Publish #11

Workflow file for this run

.github/workflows/publish.yml at 63d9c8b

	name: Publish

	on:
	release:
	types: [published]
	workflow_dispatch:
	# GitHub does not start new workflow runs for events caused by the default
	# GITHUB_TOKEN (e.g. gh release create in another workflow). After
	# "Release on merge" creates a release, trigger publish here instead.
	workflow_run:
	workflows: [Release on merge]
	types: [completed]

	jobs:
	publish:
	if: >-
	github.event_name != 'workflow_run' \|\|
	github.event.workflow_run.conclusion == 'success'
	runs-on: ubuntu-latest
	# Explicit job permissions: org default token scopes must not block OIDC.
	permissions:
	contents: read
	id-token: write
	steps:
	- uses: actions/checkout@v6
	with:
	ref: ${{ github.event_name == 'workflow_run' && 'main' \|\| github.event_name == 'release' && github.ref \|\| 'main' }}

	- name: Decide whether to publish
	id: gate
	env:
	GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	run: \|
	set -euo pipefail
	if [[ "${{ github.event_name }}" != "workflow_run" ]]; then
	echo "publish=true" >> "${GITHUB_OUTPUT}"
	exit 0
	fi
	VERSION="$(node -p "require('./package.json').version")"
	TAG="v-${VERSION}"
	if gh release view "${TAG}" --repo "${{ github.repository }}" >/dev/null 2>&1; then
	echo "publish=true" >> "${GITHUB_OUTPUT}"
	else
	echo "No GitHub release ${TAG} yet (or release job was skipped); skipping publish."
	echo "publish=false" >> "${GITHUB_OUTPUT}"
	fi

	# Omit registry-url: setup-node otherwise sets NODE_AUTH_TOKEN to a placeholder and npm publish uses that instead of OIDC.
	- name: Setup Node
	if: steps.gate.outputs.publish == 'true'
	uses: actions/setup-node@v6
	with:
	node-version: 22
	cache: npm

	# Corepack avoids `npm install -g npm` when the bundled global npm is broken (e.g. missing promise-retry).
	- name: Upgrade npm for trusted publishing (OIDC)
	if: steps.gate.outputs.publish == 'true'
	env:
	COREPACK_ENABLE_DOWNLOAD_PROMPT: 0
	run: \|
	corepack enable
	corepack prepare npm@11.5.1 --activate
	npm --version

	- name: Ensure versions match
	if: steps.gate.outputs.publish == 'true'
	shell: bash
	run: \|
	set -euo pipefail
	PKG_VERSION="$(node -p "require('./package.json').version")"
	JSR_VERSION="$(node -p "require('./jsr.json').version")"
	TAG_NAME="${{ github.event.release.tag_name }}"
	if [[ -z "$TAG_NAME" ]]; then
	TAG_NAME="v-${PKG_VERSION}"
	fi
	if [[ "$PKG_VERSION" != "$JSR_VERSION" ]]; then
	echo "Version mismatch: package.json=$PKG_VERSION, jsr.json=$JSR_VERSION"
	exit 1
	fi
	if [[ "$TAG_NAME" != "v$PKG_VERSION" && "$TAG_NAME" != "$PKG_VERSION" && "$TAG_NAME" != "v-${PKG_VERSION}" ]]; then
	echo "Release tag '$TAG_NAME' does not match version '$PKG_VERSION' (expected '$PKG_VERSION', 'v$PKG_VERSION', or 'v-${PKG_VERSION}')."
	exit 1
	fi

	- name: Install dependencies
	if: steps.gate.outputs.publish == 'true'
	run: npm install --ignore-scripts --no-package-lock

	# If NODE_AUTH_TOKEN / NPM_TOKEN are set to empty or a placeholder (repo/org Variables,
	# or setup-node + registry-url), npm prefers them over OIDC and fails with ENEEDAUTH.
	- name: Publish to npm
	if: steps.gate.outputs.publish == 'true'
	run: \|
	set -euo pipefail
	if [[ -z "${ACTIONS_ID_TOKEN_REQUEST_URL:-}" \|\| -z "${ACTIONS_ID_TOKEN_REQUEST_TOKEN:-}" ]]; then
	echo "::error::GitHub OIDC is unavailable (missing ACTIONS_ID_TOKEN_*). Check job permissions id-token: write and repo Settings → Actions → Workflow permissions."
	exit 1
	fi
	unset NODE_AUTH_TOKEN NPM_TOKEN
	npm publish --access public --provenance

	- name: Publish to JSR
	if: steps.gate.outputs.publish == 'true'
	run: npx jsr publish

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Publish #11

Workflow file

Publish #11

Uh oh!

Workflow file for this run