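name: Publish
on:
  release:
    types: [published]
  workflow_dispatch:
  # GitHub does not start new workflow runs for events caused by the default
  # GITHUB_TOKEN (e.g. gh release create in another workflow). After
  # "Release on merge" creates a release, trigger publish here instead.
  workflow_run:
    workflows: [Release on merge]
    types: [completed]
jobs:
  publish:
    # For workflow_run, only proceed when the upstream run succeeded; the
    # other two triggers always enter the job (the gate step decides further).
    if: >-
      github.event_name != 'workflow_run' ||
      github.event.workflow_run.conclusion == 'success'
    runs-on: ubuntu-latest
    # Explicit job permissions: org default token scopes must not block OIDC.
    # contents: read is all `gh release view` needs; id-token: write is what
    # trusted publishing (npm / JSR) needs. Nothing here writes to the repo.
    permissions:
      contents: read
      id-token: write
    steps:
      # Supply-chain note: the actions below are referenced by mutable tag.
      # Prefer pinning to a full commit SHA (e.g. `actions/checkout@<full-sha>  # v6`)
      # so a re-tagged release of the action cannot change what this job runs.
      - uses: actions/checkout@v6
        with:
          # release: build the tag being released.
          # workflow_run: pin to the exact commit the triggering "Release on merge"
          # run was for, so a push to main that lands between release and publish
          # is not shipped under this version number.
          # workflow_dispatch: fall back to main.
          ref: ${{ github.event_name == 'release' && github.ref || github.event.workflow_run.head_sha || 'main' }}
          # No step below pushes to git; do not leave GITHUB_TOKEN in .git/config
          # where the install / publish tooling could read it.
          persist-credentials: false
      - name: Decide whether to publish
        id: gate
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Context values are passed through env rather than interpolated
          # into the script text, so the shell never evaluates them.
          EVENT_NAME: ${{ github.event_name }}
          REPO: ${{ github.repository }}
        run: |
          set -euo pipefail
          # release / workflow_dispatch: publish (the version checks below still apply).
          if [[ "${EVENT_NAME}" != "workflow_run" ]]; then
            echo "publish=true" >> "${GITHUB_OUTPUT}"
            exit 0
          fi
          # workflow_run: publish only if a GitHub release exists for the version
          # in package.json at this commit.
          VERSION="$(node -p "require('./package.json').version")"
          TAG="v-${VERSION}"
          if gh release view "${TAG}" --repo "${REPO}" >/dev/null 2>&1; then
            echo "publish=true" >> "${GITHUB_OUTPUT}"
          else
            echo "No GitHub release ${TAG} yet (or release job was skipped); skipping publish."
            echo "publish=false" >> "${GITHUB_OUTPUT}"
          fi
      # Omit registry-url: setup-node otherwise sets NODE_AUTH_TOKEN to a placeholder and npm publish uses that instead of OIDC.
      # Node 24 ships npm 11.x (≥11.5.1 in current LTS line). Node 22’s npm is 10.x; Corepack `prepare npm@11` does not replace
      # the toolcache `npm` binary on GitHub-hosted runners, so `npm publish` stayed on 10.x and OIDC trusted publishing never ran.
      - name: Setup Node
        if: steps.gate.outputs.publish == 'true'
        uses: actions/setup-node@v6
        with:
          # Quoted: keeps the value a string for any YAML tooling that re-types it.
          node-version: "24"
          # NOTE(review): `cache: npm` needs a committed lockfile (package-lock.json
          # or npm-shrinkwrap.json) to key the cache; the install step below passes
          # --no-package-lock, so confirm a lockfile exists or this step fails.
          cache: npm
      - name: Assert npm supports trusted publishing (OIDC)
        if: steps.gate.outputs.publish == 'true'
        run: |
          set -euo pipefail
          ver="$(npm --version)"
          echo "npm ${ver}"
          # Compare major.minor.patch against 11.5.1; the version is passed as
          # an argument, not spliced into the JS source.
          node -e "
            const v = process.argv[1].split('.').map(Number);
            const ok = v[0] > 11 || (v[0] === 11 && (v[1] > 5 || (v[1] === 5 && (v[2] || 0) >= 1)));
            if (!ok) { console.error('npm ' + process.argv[1] + ' < 11.5.1; trusted publishing OIDC requires npm >= 11.5.1'); process.exit(1); }
          " "$ver"
      - name: Ensure versions match
        if: steps.gate.outputs.publish == 'true'
        shell: bash
        env:
          # Event data goes through env, never into the script text: a tag name
          # is only a string to the shell this way, whatever characters it holds.
          RELEASE_TAG: ${{ github.event.release.tag_name }}
        run: |
          set -euo pipefail
          PKG_VERSION="$(node -p "require('./package.json').version")"
          JSR_VERSION="$(node -p "require('./jsr.json').version")"
          # Only the release event carries a tag name; otherwise derive it from package.json.
          TAG_NAME="${RELEASE_TAG:-v-${PKG_VERSION}}"
          if [[ "$PKG_VERSION" != "$JSR_VERSION" ]]; then
            echo "Version mismatch: package.json=$PKG_VERSION, jsr.json=$JSR_VERSION"
            exit 1
          fi
          # Accept the three tag spellings used for this project: <ver>, v<ver>, v-<ver>.
          if [[ "$TAG_NAME" != "v$PKG_VERSION" && "$TAG_NAME" != "$PKG_VERSION" && "$TAG_NAME" != "v-${PKG_VERSION}" ]]; then
            echo "Release tag '$TAG_NAME' does not match version '$PKG_VERSION' (expected '$PKG_VERSION', 'v$PKG_VERSION', or 'v-${PKG_VERSION}')."
            exit 1
          fi
      # --ignore-scripts keeps dependency lifecycle scripts from running in the
      # publish job. NOTE(review): without a lockfile this resolves dependencies
      # fresh at publish time; `npm ci` against a committed lockfile would make
      # the published build reproducible.
      - name: Install dependencies
        if: steps.gate.outputs.publish == 'true'
        run: npm install --ignore-scripts --no-package-lock
      # If NODE_AUTH_TOKEN / NPM_TOKEN are set to empty or a placeholder (repo/org Variables,
      # or setup-node + registry-url), npm prefers them over OIDC and fails with ENEEDAUTH.
      - name: Publish to npm
        if: steps.gate.outputs.publish == 'true'
        run: |
          set -euo pipefail
          # Fail early with a pointed message if the runner has no OIDC endpoint.
          if [[ -z "${ACTIONS_ID_TOKEN_REQUEST_URL:-}" || -z "${ACTIONS_ID_TOKEN_REQUEST_TOKEN:-}" ]]; then
            echo "::error::GitHub OIDC is unavailable (missing ACTIONS_ID_TOKEN_*). Check job permissions id-token: write and repo Settings → Actions → Workflow permissions."
            exit 1
          fi
          unset NODE_AUTH_TOKEN NPM_TOKEN
          npm publish --access public --provenance
      # NOTE(review): `npx jsr` fetches the latest jsr CLI from npm on every run;
      # pin it (`npx jsr@<pinned-version> publish`) so the publish tool itself is
      # not a moving target.
      - name: Publish to JSR
        if: steps.gate.outputs.publish == 'true'
        run: npx jsr publish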