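# Publishes the package to the npm registry on pushes to the release branches.
name: "Publish"

on:
  push:
    branches:
      - "master"
      - "master-2"
      - "master-beta"

# One publish run per branch at a time. A newer push waits for the run in
# progress instead of cancelling it part-way through a publish.
concurrency:
  group: publish-${{ github.ref_name }}
  cancel-in-progress: false

# Least privilege for GITHUB_TOKEN: read-only repository contents, plus
# id-token so the job can request a GitHub OIDC token (requested directly by
# the debug step below, and needed by `npm publish --provenance`).
# No NODE_AUTH_TOKEN is set anywhere in this workflow, so the publish
# presumably authenticates through npm trusted publishing - confirm.
permissions:
  contents: read
  id-token: write

jobs:
  publish:
    name: "Publish"
    # Deployment environment; any protection rules configured on it gate this
    # job. The debug step prints the `environment` claim the OIDC token carries.
    environment:
      name: ${{ 'npm-publish' }}
    timeout-minutes: 60
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): both actions are referenced by a mutable tag. In a job
      # that can publish, pinning each `uses:` to a full commit SHA (keeping
      # the tag in a trailing comment) stops a moved tag from changing what
      # runs here.
      - uses: actions/checkout@v4
        with:
          # Build exactly the commit that triggered the run.
          ref: ${{ github.sha }}
          # No step visible in this workflow fetches or pushes with git after
          # checkout, so do not leave the GITHUB_TOKEN in .git/config where
          # install and build scripts could read it.
          persist-credentials: false
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          # NOTE(review): the restored npm cache feeds a publishing job;
          # confirm no less-trusted workflow can write the entries restored
          # here, or drop the cache for release builds.
          cache: "npm"
          registry-url: "https://registry.npmjs.org"
      # NOTE(review): dependency lifecycle scripts and the build run inside a
      # job that holds id-token: write. If the build does not rely on install
      # scripts, `npm ci --ignore-scripts` narrows that; building in a separate
      # job without id-token and publishing its artifact is the stricter
      # layout.
      - run: npm ci
      - run: npm run build
      # Temporary diagnostic: requests an OIDC token for the npm audience and
      # prints a fixed subset of its claims so they can be compared with the
      # trusted-publisher configuration. Neither the response nor the token is
      # ever echoed - keep it that way, and remove the step once the claims
      # are confirmed.
      - name: "Debug OIDC claims (temporary)"
        run: |
          set -euo pipefail
          response="$(curl -sSf -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=npm:registry.npmjs.org")"
          token="$(echo "$response" | sed -n 's/.*"value":"\([^"]*\)".*/\1/p')"
          # Fail with a clear message rather than a JSON parse error; do not
          # print $response here, it contains the token.
          if [ -z "$token" ]; then
            echo "OIDC token response did not contain a token value" >&2
            exit 1
          fi
          # JWT segments are base64url without padding. Decode in Node, which
          # accepts that form directly, instead of `base64 -d` with its errors
          # discarded (a failed decode used to reach JSON.parse silently).
          payload_b64="$(echo "$token" | cut -d '.' -f2)"
          node -e 'const p = JSON.parse(Buffer.from(process.argv[1], "base64url").toString("utf8")); const out = {repository: p.repository, job_workflow_ref: p.job_workflow_ref, ref: p.ref, environment: p.environment ?? null, aud: p.aud, sub: p.sub}; console.log(JSON.stringify(out, null, 2));' "$payload_b64"
      # dist-tag by branch: master-2 -> alpha, master-beta -> beta, anything
      # else -> latest. The expression can only yield one of those three fixed
      # strings, so nothing branch-controlled reaches the shell; keep raw
      # github.ref_name out of `run:` if this is ever edited.
      - run: npm publish --tag "${{ github.ref_name == 'master-2' && 'alpha' || (github.ref_name == 'master-beta' && 'beta' || 'latest') }}" --access public --provenance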