From 6d9f1b7b16bc5b94f4bd56fd4687f1940cebcd6e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20Chalk?=
Date: Mon, 11 May 2026 14:50:30 +0200
Subject: [PATCH 1/2] ci: automate releases
---
 .github/workflows/publish.yml | 44 ++++++++++++++++++++++++++++++
 .github/workflows/release.yml | 50 +++++++++++++++++++++++++++++++++++
 2 files changed, 94 insertions(+)
 create mode 100644 .github/workflows/publish.yml
 create mode 100644 .github/workflows/release.yml
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
new file mode 100644
index 0000000..15341b7
--- /dev/null
+++ b/.github/workflows/publish.yml
@@ -0,0 +1,44 @@
+name: Publish
+
+on:
+ push:
+ tags:
+ - v*.*.*
+
+concurrency:
+ group: publish
+ cancel-in-progress: false
+
+# configured as trusted publisher (OIDC)
+# https://docs.npmjs.com/trusted-publishers
+permissions:
+ contents: read
+ id-token: write
+
+env:
+ NX_NON_NATIVE_HASHER: true
+
+jobs:
+ publish:
+ name: Publish packages
+ runs-on: ubuntu-latest
+ environment: release
+ steps:
+ - name: Clone the repository
+ uses: actions/checkout@v6
+ with:
+ fetch-depth: 0
+ - name: Configure Git user
+ # https://github.com/actions/checkout/blob/main/README.md#push-a-commit-using-the-built-in-token
+ run: |
+ git config user.name github-actions[bot]
+ git config user.email 41898282+github-actions[bot]@users.noreply.github.com
+ - name: Set up Node.js
+ uses: actions/setup-node@v6
+ with:
+ node-version-file: .node-version
+ cache: npm
+ - name: Install dependencies
+ run: npm ci
+ - name: Publish packages to npm
+ run: npx nx release publish
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 0000000..72dbd30
--- /dev/null
+++ b/.github/workflows/release.yml
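Review bot: The `v*.*.*` tag trigger starts an npm publish with the OIDC token for any matching tag pushed by anyone with write access, not only for tags created by release.yml; `environment: release` is the only gate visible in this hunk, so the environment's deployment protection (required reviewers or a deployment-tag rule) plus a tag ruleset protecting `v*` should be in place, and a comment above `on:` could record that, e.g. `# v*.*.* tags are expected only from release.yml; keep them protected by a tag ruleset`. The "Configure Git user" step appears unused: the job has `contents: read`, `npx nx release publish` does not commit or push, and the linked README section is about pushing with the built-in token, so the step could be dropped or its comment corrected. Pinning `actions/checkout@v6` and `actions/setup-node@v6` to full commit SHAs would harden the publish path against a moved or compromised action tag.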
@@ -0,0 +1,50 @@
+name: Release
+
+on:
+ push:
+ branches:
+ - main
+
+concurrency:
+ group: release
+ cancel-in-progress: false
+
+jobs:
+ release:
+ name: Version and release
+ runs-on: ubuntu-latest
+ environment: release
+ env:
+ NX_NON_NATIVE_HASHER: true
+ steps:
+ - name: Authenticate as "Code PushUp Bot" GitHub App
+ uses: actions/create-github-app-token@v3
+ id: app-token
+ with:
+ client-id: ${{ vars.GH_APP_CLIENT_ID }}
+ private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+ - name: Fetch GitHub App's user ID
+ id: get-user-id
+ run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
+ env:
+ GH_TOKEN: ${{ steps.app-token.outputs.token }}
+ - name: Configure Git user
+ run: |
+ git config --global user.name '${{ steps.app-token.outputs.app-slug }}[bot]'
+ git config --global user.email '${{ steps.get-user-id.outputs.user-id }}+${{ steps.app-token.outputs.app-slug }}[bot]@users.noreply.github.com'
+ - name: Clone the repository
+ uses: actions/checkout@v6
+ with:
+ fetch-depth: 0
+ token: ${{ steps.app-token.outputs.token }}
+ - name: Set up Node.js
+ uses: actions/setup-node@v6
+ with:
+ node-version-file: .node-version
+ cache: npm
+ - name: Install dependencies
+ run: npm ci
+ - name: Version, release and generate changelog
+ run: npx nx release --skip-publish
+ env:
+ GH_TOKEN: ${{ steps.app-token.outputs.token }}
From 1181a0654436db3bfc9b0c6432fd80dbbb61377b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20Chalk?=
Date: Mon, 11 May 2026 15:15:31 +0200
Subject: [PATCH 2/2] ci: minimize permissions for release workflow
---
 .github/workflows/release.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 72dbd30..0187f56 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
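Review bot: Handing the App token to `actions/checkout` via `token:` persists it in the checkout's git config (credential persistence is the action's default), so every later step in the job can read a token that can push to `main` as the bot, including lifecycle scripts run by `npm ci` and the nx plugins loaded by `npx nx release`; a compromised dependency would inherit that write access. If the build works without install scripts, `npm ci --ignore-scripts` narrows the exposure, and the App installation should carry only the permissions the release needs; a comment on the `token:` line, `# App token so nx release can push the version commit and tag; GITHUB_TOKEN pushes would not trigger publish.yml`, would record why it is there. The version commit pushed with the App token will also re-trigger this `on: push: main` workflow, since App tokens are not exempt the way GITHUB_TOKEN is; the `concurrency` group only serializes the runs, so confirm that `nx release` is a no-op when nothing is releasable, or guard the job with an `if:` that skips runs whose `github.actor` is the App's bot user.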
@@ -9,6 +9,9 @@ concurrency:
 group: release
 cancel-in-progress: false
+permissions:
+ contents: read
+
 jobs:
 release:
 name: Version and release
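Review bot: `contents: read` scopes only `GITHUB_TOKEN`, while the job's pushes go through the App token minted by the `app-token` step, and a later maintainer seeing a release push may be tempted to "fix" this to `write`; a comment above the block, `# GITHUB_TOKEN is read-only; pushes use the App token from the app-token step`, would make the split explicit, mirroring the OIDC comment in publish.yml. The `jobs:` mapping continues outside the hunk.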