Gandalf the Greybeard
77e9aa9b37
Replaces NPM_TOKEN secret with id-token: write + --provenance so publishing uses GitHub's OIDC token directly. No repository secret required; provenance attestation is generated automatically. Also collapses the redundant second setup-node step (registry-url is now set on the first one). Co-Authored-By: Paperclip <noreply@paperclip.ing>
56 lines
1.2 KiB
YAML
56 lines
1.2 KiB
YAML
name: CI
|
|
|
|
on:
|
|
push:
|
|
branches: [master]
|
|
pull_request:
|
|
branches: [master]
|
|
|
|
jobs:
|
|
test:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- uses: actions/setup-node@v4
|
|
with:
|
|
node-version: "22"
|
|
cache: "npm"
|
|
|
|
- run: npm ci
|
|
|
|
- run: npm run typecheck
|
|
name: Type check
|
|
|
|
- run: npm test
|
|
name: Test
|
|
|
|
publish:
|
|
needs: test
|
|
runs-on: ubuntu-latest
|
|
if: github.ref == 'refs/heads/master' && github.event_name == 'push'
|
|
permissions:
|
|
id-token: write
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- uses: actions/setup-node@v4
|
|
with:
|
|
node-version: "22"
|
|
registry-url: "https://registry.npmjs.org"
|
|
cache: "npm"
|
|
|
|
- run: npm ci
|
|
|
|
- run: npm run build
|
|
|
|
- name: Publish (skip if version already exists)
|
|
run: |
|
|
PKG_NAME=$(node -p "require('./package.json').name")
|
|
PKG_VERSION=$(node -p "require('./package.json').version")
|
|
if npm view "${PKG_NAME}@${PKG_VERSION}" version 2>/dev/null; then
|
|
echo "Version ${PKG_VERSION} already published — skipping."
|
|
else
|
|
npm publish --provenance --access public
|
|
fi
|