stackbilt-build/.github/workflows/release.yml at main · Stackbilt-dev/stackbilt-build · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
name: Release

on:
  push:
    tags:
      - 'v*'
    branches-ignore:
      - '**'
  workflow_dispatch:
    inputs:
      tag:
        description: 'Existing tag to publish (for backfill), e.g. v0.4.2'
        required: true
        type: string

permissions:
  contents: write

jobs:
  publish-release:
    if: startsWith(github.ref, 'refs/tags/v') || github.event_name == 'workflow_dispatch'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0

      - name: Resolve tag
        id: tag
        shell: bash
        run: |
          if [[ "${GITHUB_EVENT_NAME}" == "workflow_dispatch" ]]; then
            TAG="${{ inputs.tag }}"
          else
            TAG="${GITHUB_REF_NAME}"
          fi

          if [[ -z "${TAG}" ]]; then
            echo "Tag could not be resolved." >&2
            exit 1
          fi

          echo "value=${TAG}" >> "$GITHUB_OUTPUT"

      - name: Verify tag
        shell: bash
        run: |
          TAG="${{ steps.tag.outputs.value }}"
          if [[ ! "${TAG}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
            echo "Invalid tag format: ${TAG}. Expected v<major>.<minor>.<patch>" >&2
            exit 1
          fi

          if [[ "${GITHUB_EVENT_NAME}" == "push" ]]; then
            PKG_VERSION="$(node -p "require('./package.json').version")"
            EXPECTED_TAG="v${PKG_VERSION}"

            if [[ "${TAG}" != "${EXPECTED_TAG}" ]]; then
              echo "Tag/version mismatch on push: got ${TAG}, expected ${EXPECTED_TAG}" >&2
              exit 1
            fi
          else
            if ! git rev-parse -q --verify "refs/tags/${TAG}" >/dev/null; then
              echo "Tag not found in repository: ${TAG}" >&2
              exit 1
            fi
          fi

      - name: Build release notes from CHANGELOG
        shell: bash
        run: |
          TAG="${{ steps.tag.outputs.value }}"
          VERSION="${TAG#v}"

          if [[ -f CHANGELOG.md ]]; then
            awk -v version="${VERSION}" '
              BEGIN { in_section=0 }
              $0 ~ "^## \\[" version "\\]" { in_section=1; print; next }
              in_section && $0 ~ "^## \\[" { exit }
              in_section { print }
            ' CHANGELOG.md > release_notes.md
          fi

          if [[ ! -s release_notes.md ]]; then
            echo "## ${TAG}" > release_notes.md
            echo >> release_notes.md
            echo "See CHANGELOG.md for release details." >> release_notes.md
          fi

      - name: Create or update GitHub Release
        uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3.0.0
        with:
          tag_name: ${{ steps.tag.outputs.value }}
          name: ${{ steps.tag.outputs.value }}
          body_path: release_notes.md
          generate_release_notes: true

  publish-npm:
    if: startsWith(github.ref, 'refs/tags/v') || github.event_name == 'workflow_dispatch'
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
          ref: ${{ inputs.tag || github.ref }}

      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version: '20'

      - name: Upgrade npm for trusted-publisher support
        run: npm install -g npm@latest

      - name: Install dependencies
        run: if [ -f package-lock.json ]; then npm ci; else npm install; fi

      - name: Build
        run: npm run build

      - name: Verify tag and workspace versions
        shell: bash
        run: |
          TAG="${{ github.event.inputs.tag || github.ref_name }}"
          if [[ ! "${TAG}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
            echo "::error::Invalid tag format: ${TAG}. Expected v<major>.<minor>.<patch>"
            exit 1
          fi

          EXPECTED="${TAG#v}"
          V=$(node -p "require('./package.json').version")
          N=$(node -p "require('./package.json').name")
          if [[ "$V" != "$EXPECTED" ]]; then
            echo "::error::$N version $V does not match tag $EXPECTED"
            exit 1
          fi

      - name: Publish to npm
        shell: bash
        run: |
          TAG="${{ github.event.inputs.tag || github.ref_name }}"
          VERSION="${TAG#v}"
          mkdir -p release-tarballs

          npm pack --pack-destination ./release-tarballs

          TARBALL="./release-tarballs/stackbilt-build-${VERSION}.tgz"
          if npm view "@stackbilt/build@${VERSION}" version &>/dev/null 2>&1; then
            echo "Skipping @stackbilt/build@${VERSION} — already published"
          else
            npm publish "${TARBALL}" --access public --provenance
          fi