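---
# CI workflow: lint, build and test on pushes and pull requests to main.
# On main it also tags a new package.json version and publishes it to npm.
name: CI

on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main

# Workflow-wide default for GITHUB_TOKEN. Kept read-only so that the build
# job, which runs pull-request code and a third-party action, cannot write
# to the repository. Jobs that need more declare it themselves.
permissions:
  contents: read

# NOTE(review): every action below is referenced by a mutable major-version
# tag (@v4, @v5). Pinning each one to a reviewed full commit SHA keeps a
# retagged release from running in jobs that hold secrets or id-token: write.

jobs:
  build:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        # Quoted so the version is always read as a string.
        node-version: ['20.x']
    steps:
      - uses: actions/checkout@v4
        with:
          # None of the visible steps in this job pushes or fetches with git,
          # so the token is not left in .git/config for npm scripts to read.
          persist-credentials: false
      - name: Use Node.js ${{ matrix.node-version }}
        uses: actions/setup-node@v4
        with:
          node-version: ${{ matrix.node-version }}
          cache: 'npm'
      - name: Install dependencies
        run: npm ci
      - name: Lint
        run: npm run lint
        continue-on-error: false
      - name: Build
        run: npm run build
        continue-on-error: false
      - name: Test
        run: npm test
        continue-on-error: false
      - name: Upload coverage reports to Codecov
        uses: codecov/codecov-action@v5
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
          fail_ci_if_error: true

  create-tag:
    needs: build
    if: github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    # The only job that pushes to the repository (the version tag).
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
        with:
          # Full history, so `git describe --tags` below can see earlier tags.
          fetch-depth: 0
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'
      - name: Get current version
        id: get_version
        run: |
          echo "VERSION=$(node -p "require('./package.json').version")" >> "$GITHUB_OUTPUT"
      - name: Check if version changed
        id: check_version
        env:
          # Passed through the environment instead of being expanded into the
          # script text, so the package.json value is treated as data and is
          # never parsed as shell source.
          CURRENT_VERSION: ${{ steps.get_version.outputs.VERSION }}
        run: |
          LATEST_TAG=$(git describe --tags --abbrev=0 2>/dev/null || echo "v0.0.0")
          LATEST_VERSION=${LATEST_TAG#v}
          if [ "$CURRENT_VERSION" != "$LATEST_VERSION" ]; then
            echo "version_changed=true" >> "$GITHUB_OUTPUT"
            echo "new_tag=v$CURRENT_VERSION" >> "$GITHUB_OUTPUT"
          else
            echo "version_changed=false" >> "$GITHUB_OUTPUT"
          fi
      - name: Create and push tag
        if: steps.check_version.outputs.version_changed == 'true'
        env:
          # Same reason as above: the tag name reaches the shell as a quoted
          # variable, not as interpolated script text.
          NEW_TAG: ${{ steps.check_version.outputs.new_tag }}
        run: |
          git config --local user.email "github-actions[bot]@users.noreply.github.com"
          git config --local user.name "github-actions[bot]"
          git tag "$NEW_TAG"
          # Push the tag ref explicitly so a branch of the same name cannot
          # make the refspec ambiguous.
          git push origin "refs/tags/$NEW_TAG"

  publish:
    needs: [build, create-tag]
    # Stated explicitly instead of relying on create-tag being skipped for
    # pull requests, because this job can mint an OIDC token and publish.
    if: github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    # Required permissions for npm trusted publishing (OIDC)
    permissions:
      contents: read
      id-token: write  # Required for OIDC token generation
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          # Publishing authenticates through OIDC, not git, so the checkout
          # token is not kept on disk while install scripts run.
          persist-credentials: false
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'
          registry-url: 'https://registry.npmjs.org'
      # Ensure npm 11.5.1+ is installed (required for trusted publishing)
      # NOTE(review): `npm@latest` floats. This job holds id-token: write,
      # so consider installing a reviewed, fixed npm version at or above
      # 11.5.1 instead.
      - name: Update npm to latest
        run: |
          npm install -g npm@latest
          echo "npm version: $(npm --version)"
      # Remove .npmrc created by setup-node to let OIDC handle authentication
      - name: Configure npm for OIDC
        run: |
          rm -f .npmrc ~/.npmrc
          npm config set registry https://registry.npmjs.org/
      - name: Check published version
        id: check-version
        run: |
          CURRENT_VERSION=$(node -p "require('./package.json').version")
          PUBLISHED_VERSION=$(npm view git-commitai-cli version 2>/dev/null || echo "0.0.0")
          # Lowest of the two by version sort; if that is the current version,
          # there is nothing newer to publish.
          LOWEST_VERSION=$(echo -e "$CURRENT_VERSION\n$PUBLISHED_VERSION" | sort -V | head -n1)
          if [ "$CURRENT_VERSION" = "$PUBLISHED_VERSION" ] || [ "$LOWEST_VERSION" = "$CURRENT_VERSION" ]; then
            echo "Current version ($CURRENT_VERSION) is the same or lower than the published version ($PUBLISHED_VERSION). Exiting."
            echo "should_publish=false" >> "$GITHUB_OUTPUT"
            exit 0
          fi
          echo "should_publish=true" >> "$GITHUB_OUTPUT"
      - name: Install dependencies
        run: npm ci
      - name: Ensure esbuild is executable
        run: |
          npx esbuild --version
          npm list esbuild
      # Publish using OIDC trusted publishing - no NPM_TOKEN needed!
      # Provenance attestation is automatically generated
      - name: Publish to npm
        if: steps.check-version.outputs.should_publish == 'true'
        run: npm publish --access=public --provenance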