-
Notifications
You must be signed in to change notification settings - Fork 16
57 lines (45 loc) · 1.44 KB
/
release.yml
File metadata and controls
57 lines (45 loc) · 1.44 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
name: Release
# Publishes to npm with provenance (SLSA build attestation) when a version tag
# is pushed (e.g. `git tag v0.5.12 && git push --tags`).
# Requires an NPM_TOKEN repo secret (automation token, publish scope).
on:
push:
tags:
- 'v*'
permissions:
contents: read
id-token: write # required for npm provenance
jobs:
publish:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: 20
registry-url: 'https://registry.npmjs.org'
- name: Install dependencies
run: npm install
- name: Typecheck
run: npx tsc --noEmit
- name: Test
run: npm test
- name: Detection benchmark gate
run: npm run bench -- --ci
- name: Build
run: npm run build
# Idempotent: skip if this version is already on npm (e.g. published locally).
- name: Check if version already published
id: check
run: |
V=$(node -p "require('./package.json').version")
if npm view "shellward@$V" version >/dev/null 2>&1; then
echo "exists=true" >> "$GITHUB_OUTPUT"
else
echo "exists=false" >> "$GITHUB_OUTPUT"
fi
- name: Publish with provenance
if: steps.check.outputs.exists == 'false'
run: npm publish --provenance --access public
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}