chore: update publish workflow for trusted publishing

Julusian · Julusian · commit 8dec0c3e8ca4 · 2025-10-20T17:08:51.000+01:00
diff --git a/.github/workflows/node.yaml b/.github/workflows/node.yaml
@@ -2,126 +2,64 @@ name: Node CI
 
 on:
   push:
-    branches:
-      - '**'
-    tags:
-      - 'v[0-9]+.[0-9]+.[0-9]+*'
   pull_request:
 
 jobs:
   lint:
     name: Lint
     runs-on: ubuntu-latest
-    timeout-minutes: 5
+    continue-on-error: true
+    timeout-minutes: 15
 
     steps:
-      - uses: actions/checkout@v5
+      - name: Git checkout
+        uses: actions/checkout@v5
         with:
           persist-credentials: false
-
       - name: Use Node.js 22.x
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v6
         with:
-          node-version: 22
-
-      - name: Prepare environment
+          node-version: 22.x
+      - name: Prepare Environment
         run: |
-          corepack enable
-          yarn
-      - name: Run linter
-        run: yarn lint
-
-  test:
-    name: Tests
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-
-    steps:
-      - uses: actions/checkout@v5
-        with:
-          persist-credentials: false
-
-      - name: Use Node.js 22.x
-        uses: actions/setup-node@v4
-        with:
-          node-version: 22
-
-      - name: Prepare environment
+          yarn install
+          yarn build
+        env:
+          CI: true
+      - name: Run typecheck and linter
         run: |
-          corepack enable
-          yarn
-      - name: Run tests
-        run: yarn test
+          yarn lint
+        env:
+          CI: true
 
-  release:
-    name: Release
+  test:
+    name: Test
     runs-on: ubuntu-latest
     timeout-minutes: 15
 
-    # only run for tags
-    if: contains(github.ref, 'refs/tags/')
-
-    needs:
-      - validate-dependencies
-      - lint
-      - test
+    strategy:
+      fail-fast: false
+      matrix:
+        node-version: [20.x, 22.x, 24.x]
 
     steps:
-      - uses: actions/checkout@v5
+      - name: Git checkout
+        uses: actions/checkout@v5
         with:
-          fetch-depth: 0
           persist-credentials: false
-      - name: Use Node.js 22.x
-        uses: actions/setup-node@v4
+      - name: Use Node.js ${{ matrix.node-version }}
+        uses: actions/setup-node@v6
         with:
-          node-version: 22.x
-      - name: Check release is desired
-        id: do-publish
-        run: |
-          corepack enable
-
-          if [ -z "${{ secrets.NPM_TOKEN }}" ]; then
-            echo "No Token"
-          else
-
-            PUBLISHED_VERSION=$(yarn npm info --json . | jq -c '.version' -r)
-            THIS_VERSION=$(node -p "require('./package.json').version")
-            # Simple bash helper to comapre version numbers
-            verlte() {
-              [  "$1" = "`echo -e "$1\n$2" | sort -V | head -n1`" ]
-            }
-            verlt() {
-              [ "$1" = "$2" ] && return 1 || verlte $1 $2
-            }
-            if verlt $PUBLISHED_VERSION $THIS_VERSION
-            then
-              echo "Publishing latest"
-              echo "tag=latest" >> $GITHUB_OUTPUT
-            else
-              echo "Publishing hotfix"
-              echo "tag=hotfix" >> $GITHUB_OUTPUT
-            fi
-
-          fi
-      - name: Prepare build
-        if: ${{ steps.do-publish.outputs.tag }}
+          node-version: ${{ matrix.node-version }}
+      - name: Prepare Environment
         run: |
-          corepack enable
           yarn install
-          yarn build
         env:
           CI: true
-      - name: Publish to NPM
-        if: ${{ steps.do-publish.outputs.tag }}
+      - name: Run tests
         run: |
-          yarn config set npmAuthToken $NPM_AUTH_TOKEN
-
-          NEW_VERSION=$(node -p "require('./package.json').version")
-          yarn npm publish --access=public --tag ${{ steps.do-publish.outputs.tag }}
-
-          echo "**Published:** $NEW_VERSION" >> $GITHUB_STEP_SUMMARY
+          yarn unit
         env:
-          NPM_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
           CI: true
 
   validate-dependencies:
@@ -132,15 +70,12 @@ jobs:
 
     steps:
       - uses: actions/checkout@v5
-        with:
-          persist-credentials: false
       - name: Use Node.js 22.x
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v6
         with:
           node-version: 22.x
       - name: Prepare Environment
         run: |
-          corepack enable
           yarn install
         env:
           CI: true
@@ -162,15 +97,12 @@ jobs:
 
     steps:
       - uses: actions/checkout@v5
-        with:
-          persist-credentials: false
       - name: Use Node.js 22.x
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v6
         with:
           node-version: 22.x
       - name: Prepare Environment
         run: |
-          corepack enable
           yarn install
         env:
           CI: true
diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
@@ -1,59 +1,170 @@
-name: Publish prerelease
+name: Publish Release
 
 on:
-  # Allows you to run this workflow manually from the Actions tab
+  push:
+    tags:
+      - 'v[0-9]+.[0-9]+.[0-9]+*'
   workflow_dispatch:
 
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+# This workflow will perform a publish whenever it is triggered
+# If you are using a fork, and want to push tags you can disable this workflow in the github ui
 jobs:
-  prerelease:
-    name: Prerelease
+  test:
+    name: Test
     runs-on: ubuntu-latest
     timeout-minutes: 15
 
+    strategy:
+      fail-fast: false
+      matrix:
+        node-version: [20.x, 22.x, 24.x]
+
+    steps:
+      - name: Git checkout
+        uses: actions/checkout@v5
+        with:
+          persist-credentials: false
+      - name: Use Node.js ${{ matrix.node-version }}
+        uses: actions/setup-node@v6
+        with:
+          node-version: ${{ matrix.node-version }}
+      - name: Prepare Environment
+        run: |
+          corepack enable
+          yarn install
+        env:
+          CI: true
+      - name: Run tests
+        run: |
+          yarn unit
+        env:
+          CI: true
+
+  prepare:
+    name: Prepare package
+    runs-on: ubuntu-latest
+    outputs:
+      tag: ${{ steps.do-publish.outputs.tag }}
+      prerelease: ${{ steps.do-publish.outputs.prerelease }}
+    timeout-minutes: 15
+
+    permissions:
+      contents: write
+
     steps:
       - uses: actions/checkout@v5
         with:
           fetch-depth: 0
           persist-credentials: false
       - name: Use Node.js 22.x
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v6
         with:
           node-version: 22.x
-      - name: Check release is desired
+      - name: Enable corepack
+        run: corepack enable
+      - name: Determine publish info
         id: do-publish
         run: |
-          if [ -z "${{ secrets.NPM_TOKEN }}" ]; then
-            echo "No Token"
-          elif [[ "${{ github.ref }}" == "refs/heads/master" ]]; then
-            echo "Publish nightly"
-            echo "publish=nightly" >> $GITHUB_OUTPUT
+          # If this run was started manually, choose nightly for main and experimental otherwise.
+          if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
+            if [[ "${{ github.ref }}" == "refs/heads/main" ]]; then
+              echo "Publishing nightly"
+              echo "tag=nightly" >> $GITHUB_OUTPUT
+            else
+              echo "Publishing experimental"
+              echo "tag=experimental" >> $GITHUB_OUTPUT
+            fi
+            
+            HASH=$(git rev-parse --short HEAD)
+            TIMESTAMP=$(date +"%Y%m%d-%H%M%S")
+            PRERELEASE_TAG=nightly-$(echo "${{ github.ref_name }}" | sed -r 's/[^a-z0-9]+/-/gi')
+            echo "prerelease=${PRERELEASE_TAG}-${TIMESTAMP}-${HASH}" >> $GITHUB_OUTPUT
+
           else
-            echo "Publish experimental"
-            echo "publish=experimental" >> $GITHUB_OUTPUT
+            # Otherwise (push by tag), keep the previous logic: compare published vs package.json
+            PUBLISHED_VERSION=$(yarn npm info --json . | jq -c '.version' -r)
+            THIS_VERSION=$(node -p "require('./package.json').version")
+            # Simple bash helper to compare version numbers
+            verlte() {
+              [  "$1" = "`echo -e "$1\n$2" | sort -V | head -n1`" ]
+            }
+            verlt() {
+              [ "$1" = "$2" ] && return 1 || verlte $1 $2
+            }
+            if verlt $PUBLISHED_VERSION $THIS_VERSION
+            then
+              echo "Publishing latest"
+              echo "tag=latest" >> $GITHUB_OUTPUT
+            else
+              echo "Publishing hotfix"
+              echo "tag=hotfix" >> $GITHUB_OUTPUT
+            fi
           fi
-      - name: Prepare Environment
-        if: ${{ steps.do-publish.outputs.publish }}
+      - name: Prepare build
         run: |
-          corepack enable
           yarn install
+
+          # Bump to prerelease version if needed
+          if [ "${{ steps.do-publish.outputs.prerelease }}" != "" ]; then
+            OLD_VERSION=$(node -p "require('./package.json').version")
+            yarn version ${OLD_VERSION}-${{ steps.do-publish.outputs.prerelease }}
+          fi
+
+          yarn build
         env:
           CI: true
-      - name: Bump version and build
-        if: ${{ steps.do-publish.outputs.publish }}
-        run: |
-          PRERELEASE_TAG=nightly-$(echo "${{ github.ref_name }}" | sed -r 's/[^a-z0-9]+/-/gi')
-          yarn release --prerelease $PRERELEASE_TAG
-        env:
-          CI: true
+
+      - name: Upload release artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: publish-dist
+          path: |
+            dist
+            package.json
+          retention-days: 1
+          if-no-files-found: error
+
+  publish:
+    name: Publish to NPM
+    needs:
+      - prepare
+      - test
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write # scoped for as short as possible, as this gives write access to npm
+
+    steps:
+      - uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+      - name: Use Node.js 22.x
+        uses: actions/setup-node@v6
+        with:
+          node-version: 22.x
+
+      - name: Download release artifact
+        uses: actions/download-artifact@v5
+        with:
+          name: publish-dist
+
       - name: Publish to NPM
-        if: ${{ steps.do-publish.outputs.publish }}
         run: |
-          yarn config set npmAuthToken $NPM_AUTH_TOKEN
+          corepack enable
+          yarn install
 
-          NEW_VERSION=$(node -p "require('./package.json').version")
-          yarn npm publish --access=public --tag "${{ steps.do-publish.outputs.publish }}"
+          # Publish from the extracted release (build output present)
+          yarn npm publish --access=public --provenance --tag ${{ needs.prepare.outputs.tag }}
 
+          NEW_VERSION=$(node -p "require('./package.json').version")
           echo "**Published:** $NEW_VERSION" >> $GITHUB_STEP_SUMMARY
         env:
-          NPM_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
           CI: true
