release.yml
# Reusable release workflow, invoked from other workflows via workflow_call.
# Jobs: create a GitHub release for the triggering ref, optionally bump the
# Homebrew formula, and optionally publish the package to npm.
name: Release
on:
  workflow_call:
    inputs:
      homebrew:
        description: "Boolean to opt-out of releasing to homebrew."
        default: true
        required: false
        type: boolean
      npm:
        description: "Boolean to opt-out of releasing to npm."
        default: true
        required: false
        type: boolean
      # FIXME until setup-node infers scope from package.json
      # https://github.com/actions/setup-node/pull/129
      npm_scope:
        description: "Name of scope to publish package under."
        default: nodenv
        required: false
        type: string
    secrets:
      # Optional at the workflow level, but required for the homebrew job.
      BOT_TOKEN:
        required: false

# Workflow-wide default: the GITHUB_TOKEN gets no scopes. Each job below
# opts in to exactly the scopes it declares.
permissions: {}

jobs:
  github:
    runs-on: ubuntu-latest
    # Creating a release needs write access to repository contents.
    permissions:
      contents: write
    steps:
      # Actions are pinned to full commit SHAs; the trailing comment records
      # the release tag each SHA is meant to correspond to.
      # egress-policy "audit" records outbound traffic without blocking it.
      # NOTE(review): "block" with an allow-list is the enforcing mode.
      - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
        with:
          egress-policy: audit
      # persist-credentials: false keeps the token out of the checked-out
      # repository's git configuration.
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      # TODO exit this job differently than success if release already exists
      # The ref name reaches the script through the environment rather than
      # being interpolated into the script text, so it is handled as data.
      # If `gh release view` succeeds, nothing is created. Otherwise a tag
      # containing "-" expands to the tag plus --prerelease; the expansion
      # is left unquoted (SC2086 disabled) so those become two arguments.
      - name: gh release create
        env:
          GH_TOKEN: ${{ github.token }}
          tag: ${{ github.ref_name }}
        run: |
          # shellcheck disable=SC2086
          gh release view $tag || \
          gh release create ${tag/*-*/"$tag" --prerelease} --generate-notes

  homebrew:
    # Runs unless the caller opted out; refs containing "-" are treated as
    # prereleases and skipped.
    if: inputs.homebrew && !contains(github.ref, '-')
    runs-on: ubuntu-latest
    # The job's own token is read-only; the formula bump authenticates with
    # the caller-supplied BOT_TOKEN instead.
    permissions:
      contents: read
    steps:
      - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
        with:
          egress-policy: audit
      # Repositories named nodenv or node-build target Homebrew/homebrew-core;
      # every other repository targets nodenv/homebrew-nodenv.
      - uses: mislav/bump-homebrew-formula-action@56a283fa15557e9abaa4bdb63b8212abc68e655c # v3.6
        env:
          COMMITTER_TOKEN: ${{ secrets.BOT_TOKEN }}
        with:
          homebrew-tap: >-
            ${{ contains(fromJSON('["nodenv","node-build"]'),
            github.event.repository.name)
            && 'Homebrew/homebrew-core' || 'nodenv/homebrew-nodenv' }}

  npm:
    if: inputs.npm
    runs-on: ubuntu-latest
    # id-token: write lets the job request an OIDC token, which npm Trusted
    # Publishing relies on; no long-lived npm token is passed to any step.
    # NOTE(review): no contents scope is requested, so checkout presumably
    # relies on the repository being readable without it. Confirm this for
    # private callers.
    permissions:
      id-token: write
    steps:
      - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
        with:
          egress-policy: audit
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      # FIXME https://github.com/actions/setup-node/pull/129
      - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
        with:
          scope: ${{ inputs.npm_scope }}
          registry-url: https://registry.npmjs.org
          # Trusted Publishing requires npm v11.5.1+; node 24 bundles a
          # sufficient version
          node-version: 24
      # NOTE(review): npm ci runs dependency install scripts in the same job
      # that can request the publishing OIDC token; check whether
      # --ignore-scripts is workable for the packages released this way.
      - run: npm ci
      - run: npm publish