-
Notifications
You must be signed in to change notification settings - Fork 0
60 lines (50 loc) · 1.61 KB
/
Copy pathpublish.yml
File metadata and controls
60 lines (50 loc) · 1.61 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
name: publish
on:
release:
types:
- published
permissions:
contents: read
jobs:
publish-npm:
if: startsWith(github.event.release.tag_name, 'v')
runs-on: ubuntu-latest
environment: npm-publish
permissions:
contents: read
id-token: write
steps:
- name: Checkout
uses: actions/checkout@v6
- name: Setup Node.js
uses: actions/setup-node@v6
with:
node-version: "22"
registry-url: https://registry.npmjs.org
- name: Upgrade npm for trusted publishing
run: npm install --global npm@^11.5.1
- name: Validate release tag + package version
env:
TAG_NAME: ${{ github.event.release.tag_name }}
run: |
if [[ ! "$TAG_NAME" =~ ^v[0-9]+\.[0-9]+\.[0-9]+([-.][0-9A-Za-z.]+)?$ ]]; then
echo "Release tag must match vX.Y.Z (optional prerelease/build suffix)." >&2
exit 1
fi
PKG_VERSION="$(node -p "JSON.parse(require('node:fs').readFileSync('package.json', 'utf8')).version")"
if [[ "v${PKG_VERSION}" != "$TAG_NAME" ]]; then
echo "package.json version (${PKG_VERSION}) does not match release tag (${TAG_NAME})." >&2
exit 1
fi
- name: Install dependencies
run: |
if [[ -f package-lock.json ]]; then
npm ci
else
npm install --package-lock-only --ignore-scripts
npm ci
fi
- name: Validate structure
run: npm run check
- name: Publish to npm (OIDC + provenance)
run: npm publish --provenance --access public