-
Notifications
You must be signed in to change notification settings - Fork 130
107 lines (93 loc) · 3.48 KB
/
release.yml
File metadata and controls
107 lines (93 loc) · 3.48 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
name: Release
on:
workflow_dispatch:
inputs:
releaseType:
type: choice
description: Release type
required: true
default: dry-run
options:
- release
- dry-run
jobs:
authorize:
name: Authorize
runs-on: ubuntu-latest
steps:
- name: Check branch protection
run: |
if [ "${{ github.event.inputs.releaseType }}" == "dry-run" ]; then
echo "✅ Branch check skipped: dry-run mode allows any branch"
echo "Current branch: ${{ github.ref_name }}"
exit 0
fi
if [ "${{ github.ref_name }}" != "v8.x" ]; then
echo "❌ This workflow can only be triggered from the v8.x branch."
echo "Current branch: ${{ github.ref_name }}"
exit 1
fi
echo "✅ Branch check passed: running from v8.x"
- name: ${{ github.actor }} permission check to do a release
uses: 'lannonbr/repo-permission-check-action@2bb8c89ba8bf115c4bfab344d6a6f442b24c9a1f' # 2.0.2
with:
permission: 'write'
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
release:
name: Release
runs-on: ubuntu-latest
needs: [authorize]
permissions:
id-token: write # Required for OIDC (AWS + npm Trusted Publishing)
contents: write
env:
GIT_AUTHOR_NAME: amplitude-sdk-bot
GIT_AUTHOR_EMAIL: amplitude-sdk-bot@users.noreply.github.com
GIT_COMMITTER_NAME: amplitude-sdk-bot
GIT_COMMITTER_EMAIL: amplitude-sdk-bot@users.noreply.github.com
strategy:
matrix:
node-version: [24.x] # Ensure npm 11.5.1 or later is installed for OIDC
steps:
- name: Checkout
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
with:
fetch-depth: 0
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2
with:
role-to-assume: arn:aws:iam::358203115967:role/github-actions-role
aws-region: us-west-2
- name: node_modules cache
uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
with:
path: '**/node_modules'
key: ${{ runner.os }}-modules-${{ hashFiles('**/yarn.lock') }}
- name: Set up Python
uses: actions/setup-python@e9aba2c848f5ebd159c070c61ea2c4e2b122355e # v2
with:
python-version: '3.8.x'
- name: Install boto3 for deploy_s3.python
run: pip install boto3==1.14.63
- name: Setup Node.js
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
with:
node-version: ${{ matrix.node-version }}
- name: Install dependencies
run: yarn install --frozen-lockfile
- name: Run tests
run: make test
# npm auth via OIDC (Trusted Publishing); no NPM_TOKEN needed when package has Trusted Publisher on npmjs.com
- name: Release --dry-run # Uses release.config.js
if: ${{ github.event.inputs.releaseType == 'dry-run' }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
S3_BUCKET_NAME: ${{ secrets.S3_BUCKET_NAME }}
run: npx semantic-release --dry-run
- name: Release # Uses release.config.js
if: ${{ github.event.inputs.releaseType == 'release' }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
S3_BUCKET_NAME: ${{ secrets.S3_BUCKET_NAME }}
run: npx semantic-release