Update zizmorcore/zizmor-action action to v0.6.0 (#140) #172
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Publish Release | |
| on: | |
| push: | |
| branches: [main] | |
| workflow_dispatch: | |
| permissions: {} | |
| jobs: | |
| build: | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 10 | |
| permissions: | |
| contents: read | |
| steps: | |
| - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 | |
| with: | |
| fetch-depth: 0 | |
| persist-credentials: false | |
| - uses: actions/setup-node@820762786026740c76f36085b0efc47a31fe5020 # v7.0.0 | |
| # No cache — release builds must be hermetic | |
| with: | |
| node-version: 24 | |
| - run: npm ci | |
| - name: Verify CLI version matches package version | |
| run: | | |
| PKG_VERSION=$(node -p "require('./package.json').version") | |
| CLI_VERSION=$(grep -oP '\.version\("\K[^"]+' src/cli.ts) | |
| if [ "$PKG_VERSION" != "$CLI_VERSION" ]; then | |
| echo "::error::Version mismatch: package.json=$PKG_VERSION, cli.ts=$CLI_VERSION" | |
| exit 1 | |
| fi | |
| echo "Versions match: $PKG_VERSION" | |
| - name: Check if version is already published | |
| id: check | |
| run: | | |
| PKG_NAME=$(node -p "require('./package.json').name") | |
| PKG_VERSION=$(node -p "require('./package.json').version") | |
| echo "version=${PKG_VERSION}" >> "$GITHUB_OUTPUT" | |
| if npm view "${PKG_NAME}@${PKG_VERSION}" version 2>/dev/null; then | |
| echo "published=true" >> "$GITHUB_OUTPUT" | |
| else | |
| echo "published=false" >> "$GITHUB_OUTPUT" | |
| fi | |
| - name: Build | |
| if: steps.check.outputs.published == 'false' | |
| run: npm run build | |
| - name: Upload build artifacts | |
| if: steps.check.outputs.published == 'false' | |
| uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 | |
| with: | |
| name: build-output | |
| path: . | |
| include-hidden-files: true | |
| retention-days: 1 | |
| outputs: | |
| version: ${{ steps.check.outputs.version }} | |
| published: ${{ steps.check.outputs.published }} | |
| publish: | |
| needs: build | |
| if: needs.build.outputs.published == 'false' | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 10 | |
| environment: npm | |
| permissions: | |
| contents: write | |
| id-token: write | |
| steps: | |
| - name: Download build artifacts | |
| uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 | |
| with: | |
| name: build-output | |
| - uses: actions/setup-node@820762786026740c76f36085b0efc47a31fe5020 # v7.0.0 | |
| with: | |
| node-version: 24 | |
| registry-url: "https://registry.npmjs.org" | |
| - name: Publish to npm | |
| run: npm publish --access public --provenance | |
| - name: Configure git credentials | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| git config --local url."https://x-access-token:${GITHUB_TOKEN}@github.com/".insteadOf "https://github.com/" | |
| - name: Ensure git tag exists | |
| env: | |
| RELEASE_VERSION: ${{ needs.build.outputs.version }} | |
| run: | | |
| TAG="v${RELEASE_VERSION}" | |
| if ! git rev-parse "${TAG}" >/dev/null 2>&1; then | |
| git tag "${TAG}" | |
| git push origin "${TAG}" | |
| fi | |
| - name: Create GitHub Release | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| RELEASE_VERSION: ${{ needs.build.outputs.version }} | |
| run: | | |
| TAG="v${RELEASE_VERSION}" | |
| gh release create "${TAG}" --generate-notes --title "${TAG}" --verify-tag | |
| - name: Notify Slack on success | |
| env: | |
| SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_OSS_ALERTS }} | |
| RELEASE_VERSION: ${{ needs.build.outputs.version }} | |
| GH_REPOSITORY: ${{ github.repository }} | |
| run: | | |
| VERSION="v${RELEASE_VERSION}" | |
| if [ -n "$SLACK_WEBHOOK" ]; then | |
| payload=$(jq -nc --arg ver "$VERSION" --arg rel "$RELEASE_VERSION" --arg repo "$GH_REPOSITORY" \ | |
| '{text: "📦 *@copilotkit/pathfinder \($ver) published*\nnpm: https://www.npmjs.com/package/@copilotkit/pathfinder/v/\($rel)\nRelease: https://github.com/\($repo)/releases/tag/\($ver)"}') | |
| curl -s -X POST "$SLACK_WEBHOOK" \ | |
| -H "Content-Type: application/json" \ | |
| -d "$payload" || true | |
| fi | |
| - name: Notify Slack on failure | |
| if: failure() | |
| env: | |
| SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_OSS_ALERTS }} | |
| GH_REPOSITORY: ${{ github.repository }} | |
| GH_RUN_ID: ${{ github.run_id }} | |
| run: | | |
| if [ -n "$SLACK_WEBHOOK" ]; then | |
| payload=$(jq -nc --arg repo "$GH_REPOSITORY" --arg run "$GH_RUN_ID" \ | |
| '{text: "❌ *Pathfinder release failed*\n<https://github.com/\($repo)/actions/runs/\($run)|View run>"}') | |
| curl -s -X POST "$SLACK_WEBHOOK" \ | |
| -H "Content-Type: application/json" \ | |
| -d "$payload" || true | |
| fi | |
| # Build & push the Docker image in the SAME run, right after the npm | |
| # publish + tag succeed. The tag push above uses GITHUB_TOKEN, which does | |
| # NOT trigger the `on: push: tags` event in publish-docker.yml, so we | |
| # invoke that workflow directly via workflow_call instead of relying on | |
| # the tag-push event firing it. | |
| docker: | |
| needs: [build, publish] | |
| if: needs.build.outputs.published == 'false' | |
| uses: ./.github/workflows/publish-docker.yml | |
| permissions: | |
| contents: read | |
| packages: write | |
| with: | |
| tag: v${{ needs.build.outputs.version }} | |
| secrets: | |
| SLACK_WEBHOOK_OSS_ALERTS: ${{ secrets.SLACK_WEBHOOK_OSS_ALERTS }} |