diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 51dd999..5f4c491 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -76,21 +76,28 @@ jobs: id-token: write # Required for OIDC authentication with npm env: - GITHUB_TOKEN: ${{ secrets.MP_INTEGRATIONS_SEMANTIC_RELEASE_BOT }} GIT_AUTHOR_NAME: mparticle-automation GIT_AUTHOR_EMAIL: developers@mparticle.com GIT_COMMITTER_NAME: mparticle-automation GIT_COMMITTER_EMAIL: developers@mparticle.com - # npm auth: no trusted publisher is configured on npmjs for this package, - # so publish authenticates with the org token (provenance still attested via OIDC). + # npm auth: publish authenticates via OIDC trusted publishing; the token + # remains as a fallback (provenance is still attested via OIDC). NODE_AUTH_TOKEN: ${{ secrets.NPM_AUTH_TOKEN }} steps: + - name: Generate GitHub App token + id: app_token + uses: actions/create-github-app-token@v3 + with: + app-id: ${{ secrets.SDK_RELEASE_GITHUB_APP_ID }} + private-key: ${{ secrets.SDK_RELEASE_GITHUB_APP_PRIVATE_KEY }} + - name: Checkout public main branch uses: actions/checkout@v6 with: fetch-depth: 0 ref: main + token: ${{ steps.app_token.outputs.token }} - name: Import GPG Key uses: crazy-max/ghaction-import-gpg@v4 @@ -117,10 +124,14 @@ jobs: - name: Release --dry-run if: ${{ github.event.inputs.dryRun == 'true'}} + env: + GITHUB_TOKEN: ${{ steps.app_token.outputs.token }} run: | npx semantic-release --dry-run - name: Release if: ${{ github.event.inputs.dryRun == 'false'}} + env: + GITHUB_TOKEN: ${{ steps.app_token.outputs.token }} run: | npx semantic-release - name: Archive npm failure logs 
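Review bot: The rewritten comment in the release job's env block says publish now authenticates via OIDC trusted publishing with the token as a fallback, but NODE_AUTH_TOKEN is still set unconditionally, and as far as I recall the npm CLI uses a configured token in preference to the OIDC exchange (confirm against the npm trusted-publishing docs); if so, the long-lived NPM_AUTH_TOKEN remains the credential actually used and the comment misstates the posture. If a trusted publisher is now configured on npmjs, removing NODE_AUTH_TOKEN (or gating it on a workflow input) is what moves publish onto OIDC; otherwise the comment should say the token is still primary. Separately, the new Generate GitHub App token step mints an installation token with the app's full permission set; actions/create-github-app-token accepts `permission-contents: write` and `repositories:` inputs to narrow it to what semantic-release needs for the push and tag. It is also pinned to the moving `v3` tag while the release-action added later in this diff is pinned to a commit SHA, so pinning this step (and actions/checkout, which now receives the token) to a SHA keeps the supply-chain posture consistent. The second hunk of this file only threads the same token into the Release steps and needs no separate change.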
@@ -138,13 +149,22 @@ jobs:
     name: Sync repositories
     needs: release
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
+      - name: Generate GitHub App token
+        id: app_token
+        uses: actions/create-github-app-token@v3
+        with:
+          app-id: ${{ secrets.SDK_RELEASE_GITHUB_APP_ID }}
+          private-key: ${{ secrets.SDK_RELEASE_GITHUB_APP_PRIVATE_KEY }}
+
       - name: Checkout main branch
         uses: actions/checkout@v6
         with:
           fetch-depth: 0
           repository: ${{ github.repository }}
-          token: ${{ secrets.MP_INTEGRATIONS_SEMANTIC_RELEASE_BOT }}
+          token: ${{ steps.app_token.outputs.token }}
           ref: main
 
       - name: Merge release branch into main branch
@@ -160,3 +180,20 @@ jobs:
         if: ${{ github.event.inputs.dryRun == 'false' }}
         run: |
           git push --delete origin release/${{ github.run_number }}
+
+      # Runs last so a Release failure can't block npm publish, the tag, or the sync.
+      - name: Resolve released version
+        id: version
+        if: ${{ github.event.inputs.dryRun == 'false' }}
+        run: echo "release-version=v$(node -p "require('./package.json').version")" >> "$GITHUB_OUTPUT"
+
+      - name: Create GitHub release
+        if: ${{ github.event.inputs.dryRun == 'false' }}
+        uses: ncipollo/release-action@339a81892b84b4eeb0f6e744e4574d79d0d9b8dd # v1.21.0
+        with:
+          makeLatest: true
+          allowUpdates: true
+          generateReleaseNotes: true
+          tag: ${{ steps.version.outputs.release-version }}
+          artifacts: 'dist/RoktPayPlus-Kit.common.js,dist/RoktPayPlus-Kit.esm.js,dist/RoktPayPlus-Kit.iife.js,dist/RoktPayPlus-Kit.d.ts'
+          token: ${{ steps.app_token.outputs.token }}
diff --git a/release.config.js b/release.config.js
index 7c4769a..2f23a89 100644
--- a/release.config.js
+++ b/release.config.js
@@ -46,17 +46,6 @@ module.exports = {
         publishCmd: 'npm publish',
       },
     ],
-    [
-      '@semantic-release/github',
-      {
-        assets: [
-          'dist/RoktPayPlus-Kit.common.js',
-          'dist/RoktPayPlus-Kit.esm.js',
-          'dist/RoktPayPlus-Kit.iife.js',
-          'dist/RoktPayPlus-Kit.d.ts',
-        ],
-      },
-    ],
     [
       '@semantic-release/git',
       {
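Review bot: The new `permissions: contents: write` on the sync job widens the default GITHUB_TOKEN, yet every authenticated operation visible in this hunk goes through the App token (the checkout `token:`, and the release step in the next hunk), so the default token's write scope looks unused; unless the merge/push steps outside the hunk depend on it, `contents: read` would be least privilege, since actions/checkout persists the supplied App token in the clone by default and later git pushes use that credential rather than GITHUB_TOKEN. The Generate GitHub App token step here duplicates the one in this file's first hunk and carries the same two points: the installation token is not narrowed with `permission-contents: write` / `repositories:`, and `actions/create-github-app-token@v3` is a mutable tag where the release-action step below is SHA-pinned. The remainder of the job's steps starts outside the hunk.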
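Review bot: The Create GitHub release step lists four `dist/` artifacts, but ncipollo/release-action's `artifactErrorsFailBuild` defaults to false, so if those files are absent in this job (the sync job re-checks out main and no build or artifact-download step is visible in the hunk) the release is created with no assets and the step still reports success; adding `artifactErrorsFailBuild: true` under `with:` makes a missing asset a hard failure. `allowUpdates: true` also lets any re-run overwrite an existing release, including replacing assets consumers may already have fetched; if the intent is only to tolerate a pre-existing tag, `skipIfReleaseExists: true` is the narrower option (confirm which re-run behaviour is wanted). The `tag:` value is read from `package.json` on main after the merge, and if the version-bump commit has not landed there the action would create that tag at a different commit than the one semantic-release tagged, so the ordering assumption deserves a comment on the Resolve released version step, e.g. `# Assumes the merge above brought the version bump from the release branch into main`. The release.config.js hunk that removes the @semantic-release/github plugin is the counterpart of this step and needs no separate note.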