] | |
then | |
IS_PATCH_ZERO=$(node -e "console.log('$RELEASE_VERSION'.endsWith('.0'))") | |
if [ "$IS_PATCH_ZERO" == "true" ] | |
then | |
# Only create release branch if patch version is 0, as this | |
# means that the release can be patched in the future. | |
GH_TOKEN='${{ github.token }}' gh api \ | |
--method POST \ | |
-H "Accept: application/vnd.github+json" \ | |
-H "X-GitHub-Api-Version: 2022-11-28" \ | |
/repos/supabase/gotrue-js/git/refs \ | |
-f "ref=refs/heads/release/${RELEASE_VERSION}" \ | |
-f "sha=$GITHUB_SHA" | |
fi | |
fi | |
fi | |