-
Notifications
You must be signed in to change notification settings - Fork 0
89 lines (80 loc) · 4.56 KB
/
Copy pathrelease.yml
File metadata and controls
89 lines (80 loc) · 4.56 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
name: release
# Publish @subsquid/ponder@<version> = ponder@<version> + the Portal layer.
# Trigger: manually (Actions → release → Run workflow → enter the ponder version), or push a
# tag `v<version>` (e.g. v0.16.6). Auth is npm **Trusted Publishing via OIDC** — no NPM_TOKEN.
on:
workflow_dispatch:
inputs:
version:
description: "ponder version (e.g. 0.16.6). Must have portal/wiring/<version>.patch + a versions.json row."
required: true
rev:
description: "fork revision N → publishes @subsquid/ponder@<version>-sqd.<N> (bump for a fork-side fix on the same ponder version)."
required: true
default: "1"
push:
tags: ["v*.*.*"]
permissions:
contents: read
id-token: write # OIDC token for npm Trusted Publishing (replaces NPM_TOKEN)
concurrency:
group: release-${{ github.event.inputs.version || github.ref_name }}
cancel-in-progress: false
jobs:
publish:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: 22
registry-url: "https://registry.npmjs.org"
- run: corepack enable
# npm Trusted Publishing (OIDC) requires npm >= 11.5.1; node 22 ships an older one.
# Do NOT `npm install -g npm@latest` in place: npm 12.0.0 (latest since 2026-07-08) clobbers
# its own bundled deps when installed over the toolcache npm (MODULE_NOT_FOUND: 'sigstore'
# at publish). The publish step runs a PINNED npm via npx instead — isolated and proven.
- name: Resolve version (workflow input or v<version> tag)
id: v
run: |
V="${{ github.event.inputs.version }}"
[ -z "$V" ] && V="${GITHUB_REF_NAME#v}"
echo "version=$V" >> "$GITHUB_OUTPUT"
echo "→ publishing @subsquid/ponder@$V"
- name: Guard — version must be declared in versions.json
run: |
node -e "const v='${{ steps.v.outputs.version }}'; const j=require('./versions.json'); if(!j.versions.some(r=>r.ponder===v)){console.error('✗ '+v+' not in versions.json — add a row + portal/wiring/'+v+'.patch first (PUBLISHING.md)');process.exit(1)} console.log('✓ '+v+' declared')"
- name: Idempotency guard — no-op if this exact version is already on npm
id: published
# Creating a `v<version>` tag (e.g. via `gh release create` after a dispatch publish)
# re-triggers this workflow with rev=1. npm can never re-publish an existing version, so
# detect that case and end the run green without building — a tag-triggered re-run is a
# no-op, not a failure (#86). On an npm-lookup error we fall through to a normal
# build+publish attempt (fail-safe: worst case is today's behavior, a duplicate-publish red).
run: |
FULL='${{ steps.v.outputs.version }}-sqd.${{ github.event.inputs.rev || '1' }}'
if npm view "@subsquid/ponder@$FULL" version >/dev/null 2>&1; then
echo "✓ @subsquid/ponder@$FULL is already published — nothing to do (tag-triggered re-run)."
echo "exists=true" >> "$GITHUB_OUTPUT"
else
echo "→ @subsquid/ponder@$FULL not on npm yet — proceeding to build + publish."
echo "exists=false" >> "$GITHUB_OUTPUT"
fi
- name: Build + test the fork (apply Portal layer to ponder@<version>)
if: steps.published.outputs.exists != 'true'
run: bash scripts/sync-upstream.sh "${{ steps.v.outputs.version }}" --test
env:
SYNC_WORKDIR: ${{ runner.temp }}/fork
SYNC_REV: ${{ github.event.inputs.rev || '1' }}
- name: Publish to npm (Trusted Publishing via OIDC — no token)
if: steps.published.outputs.exists != 'true'
working-directory: ${{ runner.temp }}/fork/${{ steps.v.outputs.version }}/packages/core
# `latest` ONLY for the newest ponder version in versions.json, so publishing an older version
# (e.g. 0.15.17 after 0.16.6) does not clobber the default `npm install`. Older versions get a
# `ponder-<version>` tag; users still pin the exact `<version>-sqd.<rev>`. Provenance is automatic.
run: |
V='${{ steps.v.outputs.version }}'
MAX=$(node -e "const j=require('$GITHUB_WORKSPACE/versions.json');console.log(j.versions.map(r=>r.ponder).sort((a,b)=>a.localeCompare(b,undefined,{numeric:true})).pop())")
if [ "$V" = "$MAX" ]; then TAG=latest; else TAG="ponder-$V"; fi
echo "→ npm publish --tag $TAG (newest ponder in versions.json = $MAX)"
npx -y npm@11.18.0 publish --access public --tag "$TAG"