Release #240
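---
# Release workflow: after the "CI" workflow completes successfully for `main`,
# build the workspace and let changesets either open/update the release pull
# request or publish the packages to npm.
name: Release

on:
  # `workflow_run` executes with this repository's secrets and a writable
  # token, whatever started the upstream run. The `branches` filter matches
  # the head branch *name* of the triggering run, so on its own it does not
  # prove the run came from this repository; the job-level `if` below adds
  # that check.
  workflow_run:
    workflows: ["CI"]
    types:
      - completed
    branches:
      - main

concurrency: ${{ github.workflow }}-${{ github.ref }}

env:
  # Quoted so every YAML loader sees a string, which is what env values are.
  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"

jobs:
  release:
    name: Release
    runs-on: ubuntu-latest
    # Release only when CI succeeded AND the CI run belongs to this repository.
    # A run started from a fork (for example a pull request whose head branch
    # is also called `main`, if CI runs on pull requests) must never unlock
    # RELEASE_PAT or the npm publishing identity.
    if: >-
      github.event.workflow_run.conclusion == 'success' &&
      github.event.workflow_run.head_repository.full_name == github.repository
    permissions:
      # These two scopes apply to the default GITHUB_TOKEN. The steps visible
      # here authenticate with RELEASE_PAT instead.
      # NOTE(review): confirm whether ./.github/actions/setup needs write
      # access; if not, `contents: read` and no `pull-requests` entry would be
      # the least-privilege setting.
      contents: write
      pull-requests: write
      # Needed for npm Trusted Publishing (OIDC). The grant is job-wide, so
      # every step in this job, including Setup and Build, can request the
      # token; treat all code they run as part of the release trust boundary.
      id-token: write
    steps:
      - name: Checkout
        # NOTE(review): no `ref` is given, so this checks out the default
        # branch head for the `workflow_run` event, which is not necessarily
        # the commit the triggering CI run validated.
        uses: actions/checkout@v7
        with:
          # Use the PAT here too so the git remote is configured with PAT
          # credentials. The bare GITHUB_TOKEN-authenticated push that
          # checkout normally sets up is treated by GitHub as a bot event
          # and would not fire `pull_request` workflows on the resulting
          # branch — defeating the whole point of using a PAT for releases.
          #
          # checkout keeps this token in the local git config by default
          # (`persist-credentials`), which the push relies on. It also means
          # the Setup and Build steps below can read the PAT, so keep the
          # token fine-grained and scoped to this repository only.
          token: ${{ secrets.RELEASE_PAT }}
      - name: Setup
        uses: ./.github/actions/setup
      - name: Build
        run: pnpm build
      - name: Create Release Pull Request or Publish to npm
        id: changesets
        # NOTE(review): `@v1` is a mutable tag and this step receives
        # RELEASE_PAT and can mint the OIDC publishing token. Pin it to a
        # full commit SHA (with the tag kept as a trailing comment) so an
        # upstream retag cannot change what runs here.
        uses: changesets/action@v1
        with:
          # Use `pnpm run …` so we invoke the package.json scripts. Bare
          # `pnpm version` collides with pnpm's built-in `version` command and
          # silently prints `process.versions` instead of running the changeset
          # version script, leaving package.json files untouched and the
          # release stuck.
          version: pnpm run version
          publish: pnpm run release
          commit: "chore: release packages"
          title: "chore: release packages"
        env:
          # Use a Personal Access Token rather than the default GITHUB_TOKEN.
          # Events triggered by GITHUB_TOKEN do not start new workflow runs
          # (GitHub's anti-recursion safeguard), so the "Version Packages"
          # PR opened by this action would otherwise skip CI entirely. A PAT
          # attributes the PR to a real user and CI fires normally.
          # Required repo secret: RELEASE_PAT. Prefer a fine-grained token with
          # Contents: read/write + Pull requests: read/write on this repo
          # only; a classic PAT with `repo` scope also works but grants access
          # to every repository the owning user can reach.
          GITHUB_TOKEN: ${{ secrets.RELEASE_PAT }}
          # NPM_TOKEN is intentionally absent — npm Trusted Publishing uses
          # the OIDC token minted via `id-token: write` above. Each package
          # must have a Trusted Publisher configured on npmjs.com pointing
          # at this repo + workflow file (.github/workflows/release.yml).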