From 39c4086287e54a1c641f859f8a444db5ed5dfcaa Mon Sep 17 00:00:00 2001
From: Pierre Jeanjacquot <26487010+PierreJeanjacquot@users.noreply.github.com>
Date: Thu, 16 Oct 2025 16:26:41 +0200
Subject: [PATCH] ci: migrate to npm trusted publisher
---
 .github/workflows/publish-npm.yml | 77 ++++++++++++++++---------------
 1 file changed, 41 insertions(+), 36 deletions(-)
diff --git a/.github/workflows/publish-npm.yml b/.github/workflows/publish-npm.yml
index 147bf04..c1dc352 100644
--- a/.github/workflows/publish-npm.yml
+++ b/.github/workflows/publish-npm.yml
@@ -1,50 +1,55 @@
+# ⚠️ THIS WORKFLOW IS THE TRUSTED PUBLISHER CONFIGURED ON NPMJS.COM, DO NOT RENAME OR DELETE THIS FILE ⚠️
 name: Publish to npm
 on:
+ # For staging releases
+ workflow_dispatch:
+ # For latest releases
 release:
 types: [published]
- workflow_dispatch:
- inputs:
- version:
- description: "Version (e.g., 1.0.0)"
- required: true
- type: string
+
+permissions:
+ id-token: write # Required for OIDC
+ packages: write
+ contents: read
 jobs:
- publish:
+ set-staging-version:
+ # Only run for manual dispatch on main branch
+ if: ${{ github.event_name == 'workflow_dispatch' && github.ref == 'refs/heads/main' }}
 runs-on: ubuntu-latest
 steps:
- - name: Checkout
+ - name: Checkout code
 uses: actions/checkout@v4
-
- - name: Setup Node.js
+ - name: Set up Node.js
 uses: actions/setup-node@v4
- with:
- node-version: "18"
- registry-url: "https://registry.npmjs.org"
-
- - name: Get version
- id: version
- run: |
- if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
- VERSION="${{ github.event.inputs.version }}"
- else
- VERSION=${GITHUB_REF#refs/tags/v}
- fi
- echo "version=$VERSION" >> $GITHUB_OUTPUT
- echo "Publishing version: $VERSION"
-
- - name: Install and build
+ - name: Set publish version
+ id: set-staging-version
 run: |
- npm ci
- npm run build
+ CURRENT_VERSION=$(npm pkg get version | tr -d '"')
+ NIGHTLY_VERSION="${CURRENT_VERSION}-nightly-${GITHUB_SHA::7}"
+ echo "VERSION=${NIGHTLY_VERSION}" >> $GITHUB_OUTPUT
+ outputs:
+ VERSION: ${{ steps.set-staging-version.outputs.VERSION }}
- - name: Publish to npm
- run: npm publish --tag latest
- env:
- NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+ publish-npm-staging:
+ # Only run for manual dispatch on main branch
+ if: ${{ github.event_name == 'workflow_dispatch' && github.ref == 'refs/heads/main' }}
+ uses: iExecBlockchainComputing/github-actions-workflows/.github/workflows/publish-npm.yml@publish-npm-v1.6.0
+ needs: set-staging-version
+ with:
+ scope: "@iexec/mcp-server"
+ registry: "https://registry.npmjs.org"
+ node-version: "20"
+ tag: "nightly"
+ version: ${{ needs.set-staging-version.outputs.VERSION }}
- - name: Success
- run: |
- echo "✅ Published v${{ steps.version.outputs.version }}"
- echo "📦 npm: https://www.npmjs.com/package/@iexec/mcp-server"
+ publish-npm-latest:
+ # # Only run for release published with tag "v*"
+ if: ${{ github.event_name == 'release' && startsWith(github.ref_name,'v') }}
+ uses: iExecBlockchainComputing/github-actions-workflows/.github/workflows/publish-npm.yml@publish-npm-v1.6.0
+ with:
+ scope: "@iexec/mcp-server"
+ registry: "https://registry.npmjs.org"
+ node-version: "20"
+ tag: "latest"
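Review bot: The workflow-level `permissions` block grants `id-token: write` and `packages: write` to every job, including `set-staging-version`, which only checks out the repository and reads the package version. Because this file is the npm trusted publisher, it is safer to default the workflow to `contents: read` and grant the write scopes only on the two jobs that call the reusable workflow, as sketched below. `packages: write` looks unnecessary for a publish to registry.npmjs.org unless the called workflow requires it, which is not visible here and worth confirming. Separately, both `uses:` lines reference the reusable workflow by the mutable tag `publish-npm-v1.6.0`; pinning to a full commit SHA would keep a retargeted tag from running under this publisher identity.

```yaml
permissions:
  contents: read # workflow default; publish jobs opt in to more below

jobs:
  set-staging-version:
    # … unchanged: if / runs-on / steps / outputs …

  publish-npm-staging:
    permissions:
      id-token: write # Required for OIDC
      packages: write # keep only if the called workflow needs it
      contents: read
    # … unchanged: if / uses / needs / with …

  publish-npm-latest:
    permissions:
      id-token: write # Required for OIDC
      packages: write # keep only if the called workflow needs it
      contents: read
    # … unchanged: if / uses / with …
```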