ci: Set up trusted publishing (#962)

janbuchar · web-flow · commit cfefdcd1dd6c · 2025-11-13T11:42:15.000+01:00
- closes #907
diff --git a/.github/workflows/pre_release.yaml b/.github/workflows/pre_release.yaml
@@ -220,44 +220,13 @@ jobs:
         needs: [update_changelog]
         runs-on: ubuntu-latest
 
-        # Required for --provenances to work
-        permissions:
-            id-token: write
-
         steps:
-            - uses: actions/checkout@v5
-              with:
-                  ref: ${{ needs.update_changelog.outputs.changelog_commitish }}
-
-            - name: Use Node.js
-              uses: actions/setup-node@v6
-              with:
-                  node-version: 24
-                  registry-url: https://registry.npmjs.org
-                  package-manager-cache: false
-
-            - name: Enable corepack
-              run: |
-                  corepack enable
-                  corepack prepare yarn@stable --activate
-
-            - name: Activate cache for yarn
-              uses: actions/setup-node@v6
-              with:
-                  cache: yarn
-
-            - name: Install dependencies
-              run: yarn
-
-            # Check version consistency and increment pre-release version number for beta only.
-            - name: Bump pre-release version
-              run: yarn tsx ./.github/scripts/before-beta-release.ts
-
-            - name: Build module
-              run: yarn build
-
-            - name: Publish to NPM
-              run: |
-                  yarn npm publish --provenance --access public --tag beta
-              env:
-                  YARN_NPM_AUTH_TOKEN: ${{ secrets.APIFY_SERVICE_ACCOUNT_NPM_TOKEN }}
+            - name: Execute publish workflow
+              uses: apify/workflows/execute-workflow@main
+              with:
+                  workflow: publish_to_npm.yaml
+                  inputs: >
+                      { 
+                          "ref": "${{ needs.update_changelog.outputs.changelog_commitish }}", 
+                          "tag": "beta" 
+                      }
diff --git a/.github/workflows/publish_to_npm.yaml b/.github/workflows/publish_to_npm.yaml
@@ -0,0 +1,60 @@
+name: Publish to NPM
+
+on:
+    workflow_dispatch:
+        inputs:
+            ref:
+                description: Git ref to publish (branch, tag, or commit SHA)
+                required: true
+                type: string
+            tag:
+                description: NPM dist-tag
+                required: true
+                type: choice
+                default: latest
+                options:
+                    - latest
+                    - beta
+
+permissions:
+    id-token: write # Required for OIDC
+    contents: read
+
+jobs:
+    publish_to_npm:
+        name: Publish to NPM
+        runs-on: ubuntu-latest
+        steps:
+            - uses: actions/checkout@v5
+              with:
+                  ref: ${{ inputs.ref }}
+
+            - name: Use Node.js
+              uses: actions/setup-node@v6
+              with:
+                  node-version: 24
+                  registry-url: "https://registry.npmjs.org"
+                  package-manager-cache: false
+
+            - name: Enable corepack
+              run: |
+                  corepack enable
+                  corepack prepare yarn@stable --activate
+
+            - name: Activate cache for yarn
+              uses: actions/setup-node@v6
+              with:
+                  cache: yarn
+
+            - name: Install dependencies
+              run: yarn
+
+            - name: Check version consistency and bump pre-release version (beta only)
+              if: ${{ inputs.tag == 'beta' }}
+              run: yarn tsx ./.github/scripts/before-beta-release.ts
+
+            - name: Build module
+              run: yarn build
+
+            - name: Publish to NPM
+              run: yarn npm publish --provenance --access public --tag ${{ inputs.tag }}
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -250,41 +250,15 @@ jobs:
             contents: write
             id-token: write
         steps:
-            - uses: actions/checkout@v5
+            - name: Execute publish workflow
+              uses: apify/workflows/execute-workflow@main
               with:
-                  ref: ${{ needs.update_changelog.outputs.changelog_commitish }}
-
-            - name: Use Node.js
-              uses: actions/setup-node@v6
-              with:
-                  node-version: 24
-                  registry-url: https://registry.npmjs.org
-                  package-manager-cache: false
-
-            - name: Enable corepack
-              run: |
-                  corepack enable
-                  corepack prepare yarn@stable --activate
-
-            - name: Activate cache for yarn
-              uses: actions/setup-node@v6
-              with:
-                  cache: yarn
-
-            - name: Install dependencies
-              run: yarn
-
-            - name: Build module
-              run: yarn build
-
-            - name: Pack with yarn
-              run: yarn pack
-
-            - name: Publish to NPM
-              run: |
-                  yarn npm publish --provenance --access public
-              env:
-                  YARN_NPM_AUTH_TOKEN: ${{ secrets.APIFY_SERVICE_ACCOUNT_NPM_TOKEN }}
+                  workflow: publish_to_npm.yaml
+                  inputs: >
+                      { 
+                          "ref": "${{ needs.update_changelog.outputs.changelog_commitish }}", 
+                          "tag": "latest" 
+                      }
 
     update_homebrew_formula:
         name: Update Homebrew Formula
