Set up trusted publishing

pimterry · pimterry · commit 00efe6f41e0e · 2026-01-23T14:56:09.000+01:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -17,4 +17,64 @@ jobs:
           node-version: ${{ matrix.node-version }}
 
       - run: npm install --no-package-lock
-      - run: npm test
+      - run: npm test
+
+  publish:
+    name: Publish to npm
+    needs: build
+    if: startsWith(github.ref, 'refs/tags/v')
+    runs-on: ubuntu-latest
+    environment:
+      name: npm
+      url: https://www.npmjs.com/package/http-encoding
+    permissions:
+      contents: read
+      id-token: write
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 'v22.20.0'
+          registry-url: 'https://registry.npmjs.org'
+          cache: 'npm'
+          cache-dependency-path: 'package.json'
+
+      - run: npm install
+      - run: npm run build
+
+      - name: Verify tag matches package.json version
+        id: version-check
+        run: |
+          TAG_VERSION=${GITHUB_REF#refs/tags/v}
+          PACKAGE_VERSION=$(node -p "require('./package.json').version")
+          if [ "$TAG_VERSION" != "$PACKAGE_VERSION" ]; then
+            echo "Error: Tag version (v$TAG_VERSION) does not match package.json version ($PACKAGE_VERSION)"
+            exit 1
+          fi
+          echo "✓ Tag version matches package.json version: $PACKAGE_VERSION"
+
+          # Check if version matches strict X.Y.Z format (stable release)
+          if echo "$PACKAGE_VERSION" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$'; then
+            echo "Stable release version detected: $PACKAGE_VERSION"
+            echo "is_prerelease=false" >> $GITHUB_OUTPUT
+          else
+            echo "Prerelease version detected: $PACKAGE_VERSION"
+            echo "is_prerelease=true" >> $GITHUB_OUTPUT
+          fi
+
+      # Make sure we have the latest npm for publishing:
+      - run: npm install -g npm@latest
+
+      - name: Publish to npm
+        run: |
+          if [ "${{ steps.version-check.outputs.is_prerelease }}" == "true" ]; then
+            echo "Publishing untagged prerelease"
+            npm publish --provenance --tag test
+            # We have to publish with a tag (so we use 'test') but we can clean it up:
+            npm dist-tag rm http-encoding test --silent
+          else
+            echo "Publishing stable release with 'latest' tag"
+            npm publish --provenance
+          fi
