fix: Use trusted publishing for the canary workflow

davidkna-sap · davidkna-sap · commit 75b27e4f4976 · 2025-11-11T13:22:39.000+01:00
diff --git a/.github/workflows/publish-canary.yml b/.github/workflows/publish-canary.yml
@@ -1,17 +1,15 @@
 name: publish-canary
 
 on:
-  schedule:
-    - cron: '0 1 * * *'
-  workflow_dispatch:
+  workflow_call:
     inputs:
       tag:
         description: 'Dist tag for the release. If you chose something different than "canary", make sure to delete it once it is not needed anymore.'
         type: string
         required: false
         default: 'canary'
 jobs:
-  publish:
+  prepare-release:
     runs-on: ubuntu-latest
 
     steps:
@@ -31,12 +29,22 @@ jobs:
           Canary release
           EOT
 
-      - name: publish
+      - name: version canary release
         run: |
           date=`date +%Y%m%d%H%M%S`
           pnpm changeset pre enter ${date}
           pnpm changeset version
           pnpm changeset pre exit
-          pnpm changeset publish --tag ${{ github.event_name == 'schedule' && 'canary' || inputs.tag }}
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPMJS_ACCESS_TOKEN }}
+
+  publish-npm:
+    needs: prepare-release
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+    steps:
+    - uses: sap/ai-sdk-js/.github/actions/setup@main
+      with:
+        node-version: 24 # Will install npm 11 needed for trusted publishing
+    - name: publish
+      run: |
+        pnpm changeset publish
diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml
@@ -0,0 +1,80 @@
+name: publish
+
+on:
+  workflow_call:
+
+env:
+  DOCS_REPO: SAP/ai-sdk
+
+jobs:
+  check-release-notes-pr:
+    name: Check Release Notes PR Status
+    runs-on: ubuntu-latest
+    outputs:
+      release_notes_branch: ${{ steps.determine-branch-name.outputs.release_notes_branch }}
+      is_merged: ${{ steps.check_pr_status.outputs.merged }}
+    steps:
+      - uses: sap/ai-sdk-js/.github/actions/setup@main
+        with:
+          node-version: ${{ vars.DEFAULT_NODE_VERSION }}
+      - name: Determine Docs PR Branch Name
+        id: determine-branch-name
+        run: |
+          VERSION=$(pnpm node -p "require('./package.json').version")
+          echo "Using version: $VERSION"
+          BRANCH_NAME="update-release-notes-js-$VERSION"
+          echo "release_notes_branch=$BRANCH_NAME" >> "$GITHUB_OUTPUT"
+
+      - name: Check PR Status (Exists, Merged)
+        id: check_pr_status
+        run: |
+          BRANCH_NAME="${{ steps.determine-branch-name.outputs.release_notes_branch }}"
+          echo "Checking status for PR associated with branch: $BRANCH_NAME"
+
+          # Get merged status. If gh pr view fails (e.g., PR not found), the step will fail.
+          MERGED_OUTPUT=$(gh pr view "$BRANCH_NAME" --repo "${{ env.DOCS_REPO }}" --json state --jq '.state == "MERGED" | tostring')
+
+          # This part only runs if the above command succeeded
+          echo "PR found. Is Merged: $MERGED_OUTPUT"
+          echo "merged=$MERGED_OUTPUT" >> "$GITHUB_OUTPUT"
+        env:
+          GH_TOKEN: ${{ secrets.GH_CLOUD_SDK_JS_ADMIN_WRITE_TOKEN }}
+
+      - name: 'Check Whether Release Notes PR Can Be Merged'
+        if: steps.check_pr_status.outputs.merged == 'false'
+        uses: ./.github/actions/pr-is-mergeable
+        with:
+          pr-ref: ${{ steps.determine-branch-name.outputs.release_notes_branch }}
+          repo: ${{ env.DOCS_REPO }}
+          token: ${{ secrets.GH_CLOUD_SDK_JS_ADMIN_WRITE_TOKEN }}
+          excluded-check-runs: |
+            {
+              \"Build Cloud SDK Documentation\": [\"dependabot\"]
+            }
+
+  publish-npm:
+    name: Publish to NPM
+    runs-on: ubuntu-latest
+    needs: [check-release-notes-pr]
+    permissions:
+      id-token: write
+    steps:
+      - uses: sap/ai-sdk-js/.github/actions/setup@main
+        with:
+          node-version: 24 # Will install npm 11 needed for trusted publishing
+      - name: publish
+        run: |
+          pnpm changeset publish
+
+  merge-release-notes-pr:
+    name: Merge Release Notes PR (if needed)
+    runs-on: ubuntu-latest
+    needs: [check-release-notes-pr, publish-npm]
+    if: needs.check-release-notes-pr.outputs.is_merged == 'false'
+    steps:
+      - name: 'Merge Release Notes PR'
+        run: |
+          echo "Attempting to merge PR for branch: ${{ needs.check-release-notes-pr.outputs.release_notes_branch }}"
+          gh pr merge --squash "${{ needs.check-release-notes-pr.outputs.release_notes_branch }}" --delete-branch --repo "${{ env.DOCS_REPO }}"
+        env:
+          GH_TOKEN: ${{ secrets.GH_CLOUD_SDK_JS_ADMIN_WRITE_TOKEN }}
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -1,81 +1,30 @@
-name: publish
+# For trusted publishing releases, it is required to start all releases from a single workflow file.
+# This workflow delegates to the appropriate release workflow based on the event that triggered it.
 
 on:
+  # Triggers for canary releases
+  schedule:
+    - cron: '0 1 * * *'
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: 'Dist tag for the release. If you chose something different than "canary", make sure to delete it once it is not needed anymore.'
+        type: string
+        required: false
+        default: 'canary'
+  # Triggers for official releases
   release:
     types: [published] # Trigger when a GitHub Release is published
 
-env:
-  DOCS_REPO: SAP/ai-sdk
-
 jobs:
-  check-release-notes-pr:
-    name: Check Release Notes PR Status
-    runs-on: ubuntu-latest
-    outputs:
-      release_notes_branch: ${{ steps.determine-branch-name.outputs.release_notes_branch }}
-      is_merged: ${{ steps.check_pr_status.outputs.merged }}
-    steps:
-      - uses: sap/ai-sdk-js/.github/actions/setup@main
-        with:
-          node-version: ${{ vars.DEFAULT_NODE_VERSION }}
-      - name: Determine Docs PR Branch Name
-        id: determine-branch-name
-        run: |
-          VERSION=$(pnpm node -p "require('./package.json').version")
-          echo "Using version: $VERSION"
-          BRANCH_NAME="update-release-notes-js-$VERSION"
-          echo "release_notes_branch=$BRANCH_NAME" >> "$GITHUB_OUTPUT"
-
-      - name: Check PR Status (Exists, Merged)
-        id: check_pr_status
-        run: |
-          BRANCH_NAME="${{ steps.determine-branch-name.outputs.release_notes_branch }}"
-          echo "Checking status for PR associated with branch: $BRANCH_NAME"
-
-          # Get merged status. If gh pr view fails (e.g., PR not found), the step will fail.
-          MERGED_OUTPUT=$(gh pr view "$BRANCH_NAME" --repo "${{ env.DOCS_REPO }}" --json state --jq '.state == "MERGED" | tostring')
-
-          # This part only runs if the above command succeeded
-          echo "PR found. Is Merged: $MERGED_OUTPUT"
-          echo "merged=$MERGED_OUTPUT" >> "$GITHUB_OUTPUT"
-        env:
-          GH_TOKEN: ${{ secrets.GH_CLOUD_SDK_JS_ADMIN_WRITE_TOKEN }}
-
-      - name: 'Check Whether Release Notes PR Can Be Merged'
-        if: steps.check_pr_status.outputs.merged == 'false'
-        uses: ./.github/actions/pr-is-mergeable
-        with:
-          pr-ref: ${{ steps.determine-branch-name.outputs.release_notes_branch }}
-          repo: ${{ env.DOCS_REPO }}
-          token: ${{ secrets.GH_CLOUD_SDK_JS_ADMIN_WRITE_TOKEN }}
-          excluded-check-runs: |
-            {
-              \"Build Cloud SDK Documentation\": [\"dependabot\"]
-            }
-
-  publish-npm:
-    name: Publish to NPM
-    runs-on: ubuntu-latest
-    needs: [check-release-notes-pr]
-    permissions:
-      id-token: write
-    steps:
-      - uses: sap/ai-sdk-js/.github/actions/setup@main
-        with:
-          node-version: 24 # Will install npm 11 needed for trusted publishing
-      - name: publish
-        run: |
-          pnpm changeset publish
-
-  merge-release-notes-pr:
-    name: Merge Release Notes PR (if needed)
-    runs-on: ubuntu-latest
-    needs: [check-release-notes-pr, publish-npm]
-    if: needs.check-release-notes-pr.outputs.is_merged == 'false'
-    steps:
-      - name: 'Merge Release Notes PR'
-        run: |
-          echo "Attempting to merge PR for branch: ${{ needs.check-release-notes-pr.outputs.release_notes_branch }}"
-          gh pr merge --squash "${{ needs.check-release-notes-pr.outputs.release_notes_branch }}" --delete-branch --repo "${{ env.DOCS_REPO }}"
-        env:
-          GH_TOKEN: ${{ secrets.GH_CLOUD_SDK_JS_ADMIN_WRITE_TOKEN }}
+  delegate_to_release_job:
+    if: ${{ github.event_name == 'release' }}
+    uses: ./.github/workflows/publish-release.yml
+    secrets: inherit
+
+  delegate_to_canary_job:
+    if: ${{ github.event_name != 'release' }}
+    uses: ./.github/workflows/publish-canary.yml
+    secrets: inherit
+    with:
+      tag: ${{ github.event_name == 'schedule' && github.event.inputs.tag || 'canary' }}
