Fix lockfile #721
| name: Publish to npm | |
| on: | |
| push: | |
| branches: [main] | |
| tags: ["!**"] | |
| workflow_dispatch: | |
| inputs: | |
| version: | |
| description: "Version to publish (e.g., 0.1.0, 0.1.0-beta.1). Leave empty to auto-calculate." | |
| required: false | |
| type: string | |
| dist-tag: | |
| description: "npm dist-tag (e.g., latest, dev, beta)" | |
| required: true | |
| default: "latest" | |
| type: string | |
| concurrency: | |
| group: npm-publish | |
| cancel-in-progress: false | |
| jobs: | |
| publish: | |
| name: Publish packages to npm | |
| runs-on: ubuntu-latest | |
| # Safety net: only publish from main, even though push trigger is already constrained | |
| if: github.ref == 'refs/heads/main' | |
| permissions: | |
| contents: read | |
| id-token: write # Required for npm OIDC Trusted Publishing | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 | |
| - name: Setup mise | |
| uses: jdx/mise-action@9dc7d5dd454262207dea3ab5a06a3df6afc8ff26 # v3.4.1 | |
| with: | |
| cache: true | |
| - name: Setup pnpm | |
| uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0 | |
| - name: Configure npm | |
| run: pnpm config set registry https://registry.npmjs.org | |
| - name: Install dependencies | |
| run: pnpm install --frozen-lockfile | |
| - name: Determine version | |
| id: version | |
| env: | |
| GITHUB_EVENT_NAME: ${{ github.event_name }} | |
| INPUT_VERSION: ${{ github.event.inputs.version }} | |
| INPUT_TAG: ${{ github.event.inputs.dist-tag }} | |
| run: | | |
| if [ -n "$INPUT_VERSION" ]; then | |
| echo "Using provided version: $INPUT_VERSION" | |
| # Validate version format (semantic versioning) | |
| if ! echo "$INPUT_VERSION" | grep -qE '^[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9.-]+)?$'; then | |
| echo "Error: Invalid version format. Must match semantic versioning (e.g., 1.0.0 or 1.0.0-beta.1)" | |
| exit 1 | |
| fi | |
| # Validate dist-tag format (alphanumeric, hyphen, underscore only) | |
| if ! echo "$INPUT_TAG" | grep -qE '^[a-zA-Z0-9_-]+$'; then | |
| echo "Error: Invalid dist-tag format. Must contain only alphanumeric characters, hyphens, and underscores" | |
| exit 1 | |
| fi | |
| # Use heredoc to safely write to GITHUB_OUTPUT (prevents injection) | |
| { | |
| echo "version<<EOF" | |
| echo "$INPUT_VERSION" | |
| echo "EOF" | |
| echo "tag<<EOF" | |
| echo "$INPUT_TAG" | |
| echo "EOF" | |
| } >> "$GITHUB_OUTPUT" | |
| else | |
| echo "No version provided, calculating..." | |
| node scripts/determine-version.ts | |
| fi | |
| - name: Set package versions | |
| run: node scripts/set-version.ts "${{ steps.version.outputs.version }}" | |
| - name: Build packages | |
| run: pnpm build | |
| # NODE_AUTH_TOKEN is intentionally NOT set. npm detects the OIDC environment | |
| # (id-token: write) and authenticates via Trusted Publishing automatically. | |
| # Setting NODE_AUTH_TOKEN to any value -- even empty string -- would block OIDC. | |
| # | |
| # Enable npm provenance attestations for each published package. | |
| # This requires a public source repository (npm rejects provenance from private repos). | |
| - name: Publish packages | |
| env: | |
| NPM_CONFIG_PROVENANCE: "true" | |
| run: pnpm -r publish --access public --tag "${{ steps.version.outputs.tag }}" --no-git-checks |
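Review bot: The `run:` lines of "Set package versions" and "Publish packages" splice `${{ steps.version.outputs.version }}` and `${{ steps.version.outputs.tag }}` straight into the shell script, while the "Determine version" step correctly passes its inputs through `env:`; the two later steps should do the same. The regex checks in "Determine version" only run on the manual-input branch, so on a `push` the version and tag come from whatever `scripts/determine-version.ts` writes to `GITHUB_OUTPUT` (not visible here), and an interpolated value is evaluated by the shell before quoting applies. For "Set package versions" use `env:` / `VERSION: ${{ steps.version.outputs.version }}` and `run: node scripts/set-version.ts "$VERSION"`, and likewise add `DIST_TAG: ${{ steps.version.outputs.tag }}` to the existing `env:` of "Publish packages" with `--tag "$DIST_TAG"`. It would also be worth a comment on the `else` branch stating that `determine-version.ts` is expected to emit both `version` and `tag` outputs, since the publish step depends on `tag` being set there too.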