devkit/.github/workflows/release.yml at main · cfxdevkit/devkit · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
name: Release

# Triggered by a semver tag pushed from main, e.g. git tag v0.2.0 && git push origin v0.2.0
on:
  push:
    tags:
      - "v[0-9]+.[0-9]+.[0-9]+"
      - "v[0-9]+.[0-9]+.[0-9]+-*" # allow pre-release tags like v1.0.0-beta.1

concurrency:
  group: release-${{ github.ref }}
  cancel-in-progress: false # never cancel an in-flight release

jobs:
  # ─────────────────────────────────────────────────────────────────────────────
  # Guard: run the full CI suite before publishing anything
  # ─────────────────────────────────────────────────────────────────────────────
  ci:
    name: CI checks
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: pnpm/action-setup@v4
        with:
          version: "10.11.0"

      - uses: actions/setup-node@v4
        with:
          node-version: "22"
          cache: "pnpm"

      - name: Install dependencies
        run: pnpm install --frozen-lockfile

      - name: Lint (Biome)
        run: pnpm check

      - name: Type-check
        run: pnpm type-check

      - name: Build all packages
        run: pnpm build

      - name: Run tests
        run: pnpm test

      # Persist the build artifacts for the publish job so we don't rebuild
      - name: Upload build artifacts
        uses: actions/upload-artifact@v4
        with:
          name: build-artifacts
          # packages/*/dist  — @cfxdevkit/* library dist outputs
          # devtools/devkit-ui/out — Next.js static export (needed by copy-ui.mjs)
          # devtools/devkit/dist  — CLI bundle
          # devtools/devkit/ui    — copied static UI assets (dist includes these via "files")
          path: |
            packages/*/dist
            devtools/devkit-ui/out
            devtools/devkit/dist
            devtools/devkit/ui
          retention-days: 1

  # ─────────────────────────────────────────────────────────────────────────────
  # Publish to npm via OIDC Trusted Publishing
  #
  # No NPM_TOKEN secret required. npm CLI automatically exchanges the GitHub
  # OIDC token for a short-lived npm credential during publish.
  #
  # Prerequisites (one-time setup):
  #   Each package must have a Trusted Publisher configured on npmjs.com
  #   pointing at this repository + "release.yml" workflow filename.
  #   Use `npm trust add` for bulk configuration (npm CLI ≥11.10.0).
  #   See: https://docs.npmjs.com/trusted-publishers
  # ─────────────────────────────────────────────────────────────────────────────
  publish:
    name: Publish to npm
    runs-on: ubuntu-latest
    needs: ci
    permissions:
      contents: read
      id-token: write # required for OIDC token exchange with npm

    steps:
      - uses: actions/checkout@v4

      - uses: pnpm/action-setup@v4
        with:
          version: "10.11.0"

      # registry-url tells setup-node (and therefore pnpm) which npm registry
      # to target. Do NOT pass a token here — OIDC handles auth automatically.
      # Trusted publishing requires npm CLI ≥11.5.1 and Node ≥22.14.0.
      - uses: actions/setup-node@v4
        with:
          node-version: "22.14"
          registry-url: "https://registry.npmjs.org"
          cache: "pnpm"

      - name: Install dependencies
        run: pnpm install --frozen-lockfile

      # Restore pre-built artifacts from the ci job (avoids a full rebuild)
      - name: Download build artifacts
        uses: actions/download-artifact@v4
        with:
          name: build-artifacts

      # ── 0. Upgrade npm so OIDC trusted publishing works reliably ────────────
      # actions/setup-node writes `_authToken=${NODE_AUTH_TOKEN}` to .npmrc.
      # When NODE_AUTH_TOKEN is unset, some npm versions treat the empty value
      # as an invalid token ("Access token expired") instead of falling through
      # to OIDC. Upgrading npm to latest (11.x) and clearing the stale auth
      # entry ensures the OIDC exchange is always used for publishing.
      - name: Upgrade npm and clear stale auth
        run: |
          npm install -g npm@latest
          npm --version
          # Remove the empty _authToken written by actions/setup-node so npm
          # finds no static credential and uses the OIDC token instead.
          npm config delete "//registry.npmjs.org/:_authToken" || true

      # ── 1. Publish all @cfxdevkit/* library packages ───────────────────────
      # Use `pnpm pack` to create the tarball — this normalises workspace:*
      # dependency references (e.g. "@cfxdevkit/contracts": "workspace:*") to
      # real semver before the tarball is created, so the published package.json
      # is clean. Then hand the tarball to `npm publish` so the OIDC token
      # exchange still happens via the npm CLI (pnpm publish does not trigger it).
      - name: Publish @cfxdevkit/* packages
        run: |
          set -e
          failed=''
          # packages/theme is an internal Tailwind preset — not published to npm
          SKIP_PACKAGES='packages/theme'
          for pkg_dir in packages/*/; do
            pkg_dir="${pkg_dir%/}"
            if echo "$SKIP_PACKAGES" | grep -qw "$pkg_dir"; then
              echo "\n--- Skipping ${pkg_dir} (not published) ---"
              continue
            fi
            pkg_name=$(node -p "require('./${pkg_dir}/package.json').name")
            echo "\n--- Publishing ${pkg_name} ---"
            tarball=$(pnpm pack -C "${pkg_dir}" --pack-destination "$PWD" 2>/dev/null | tail -1)
            if ! npm publish "${tarball}" --access public; then
              echo "::error::Failed to publish ${pkg_name}"
              failed="${failed} ${pkg_name}"
            fi
            rm -f "${tarball}"
          done
          if [ -n "$failed" ]; then
            echo "::error::The following packages failed to publish:${failed}"
            exit 1
          fi

      # ── 2. Publish the conflux-devkit CLI ──────────────────────────────────
      # `pnpm pack` normalises workspace:* dependency versions in package.json
      # to real semver before creating the tarball so the published package.json
      # is clean. We then hand the tarball to `npm publish` so the OIDC token
      # exchange still happens via the npm CLI.
      - name: Pack + Publish conflux-devkit CLI
        run: |
          # --pack-destination must be absolute so the tarball lands in the
          # repo root regardless of where pnpm resolves the -C working dir.
          pnpm pack -C devtools/devkit --pack-destination "$PWD"
          tarball=$(ls "$PWD"/conflux-devkit-*.tgz | tail -1)
          echo "Publishing tarball: $tarball"
          npm publish "$tarball" --access public

  # ─────────────────────────────────────────────────────────────────────────────
  # Docker — build & push cfxdevkit/devkit to Docker Hub
  #
  # Runs AFTER the npm publish job so that conflux-devkit@<version> already
  # exists on npm when the Docker build runs `npm install -g conflux-devkit@ver`.
  #
  # Prerequisites (one-time setup in GitHub → Settings → Secrets and variables
  # → Actions → Repository secrets):
  #   DOCKERHUB_USERNAME  — Docker Hub username or org that owns cfxdevkit/devkit
  #   DOCKERHUB_TOKEN     — Docker Hub Access Token with Read & Write scope
  #   (Create the token at: https://hub.docker.com/settings/security)
  # ─────────────────────────────────────────────────────────────────────────────
  docker:
    name: Publish Docker image (cfxdevkit/devkit)
    runs-on: ubuntu-latest
    needs: publish   # wait for npm publish so the package is available on npm
    permissions:
      contents: read

    steps:
      - uses: actions/checkout@v4

      # Strip the leading "v" from the tag (v1.2.3 → 1.2.3) and expose as
      # steps.version.outputs.version for use in subsequent steps.
      - name: Derive image version from tag
        id: version
        run: echo "version=${GITHUB_REF_NAME#v}" >> "$GITHUB_OUTPUT"

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Log in to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      # Build the image for linux/amd64 (the only platform @xcfx/node currently
      # provides a native binary for) and push two tags:
      #   cfxdevkit/devkit:<semver>  — immutable, version-pinned
      #   cfxdevkit/devkit:latest    — floating, always points at the newest release
      - name: Build and push
        uses: docker/build-push-action@v6
        with:
          context: .
          file: docker/Dockerfile
          platforms: linux/amd64
          push: true
          build-args: |
            DEVKIT_VERSION=${{ steps.version.outputs.version }}
          tags: |
            cfxdevkit/devkit:${{ steps.version.outputs.version }}
            cfxdevkit/devkit:latest
          labels: |
            org.opencontainers.image.version=${{ steps.version.outputs.version }}
            org.opencontainers.image.revision=${{ github.sha }}