publish.yml
# Release pipeline: takes the pre-built .tgz attached to a GitHub release,
# publishes it to npm, and promotes the Tauri update manifest for that tag.
name: Publish to npm

on:
  # Fires when a release is published, or a pre-release is converted to a
  # full release.
  release:
    types: [released]
  # Manual path: the two inputs stand in for the release event payload.
  workflow_dispatch:
    inputs:
      tag_name:
        description: 'Release tag (e.g., v1.2.3)'
        required: true
      release_id:
        description: 'GitHub release ID'
        required: true

# Single shared group: a newly started run cancels the one still in flight.
# NOTE(review): a cancel can land after `npm publish` but before the later
# steps finish - confirm that is acceptable for a release pipeline.
concurrency:
  group: publish
  cancel-in-progress: true

# Workflow-level GITHUB_TOKEN scopes. They apply to every job that does not
# declare its own `permissions` block.
#   contents: write - the publish job edits the release description.
#   id-token: write - lets a job request an OIDC token (npm trusted
#                     publishing and `--provenance`).
# NOTE(review): nothing visible in this file uses `packages: write`; confirm
# it is still needed, and consider granting scopes per job instead.
permissions:
  contents: write
  packages: write
  id-token: write  # Required for OIDC trusted publishing

env:
  # Node 22.22.2 regresses `npm install -g npm@...` with
  # `Cannot find module 'promise-retry'`. Pin a known-good patch until the
  # upstream Node/npm regression is resolved.
  NODE_VERSION: '22.22.1'
  PNPM_VERSION: '10.13.1'
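jobs:
  # Downloads the .tgz asset of the release and publishes that exact file to
  # npm with provenance, then appends a note to the release description.
  publish:
    runs-on: ubuntu-latest
    # Only run for main app releases (not remote-v* tags) that were converted from pre-release
    # NOTE(review): on manual dispatch there is no release payload, so this
    # filter never looks at inputs.tag_name - confirm that is intended.
    if: github.event.release.prerelease == false && !startsWith(github.event.release.tag_name, 'remote-')
    steps:
      # NOTE(review): actions/checkout and actions/github-script are referenced
      # by mutable major tags; pinning them to full commit SHAs is the usual
      # hardening for a job that holds `id-token: write`.
      - uses: actions/checkout@v6
        with:
          ref: ${{ github.event.release.tag_name || inputs.tag_name }}
          # No later step in this job runs git against the remote, so do not
          # leave the token in the checked-out repository's git config.
          persist-credentials: false

      - name: Setup Node
        uses: ./.github/actions/setup-node

      # NOTE: the version after `npm@` was replaced by an e-mail-obfuscation
      # placeholder when this page was captured; restore the pinned version
      # from the repository. npm trusted publishing needs npm 11.5.1 or later.
      - name: Upgrade npm for OIDC support
        run: npm install -g [email protected]

      - name: Download release assets
        # The id makes the outputs set by the script reachable from later steps.
        id: download
        uses: actions/github-script@v8
        env:
          RELEASE_ID: ${{ inputs.release_id }}
          EXPECTED_TAG: ${{ github.event.release.tag_name || inputs.tag_name }}
        with:
          script: |
            const fs = require('fs');
            const path = require('path');

            const releaseId = context.payload.release?.id || process.env.RELEASE_ID;
            console.log("releaseId:", releaseId);

            if (!releaseId) {
              core.setFailed('No release ID found.');
              return;
            }

            const release = await github.rest.repos.getRelease({
              owner: context.repo.owner,
              repo: context.repo.repo,
              release_id: releaseId
            });

            // A manual dispatch supplies the tag and the release ID as two
            // independent inputs. Refuse to continue when they do not name
            // the same release, so the checked-out source and the published
            // tarball cannot come from different releases.
            const expectedTag = process.env.EXPECTED_TAG;
            if (release.data.tag_name !== expectedTag) {
              core.setFailed(`Release ${releaseId} has tag ${release.data.tag_name}, expected ${expectedTag}`);
              return;
            }

            // Find the .tgz file
            const tgzAsset = release.data.assets.find(asset => asset.name.endsWith('.tgz'));

            if (!tgzAsset) {
              core.setFailed('No .tgz file found in release assets');
              return;
            }

            // Download the asset
            const response = await github.rest.repos.getReleaseAsset({
              owner: context.repo.owner,
              repo: context.repo.repo,
              asset_id: tgzAsset.id,
              headers: {
                Accept: 'application/octet-stream'
              }
            });

            // Save to npx-cli directory. basename() keeps the write inside
            // npx-cli even if the asset name ever carried a path component.
            const assetName = path.basename(tgzAsset.name);
            const filePath = path.join('npx-cli', assetName);
            fs.writeFileSync(filePath, Buffer.from(response.data));

            console.log(`Downloaded ${tgzAsset.name} to ${filePath}`);

            // Set output for next step
            core.setOutput('package-file', filePath);
            core.setOutput('package-name', assetName);

      - name: Verify package integrity
        id: verify
        env:
          # Use the name of the file that was actually downloaded instead of
          # globbing for the first *.tgz in the directory.
          PACKAGE_FILE: ${{ steps.download.outputs.package-name }}
        run: |
          cd npx-cli

          # List the downloaded tarball to confirm download
          ls -la -- "$PACKAGE_FILE"

          # No expected digest is available to this workflow, so the SHA-256
          # is recorded in the job log for audit rather than compared.
          sha256sum -- "$PACKAGE_FILE"

          # Fail early if the archive is truncated or not a gzip tarball
          tar -tzf "$PACKAGE_FILE" > /dev/null

          # Informational only: this packs the checked-out directory, not the
          # downloaded tarball, and its failure is tolerated.
          npm pack --dry-run || echo "Note: This is expected to show differences since we're using the pre-built package"

          # Hand the file name to the publish step
          echo "package-file=$PACKAGE_FILE" >> "$GITHUB_OUTPUT"

      - name: Publish to npm
        env:
          # Passed through the environment so the value is never spliced into
          # the script text by expression expansion.
          PACKAGE_FILE: ${{ steps.verify.outputs.package-file }}
        run: |
          cd npx-cli

          # Publish the exact same package that was tested
          echo "Publishing $PACKAGE_FILE to npm..."
          npm publish "$PACKAGE_FILE" --provenance --access public

          echo "✅ Successfully published to npm!"

      - name: Update release description
        uses: actions/github-script@v8
        env:
          RELEASE_ID: ${{ inputs.release_id }}
        with:
          script: |
            const releaseId = context.payload.release?.id || process.env.RELEASE_ID;

            // Fetch the release to get the current body
            const release = await github.rest.repos.getRelease({
              owner: context.repo.owner,
              repo: context.repo.repo,
              release_id: releaseId
            });

            const currentBody = release.data.body || '';

            await github.rest.repos.updateRelease({
              owner: context.repo.owner,
              repo: context.repo.repo,
              release_id: releaseId,
              body: currentBody + '\n\n✅ **Published to npm registry**'
            });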
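# Promote the tag-specific Tauri update manifest to the fixed endpoint
# so existing desktop app users receive the update notification.
  promote-tauri-update:
    runs-on: ubuntu-latest
    # This job authenticates to R2 with its own keys and never uses
    # GITHUB_TOKEN, so it overrides the workflow-level grants with none.
    permissions: {}
    # NOTE(review): there is no `needs:` here, so this job is not ordered
    # after the npm publish - confirm that is intended.
    if: github.event.release.prerelease == false && !startsWith(github.event.release.tag_name, 'remote-')
    steps:
      - name: Configure AWS CLI for R2
        env:
          # Secrets reach the script as environment variables and are quoted
          # below, so their contents are never parsed as shell syntax.
          R2_ACCESS_KEY_ID: ${{ secrets.R2_BINARIES_ACCESS_KEY_ID }}
          R2_SECRET_ACCESS_KEY: ${{ secrets.R2_BINARIES_SECRET_ACCESS_KEY }}
        run: |
          aws configure set aws_access_key_id "$R2_ACCESS_KEY_ID"
          aws configure set aws_secret_access_key "$R2_SECRET_ACCESS_KEY"
          aws configure set default.region auto

      - name: Copy update manifest to live endpoint
        env:
          # The tag comes from the release event or a dispatch input. Passing
          # it through env keeps it out of the script text, so shell
          # metacharacters in a tag name stay data.
          TAG: ${{ github.event.release.tag_name || inputs.tag_name }}
          ENDPOINT: ${{ secrets.R2_BINARIES_ENDPOINT }}
          BUCKET: ${{ secrets.R2_BINARIES_BUCKET }}
        run: |
          echo "Promoting update manifest for $TAG to live endpoint..."

          # Overwrites the manifest that installed desktop clients poll.
          aws s3 cp \
            "s3://$BUCKET/binaries/$TAG/tauri/latest.json" \
            "s3://$BUCKET/binaries/tauri-update/latest.json" \
            --endpoint-url "$ENDPOINT" --content-type "application/json"

          echo "Update manifest promoted: binaries/tauri-update/latest.json"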