Skip to content

Update zizmorcore/zizmor-action action to v0.6.0 (#140) #172

Update zizmorcore/zizmor-action action to v0.6.0 (#140)

Update zizmorcore/zizmor-action action to v0.6.0 (#140) #172

name: Publish Release
on:
push:
branches: [main]
workflow_dispatch:
permissions: {}
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 10
permissions:
contents: read
steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
fetch-depth: 0
persist-credentials: false
- uses: actions/setup-node@820762786026740c76f36085b0efc47a31fe5020 # v7.0.0
# No cache — release builds must be hermetic
with:
node-version: 24
- run: npm ci
- name: Verify CLI version matches package version
run: |
PKG_VERSION=$(node -p "require('./package.json').version")
CLI_VERSION=$(grep -oP '\.version\("\K[^"]+' src/cli.ts)
if [ "$PKG_VERSION" != "$CLI_VERSION" ]; then
echo "::error::Version mismatch: package.json=$PKG_VERSION, cli.ts=$CLI_VERSION"
exit 1
fi
echo "Versions match: $PKG_VERSION"
- name: Check if version is already published
id: check
run: |
PKG_NAME=$(node -p "require('./package.json').name")
PKG_VERSION=$(node -p "require('./package.json').version")
echo "version=${PKG_VERSION}" >> "$GITHUB_OUTPUT"
if npm view "${PKG_NAME}@${PKG_VERSION}" version 2>/dev/null; then
echo "published=true" >> "$GITHUB_OUTPUT"
else
echo "published=false" >> "$GITHUB_OUTPUT"
fi
- name: Build
if: steps.check.outputs.published == 'false'
run: npm run build
- name: Upload build artifacts
if: steps.check.outputs.published == 'false'
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: build-output
path: .
include-hidden-files: true
retention-days: 1
outputs:
version: ${{ steps.check.outputs.version }}
published: ${{ steps.check.outputs.published }}
publish:
needs: build
if: needs.build.outputs.published == 'false'
runs-on: ubuntu-latest
timeout-minutes: 10
environment: npm
permissions:
contents: write
id-token: write
steps:
- name: Download build artifacts
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
with:
name: build-output
- uses: actions/setup-node@820762786026740c76f36085b0efc47a31fe5020 # v7.0.0
with:
node-version: 24
registry-url: "https://registry.npmjs.org"
- name: Publish to npm
run: npm publish --access public --provenance
- name: Configure git credentials
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
git config --local url."https://x-access-token:${GITHUB_TOKEN}@github.com/".insteadOf "https://github.com/"
- name: Ensure git tag exists
env:
RELEASE_VERSION: ${{ needs.build.outputs.version }}
run: |
TAG="v${RELEASE_VERSION}"
if ! git rev-parse "${TAG}" >/dev/null 2>&1; then
git tag "${TAG}"
git push origin "${TAG}"
fi
- name: Create GitHub Release
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
RELEASE_VERSION: ${{ needs.build.outputs.version }}
run: |
TAG="v${RELEASE_VERSION}"
gh release create "${TAG}" --generate-notes --title "${TAG}" --verify-tag
- name: Notify Slack on success
env:
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_OSS_ALERTS }}
RELEASE_VERSION: ${{ needs.build.outputs.version }}
GH_REPOSITORY: ${{ github.repository }}
run: |
VERSION="v${RELEASE_VERSION}"
if [ -n "$SLACK_WEBHOOK" ]; then
payload=$(jq -nc --arg ver "$VERSION" --arg rel "$RELEASE_VERSION" --arg repo "$GH_REPOSITORY" \
'{text: "📦 *@copilotkit/pathfinder \($ver) published*\nnpm: https://www.npmjs.com/package/@copilotkit/pathfinder/v/\($rel)\nRelease: https://github.com/\($repo)/releases/tag/\($ver)"}')
curl -s -X POST "$SLACK_WEBHOOK" \
-H "Content-Type: application/json" \
-d "$payload" || true
fi
- name: Notify Slack on failure
if: failure()
env:
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_OSS_ALERTS }}
GH_REPOSITORY: ${{ github.repository }}
GH_RUN_ID: ${{ github.run_id }}
run: |
if [ -n "$SLACK_WEBHOOK" ]; then
payload=$(jq -nc --arg repo "$GH_REPOSITORY" --arg run "$GH_RUN_ID" \
'{text: "❌ *Pathfinder release failed*\n<https://github.com/\($repo)/actions/runs/\($run)|View run>"}')
curl -s -X POST "$SLACK_WEBHOOK" \
-H "Content-Type: application/json" \
-d "$payload" || true
fi
# Build & push the Docker image in the SAME run, right after the npm
# publish + tag succeed. The tag push above uses GITHUB_TOKEN, which does
# NOT trigger the `on: push: tags` event in publish-docker.yml, so we
# invoke that workflow directly via workflow_call instead of relying on
# the tag-push event firing it.
docker:
needs: [build, publish]
if: needs.build.outputs.published == 'false'
uses: ./.github/workflows/publish-docker.yml
permissions:
contents: read
packages: write
with:
tag: v${{ needs.build.outputs.version }}
secrets:
SLACK_WEBHOOK_OSS_ALERTS: ${{ secrets.SLACK_WEBHOOK_OSS_ALERTS }}