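# Publish to NPM: bump package versions with `nx release`, build, attest the
# build provenance, publish to the npm registry (and, for non-pre releases, a
# GitHub release), warm the CDN and post the outcome to Slack.
#
# Triggers: manual (workflow_dispatch) with a release type and optional dry
# run, or any push to main.
name: Publish to NPM

# `on` is a YAML 1.1 boolean for generic parsers; GitHub's loader handles it.
# yamllint disable-line rule:truthy
on:
  workflow_dispatch:
    inputs:
      release_type:
        type: choice
        description: Release Type
        options:
          - prepatch
          - preminor
          - premajor
          - patch
          - minor
          - major
        required: true
        default: prepatch
      dry_run:
        type: boolean
        description: "(Optional) Dry run"
        required: false
        default: false
  push:
    branches:
      - main

env:
  # NOTE(review): on the push trigger there are no inputs, so RELEASE_TYPE is
  # the empty string and every `!startsWith(env.RELEASE_TYPE, 'pre')` guard
  # below treats the run as a public release -- confirm that is intended.
  RELEASE_TYPE: ${{ github.event.inputs.release_type }}
  # github.event.inputs values are strings, so DRY_RUN is 'true' / 'false'.
  DRY_RUN: ${{ github.event.inputs.dry_run || 'false' }}

# One release per ref and release type at a time; never cancel a running publish.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event.inputs.release_type }}
  cancel-in-progress: false

jobs:
  Publish:
    name: Publish Workflow
    runs-on: ubuntu-latest-4-cores
    # Job-level env is visible to every step, including third-party actions.
    # GH_TOKEN is read by the `gh` CLI; the SDK_PUBLISH_* secrets are read by
    # the major-release check and (presumably) the notify-slack composite
    # action -- TODO(review): scope them to the steps that need them once that
    # is confirmed.
    env:
      GH_TOKEN: ${{ secrets.TS_IMMUTABLE_SDK_GITHUB_TOKEN }}
      NODE_OPTIONS: --max-old-space-size=14366
      SDK_PUBLISH_SLACK_WEBHOOK: ${{ secrets.SDK_PUBLISH_SLACK_WEBHOOK }}
      SDK_PUBLISH_MAJOR_VERSION_ACTORS: ${{ secrets.SDK_PUBLISH_MAJOR_VERSION_ACTORS }}
    # An explicit permissions block sets every unlisted scope to none;
    # repository access below goes through the TS_IMMUTABLE_SDK_GITHUB_TOKEN
    # PAT instead of the job's GITHUB_TOKEN.
    permissions:
      id-token: write # ! Required for GitHub Attestations, removing will create a Sev 0 incident !
      attestations: write # ! Required for GitHub Attestations, removing will create a Sev 0 incident !
    steps:
      # Non-pre releases (patch/minor/major) may only be cut from main.
      # github.ref is read from the default GITHUB_REF variable rather than
      # interpolated into the script (script-injection hygiene).
      - name: Check Public Release Branch
        if: ${{ !startsWith(env.RELEASE_TYPE, 'pre') && github.ref != 'refs/heads/main' }}
        run: |
          echo "Public releases can only be executed from the main branch, current branch $GITHUB_REF"
          exit 1

      # Major releases require the triggering actor to be a repo admin (this
      # step) AND to appear in the SDK_PUBLISH_MAJOR_VERSION_ACTORS list (below).
      # TODO(review): pin this third-party action to a full commit SHA instead
      # of the mutable @v2 tag.
      - name: Check User Permission
        if: ${{ env.RELEASE_TYPE == 'major' }}
        id: check_user_permission
        uses: actions-cool/check-user-permission@v2
        with:
          token: ${{ secrets.TS_IMMUTABLE_SDK_GITHUB_TOKEN }}
          require: admin
          username: ${{ github.triggering_actor }}
          check-bot: true

      - name: Log User Permission
        if: ${{ env.RELEASE_TYPE == 'major' }}
        env:
          USER_PERMISSION: ${{ steps.check_user_permission.outputs.user-permission }}
          REQUIRE_RESULT: ${{ steps.check_user_permission.outputs.require-result }}
        run: |
          echo "Check user permissions for triggering actor - $GITHUB_TRIGGERING_ACTOR"
          echo "user-permission = $USER_PERMISSION"
          echo "require-result = $REQUIRE_RESULT"

      # Fail closed: the actor must pass the admin check AND be on the
      # allow-list. The previous version used JavaScript `.includes(...)`
      # inside a bash `[[ ]]`, which never evaluated the allow-list at all.
      # The list is parsed with jq, so a missing, empty or malformed secret
      # also denies the release.
      - name: Major release Permission Check
        if: ${{ env.RELEASE_TYPE == 'major' }}
        env:
          REQUIRE_RESULT: ${{ steps.check_user_permission.outputs.require-result }}
        run: |
          # SDK_PUBLISH_MAJOR_VERSION_ACTORS is assumed to be a JSON array of
          # GitHub logins -- TODO(review): confirm the secret's format.
          if [[ "$REQUIRE_RESULT" != "true" ]] \
            || ! jq -e --arg actor "$GITHUB_TRIGGERING_ACTOR" 'any(. == $actor)' \
                 <<< "$SDK_PUBLISH_MAJOR_VERSION_ACTORS" > /dev/null; then
            echo "User does not have permission to perform a major release."
            exit 1
          fi

      # Full history is needed so `nx release` can compute versions and tags;
      # the PAT is what lets the version commit/tag be pushed back.
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          token: ${{ secrets.TS_IMMUTABLE_SDK_GITHUB_TOKEN }}

      - name: Setup
        uses: ./.github/actions/setup

      - name: Setup Github
        run: |
          git config user.name "platform-sa"
          git config user.email "[email protected]"

      # RELEASE_TYPE is one of the fixed choice values above (or empty on the
      # push trigger), so it is passed unquoted exactly as before; --dry-run
      # is appended only when DRY_RUN is 'true'.
      - name: Setup new package versions
        run: pnpm nx release version --specifier $RELEASE_TYPE $( [[ "$DRY_RUN" == "true" ]] && echo "--dry-run" || echo "" )

      - name: Build SDK & Checkout Widgets
        run: pnpm build

      # ! Do NOT remove - this will cause a Sev 0 incident !
      - name: Generate SDK attestations
        uses: actions/attest-build-provenance@v1
        with:
          subject-path: './sdk, !./sdk/node_modules'

      # The registry token is handed over via the environment rather than
      # interpolated into the command line.
      - name: Authenticate NPM
        env:
          NPM_TOKEN: ${{ secrets.TS_IMMUTABLE_SDK_NPM_TOKEN }}
        run: npm config set //registry.npmjs.org/:_authToken "$NPM_TOKEN"

      # Pre-releases get no GitHub release / changelog.
      - name: Publish Github Release
        if: ${{ !startsWith(env.RELEASE_TYPE, 'pre') }}
        run: pnpm nx release changelog "$(jq -r '.version' ./sdk/package.json)" $( [[ "$DRY_RUN" == "true" ]] && echo "--dry-run" || echo "" )

      - name: Release to NPM
        id: npm_release
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: pnpm nx release publish $( [[ "$DRY_RUN" == "true" ]] && echo "--dry-run" || echo "" )

      - name: Warm up CDN
        id: warm_up_cdn
        if: ${{ !startsWith(env.RELEASE_TYPE, 'pre') }}
        run: |
          wget https://cdn.jsdelivr.net/npm/@imtbl/checkout-widgets/dist/widgets.js
          wget https://cdn.jsdelivr.net/npm/@imtbl/checkout-widgets/dist/index.js

      # Wait for 30 seconds to make sure the tag is available on GitHub.
      # A plain sleep replaces the third-party wait-sleep action: one fewer
      # unpinned dependency running with the job's secrets in its environment.
      - name: Wait for GitHub tag
        run: sleep 30

      # Only non-pre, non-dry runs publish a GitHub release above, so only they
      # have one to look up. (The previous `contains(env.RELEASE_TYPE,
      # 'release')` guard matched none of the choice values, so this step never
      # ran and RELEASE_NAME was always empty in both Slack messages.)
      - name: Get GitHub Release Name and URL
        if: ${{ !startsWith(env.RELEASE_TYPE, 'pre') && env.DRY_RUN == 'false' }}
        id: release
        run: |
          release_json="$(gh release view --json name,url)"
          echo "RELEASE_NAME=$(jq -r .name <<< "$release_json")" >> "$GITHUB_OUTPUT"
          echo "RELEASE_URL=$(jq -r .url <<< "$release_json")" >> "$GITHUB_OUTPUT"

      - name: Notify SDK Slack Publish Success
        if: ${{ success() && (steps.npm_release.conclusion == 'success') && env.DRY_RUN == 'false' }}
        uses: ./.github/actions/notify-slack-publish-status
        with:
          message: "✅ ${{ github.triggering_actor }} successfully published SDK packages @ version ${{steps.release.outputs.RELEASE_NAME}} to NPM.\n\nhttps://www.npmjs.com/package/@imtbl/sdk/v/${{steps.release.outputs.RELEASE_NAME}}"

      - name: Notify SDK Slack Publish Failure
        if: ${{ failure() && (steps.npm_release.conclusion == 'failure') && env.DRY_RUN == 'false' }}
        uses: ./.github/actions/notify-slack-publish-status
        with:
          message: "❌ Failed to publish SDK packages @ version ${{steps.release.outputs.RELEASE_NAME}} to NPM. ${{ github.triggering_actor }} please check the logs for more details."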