fix(ci): upgrade npm for OIDC trusted publishing support (#40) #30
| name: Release Please | |
| on: | |
| push: | |
| branches: | |
| - master | |
| workflow_dispatch: | |
| inputs: | |
| tag: | |
| description: 'Publish an existing release tag (e.g. v1.0.3)' | |
| required: true | |
| permissions: | |
| contents: write | |
| pull-requests: write | |
| id-token: write | |
| jobs: | |
| release-please: | |
| if: github.event_name == 'push' | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: googleapis/release-please-action@v4 | |
| id: release | |
| with: | |
| release-type: node | |
| # If a release was created, publish to npm | |
| - name: Checkout code | |
| if: ${{ steps.release.outputs.release_created }} | |
| uses: actions/checkout@v6 | |
| - name: Setup pnpm | |
| if: ${{ steps.release.outputs.release_created }} | |
| uses: pnpm/action-setup@v5 | |
| with: | |
| version: 10 | |
| - name: Setup Node.js | |
| if: ${{ steps.release.outputs.release_created }} | |
| uses: actions/setup-node@v6 | |
| with: | |
| node-version: '20' | |
| cache: 'pnpm' | |
| registry-url: 'https://registry.npmjs.org' | |
| - name: Install dependencies | |
| if: ${{ steps.release.outputs.release_created }} | |
| run: pnpm install --frozen-lockfile | |
| - name: Build package | |
| if: ${{ steps.release.outputs.release_created }} | |
| run: pnpm run build | |
| - name: Update npm for OIDC trusted publishing | |
| if: ${{ steps.release.outputs.release_created }} | |
| run: npm install -g npm@latest | |
| - name: Publish to npm | |
| if: ${{ steps.release.outputs.release_created }} | |
| run: npm publish --access public --provenance | |
| - name: Generate SBOM | |
| if: ${{ steps.release.outputs.release_created }} | |
| run: pnpm run sbom | |
| - name: Upload SBOM to release | |
| if: ${{ steps.release.outputs.release_created }} | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: gh release upload ${{ steps.release.outputs.tag_name }} sbom.cdx.json --clobber | |
| publish: | |
| if: github.event_name == 'workflow_dispatch' | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v6 | |
| with: | |
| ref: ${{ inputs.tag }} | |
| - name: Setup pnpm | |
| uses: pnpm/action-setup@v5 | |
| with: | |
| version: 10 | |
| - name: Setup Node.js | |
| uses: actions/setup-node@v6 | |
| with: | |
| node-version: '20' | |
| cache: 'pnpm' | |
| registry-url: 'https://registry.npmjs.org' | |
| - name: Install dependencies | |
| run: pnpm install --frozen-lockfile | |
| - name: Build package | |
| run: pnpm run build | |
| - name: Update npm for OIDC trusted publishing | |
| run: npm install -g npm@latest | |
| - name: Publish to npm | |
| run: npm publish --access public --provenance | |
| - name: Generate SBOM | |
| run: pnpm run sbom | |
| - name: Upload SBOM to release | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: gh release upload ${{ inputs.tag }} sbom.cdx.json --clobber |
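Review bot: The final `run:` splices `${{ inputs.tag }}` straight into the shell command, so a workflow_dispatch tag value containing shell metacharacters is interpreted by the shell instead of being passed as one argument; the release-please job's upload step interpolates `steps.release.outputs.tag_name` the same way. Route the value through the step's `env:` and quote it: add `RELEASE_TAG: ${{ inputs.tag }}` under `env:` and change the command to `run: gh release upload "$RELEASE_TAG" sbom.cdx.json --clobber`. The `npm install -g npm@latest` step in both jobs installs whatever npm is current at publish time, so pinning it, e.g. `npm install -g npm@<PINNED_VERSION>` with the minimum version known to support trusted publishing, keeps the toolchain that produces the `--provenance` attestation reproducible. The actions are also referenced by mutable major tags (`@v4`, `@v5`, `@v6`) rather than commit SHAs, which is the usual hardening for a workflow holding `id-token: write`, and `pull-requests: write` declared at workflow level is inherited by the `publish` job, which from the visible steps does not need it, so the permissions could move to job level; the rendered page shows no side markers, so which of these lines the commit itself touched cannot be told from here.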