🐸 Versioned release (#100) #164
| # 🐸 Bumpy CI release | |
| # when changes are made to main, it either creates/updates release PR, or triggers release | |
| # ⚠️ NOTE - DO NOT COPY THIS FILE | |
| # instead look at the recommended workflow in the docs | |
| # ➡️ https://bumpy.varlock.dev/blob/main/docs/github-actions.md ⬅️ | |
| name: Release | |
| on: | |
| push: | |
| branches: [main] | |
| concurrency: | |
| group: bumpy-release | |
| cancel-in-progress: false | |
| jobs: | |
| # Detect what `bumpy ci release` would do and gate downstream jobs accordingly. | |
| # Runs with no write permissions and no publish credentials. | |
| plan: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| outputs: | |
| mode: ${{ steps.plan.outputs.mode }} | |
| packages: ${{ steps.plan.outputs.packages }} | |
| steps: | |
| - uses: actions/checkout@v6 | |
| with: | |
| fetch-depth: 0 | |
| - uses: oven-sh/setup-bun@v2 | |
| - run: bun install | |
| # --- You wont need this part --- | |
| # Build first since we use the local built version of bumpy instead of the published one | |
| - run: bun run --filter @varlock/bumpy build | |
| # run bun install again to make the now built CLI available | |
| - run: bun install | |
| # ------------------------------- | |
| # 🐸 Outputs: mode (version-pr|publish|nothing), packages (comma-separated), json (full plan) | |
| - id: plan | |
| run: bunx @varlock/bumpy ci plan | |
| env: | |
| GH_TOKEN: ${{ github.token }} | |
| # Creates/updates the Version Packages PR. No publish credentials — never sees | |
| # id-token or npm secrets, so a malicious commit to main can't ride this job to publish. | |
| version-pr: | |
| needs: plan | |
| if: needs.plan.outputs.mode == 'version-pr' | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: write | |
| pull-requests: write | |
| steps: | |
| - uses: actions/checkout@v6 | |
| with: | |
| fetch-depth: 0 | |
| - uses: oven-sh/setup-bun@v2 | |
| - run: bun install | |
| # --- You wont need this part --- | |
| - run: bun run --filter @varlock/bumpy build | |
| - run: bun install | |
| # ------------------------------- | |
| - run: bunx @varlock/bumpy ci release --expect-mode version-pr | |
| env: | |
| GH_TOKEN: ${{ github.token }} | |
| BUMPY_GH_TOKEN: ${{ secrets.BUMPY_GH_TOKEN }} # <- PAT so that version PR triggers CI | |
| # Publishes packages. Scoped to the `publish` environment — pin the npm trusted | |
| # publisher to this environment name on npmjs.com so that an OIDC token requested | |
| # from any other job (or a rogue workflow file) will be rejected by npm. | |
| publish: | |
| needs: plan | |
| if: needs.plan.outputs.mode == 'publish' | |
| runs-on: ubuntu-latest | |
| environment: publish | |
| permissions: | |
| contents: write | |
| id-token: write # required for npm trusted publishing (OIDC) | |
| steps: | |
| - uses: actions/checkout@v6 | |
| with: | |
| fetch-depth: 0 | |
| - uses: oven-sh/setup-bun@v2 | |
| # Node.js (npm) is needed for npm publish | |
| - uses: actions/setup-node@v6 | |
| with: | |
| node-version: latest | |
| - run: npm install -g npm@latest # ensure npm >= 11.15.0 for staged publishing | |
| - run: bun install | |
| # --- You wont need this part --- | |
| - run: bun run --filter @varlock/bumpy build | |
| - run: bun install | |
| # ------------------------------- | |
| - run: echo "📦 Publishing packages:" && echo "${{ needs.plan.outputs.packages }}" | |
| - run: bunx @varlock/bumpy ci release --expect-mode publish | |
| env: | |
| GH_TOKEN: ${{ github.token }} | |
| # We dont use the default GH token so that further workflows can be triggred by GH release events | |
| BUMPY_GH_TOKEN: ${{ secrets.BUMPY_GH_TOKEN }} |
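Review bot: The `run: echo "📦 Publishing packages:" && echo "${{ needs.plan.outputs.packages }}"` step in the `publish` job interpolates a job output straight into the shell script, which is the expression-injection pattern GitHub's hardening guidance warns against; the safe form is `- run: echo "📦 Publishing packages:" && echo "$PACKAGES"` with `env:` / `PACKAGES: ${{ needs.plan.outputs.packages }}` beneath it. The value comes from `bunx @varlock/bumpy ci plan` in the `plan` job and, on a `push` to `main`, is presumably derived from repository content, so the exposure here is limited, but this is the one job holding `id-token: write` and `contents: write`, and the env-var form costs nothing. Relatedly, `node-version: latest` and `npm install -g npm@latest` make the publish toolchain unpinned; the `>= 11.15.0` comment suggests a concrete floor that could be pinned instead of `latest` so a surprise npm release cannot change publish behaviour unreviewed. The `BUMPY_GH_TOKEN` PAT in `version-pr` is a write-to-main credential even though it is not a publish credential, so the "No publish credentials" comment on that job is accurate but could note that the PAT's scope should be limited to contents and pull-requests on this repository.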