55 branches :
66 - main
77
8+ permissions :
9+ id-token : write # Required for OIDC
10+ contents : read
11+
812concurrency :
913 group : ${{ github.workflow }}-${{ github.ref }}
1014 cancel-in-progress : true
@@ -144,6 +148,7 @@ jobs:
144148 runs-on : ubuntu-latest
145149 timeout-minutes : 30
146150 permissions :
151+ id-token : write # Required for trusted publishing
147152 contents : write
148153 pull-requests : write
149154
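Review bot: The job-level `id-token: write` at new line 151 is the right scope for trusted publishing, which makes the workflow-level grant added at new lines 8–10 broader than needed: any job in this file without its own `permissions` block can then also request an OIDC token. As far as I know, npm's trusted-publisher binding is keyed to the workflow file rather than to a single job, so keeping the token out of jobs that only build or test narrows what can publish. Suggest reducing the top-level block to `contents: read` and keeping the grant and its comment here. The job header is outside this hunk, so whether the job also declares an `environment:` cannot be seen.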
@@ -155,12 +160,16 @@ jobs:
155160 - uses : actions/setup-node@v4
156161 with :
157162 node-version : 24
163+ registry-url : ' https://registry.npmjs.org'
158164 cache : ' npm'
159165
160166 - uses : oven-sh/setup-bun@v2
161167 with :
162168 bun-version : latest
163169
170+ - name : Upgrade npm for OIDC trusted publishing
171+ run : npm install -g npm@latest
172+
164173 - name : Install dependencies
165174 run : npm ci
166175
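Review bot: `npm install -g npm@latest` at new line 171 pulls whatever npm release is current at run time into a job that holds `id-token: write` and `contents: write` and then publishes, so the publishing toolchain can change without any commit to this repository. Pin it to an exact version that supports trusted publishing, e.g. `run: npm install -g npm@<pinned-version>`, and bump it deliberately. The same concern applies to the existing `bun-version: latest` at line 168, and the `uses:` references in this hunk are pinned to tags (`@v4`, `@v2`) rather than commit SHAs. The job continues outside the hunk.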
@@ -184,7 +193,9 @@ jobs:
184193 target : default
185194 platforms : linux/amd64
186195 push : true
187- tags : cloudflare/sandbox:${{ needs.unit-tests.outputs.version }}
196+ tags : |
197+ cloudflare/sandbox:${{ needs.unit-tests.outputs.version }}
198+ cloudflare/sandbox:latest
188199 cache-from : type=gha,scope=release-default
189200 cache-to : type=gha,mode=max,scope=release-default
190201 build-args : |
@@ -198,7 +209,9 @@ jobs:
198209 target : python
199210 platforms : linux/amd64
200211 push : true
201- tags : cloudflare/sandbox:${{ needs.unit-tests.outputs.version }}-python
212+ tags : |
213+ cloudflare/sandbox:${{ needs.unit-tests.outputs.version }}-python
214+ cloudflare/sandbox:latest-python
202215 cache-from : type=gha,scope=release-python
203216 cache-to : type=gha,mode=max,scope=release-python
204217 build-args : |
@@ -211,5 +224,58 @@ jobs:
211224 publish : npx tsx .github/changeset-publish.ts
212225 env :
213226 GITHUB_TOKEN : ${{ secrets.GITHUB_TOKEN }}
214- NPM_TOKEN : ${{ secrets.NPM_PUBLISH_TOKEN }}
215- NPM_PUBLISH_TOKEN : ${{ secrets.NPM_PUBLISH_TOKEN }}
227+ NPM_CONFIG_PROVENANCE : true
228+
229+ # Beta release - publishes on every push to main
230+ - name : Modify package.json version for beta
231+ run : npx tsx .github/version-script.ts
232+
233+ - name : Resolve workspace dependencies
234+ run : npx tsx .github/resolve-workspace-versions.ts
235+
236+ - name : Rebuild packages for beta
237+ run : npm run build
238+
239+ - name : Get beta version
240+ id : beta-version
241+ run : |
242+ VERSION=$(node -p "require('./packages/sandbox/package.json').version")
243+ echo "version=$VERSION" >> $GITHUB_OUTPUT
244+
245+ - name : Build and push Docker image (default) - beta
246+ uses : docker/build-push-action@v6
247+ with :
248+ context : .
249+ file : packages/sandbox/Dockerfile
250+ target : default
251+ platforms : linux/amd64
252+ push : true
253+ tags : |
254+ cloudflare/sandbox:${{ steps.beta-version.outputs.version }}
255+ cloudflare/sandbox:beta
256+ cache-from : type=gha,scope=beta-default
257+ cache-to : type=gha,mode=max,scope=beta-default
258+ build-args : |
259+ SANDBOX_VERSION=${{ steps.beta-version.outputs.version }}
260+
261+ - name : Build and push Docker image (python) - beta
262+ uses : docker/build-push-action@v6
263+ with :
264+ context : .
265+ file : packages/sandbox/Dockerfile
266+ target : python
267+ platforms : linux/amd64
268+ push : true
269+ tags : |
270+ cloudflare/sandbox:${{ steps.beta-version.outputs.version }}-python
271+ cloudflare/sandbox:beta-python
272+ cache-from : type=gha,scope=beta-python
273+ cache-to : type=gha,mode=max,scope=beta-python
274+ build-args : |
275+ SANDBOX_VERSION=${{ steps.beta-version.outputs.version }}
276+
277+ - name : Publish npm package (beta)
278+ run : npm publish --tag beta
279+ env :
280+ NPM_CONFIG_PROVENANCE : true
281+ working-directory : packages/sandbox
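Review bot: The two beta image pushes (new lines 245–275) move the floating `cloudflare/sandbox:beta` and `beta-python` tags before `npm publish --tag beta` runs at line 278, so a failed npm publish leaves those tags on a version with no matching npm package. Consider pushing only the versioned tags in those steps and moving the floating tags in a final step once the publish has succeeded. In the `Get beta version` step, quote the redirect target: `echo "version=$VERSION" >> "$GITHUB_OUTPUT"`. Dropping the `NPM_PUBLISH_TOKEN` references at old lines 214–215 does not invalidate the token itself, so a comment or follow-up noting that the secret should be revoked and deleted would close that path. The job these steps belong to starts outside the hunk.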