-
Notifications
You must be signed in to change notification settings - Fork 1
166 lines (145 loc) · 6.32 KB
/
publish.yml
File metadata and controls
166 lines (145 loc) · 6.32 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
# Publishes all @agentruntimecontrolprotocol/* workspace packages to npm and
# GitHub Packages after the `test` workflow succeeds on main, skipping any
# package whose local version is already on the target registry. The workspace
# root (package.json `"private": true`) is never published.
#
# Required repo configuration:
# - npm Trusted Publisher must be configured on every
# @agentruntimecontrolprotocol/* package (npmjs.com → package → Settings →
# Trusted Publishers) pointing at:
# repository: agentruntimecontrolprotocol/typescript-sdk
# workflow: publish.yml
# environment: (none)
# With trusted publishers in place the workflow authenticates to npm via
# the OIDC token GitHub Actions mints from `id-token: write`; no NPM_TOKEN
# secret is needed.
# - The built-in GITHUB_TOKEN is used for GitHub Packages; the job grants
# `packages: write` below.
# - `id-token: write` is required for both npm publish (trusted publisher
# handshake) and npm provenance (sigstore attestation).
name: publish
on:
workflow_run:
workflows: ["test"]
types: [completed]
branches: [main]
workflow_dispatch:
concurrency:
group: publish-${{ github.ref }}
cancel-in-progress: false
jobs:
publish:
name: publish to npm + GitHub Packages
runs-on: ubuntu-latest
# Only run if the test workflow succeeded (or this was manually dispatched).
if: >
github.event_name == 'workflow_dispatch' ||
(github.event.workflow_run.conclusion == 'success' &&
github.event.workflow_run.head_branch == 'main')
permissions:
contents: read
id-token: write # required for npm provenance
packages: write # required for GitHub Packages publish
steps:
- name: Checkout
uses: actions/checkout@v6
with:
# For workflow_run, check out the exact commit that passed CI.
ref: ${{ github.event.workflow_run.head_sha || github.sha }}
fetch-depth: 1
- name: Setup pnpm
# pnpm/action-setup v4.0.0
uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v4.0.0
with:
version: 9.15.0
run_install: false
- name: Setup Node.js
# No registry-url/scope: that would cause setup-node to write an
# `_authToken=${NODE_AUTH_TOKEN}` line into ~/.npmrc, which then
# short-circuits the trusted-publisher OIDC handshake when no token is
# present. The npm publish step passes --registry explicitly instead.
uses: actions/setup-node@v6
with:
node-version: "22"
cache: "pnpm"
- name: Install dependencies
run: pnpm install --frozen-lockfile
- name: Build
run: pnpm run build
- name: Collect publishable packages
id: collect
run: |
set -euo pipefail
# Walk packages/ to depth 3 so packages/middleware/<name>/package.json
# is included alongside packages/<name>/package.json.
{
find packages -maxdepth 3 -name "package.json" \
-not -path "*/node_modules/*" \
-not -path "*/dist/*" \
| while IFS= read -r manifest; do
dir=$(dirname "$manifest")
private=$(node -p "require('./$manifest').private || false")
[ "$private" = "false" ] && echo "$dir"
done
} > .publish-dirs.txt
echo "Packages to consider:"
cat .publish-dirs.txt
- name: Publish to npm
# No NODE_AUTH_TOKEN: npm CLI uses the OIDC token from `id-token: write`
# against the npmjs.com trusted-publisher configured for each package.
run: |
set -euo pipefail
published=0
skipped=0
while IFS= read -r dir; do
[ -z "$dir" ] && continue
name=$(node -p "require('./$dir/package.json').name")
local_ver=$(node -p "require('./$dir/package.json').version")
# npm view exits non-zero if the package was never published.
npm_ver=$(npm view "$name" version --registry=https://registry.npmjs.org 2>/dev/null || echo "")
if [ "$local_ver" = "$npm_ver" ]; then
echo " [skip] $name@$local_ver — already on npm"
skipped=$((skipped + 1))
else
echo "[publish] $name@$local_ver (npm has '${npm_ver:-nothing}')"
# publishConfig in each package.json carries access=public and
# provenance=true; --provenance here is the CLI counterpart that
# activates the OIDC token flow in GitHub Actions.
(cd "$dir" && npm publish --provenance --registry=https://registry.npmjs.org)
published=$((published + 1))
fi
done < .publish-dirs.txt
echo ""
echo "npm — published: $published skipped: $skipped"
- name: Setup Node.js (GitHub Packages registry)
uses: actions/setup-node@v6
with:
node-version: "22"
registry-url: "https://npm.pkg.github.com"
scope: "@agentruntimecontrolprotocol"
- name: Publish to GitHub Packages
env:
NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# GitHub Packages doesn't participate in the sigstore provenance
# flow; override the publishConfig.provenance=true set per-package.
NPM_CONFIG_PROVENANCE: "false"
run: |
set -euo pipefail
published=0
skipped=0
while IFS= read -r dir; do
[ -z "$dir" ] && continue
name=$(node -p "require('./$dir/package.json').name")
local_ver=$(node -p "require('./$dir/package.json').version")
gh_ver=$(npm view "$name" version --registry=https://npm.pkg.github.com 2>/dev/null || echo "")
if [ "$local_ver" = "$gh_ver" ]; then
echo " [skip] $name@$local_ver — already on GitHub Packages"
skipped=$((skipped + 1))
else
echo "[publish] $name@$local_ver (GitHub Packages has '${gh_ver:-nothing}')"
(cd "$dir" && npm publish --registry=https://npm.pkg.github.com)
published=$((published + 1))
fi
done < .publish-dirs.txt
echo ""
echo "GitHub Packages — published: $published skipped: $skipped"