fix: add authentication tokens for release step in CI workflow #242
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: ci-build-lint-test-wf | |
| on: | |
| push: | |
| branches: [main, "release/*", "changeset-release/*"] | |
| pull_request: | |
| types: [opened, reopened, synchronize, labeled, unlabeled] | |
| branches: [main, "release/*", "changeset-release/*"] | |
| jobs: | |
| build: | |
| name: build | |
| runs-on: ubuntu-latest | |
| permissions: | |
| # This permissions are required by testcoverage report | |
| issues: write | |
| pull-requests: write | |
| contents: read | |
| actions: read # Required to download artifacts | |
| strategy: | |
| matrix: | |
| node-version: [22] | |
| steps: | |
| - uses: actions/checkout@v5 | |
| with: | |
| persist-credentials: false # so we control the push identity | |
| fetch-depth: 2 | |
| - uses: ./.github/actions/setup-node-pnpm | |
| with: | |
| node-version: ${{ matrix.node-version }} | |
| - name: Require changeset in PR | |
| uses: deresegetachew/systemcraft-stack-actions/actions/changeset-validator@main | |
| with: | |
| skip-label: "[skip changeset check]" | |
| - uses: ./.github/actions/build-lint-test | |
| with: | |
| github-token: ${{ github.token }} | |
| codeql: | |
| uses: ./.github/workflows/codeql-analyze-wf.yml | |
| permissions: | |
| # This permissions are required by codeql workflow | |
| security-events: write | |
| pull-requests: write | |
| contents: read | |
| with: | |
| languages: "javascript" # comma separated values code | |
| # we are keeping publish here bc uploading artifacts across wf can be buggy. | |
| publish: | |
| needs: [build] | |
| name: publish | |
| if: > | |
| github.event_name == 'push' && | |
| (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/release/')) | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: write | |
| id-token: write | |
| pull-requests: write | |
| strategy: | |
| matrix: | |
| node-version: [22] | |
| steps: | |
| - uses: actions/checkout@v5 | |
| with: | |
| persist-credentials: false | |
| fetch-depth: 2 | |
| - uses: ./.github/actions/setup-node-pnpm | |
| with: | |
| node-version: ${{ matrix.node-version }} | |
| - uses: ./.github/actions/setup-ci-git-identity | |
| with: | |
| purpose: "GPG-signed release commits" | |
| git-user-name: ${{ vars.CI_GPG_USER_NAME }} | |
| git-user-email: ${{ vars.CI_GPG_USER_EMAIL }} | |
| gpg-private-key: ${{ secrets.GPG_PRIVATE_KEY }} | |
| gpg-passphrase: ${{ secrets.GPG_PASSPHRASE }} | |
| - name: Set up auth with bot token | |
| run: | | |
| git remote set-url origin https://x-access-token:${{ secrets.BOT_TOKEN }}@github.com/${{ github.repository }}.git | |
| # Debugging step to verify git identity configuration | |
| - name: Debug commit identity | |
| run: | | |
| echo "Git identity:" | |
| git config --get user.name | |
| git config --get user.email | |
| echo "Env identity:" | |
| env | grep -E 'GIT_(AUTHOR|COMMITTER)_' || true | |
| - name: Download build artifacts | |
| uses: actions/download-artifact@v5 | |
| with: | |
| name: dist-packages | |
| path: packages | |
| # Add a debugging step to list the contents of the packages directory | |
| - name: Debug downloaded artifacts | |
| run: | | |
| echo "Contents after artifact download:" | |
| find packages -name "*.js" -o -name "*.mjs" -o -name "*.d.ts" | head -10 | |
| echo "Package directories:" | |
| ls -la packages/*/dist/ 2>/dev/null || echo "No dist directories found" | |
| - name: Run version step | |
| uses: deresegetachew/systemcraft-stack-actions/actions/plan-maintenance-branches@main | |
| env: | |
| ENABLE_MULTI_RELEASE: ${{ vars.ENABLE_MULTI_RELEASE }} | |
| - name: Create Release Pull Request or Publish | |
| id: changesets | |
| uses: changesets/action@v1 | |
| with: | |
| commit: "chore: update package versions and changelogs" | |
| env: | |
| NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Run release step | |
| uses: deresegetachew/systemcraft-stack-actions/actions/release-with-branching@main | |
| env: | |
| ENABLE_MULTI_RELEASE: ${{ vars.ENABLE_MULTI_RELEASE }} | |
| NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| # Debugging step to show the latest commit with signature info | |
| - name: Show latest commit + signature | |
| run: | | |
| echo "Latest commit with signature info:" | |
| git --no-pager log -1 --pretty=full --show-signature |