-
Notifications
You must be signed in to change notification settings - Fork 169
77 lines (74 loc) · 2.7 KB
/
Copy pathpublish.yml
File metadata and controls
77 lines (74 loc) · 2.7 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
# Publishes a single workspace package to npm via OIDC trusted publishing.
# No NPM_TOKEN is used; the job exchanges its GitHub OIDC token for a short-lived
# npm credential and attaches SLSA provenance via `--provenance`.
#
# Prerequisite: each package in the `package` choice list must have a Trusted
# Publisher entry configured on npmjs.com under Settings → Publishing access.
# Use owner=`graphprotocol`, repo=`contracts`, workflow=`publish.yml`,
# environment=blank. Adding a package to the choice list without that npm-side
# entry will 403 at the publish step.
#
# Conventions:
# - `tag=latest` is reserved for the changeset-driven release flow (see README).
# Use a custom dist-tag (`dips`, `sepolia`, `next`, …) for ad-hoc or
# pre-release publishes so the stable channel is never overwritten.
# - `dry_run=true` validates the workflow end-to-end without consuming a
# version or pushing a git tag — useful when adding a new package or
# verifying a fresh Trusted Publisher entry.
#
# Fallback: maintainers with publish rights on `@graphprotocol/*` can still run
# `pnpm publish` locally if OIDC is unavailable.
name: Publish package to NPM
on:
workflow_dispatch:
inputs:
package:
description: 'Package to publish'
required: true
type: choice
options:
- address-book
- contracts
- interfaces
- toolshed
tag:
description: 'Tag to publish'
required: true
type: string
default: latest
dry_run:
description: 'Dry-run (validate only, no publish or git tag)'
required: false
type: boolean
default: false
jobs:
publish:
name: Publish package
runs-on: ubuntu-latest
permissions:
id-token: write
contents: write
steps:
- name: Checkout
uses: actions/checkout@v6
with:
submodules: recursive
- name: Set up environment
uses: ./.github/actions/setup
- name: Read package info
id: pkg
shell: bash
run: |
PKG_NAME=$(node -p "require('./packages/${{ inputs.package }}/package.json').name")
PKG_VERSION=$(node -p "require('./packages/${{ inputs.package }}/package.json').version")
echo "tag=${PKG_NAME}@${PKG_VERSION}" >> $GITHUB_OUTPUT
- name: Publish 🚀
shell: bash
run: |
pushd packages/${{ inputs.package }}
pnpm publish --provenance --tag ${{ inputs.tag }} --access public --no-git-checks ${{ inputs.dry_run && '--dry-run' || '' }}
- name: Tag release
if: ${{ !inputs.dry_run }}
run: |
git tag ${{ steps.pkg.outputs.tag }}
git push origin ${{ steps.pkg.outputs.tag }}