From 17c97825c78c14185d971b95c1a35ee78833cd72 Mon Sep 17 00:00:00 2001
From: Santiago
Date: Thu, 21 May 2026 08:40:38 -0300
Subject: [PATCH] ci: replace publish workflow with tag-triggered release pipeline

Replaces the GitHub-Release-triggered publish.yml with a release workflow conforming to the umbrella SDK release pipeline contract (u5c-factory reference/sdk-pipeline-requirements.md): a v* version tag triggers verify -> build -> test -> publish. The verify job checks the pushed tag against the package.json version and fails the release if they disagree; publish pushes to npm via OIDC trusted publishing (no static token). Verification: workflow YAML syntactically validated only; not executed and the package not built this session. Requires an npm trusted-publisher configured on npmjs.org for @utxorpc/sdk (GitHub repo utxorpc/node-sdk, workflow release.yml) before the first release; the old NPM_TOKEN secret can be removed afterward.
---
 .github/workflows/publish.yml | 23 -------------
 .github/workflows/release.yml | 64 +++++++++++++++++++++++++++++++++++
 2 files changed, 64 insertions(+), 23 deletions(-)
 delete mode 100644 .github/workflows/publish.yml
 create mode 100644 .github/workflows/release.yml
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
deleted file mode 100644
index 67a01a1..0000000
--- a/.github/workflows/publish.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-name: Node.js Package
-
-on:
- release:
- types: [published]
-
-jobs:
- publish-npm:
- runs-on: ubuntu-latest
-
- steps:
- - uses: actions/checkout@v4
-
- - uses: actions/setup-node@v4
- with:
- node-version: 20
- registry-url: https://registry.npmjs.org/
-
- - run: npm install
-
- - run: npm publish
- env:
- NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 0000000..96e2f96
--- /dev/null
+++ b/.github/workflows/release.yml
@@ -0,0 +1,64 @@
+name: Release
+
+# Conforms to the umbrella SDK release pipeline contract:
+# u5c-factory reference/sdk-pipeline-requirements.md
+on:
+ push:
+ tags: ['v*']
+
+jobs:
+ verify:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - name: Verify tag matches package version
+ run: |
+ TAG="${GITHUB_REF_NAME#v}"
+ MANIFEST=$(jq -r .version package.json)
+ if [ "$TAG" != "$MANIFEST" ]; then
+ echo "::error::tag $GITHUB_REF_NAME does not match package.json version $MANIFEST"
+ exit 1
+ fi
+
+ build:
+ needs: verify
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - uses: actions/setup-node@v4
+ with:
+ # Node 24.5.0 bundles npm 11.5.1, the minimum for OIDC trusted
+ # publishing used by the publish job below.
+ node-version: 24.5.0
+ # The repo gitignores its lockfile, so `npm ci` cannot be used.
+ - run: npm install
+ - run: npm run build
+
+ test:
+ needs: build
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - uses: actions/setup-node@v4
+ with:
+ node-version: 24.5.0
+ - run: npm install
+ # index.test.mts is a live-server integration suite, excluded as in ci.yml.
+ - run: npx vitest run --passWithNoTests --exclude '**/index.test.mts'
+
+ publish:
+ needs: test
+ runs-on: ubuntu-latest
+ # Required for npm OIDC trusted publishing — no static token is used.
+ permissions:
+ id-token: write
+ contents: read
+ steps:
+ - uses: actions/checkout@v4
+ - uses: actions/setup-node@v4
+ with:
+ node-version: 24.5.0
+ registry-url: 'https://registry.npmjs.org'
+ - run: npm install
+ - run: npm run build
+ - run: npm publish --access public
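Review bot: The `publish` job re-runs `npm install` and `npm run build` inside the job that holds `id-token: write`, so install-time scripts of whatever dependency tree resolves at that moment execute in a context that can request the OIDC publishing token, and — with no lockfile, as the comment in `build` notes — that tree is not necessarily the one `test` exercised. Hand the built output from `build` to `publish` as a workflow artifact instead of rebuilding there, or at minimum install without running scripts in the publish job: `- run: npm install --ignore-scripts`. The `actions/checkout@v4` and `actions/setup-node@v4` references in all four jobs are pinned to a mutable major tag; a workflow that mints publishing credentials should pin them to a full commit SHA with the tag kept in a trailing comment, e.g. `actions/checkout@<commit-sha>  # v4`. Note also that `tags: ['v*']` matches pre-release tags such as `v1.2.3-rc.1`, and the `verify` step only compares the tag to `package.json`, so such a tag would reach `npm publish` without `--tag` and be published under `latest`.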