rebuild-dist #6
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: rebuild-dist | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions | |
| permissions: | |
| contents: read | |
| on: | |
| pull_request: | |
| workflow_dispatch: | |
| jobs: | |
| # Rebuilds the bundled dist/ on Dependabot PRs (and on manual workflow_dispatch | |
| # runs) and pushes it back to the branch, so a dependency bump and its matching | |
| # dist/ land together and the validate workflow stays green. | |
| # | |
| # Dependabot runs get a read-only GITHUB_TOKEN, and commits pushed with it do | |
| # not re-trigger checks. Pushing the dist commit therefore uses a GitHub App | |
| # token, which is repo-scoped and short-lived, and can re-run workflows. | |
| # Configure a GitHub App with contents:write on this repo and set its | |
| # credentials as GORELEASER_APP_ID and GORELEASER_APP_KEY. Dependabot runs only | |
| # expose Dependabot secrets, while workflow_dispatch runs only expose Actions | |
| # secrets, so set both copies to cover both triggers. Until both exist this job | |
| # is a no-op. | |
| rebuild-dist: | |
| if: github.actor == 'dependabot[bot]' || github.event_name == 'workflow_dispatch' | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Check app credentials | |
| id: app | |
| env: | |
| GORELEASER_APP_ID: ${{ secrets.GORELEASER_APP_ID }} | |
| GORELEASER_APP_KEY: ${{ secrets.GORELEASER_APP_KEY }} | |
| run: | | |
| if [ -n "$GORELEASER_APP_ID" ] && [ -n "$GORELEASER_APP_KEY" ]; then | |
| echo "available=true" >> "$GITHUB_OUTPUT" | |
| else | |
| echo "available=false" >> "$GITHUB_OUTPUT" | |
| echo "::notice::GORELEASER_APP_ID/GORELEASER_APP_KEY Dependabot secrets are not set; skipping automatic dist rebuild." | |
| fi | |
| - name: Generate token | |
| if: steps.app.outputs.available == 'true' | |
| id: token | |
| uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 | |
| with: | |
| app-id: ${{ secrets.GORELEASER_APP_ID }} | |
| private-key: ${{ secrets.GORELEASER_APP_KEY }} | |
| - name: Checkout | |
| if: steps.app.outputs.available == 'true' | |
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 | |
| with: | |
| ref: ${{ github.head_ref || github.ref_name }} | |
| token: ${{ steps.token.outputs.token }} | |
| - name: Setup Node.js | |
| if: steps.app.outputs.available == 'true' | |
| uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 | |
| with: | |
| node-version-file: '.node-version' | |
| cache: npm | |
| - name: Install dependencies | |
| if: steps.app.outputs.available == 'true' | |
| run: npm ci --ignore-scripts | |
| - name: Rebuild dist | |
| if: steps.app.outputs.available == 'true' | |
| run: npm run build | |
| - name: Commit and push dist if changed | |
| if: steps.app.outputs.available == 'true' | |
| env: | |
| HEAD_REF: ${{ github.head_ref || github.ref_name }} | |
| run: | | |
| if [ -z "$(git status --porcelain -- dist)" ]; then | |
| echo "dist is already up to date." | |
| exit 0 | |
| fi | |
| git config user.name "github-actions[bot]" | |
| git config user.email "41898282+github-actions[bot]@users.noreply.github.com" | |
| git add dist | |
| git commit -m "build: rebuild dist" | |
| git push origin "HEAD:${HEAD_REF}" |