mirror of
https://github.com/jcreek/Tech-Radar-Editor.git
synced 2026-07-12 18:43:46 +00:00
build(*): Enable trusted publishing
This commit is contained in:
@@ -14,6 +14,7 @@ jobs:
|
|||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
permissions:
|
permissions:
|
||||||
contents: write
|
contents: write
|
||||||
|
id-token: write
|
||||||
issues: write
|
issues: write
|
||||||
pull-requests: write
|
pull-requests: write
|
||||||
|
|
||||||
@@ -35,6 +36,16 @@ jobs:
|
|||||||
- name: Install dependencies
|
- name: Install dependencies
|
||||||
run: pnpm install --frozen-lockfile
|
run: pnpm install --frozen-lockfile
|
||||||
|
|
||||||
|
- name: Verify npm trusted publishing auth
|
||||||
|
run: |
|
||||||
|
if [ -n "${ACTIONS_ID_TOKEN_REQUEST_URL:-}" ]; then
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo "Missing GitHub Actions OIDC token for npm trusted publishing."
|
||||||
|
echo "Ensure this workflow keeps the id-token: write permission."
|
||||||
|
exit 1
|
||||||
|
|
||||||
- name: Typecheck Svelte package
|
- name: Typecheck Svelte package
|
||||||
run: pnpm --filter tech-radar-editor check
|
run: pnpm --filter tech-radar-editor check
|
||||||
|
|
||||||
@@ -44,5 +55,4 @@ jobs:
|
|||||||
- name: Publish packages
|
- name: Publish packages
|
||||||
env:
|
env:
|
||||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||||
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
|
|
||||||
run: pnpm release
|
run: pnpm release
|
||||||
|
|||||||
@@ -161,12 +161,16 @@ Releases are now automated with GitHub Actions and `semantic-release`.
|
|||||||
- `fix:` triggers a patch release, `feat:` triggers a minor release, and `BREAKING CHANGE:` or `!` triggers a major release.
|
- `fix:` triggers a patch release, `feat:` triggers a minor release, and `BREAKING CHANGE:` or `!` triggers a major release.
|
||||||
- Only packages with changes since their last tag are published, so the three packages version independently.
|
- Only packages with changes since their last tag are published, so the three packages version independently.
|
||||||
|
|
||||||
The release workflow expects an `NPM_TOKEN` repository secret with publish access to:
|
The release workflow uses npm trusted publishing from GitHub Actions for:
|
||||||
|
|
||||||
- `tech-radar-editor`
|
- `tech-radar-editor`
|
||||||
- `tech-radar-editor-backend`
|
- `tech-radar-editor-backend`
|
||||||
- `tech-radar-editor-backstage`
|
- `tech-radar-editor-backstage`
|
||||||
|
|
||||||
|
Each package must be configured in npm to trust releases from this GitHub repository's `main` branch workflow.
|
||||||
|
|
||||||
|
The release job requires the GitHub Actions `id-token: write` permission so npm can validate the OIDC identity issued for this repository.
|
||||||
|
|
||||||
To preview what the release job would do locally after installing dependencies:
|
To preview what the release job would do locally after installing dependencies:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
|
|||||||
Reference in New Issue
Block a user