Skip to content

Release

Release #20

Workflow file for this run

name: Release
# Runs automatically only AFTER the CI workflow succeeds on main, so a red
# main never publishes. The changesets flow then takes over:
# 1. add a changeset in your PR, merge to main
# 2. CI passes -> this opens/updates a "Version Packages" PR
# 3. merging THAT PR re-runs CI -> this publishes to npm
on:
workflow_run:
workflows: [CI]
branches: [main]
types: [completed]
concurrency: ${{ github.workflow }}-${{ github.ref }}
permissions:
contents: write
pull-requests: write
id-token: write
jobs:
release:
# Only release when CI on a push to main actually passed.
if: ${{ github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.event == 'push' }}
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v7
with:
fetch-depth: 0
# Installs Node and pnpm at the exact versions pinned in mise.toml.
- name: Setup toolchain (mise)
uses: jdx/mise-action@v4
with:
cache: true
# Configure npm auth for changesets publish.
- name: Configure npm registry
run: |
echo "//registry.npmjs.org/:_authToken=${NODE_AUTH_TOKEN}" > ~/.npmrc
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
- run: pnpm install --frozen-lockfile
- run: pnpm build
# When changesets exist, this opens or updates a "Version Packages" PR.
# When none remain (after that PR merges), it publishes to npm.
- uses: changesets/action@v1
with:
version: pnpm exec changeset version
publish: pnpm exec changeset publish
commit: "chore: version packages"
title: "chore: version packages"
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
# changesets/action looks for NPM_TOKEN specifically; without it the
# action falls back to OIDC trusted publishing. Set both so npm auth
# is deterministic regardless of which path the action takes.
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}