bug(npm): Attempt to fix issue with Trusted Publishers when using reusable workflows (#6446)

gnbm · web-flow · commit b8763895feb3 · 2025-11-15T00:24:21.000Z
* Added a new publish-npm.yml inside workflows

* Delete action.yml

* Restructure npm publish action

* Add id-token write

* Update publish-npm.yml

* Drive releases through a single orchestrator workflow

Drive releases through a single orchestrator workflow that:
Keeps the nightly cron
Offers manual dispatch inputs for dev/nightly/production
Passes the production tag/base down to release-production.yml
Without that orchestrator, the nightly job will stop running and dev/prod releases can’t be dispatched from the GitHub UI. Let me know if you’d like me to wire the orchestrator back up (or revert the individual workflow_dispatch blocks) so the previous scheduling behavior continues uninterrupted.

* Fix prettier issue
diff --git a/.github/workflows/actions/publish-npm/action.yml b/.github/workflows/actions/publish-npm/action.yml
diff --git a/.github/workflows/publish-npm.yml b/.github/workflows/publish-npm.yml
@@ -0,0 +1,68 @@
+name: 'Release'
+
+on:
+  workflow_call:
+    inputs:
+      version:
+        description: 'The type of version to release.'
+        required: true
+        type: string
+      tag:
+        description: 'The tag to publish to on NPM.'
+        required: true
+        type: string
+      node-version:
+        description: 'Node.js version to use when publishing.'
+        required: false
+        type: string
+        default: '20'
+      registry-url:
+        description: 'Registry URL used for npm publish.'
+        required: false
+        type: string
+        default: 'https://registry.npmjs.org'
+      scope:
+        description: 'npm scope that should use the trusted publisher auth.'
+        required: false
+        type: string
+        default: '@stencil'
+
+permissions:
+  contents: read
+  id-token: write
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    steps:
+      - name: 📥 Checkout Code
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+      - name: 🕸️ Get Core Dependencies
+        uses: ./.github/workflows/actions/get-core-dependencies
+
+      - name: 🟢 Configure Node for Publish
+        uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
+        with:
+          node-version: ${{ inputs.node-version }}
+          registry-url: ${{ inputs.registry-url }}
+          scope: ${{ inputs.scope }}
+
+      - name: 🔄 Ensure Latest npm
+        run: npm install -g npm@latest
+        shell: bash
+
+      - name: 📥 Download Build Archive
+        uses: ./.github/workflows/actions/download-archive
+        with:
+          name: stencil-core
+          path: .
+          filename: stencil-core-build.zip
+
+      - name: 🏷️ Set Version
+        run: npm version --no-git-tag-version ${{ inputs.version }}
+        shell: bash
+
+      - name: 🚀 Publish to NPM
+        run: npm publish --tag ${{ inputs.tag }} --provenance
+        shell: bash
diff --git a/.github/workflows/release-dev.yml b/.github/workflows/release-dev.yml
@@ -1,9 +1,6 @@
 name: 'Stencil Dev Release'
 
 on:
-  workflow_dispatch:
-    # Make this a reusable workflow, no value needed
-    # https://docs.github.com/en/actions/using-workflows/reusing-workflows
   workflow_call:
     outputs:
       dev-version:
@@ -58,15 +55,7 @@ jobs:
   release-stencil-dev-build:
     name: 🚀 Publish Dev Build
     needs: [get-dev-version, build_core]
-    runs-on: ubuntu-22.04
-    permissions:
-      contents: read
-      id-token: write
-    steps:
-      - name: 📥 Checkout Code
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-      - name: 📦 Publish to NPM
-        uses: ./.github/workflows/actions/publish-npm
-        with:
-          tag: dev
-          version: ${{ needs.get-dev-version.outputs.dev-version }}
+    uses: ./.github/workflows/publish-npm.yml
+    with:
+      tag: dev
+      version: ${{ needs.get-dev-version.outputs.dev-version }}
diff --git a/.github/workflows/release-nightly.yml b/.github/workflows/release-nightly.yml
@@ -1,13 +1,7 @@
 name: 'Stencil Nightly Release'
 
 on:
-  schedule:
-    # Run every Monday-Friday at 5:00 AM (UTC) (https://crontab.guru/#00_05_*_*_1-5)
-    # This is done to have a nightly build ready for the Ionic Framework/Stencil Eval Workflow:
-    # https://github.com/ionic-team/ionic-framework/blob/main/.github/workflows/stencil-eval.yml
-    - cron: '00 05 * * 1-5'
-  workflow_dispatch:
-    # Allow this workflow to be run on-demand
+  workflow_call:
 
 permissions:
   contents: read
@@ -60,15 +54,7 @@ jobs:
   release-stencil-nightly-build:
     name: 🚀 Publish Nightly Build
     needs: [get-nightly-version, build_core]
-    runs-on: ubuntu-22.04
-    permissions:
-      contents: read
-      id-token: write
-    steps:
-      - name: 📥 Checkout Code
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-      - name: 🚀 Publish to NPM
-        uses: ./.github/workflows/actions/publish-npm
-        with:
-          tag: nightly
-          version: ${{ needs.get-nightly-version.outputs.nightly-version }}
+    uses: ./.github/workflows/publish-npm.yml
+    with:
+      tag: nightly
+      version: ${{ needs.get-nightly-version.outputs.nightly-version }}
diff --git a/.github/workflows/release-orchestrator.yml b/.github/workflows/release-orchestrator.yml
@@ -0,0 +1,57 @@
+name: 'Stencil Release'
+
+on:
+  schedule:
+    # Run every Monday-Friday at 5:00 AM (UTC)
+    - cron: '00 05 * * 1-5'
+  workflow_dispatch:
+    inputs:
+      release-type:
+        description: 'Which Stencil release workflow should run?'
+        required: true
+        type: choice
+        default: nightly
+        options:
+          - dev
+          - nightly
+          - production
+      tag:
+        description: 'npm tag for production releases.'
+        required: false
+        type: choice
+        default: latest
+        options:
+          - dev
+          - latest
+          - use_pkg_json_version
+      base:
+        description: 'Base branch for production releases.'
+        required: false
+        type: choice
+        default: main
+        options:
+          - main
+          - v3-maintenance
+
+permissions:
+  contents: read
+  id-token: write
+
+jobs:
+  run-nightly:
+    if: ${{ github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && inputs.release-type == 'nightly') }}
+    uses: ./.github/workflows/release-nightly.yml
+    secrets: inherit
+
+  run-dev:
+    if: ${{ github.event_name == 'workflow_dispatch' && inputs.release-type == 'dev' }}
+    uses: ./.github/workflows/release-dev.yml
+    secrets: inherit
+
+  run-production:
+    if: ${{ github.event_name == 'workflow_dispatch' && inputs.release-type == 'production' }}
+    uses: ./.github/workflows/release-production.yml
+    secrets: inherit
+    with:
+      tag: ${{ inputs.tag }}
+      base: ${{ inputs.base }}
diff --git a/.github/workflows/release-production.yml b/.github/workflows/release-production.yml
@@ -1,6 +1,6 @@
 name: 'Stencil Production Release'
 on:
-  workflow_dispatch:
+  workflow_call:
     inputs:
       tag:
         required: false
