name: Release on: push: tags: - v* concurrency: group: release-${{ github.workflow }}-${{ github.ref }} cancel-in-progress: false permissions: contents: write id-token: write attestations: write jobs: build-artifacts: name: Build runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set up pnpm uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0 - name: Set up Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 with: node-version-file: .node-version cache: "pnpm" - name: Install dependencies run: pnpm install --frozen-lockfile - name: Build run: pnpm build - name: Pack run: pnpm pack - name: Upload artifact archive uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: build-artifact path: "*.tgz" release-assets: name: Assemble Release Assets needs: - build-artifacts runs-on: ubuntu-latest steps: - name: Download build artifact uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: build-artifact path: dist - name: Upload complete release assets uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: release-assets path: dist/* create-release: name: Publish GitHub Release needs: - release-assets runs-on: ubuntu-latest environment: release permissions: contents: write id-token: write steps: - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 - name: Download release assets uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: release-assets path: dist - name: Create GitHub release uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0 with: tag_name: ${{ github.ref_name }} name: ${{ github.ref_name }} generate_release_notes: true prerelease: ${{ contains(github.ref_name, '-') }} files: dist/* fail_on_unmatched_files: true make_latest: ${{ !contains(github.ref_name, '-') }} - name: Trigger release notes workflow env: GH_TOKEN: ${{ secrets.RELEASE_TOKEN }} run: | gh workflow run release-notes.yml \ --field tag="${{ github.ref_name }}" attest-provenance: name: Attest Build Provenance needs: - create-release runs-on: ubuntu-latest permissions: id-token: write attestations: write contents: read steps: - name: Download release assets uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: release-assets path: dist - name: Attest release assets uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be # v2.4.0 with: subject-path: | dist/* publish-npm: name: Publish to npm needs: - create-release runs-on: ubuntu-latest environment: release permissions: contents: read id-token: write steps: - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set up pnpm uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0 - name: Set up Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 with: node-version-file: .node-version cache: "pnpm" registry-url: "https://registry.npmjs.org" - name: Upgrade npm run: npm install -g npm@latest - name: Install dependencies run: pnpm install --frozen-lockfile - name: Build run: pnpm build - name: Publish run: pnpm publish --no-git-checks