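name: Release

# Publish all packages to npm and cut a GitHub Release. Trigger: push a version
# tag (v*) — e.g. `pnpm version:minor` then `git push --follow-tags`. The tag must
# match every published package version. Release notes are generated by git-cliff
# from the Conventional Commit history since the previous tag (see cliff.toml).
#
# NOTE(review): every `uses:` below references a mutable version tag. This job holds
# `contents: write`, `id-token: write` and the npm token, so pinning each action as
# `uses: owner/action@<full-commit-sha> # vN` (SHA resolved from the upstream repo)
# keeps a re-pointed tag from changing what runs here.

on:
  push:
    tags:
      - "v*"

concurrency:
  group: release-${{ github.ref }}
  cancel-in-progress: false # never abort a release that may already be publishing

permissions:
  contents: write # create the GitHub Release
  id-token: write # OIDC for npm (enables trusted publishing later; npm provenance needs a public repo)

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v6
        with:
          fetch-depth: 0 # full history + tags so git-cliff can build notes since the previous tag
          # Keep the job token out of .git/config: the install, typecheck, lint, test and
          # build steps run dependency and project scripts, and the release step receives
          # GH_TOKEN explicitly. Drop this only if a later step needs authenticated git access.
          persist-credentials: false

      - name: Install pnpm
        uses: pnpm/action-setup@v6

      - name: Setup Node
        uses: actions/setup-node@v6
        with:
          node-version: 22
          # NOTE(review): the restored pnpm cache feeds a job that publishes; confirm which
          # workflows are able to write this cache, or skip caching in the release job.
          cache: pnpm
          registry-url: "https://registry.npmjs.org" # writes .npmrc so pnpm publish authenticates

      - name: Install dependencies
        run: pnpm install --frozen-lockfile

      # Gate: fail before any build or publish if a non-private package's version
      # differs from the pushed tag (tag `vX.Y.Z` is compared as `X.Y.Z`).
      - name: Verify tag matches every published package version
        run: |
          TAG_VERSION="${GITHUB_REF_NAME#v}"
          FAIL=0
          for manifest in packages/*/package.json; do
            if [ "$(node -p "require('./$manifest').private === true")" = "true" ]; then
              continue
            fi
            VERSION="$(node -p "require('./$manifest').version")"
            if [ "$VERSION" != "$TAG_VERSION" ]; then
              echo "::error::$manifest version $VERSION does not match tag $GITHUB_REF_NAME"
              FAIL=1
            fi
          done
          [ "$FAIL" = "0" ]

      - name: Typecheck
        run: pnpm typecheck

      - name: Lint
        run: pnpm lint:check

      - name: Test
        run: pnpm test

      - name: Build
        run: pnpm build

      - name: Publish to npm
        # Public repo + `id-token: write` enables npm provenance: consumers can cryptographically
        # verify each @coldsmirk/* package was built and published from this repo's CI.
        # The npm token is set on this step only, so the earlier steps never see it.
        run: pnpm -r publish --access public --no-git-checks --provenance
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

      - name: Generate release notes
        id: changelog
        uses: orhun/git-cliff-action@v4
        with:
          config: cliff.toml
          args: --latest

      - name: Create GitHub Release
        # Tag name and notes reach the shell as quoted environment variables rather than
        # being interpolated into the script text.
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          NOTES: ${{ steps.changelog.outputs.content }}
        run: gh release create "$GITHUB_REF_NAME" --title "$GITHUB_REF_NAME" --notes "$NOTES"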