cli/.github/workflows/release.yml at main · qawolf/cli · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
name: Release

on:
  push:
    branches: [main]

concurrency:
  group: release-${{ github.ref }}
  cancel-in-progress: false

jobs:
  release:
    name: Release
    environment: release
    runs-on: ubuntu-latest
    permissions:
      contents: write
      pull-requests: write
      id-token: write
    outputs:
      published: ${{ steps.changesets.outputs.published }}
      tag: ${{ steps.tag.outputs.tag }}
    steps:
      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          fetch-depth: 0

      - uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2
        with:
          bun-version-file: package.json

      - run: bun install --frozen-lockfile

      - run: bun run build

      # GITHUB_TOKEN can't create PRs under org policy, and PRs it opens don't
      # trigger CI; the App token does both.
      - name: Generate qa-wolf-ops token
        id: app-token
        uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
        with:
          client-id: ${{ secrets.QA_WOLF_OPS_CLIENT_ID }}
          private-key: ${{ secrets.QA_WOLF_OPS_PRIVATE_KEY }}

      - name: Create Release PR or Publish
        id: changesets
        uses: changesets/action@63a615b9cd06ba9a3e6d13796c7fbcb080a60a0b # v1.8.0
        with:
          version: bun run version-packages
          publish: bunx changeset publish
        env:
          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
          NPM_CONFIG_PROVENANCE: true

      # Only set when a publish actually happened; safe on version-mode runs.
      - name: Resolve release tag
        id: tag
        if: steps.changesets.outputs.published == 'true'
        env:
          PUBLISHED_PACKAGES: ${{ steps.changesets.outputs.publishedPackages }}
        run: |
          VERSION=$(echo "$PUBLISHED_PACKAGES" | bun -e "const d = await Bun.stdin.text(); console.log(JSON.parse(d)[0].version)")
          echo "tag=v${VERSION}" >> "$GITHUB_OUTPUT"

  binaries:
    name: Binaries
    needs: release
    if: needs.release.outputs.published == 'true'
    permissions:
      contents: write
    uses: ./.github/workflows/release-binaries.yml
    with:
      tag: ${{ needs.release.outputs.tag }}